Refactor nginx.nix using generative functions; remove bind container service; enable CoreDNS; open 53/UDP on system firewall; rename service files; containers listen on localhost only; add SDA-EXT data volume

2023-06-27 19:41:33 -05:00
parent 13e06ad3af
commit 6de382ceb4
10 changed files with 159 additions and 163 deletions


@ -2,17 +2,9 @@
virtualisation.oci-containers = {
containers = {
bind = {
image = "sameersbn/bind:latest";
ports =
[ "0.0.0.0:53:53/tcp" "0.0.0.0:53:53/udp" "0.0.0.0:5053:10000/tcp" ];
volumes = [ "/home/sezycei/srv/containerdata/bind/bind:/data" ];
environmentFiles = [ /home/sezycei/srv/containerdata/bind/.env ];
};
jellyfin = {
image = "linuxserver/jellyfin";
ports = [ "0.0.0.0:8096:8096" "0.0.0.0:8920:8920" ];
ports = [ "127.0.0.1:8096:8096" "127.0.0.1:8920:8920" ];
volumes = [
"/home/sezycei/srv/containerdata/jellyfin/config:/config"
"/home/torrent/data/completed:/data/unsorted"
@ -31,7 +23,7 @@
legit = {
image = "docker.matri.cx/legit";
ports = [ "0.0.0.0:5121:8080" ];
ports = [ "127.0.0.1:5121:8080" ];
volumes = [
"/home/sezycei/srv/containerdata/legit/static:/static"
"/home/sezycei/srv/containerdata/legit/templates:/templates"
@ -43,7 +35,7 @@
murmur = {
image = "goofball222/murmur";
ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];
ports = [ "127.0.0.1:64738:64738" "127.0.0.1:64738:64738/udp" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
@ -54,7 +46,7 @@
purr = {
image = "docker.matri.cx/purr";
ports = [ "0.0.0.0:5195:3000" ];
ports = [ "127.0.0.1:5195:3000" ];
volumes = [
"/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
"/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
@ -64,7 +56,7 @@
registry = {
image = "registry:2";
ports = [ "0.0.0.0:3001:5000" ];
ports = [ "127.0.0.1:3001:5000" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
@ -75,7 +67,7 @@
transmission = {
image = "haugene/transmission-openvpn";
ports = [ "0.0.0.0:9091:9091" ];
ports = [ "127.0.0.1:9091:9091" ];
volumes = [
"/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
"/etc/localtime:/etc/localtime:ro"
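Review bot: Moving murmur to `127.0.0.1:64738` (tcp and udp) leaves Mumble unreachable from anything but the host itself, since nothing in this commit's nginx section proxies 64738 and nginx's http proxying would not carry the Mumble protocol anyway; if clients are meant to connect, that entry should keep its public bind, e.g. `ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];`, or be exposed through a `services.nginx.streamConfig` block plus a firewall rule, rather than being swept up in the localhost-only change. The new transmission mapping `127.0.0.1:9091:9091` also does not agree with the `http://127.0.0.1:9001` target that nginx.nix in this same commit uses for transmission.matri.cx; unless something else listens on 9001, one of the two ports should change. The murmur entry additionally mounts the registry `data` and `certs` directories (unchanged context lines), which looks like a copy-paste from the registry container and gives murmur read-write access to the registry's TLS material — worth confirming. The enclosing `virtualisation.oci-containers` set and the file's line 1 start before the hunk.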


@ -1,124 +1,77 @@
{ config, ... }: {
{ pkgs, config, ... }:
let
containernix = import ./containers.nix;
containers = containernix.virtualisation.oci-containers.containers;
in
{
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."cache.matri.cx" = {
enableACME = true;
forceSSL = true;
root = "/var/www/cache.matri.cx";
locations."/" = {
extraConfig = "allow 192.168.0.0\/24;\ndeny all;";
proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
virtualHosts =
let
base = locations: {
enableACME = true;
forceSSL = true;
inherit locations;
};
static = { dir }: base {
"/".root = dir;
};
proxied = { target, extra ? "" }: base {
"/" = {
proxyPass = target;
extraConfig = extra;
};
};
proxiedAuth = { target, extra ? "", auth }: base {
"/" = {
proxyPass = target;
basicAuthFile = auth;
extraConfig = extra;
};
};
proxiedLAN = { target }: base {
"/" = {
proxyPass = target;
extraConfig = ''
allow 192.168.0.0/24;
deny all;
'';
};
};
in
{
"cache.matri.cx" = proxiedLAN {
target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
"caitlynncox.com" = static { dir = "/var/www/caitlynncox.com"; };
"dallasmed65.com" = static { dir = "/var/www/dallasmed65.com"; };
"docker.matri.cx" = proxiedAuth {
auth = config.age.secrets.htpasswd-dock.path;
target = "http://127.0.0.1:3001";
};
"eversole.co" = static { dir = "/var/www/jame.su"; };
"git.eversole.co" = proxied { target = "http://127.0.0.1:5121"; };
"graf.eversole.co" = { root = "/var/www/graf.eversole.co"; }; # refer to /monitoring/nginx.nix
"hydra.matri.cx" = proxied {
target = "http://127.0.0.1:3034";
extra = ''
proxy_set_header X-Request-Base "https://hydra.matri.cx";
'';
};
"jame.su" = static { dir = "/var/www/jame.su"; };
"matri.cx" = static { dir = "/var/www/matri.cx"; };
"media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
"sezycei.com" = static { dir = "/var/www/sezycei.com"; };
"snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
"transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9001"; };
"purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
};
};
virtualHosts."caitlynncox.com" = {
enableACME = true;
forceSSL = true;
root = "/var/www/caitlynncox.com";
};
virtualHosts."dallasmed65.com" = {
enableACME = true;
forceSSL = true;
root = "/var/www/dallasmed65.com";
};
virtualHosts."docker.matri.cx" = {
enableACME = true;
forceSSL = true;
root = "/var/www/docker.matri.cx";
locations."/" = {
basicAuthFile = config.age.secrets.htpasswd-dock.path;
proxyPass = "http://192.168.0.130:3001";
};
};
virtualHosts."eversole.co" = {
enableACME = true;
forceSSL = true;
root = "/var/www/jame.su";
locations = {
"/.well-known/openpgpkey/hu/".extraConfig = ''
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin * always;
'';
"/ip".proxyPass = "http://192.168.0.130:5001";
"/pw".proxyPass = "http://192.168.0.130:5002";
};
};
virtualHosts."git.eversole.co" = {
enableACME = true;
forceSSL = true;
root = "/var/www/git.eversole.co";
locations = {
"/James".extraConfig = ''
if ($request_uri ~* "([^/]*$)" ) {
return 301 https://$server_name/$1;
}
'';
"/".proxyPass = "http://192.168.0.130:5121";
};
};
# refer to /monitoring/nginx.nix
virtualHosts."graf.eversole.co" = {
root = "/var/www/graf.eversole.co";
};
virtualHosts."hydra.matri.cx" = {
enableACME = true;
forceSSL = true;
root = "/var/www/hydra.matri.cx";
locations."/" = {
proxyPass = "http://192.168.0.130:3034";
extraConfig = ''
proxy_set_header X-Request-Base "https://hydra.matri.cx";
'';
};
};
virtualHosts."jame.su" = {
enableACME = true;
forceSSL = true;
root = "/var/www/jame.su";
};
virtualHosts."matri.cx" = {
enableACME = true;
forceSSL = true;
root = "/var/www/matri.cx";
};
virtualHosts."media.matri.cx" = {
enableACME = true;
forceSSL = true;
root = "/var/www/media.matri.cx";
locations."/".proxyPass = "http://192.168.0.130:8096";
};
virtualHosts."sezycei.com" = {
enableACME = true;
forceSSL = true;
root = "/var/www/sezycei.com";
};
virtualHosts."snakebelmont.com" = {
enableACME = true;
forceSSL = true;
root = "/var/www/snakebelmont.com";
};
virtualHosts."purr.eversole.co" = {
enableACME = true;
forceSSL = true;
root = "/var/www/purr.eversole.co";
locations."/".proxyPass = "http://192.168.0.130:5195";
};
};
}
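Review bot: The generated `virtualHosts` drop locations the old definitions had: `eversole.co` loses its `/.well-known/openpgpkey/hu/` block (the `default_type` and `Access-Control-Allow-Origin` header that WKD key lookup depends on) and the `/ip` and `/pw` proxies, and `git.eversole.co` loses the `/James` redirect, so those paths now fall through to the static root or the proxy. If that is not intended, let the helpers take extra locations, e.g. `static = { dir, extra ? { } }: base ({ "/".root = dir; } // extra);`, and pass the old blocks through. The `let` at the top binds `containers` from `import ./containers.nix` but nothing in the new code reads it, and if containers.nix is a module function (its first line is not visible in the other section, whose hunk starts at line 2) the `.virtualisation` access will fail at evaluation time; drop the binding or actually use it to derive the proxy targets so ports are not duplicated by hand. Note also that `proxiedLAN` restricts by source address with `allow 192.168.0.0/24; deny all;`, which is only meaningful while nginx sees the real client address, so it should not be placed behind another proxy without `set_real_ip_from`.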