strato-infra/nixos/machines/nginx/default.nix

{ config, pkgs, ... }:
let
# proxy: build a virtualHosts entry that terminates TLS at nginx and forwards
# every request under "/" to the upstream URL given as `path`.
#   path - handed to proxyPass unchanged. Every call in this file passes an
#          http:// URL, so the nginx -> backend hop itself carries no TLS.
# forceSSL redirects plain-HTTP requests to HTTPS; enableACME requests the
# certificate for the vhost.
proxy = path:
  let
    # Single catch-all location, with WebSocket upgrade support switched on.
    rootLocation = {
      proxyWebsockets = true;
      proxyPass = path;
    };
  in {
    enableACME = true;
    forceSSL = true;
    http2 = true;
    locations."/" = rootLocation;
  };
# bigProxy: same vhost shape as `proxy`, plus `client_max_body_size 0;` on "/",
# which switches off nginx's request-body size check for that location.
#   path - upstream URL handed to proxyPass unchanged.
# NOTE(review): with the check disabled nginx puts no cap on upload size for
# this vhost; any limit has to come from the backend or its storage quota.
# Confirm one exists before pointing further hosts at this helper.
bigProxy = path: {
  enableACME = true;
  forceSSL = true;
  http2 = true;
  locations = {
    "/" = {
      extraConfig = ''
        client_max_body_size 0;
      '';
      proxyWebsockets = true;
      proxyPass = path;
    };
  };
};
# redirect: vhost that serves no content of its own and sends every request
# to the hostname `dest` via globalRedirect.
#   dest - bare hostname (no scheme), as at the call sites in this file.
# The vhost still gets its own ACME certificate, so the redirect is also
# answered over HTTPS.
redirect = dest:
  let
    # TLS and HTTP/2 settings, same values as the proxy helpers use.
    tls = {
      enableACME = true;
      forceSSL = true;
      http2 = true;
    };
  in tls // { globalRedirect = dest; };
# k8sProxy: one shared vhost definition, built by `proxy`, for every hostname
# in this file that is forwarded to http://kubernetes.lxd:8080/.
# NOTE(review): all of those hostnames land on the same upstream port, so which
# site answers is decided behind nginx - presumably by Host header. Confirm the
# upstream rejects hostnames it does not know.
k8sProxy = proxy "http://kubernetes.lxd:8080/";
in {
# Host identity and packet filter for the nginx container.
imports = [ ../../common ../../common/lxc.nix ];
system.stateVersion = "21.11";
networking = {
  hostName = "nginx";
  firewall = {
    enable = true;
    # 80/443 carry the public HTTP(S) traffic. 9113 and 9117 are presumably the
    # nginx and nginxlog Prometheus exporters enabled in this file (their
    # NixOS default ports).
    # NOTE(review): allowedTCPPorts applies to every interface, so the metrics
    # ports are reachable from wherever 80/443 are unless something outside
    # this file filters them. If only the Prometheus host scrapes them,
    # restrict the two ports by interface or source address.
    allowedTCPPorts = [ 80 443 9113 9117 ];
  };
};
# Public reverse proxy: terminates TLS for every hostname below and forwards to
# the backends, using the proxy / bigProxy / redirect / k8sProxy helpers from
# the let block.
services.nginx = {
  enable = true;
  package = pkgs.nginxMainline;

  recommendedGzipSettings = true;
  recommendedOptimisation = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;

  # stub_status page; the NixOS module serves it to localhost only.
  statusPage = true;

  # Access-log layout. The nginxlog exporter configured in this file parses
  # the same layout, so the two must be changed together.
  # $http_x_forwarded_for, $http_referer and $http_user_agent are copied from
  # request headers, so anything reading this log must treat them as
  # client-controlled text.
  commonHttpConfig = ''
    log_format custom '$remote_addr - $remote_user [$time_local] '
    '"$host" "$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log custom;
  '';

