diff --git a/flake.lock b/flake.lock index ce9c930..686a6d2 100644 --- a/flake.lock +++ b/flake.lock @@ -49,11 +49,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1711500952, - "narHash": "sha256-YEF6ycTwkcuZq1ocon+JahHgwuQLQtpH2js1j+gN8K8=", + "lastModified": 1711944236, + "narHash": "sha256-ojbn/vd70A0q5exwbBwOLzTFODQls1BrkghShqqouUM=", "owner": "rycee", "repo": "nur-expressions", - "rev": "d0df0c83bfe2e7ed6e26259a289d7056c4001ced", + "rev": "bf108287a1a055d42b769328e2e18333bb5f842e", "type": "gitlab" }, "original": { @@ -245,11 +245,11 @@ ] }, "locked": { - "lastModified": 1711625603, - "narHash": "sha256-W+9dfqA9bqUIBV5u7jaIARAzMe3kTq/Hp2SpSVXKRQw=", + "lastModified": 1711915616, + "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=", "owner": "nix-community", "repo": "home-manager", - "rev": "c0ef0dab55611c676ad7539bf4e41b3ec6fa87d2", + "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6", "type": "github" }, "original": { @@ -335,11 +335,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1711832515, - "narHash": "sha256-RtO7XBMlXQDr31B26zDmCp9vQF1oIdnuFStRnqYj6cc=", + "lastModified": 1711972950, + "narHash": "sha256-WWtorZJ5wFhu5qRiVd1MkugwBSqLf+kktdCzwHAqgUQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9db82fb29eb1e7e07285580e61724601651ddbda", + "rev": "cb13a6d0ae81a8fecbc3eb198d6c2a08bd45d32f", "type": "github" }, "original": { @@ -410,11 +410,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1711809391, - "narHash": "sha256-/nGV6P8nB/R/ysbl1KQIKIwp1mQPXxtnoEd+pf3X+nw=", + "lastModified": 1711888895, + "narHash": "sha256-Hykv2DGC5EHzZ89+54w/zkit+CVGLRcdIgOWnB4zW5k=", "owner": "nix-community", "repo": "nixvim", - "rev": "0c16f59202c5062d12ef9cd4560cc9fca9d99f9a", + "rev": "db6b61f117c83943f15289ced03674f81d08256a", "type": "github" }, "original": { diff --git a/hosts/x86_64-linux/beleth/default.nix b/hosts/x86_64-linux/beleth/default.nix index 4511cdb..225a08d 100644 
--- a/hosts/x86_64-linux/beleth/default.nix +++ b/hosts/x86_64-linux/beleth/default.nix 
@@ -12,42 +12,61 @@ with lib; { ./jellyfin.nix ]; - services.nginx = { + # users.users.nginx.extraGroups = ["acme"]; + + # services.nginx = { + # enable = true; + # package = pkgs.nginxQuic; + # + # recommendedGzipSettings = true; + # recommendedOptimisation = true; + # recommendedProxySettings = true; + # recommendedTlsSettings = true; + # + # # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + # # sslProtocols = mkDefault "TLSv1.3"; + # + # clientMaxBodySize = mkDefault "128M"; + # commonHttpConfig = '' + # map $scheme $hsts_header { + # https "max-age=31536000; includeSubdomains; preload"; + # } + # add_header Strict-Transport-Security $hsts_header; + # add_header X-Content-Type-Options "nosniff" always; + # add_header X-XSS-Protection "1; mode=block" always; + # add_header X-Frame-Options "SAMEORIGIN" always; + # add_header Referrer-Policy "same-origin" always; + # ''; + # }; + # + # security.acme = { + # acceptTerms = true; + # defaults.email = "xqtc@tutanota.com"; + # defaults.keyType = "ec256"; + # # certs = { + # # # "heroin.trade" = {}; + # # "jellyfin.heroin.trade" = {}; + # # "grafana.heroin.trade" = {}; + # # }; + # }; + + services.caddy = { enable = true; - package = pkgs.nginxQuic; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - sslProtocols = mkDefault "TLSv1.3"; - # sslDhparam = config.security.dhparams.params.nginx.path; - - clientMaxBodySize = mkDefault "128M"; - commonHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; + email = "xqtc@tutanota.com"; + configFile = pkgs.writeText "Caddyfile" '' + heroin.trade { + root * /var/www/website/build/ + file_server + } + jellyfin.heroin.trade { + reverse_proxy http://127.0.0.1:8096 + } + grafana.heroin.trade { + reverse_proxy http://127.0.0.1:2342 } - add_header Strict-Transport-Security $hsts_header; - add_header 
X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header Referrer-Policy "same-origin" always; ''; }; - security.acme = { - acceptTerms = true; - defaults.email = "xqtc@tutanota.com"; - defaults.keyType = "ec256"; - certs = { - "jellyfin.heroin.trade" = {}; - "grafana.heroin.trade" = {}; - }; - }; - nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings = { diff --git a/hosts/x86_64-linux/beleth/jellyfin.nix b/hosts/x86_64-linux/beleth/jellyfin.nix index fefc23a..d956a45 100644 --- a/hosts/x86_64-linux/beleth/jellyfin.nix +++ b/hosts/x86_64-linux/beleth/jellyfin.nix @@ -38,36 +38,4 @@ in { services.jellyfin.enable = true; # services.jellyfin.openFirewall = true; services.jellyfin.user = "xqtc"; - services.nginx.virtualHosts."jellyfin.heroin.trade" = { - # addSSL = true; - # kTLS = true; - - forceSSL = true; - enableACME = true; - locations = { - # "= /".return = "302 https://$host/web/"; - "/" = { - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header X-Forwarded-Protocol $scheme; - # proxy_set_header X-Forwarded-Host $http_host; - # proxy_buffering on; - # ''; - proxyPass = "http://127.0.0.1:8096"; - proxyWebsockets = true; - }; - # "= /web/" = { - # proxyPass = "http://127.0.0.1:8096/web/index.html"; - # extraConfig = proxyConfig; - # }; - # "/socket" = { - # proxyPass = "http://127.0.0.1:8096"; - # proxyWebsockets = true; - # extraConfig = proxyConfig; - # }; - }; - }; } diff --git a/hosts/x86_64-linux/beleth/monitoring.nix b/hosts/x86_64-linux/beleth/monitoring.nix index 43ebc6b..520d4bd 100644 --- a/hosts/x86_64-linux/beleth/monitoring.nix +++ b/hosts/x86_64-linux/beleth/monitoring.nix 
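Review bot: The new Caddyfile carries none of the response headers the removed nginx `commonHttpConfig` set (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy); Caddy provisions HTTPS on its own but adds none of these by default, so all three sites regress to no HSTS. A `(security_headers)` snippet imported into each site block restores them; X-XSS-Protection can be left out, since current browsers ignore it. Two other nginx settings also disappear without a Caddy counterpart: the 128M `clientMaxBodySize` (Caddy's `request_body { max_size 128MB }` would be the equivalent) and the TLS 1.3-only `sslProtocols`, which I believe Caddy replaces with a TLS 1.2 minimum unless `tls { protocols tls1.3 }` is given. The forty-odd lines of commented-out nginx/ACME configuration should be deleted rather than kept, since history already holds them. The enclosing `with lib; {` attribute set begins before this hunk.
```nix
    configFile = pkgs.writeText "Caddyfile" ''
      (security_headers) {
        header {
          Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
          X-Content-Type-Options "nosniff"
          X-Frame-Options "SAMEORIGIN"
          Referrer-Policy "same-origin"
        }
      }
      heroin.trade {
        import security_headers
        root * /var/www/website/build/
        file_server
      }
      jellyfin.heroin.trade {
        import security_headers
        reverse_proxy http://127.0.0.1:8096
      }
      # … unchanged: grafana.heroin.trade site block (add the same import) …
    '';
```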
@@ -6,10 +6,9 @@ networking.firewall.allowedTCPPorts = [80 443 9001]; services.grafana = { enable = true; - settings.server = { - port = 2342; - addr = "127.0.0.1"; - }; + port = 2342; + addr = "127.0.0.1"; + domain = "grafan.heroin.trade"; }; services.prometheus = { @@ -33,16 +32,4 @@ } ]; }; - - services.nginx.virtualHosts."grafana.heroin.trade" = { - forceSSL = true; - enableACME = true; - locations."/" = { - extraConfig = '' - proxy_set_header Host $host; - ''; - proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; - proxyWebsockets = true; - }; - }; }
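Review bot: `domain = "grafan.heroin.trade";` on the new side is missing an `a`: the Caddy site block in default.nix proxies `grafana.heroin.trade`, so Grafana's root_url and the redirect and cookie values derived from it will name a host Caddy does not serve. Separately, the hunk moves `port`/`addr` out of `settings.server` into top-level `services.grafana` options, while the nginx line removed in the next hunk references `config.services.grafana.settings.server.http_port` — which suggests the structured keys (`http_port`, `http_addr`, `domain` under `settings.server`) are what this nixpkgs expects, and the top-level names are legacy aliases that may warn or fail to evaluate depending on the pinned revision. The old `settings.server.port`/`addr` keys were likely not Grafana's ini names either (grafana.ini uses `http_port`/`http_addr`), so the proxy to 2342 may never have matched a listener. I would write `settings.server = { http_port = 2342; http_addr = "127.0.0.1"; domain = "grafana.heroin.trade"; };` and drop the three top-level assignments. The enclosing attribute set starts before this hunk.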