From 5f8473d38c5ee78c1f32d1486f2e1abbd84fcb05 Mon Sep 17 00:00:00 2001
From: emily
Date: Wed, 10 Jan 2024 13:30:05 +0100
Subject: [PATCH] moved things around mainly nginx

---
 config/hosts/web02/configuration.nix | 46 +++-------------
 config/lxc.nix | 17 ------
 flake.lock | 81 +++++++++++++++++++++++++---
 flake.nix | 12 +++--
 4 files changed, 91 insertions(+), 65 deletions(-)
 delete mode 100644 config/lxc.nix

diff --git a/config/hosts/web02/configuration.nix b/config/hosts/web02/configuration.nix
index 2d004bd..64a6582 100644
--- a/config/hosts/web02/configuration.nix
+++ b/config/hosts/web02/configuration.nix
@@ -1,14 +1,6 @@
-{ config, inputs, pkgs, lib, ... }:
+{ config, pkgs, lib, fernglas, ... }:
 let
 bmpPort = 11019;
- extraConfig = ''
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "same-origin" always;
- '';
 autoIndex = ''
 autoindex on;
 autoindex_exact_size off;
@@ -50,23 +42,6 @@ in {
 };
 };
 services.nginx = {
- package = pkgs.nginxQuic;
- enable = true;
-
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- recommendedGzipSettings = true;
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- sslProtocols = "TLSv1.3";
- clientMaxBodySize = "0";
-
- appendHttpConfig = ''
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- ${extraConfig}
- '';
-
 createHost = {
 "miau.zip" = { root = "/var/www/kyouma.net"; };
 "www.miau.zip" = { redirectTo = "miau.zip"; };
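Review bot: The host-level nginx hardening that leaves this file in the second hunk — `sslProtocols = "TLSv1.3"`, the `sslCiphers` list, `recommendedTlsSettings` and the HSTS/`X-Frame-Options`/`nosniff`/`Referrer-Policy` headers from `extraConfig` — has no visible destination in this patch: `config/common-nginx.nix`, which flake.nix now imports, is not among the four changed files, so the move cannot be reviewed end to end. If that file already exists outside this commit, please confirm it re-applies the same `add_header ... always` set and the TLSv1.3 restriction; unlike the dropped ACME settings, a missing header or TLS policy does not fail evaluation, every vhost under `createHost` would just silently lose it. `clientMaxBodySize = "0"` also deserves a second look wherever it lands, because it disables nginx's request-body limit for every host that imports a shared module, so consider scoping it to the one location that needs unbounded uploads. Both hunks' enclosing `let … in { … }` and the `services.nginx` attrset continue outside the hunk.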
@@ -107,22 +82,15 @@ in {
 };
 "lg.kyouma.net" = {
 useACMEHost = "kyouma.net";
- locations."/".root = inputs.fernglas.packages.${config.nixpkgs.hostPlatform.system}.fernglas-frontend;
+ locations."/".root = fernglas.packages.${config.nixpkgs.hostPlatform.system}.fernglas-frontend;
 locations."/api/".proxyPass = "http://${config.services.fernglas.settings.api.bind}";
 };
 };
 };
- security.acme = {
- acceptTerms = true;
- defaults = {
- keyType = "ec384";
- email = "noc@kyouma.net";
- };
- certs = {
- "miau.zip" = { extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; };
- "kyouma.net" = { extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ]; };
- "emily.cat" = { extraDomainNames = [ "www.emily.cat" ]; };
- "cocaine.trade" = { extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ]; };
- };
+ security.acme.certs = {
+ "miau.zip" = { extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; };
+ "kyouma.net" = { extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ]; };
+ "emily.cat" = { extraDomainNames = [ "www.emily.cat" ]; };
+ "cocaine.trade" = { extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ]; };
 };
 }
diff --git a/config/lxc.nix b/config/lxc.nix
deleted file mode 100644
index 3f46f36..0000000
--- a/config/lxc.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, pkgs, lib, modulesPath, ... }:
-
-with lib; {
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ];
- proxmoxLXC = {
- manageNetwork = true;
- manageHostName = true;
- };
- networking.useDHCP = false;
-
- system.autoUpgrade.enable = true;
- nix.optimise.automatic = true;
- nix.gc.automatic = true;
- nix.gc.options = "--delete-older-than 2d";
-}
diff --git a/flake.lock b/flake.lock
index fac99c9..15f7366 100644
--- a/flake.lock
+++ b/flake.lock
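Review bot: `fernglas` is now read straight from the module arguments on the `locations."/".root` line instead of `inputs.fernglas`, which only evaluates if the `nixosSystem` call exposes it through `specialArgs` (e.g. `specialArgs = attrs;`); the line that would do so sits between the two flake.nix hunks and is not in the patch, so this cannot be confirmed here. The hunk also drops `acceptTerms`, `defaults.email` and `keyType = "ec384"` from `security.acme`: the first two fail evaluation if the shared module does not set them, but a missing `keyType` silently falls back to the module default (`ec256`), so please check that `config/common-nginx.nix` carries `security.acme.defaults.keyType = "ec384";` if P-384 certificate keys were intentional. The enclosing `services.nginx.createHost` attrset starts before this hunk.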
@@ -1,5 +1,42 @@ { "nodes": { + "fernglas": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1703863936, + "narHash": "sha256-sy+rSQ1NMUf5Rhoi0waBgBh+vj98ADjrROSkBG4EFWY=", + "owner": "wobcom", + "repo": "fernglas", + "rev": "eef7c251904c9c39eacb0d680474901af4b7a9b4", + "type": "github" + }, + "original": { + "owner": "wobcom", + "repo": "fernglas", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1704786394, @@ -17,15 +54,31 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704538339, - "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=", - "owner": "nixos", + "lastModified": 1699099776, + "narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701", + "rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1704722960, + "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d", + "type": "github" + }, + "original": { + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -33,8 +86,24 @@ }, "root": { "inputs": { + "fernglas": "fernglas", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } },
diff --git a/flake.nix b/flake.nix
index 6e2f51a..b0a99ff 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,12 +1,17 @@ { description = "emilys config hell"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs = { + type = "github"; + owner = "NixOS"; + repo = "nixpkgs"; + ref = "nixos-unstable"; + }; nixos-hardware.url = "github:nixos/nixos-hardware"; fernglas.url = "github:wobcom/fernglas"; }; - outputs = { self, nixpkgs, nixos-hardware, ... }@attrs: { + outputs = { self, nixpkgs, nixos-hardware, fernglas, ... }@attrs: { nixosConfigurations = { web02 = nixpkgs.lib.nixosSystem { system = "x86_64-linux";
@@ -14,7 +19,8 @@
 modules = [
 fernglas.nixosModules.default
 ./config/common
- ./config/lxc.nix
+ ./config/common-lxc.nix
+ ./config/common-nginx.nix
 ./config/hosts/web02/configuration.nix
 ];
 };
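Review bot: The `fernglas` input declared under `inputs` pins its own `nixpkgs`: the lockfile in this same commit gains a second `nixpkgs` node (rev `85f1ba3e…`, lastModified 1699099776) owned by `fernglas`, while the root keeps `nixpkgs_2` (rev `317484b1…`, lastModified 1704722960), so the `fernglas-frontend` package served on `lg.kyouma.net` appears to be built from a nixpkgs roughly two months older than the host it runs on. Unless fernglas requires that exact revision, add `fernglas.inputs.nixpkgs.follows = "nixpkgs";` next to `fernglas.url` so the web-facing package receives the same security updates as the rest of the system and the closure carries a single nixpkgs. The `nixosSystem` call for `web02` continues past the end of this hunk.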
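Review bot: The module list now imports `./config/common-lxc.nix` and `./config/common-nginx.nix`, but neither file is part of this patch — the diffstat lists only four files and `config/lxc.nix` is deleted — so as committed the flake evaluates only if those files were added in a separate commit. Please add them here or confirm they already exist in the tree; the deleted `config/lxc.nix` carried `system.autoUpgrade.enable = true`, `nix.gc.automatic = true` and `networking.useDHCP = false`, and `common-lxc.nix` should keep the first two unless switching off automatic updates for this host is intended. The `nixosSystem` call starts before this hunk.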