  # NOTE(review): no entry sets `default = true`, so a request whose Host
  # header matches none of these names is answered by whichever server block
  # nginx picks as default. A dedicated catch-all vhost that refuses such
  # requests would make that explicit.
  # NOTE(review): forceSSL redirects plain HTTP, but nothing in this file sends
  # a Strict-Transport-Security header; check whether ../../common adds one.
  virtualHosts = {
    # Static landing page served from /etc/main.
    "asraphiel.dev" = {
      enableACME = true;
      forceSSL = true;
      http2 = true;
      root = "/etc/main";
    };

    # Hostnames forwarded to kubernetes.lxd:8080.
    "auth.asraphiel.dev" = k8sProxy;
    "drone.asraphiel.dev" = k8sProxy;
    "cdn.asraphiel.dev" = k8sProxy;
    "ikaros.asraphiel.dev" = k8sProxy;
    "whoami.asraphiel.dev" = k8sProxy;
    "groenehartansichtkaarten.nl" = k8sProxy;
    "ansichtkaarten.asraphiel.dev" = k8sProxy;
    "galerievanslagmaat.nl" = k8sProxy;
    "galerie.asraphiel.dev" = k8sProxy;
    "staging.galerievanslagmaat.nl" = k8sProxy;
    "galerie-staging.asraphiel.dev" = k8sProxy;

    # Hostnames forwarded to a dedicated backend over plain HTTP.
    # NOTE(review): vault, vaultwarden, registry and both minio endpoints are
    # published with the same generic proxy as everything else, so nginx adds
    # no source restriction or rate limit in front of them and access control
    # is whatever each backend enforces. Confirm each one is meant to be
    # reachable from the public listener.
    "git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
    "vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";
    "s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
    "shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
    # NOTE(review): registry uses `proxy`, not `bigProxy`, so the default
    # request-body limit applies to uploads - verify that is intended.
    "registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
    "vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
    "stats.asraphiel.dev" = proxy "http://grafana.lxd:2345/";

    # Hostnames that only redirect to another hostname.
    "cdn.voidcorp.nl" = redirect "s3.asraphiel.dev";
    "analytics.asraphiel.dev" = redirect "ikaros.asraphiel.dev";
    "www.galerievanslagmaat.nl" = redirect "galerievanslagmaat.nl";
  };
};
# Prometheus exporters for this host: the nginx exporter and the nginxlog
# exporter, which derives metrics from /var/log/nginx/access.log.
services.prometheus.exporters = {
  nginx.enable = true;

  nginxlog = {
    enable = true;
    # Run as nginx's own user - presumably so the exporter can read the
    # access log.
    user = config.services.nginx.user;

    settings = {
      consul.enable = false;
      namespaces = [
        {
          name = "asraphiel";
          # Must stay identical to the `custom` log_format in
          # services.nginx.commonHttpConfig, or parsing fails.
          format = ''
            $remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';
          source.files = [ "/var/log/nginx/access.log" ];
          # Copies the remote_addr and host log fields onto metric labels.
          # NOTE(review): every distinct client address (and every distinct
          # Host value nginx logs) becomes its own label value, so series
          # count grows with traffic and can be inflated by a client. The
          # metrics endpoint then also lists visitor IP addresses to anyone
          # who can reach the exporter port, which the firewall rule in this
          # file opens. Consider dropping the remote_addr label or limiting
          # who can scrape.
          relabel_configs = [
            {
              from = "remote_addr";
              target_label = "remote_addr";
            }
            {
              from = "host";
              target_label = "host";
            }
          ];
        }
      ];
    };
  };
};
# ACME account settings used by every vhost that sets enableACME.
security.acme = {
  acceptTerms = true;
  defaults.email = "acme@voidcorp.nl";
};

# Installs ./index.html as /etc/main/index.html; /etc/main is the document
# root of the "asraphiel.dev" vhost.
environment.etc."main/index.html" = {
  source = ./index.html;
  enable = true;
};
}