www/global: migrate vm.strangervm->jorah

This commit is contained in:
Jake Hillion 2023-11-25 16:35:10 +00:00
parent 6ee3e2f095
commit f047111de7
6 changed files with 120 additions and 92 deletions


@ -22,6 +22,7 @@
custom = {
locations.autoServe = true;
services.version_tracker.enable = true;
www.global.enable = true;
};
## Filesystems
@ -52,8 +53,11 @@
interfaces = {
enp5s0 = {
allowedTCPPorts = lib.mkForce [
80 # HTTP 1-2
443 # HTTPS 1-2
];
allowedUDPPorts = lib.mkForce [
443 # HTTP 3
];
};
};
@ -64,6 +68,8 @@
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
ipv4Addr = "100.96.143.138";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
};
};
}
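Review bot: `ipv4Addr = "100.96.143.138"` and the `ipv6Addr` below it are hand-copied tailnet addresses with nothing tying them to what Tailscale actually assigns the jorah node; the same pattern is added in the vm.strangervm section of this commit, and the matrix hunk binds synapse to these values, so a stale copy would either fail to bind or listen where the proxy cannot reach it. A comment on the attribute recording where the values come from and when they must be re-checked would help, e.g. `ipv4Addr = "100.96.143.138"; # tailnet address assigned to this node; re-verify after re-auth, services bind to it`. How `custom.tailscale.ipv4Addr` is consumed beyond the matrix hunk is not in view, so the bind consequence is inferred.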


@ -21,7 +21,6 @@
## Custom Services
custom = {
locations.autoServe = true;
www.global.enable = true;
services.matrix.enable = true;
};
@ -37,6 +36,10 @@
22 # SSH
];
allowedUDPPorts = lib.mkForce [ ];
trustedInterfaces = lib.mkForce [
"lo"
"tailscale0"
];
interfaces = {
ens18 = {
allowedTCPPorts = lib.mkForce [
@ -55,6 +58,8 @@
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
ipv4Addr = "100.110.89.111";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:626e:596f";
};
## Resilio Sync (Encrypted)
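Review bot: `trustedInterfaces = lib.mkForce [ "lo" "tailscale0" ]` disables the host firewall for all tailnet traffic, which is broader than what the rest of this commit needs: the matrix hunk only has to be reachable on its listener port from the caddy host on jorah. Unless other services on this VM depend on the fully open interface, `interfaces.tailscale0.allowedTCPPorts = [ 8008 ];` keeps the existing per-port model and leaves the Tailscale ACL as a second layer rather than the only one. The `allowedTCPPorts = lib.mkForce [` block that follows continues outside the hunk, so I cannot see what ens18 already exposes.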


@ -32,26 +32,68 @@ in
};
};
services.mastodon = {
enable = true;
localDomain = "social.hillion.co.uk";
services = {
mastodon = {
enable = true;
localDomain = "social.hillion.co.uk";
vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; };
otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path;
secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path;
vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path;
vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; };
otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path;
secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path;
vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path;
smtp = {
user = "mastodon@social.hillion.co.uk";
port = 587;
passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path;
host = "smtp.eu.mailgun.org";
fromAddress = "mastodon@social.hillion.co.uk";
authenticate = true;
smtp = {
user = "mastodon@social.hillion.co.uk";
port = 587;
passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path;
host = "smtp.eu.mailgun.org";
fromAddress = "mastodon@social.hillion.co.uk";
authenticate = true;
};
extraConfig = {
EMAIL_DOMAIN_WHITELIST = "hillion.co.uk";
};
};
extraConfig = {
EMAIL_DOMAIN_WHITELIST = "hillion.co.uk";
caddy = {
enable = true;
virtualHosts."social.hillion.co.uk".extraConfig = ''
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket
}
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
file_server
}
encode gzip
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
};
};
};
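Review bot: The caddy vhost moved into this module serves `root /var/lib/mastodon/public-system` directly, which only works if the caddy user can read mastodon's state directory; in the www/global section that was granted by `users.users.caddy.extraGroups = [ "mastodon" ];`, and the rendered hunk does not show whether that line survived the move. If it was dropped there, this module should carry it alongside `services.caddy`, since the vhost and the group grant now live apart. Separately, the vhost name repeats the string `"social.hillion.co.uk"` that `localDomain` already holds in the same attrset; `virtualHosts.${config.services.mastodon.localDomain}.extraConfig` keeps the two from drifting.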


@ -74,7 +74,11 @@ in
tls = false;
type = "http";
x_forwarded = true;
bind_addresses = [ "::1" ];
bind_addresses = [
"::1"
config.custom.tailscale.ipv4Addr
config.custom.tailscale.ipv6Addr
];
resources = [
{
names = [ "client" "federation" ];
@ -117,10 +121,12 @@ in
};
};
systemd.services.heisenbridge = lib.mkIf cfg.heisenbridge {
serviceConfig = {
Restart = "on-failure";
RestartSec = 15;
systemd.services = {
heisenbridge = lib.mkIf cfg.heisenbridge {
serviceConfig = {
Restart = "on-failure";
RestartSec = 15;
};
};
};
};
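Review bot: Adding `config.custom.tailscale.ipv4Addr` and `ipv6Addr` to `bind_addresses` puts the plaintext (`tls = false`) listener with `x_forwarded = true` on the tailnet, so synapse will now honour X-Forwarded-For from any tailnet peer that can reach it rather than only the local proxy; with the vm.strangervm section marking tailscale0 as a trusted interface, that is every node on the tailnet. A comment recording that jorah's caddy is the only intended client, or a firewall rule limiting the port to that host, would make the trust boundary explicit. If `custom.tailscale.ipv4Addr` has no default, hosts that enable matrix without setting it will fail evaluation on this list; the option definition is not in view, so that is worth checking.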


@ -10,82 +10,51 @@ in
};
config = lib.mkIf cfg.enable {
custom.www.www-repo.enable = true;
users.users.caddy.extraGroups = [ "mastodon" ];
services.caddy = {
enable = true;
virtualHosts."hillion.co.uk".extraConfig = ''
handle /.well-known/* {
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
respond 404
}
handle {
redir https://blog.hillion.co.uk{uri}
}
'';
virtualHosts."blog.hillion.co.uk".extraConfig = ''
root * /var/www/blog.hillion.co.uk
file_server
'';
virtualHosts."gitea.hillion.co.uk".extraConfig = ''
reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000
'';
virtualHosts."homeassistant.hillion.co.uk".extraConfig = ''
reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123
'';
virtualHosts."emby.hillion.co.uk".extraConfig = ''
reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
'';
virtualHosts."matrix.hillion.co.uk".extraConfig = ''
reverse_proxy http://${locations.services.matrix}:8008
'';
virtualHosts."unifi.hillion.co.uk".extraConfig = ''
reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 {
transport http {
tls_insecure_skip_verify
virtualHosts = {
"hillion.co.uk".extraConfig = ''
handle /.well-known/* {
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
respond 404
}
}
'';
virtualHosts."drone.hillion.co.uk".extraConfig = ''
reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733
'';
virtualHosts."social.hillion.co.uk".extraConfig = ''
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
handle {
redir https://blog.hillion.co.uk{uri}
}
reverse_proxy * unix//run/mastodon-web/web.socket
}
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
'';
"blog.hillion.co.uk".extraConfig = ''
root * /var/www/blog.hillion.co.uk
file_server
}
encode gzip
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
'';
"gitea.hillion.co.uk".extraConfig = ''
reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000
'';
"homeassistant.hillion.co.uk".extraConfig = ''
reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123
'';
"emby.hillion.co.uk".extraConfig = ''
reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
'';
"matrix.hillion.co.uk".extraConfig = ''
reverse_proxy http://${locations.services.matrix}:8008
'';
"unifi.hillion.co.uk".extraConfig = ''
reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 {
transport http {
tls_insecure_skip_verify
}
}
'';
"drone.hillion.co.uk".extraConfig = ''
reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733
'';
};
};
};
}
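Review bot: `reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733` for drone.hillion.co.uk still names the backend host directly, while the matrix vhost in the same `virtualHosts` block resolves its backend through `${locations.services.matrix}`; since this commit is about moving services between strangervm and jorah, the drone upstream is the next thing that will silently break when that service moves. Resolving it through a corresponding `locations.services` entry the way the matrix line does keeps the vhosts consistent (the locations definition is not in view, so I cannot confirm an entry exists). The enclosing `config = lib.mkIf cfg.enable` block closes within the hunk.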


@ -53,10 +53,10 @@ in
};
script = ''
if [ ! -d "${cfg.path}/.git" ] ; then
${pkgs.git}/bin/git clone ${cfg.remote} ${cfg.path}
if [ ! -d "${cfg.location}/.git" ] ; then
${pkgs.git}/bin/git clone ${cfg.remote} ${cfg.location}
else
cd ${cfg.path}
cd ${cfg.location}
${pkgs.git} remote set-url origin ${cfg.remote}
${pkgs.git}/bin/git fetch
${pkgs.git}/bin/git reset --hard origin/${cfg.branch}