diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 9d30fb4..3e91234 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -5,6 +5,7 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/nginx.nix
+ ./nginx.nix
 ../../services/postgres.nix
 ../../services/synapse.nix
 ../../services/draupnir.nix
diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix
new file mode 100644
index 0000000..183b249
--- /dev/null
+++ b/hosts/matrix/nginx.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+ services.nginx.virtualHosts."matrix.${config.networking.domain}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+ "/".return = "418 \"🫖\"";
+ "~ ^(/_matrix|/_synapse/client)" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://[::1]:8008";
+ extraConfig = ''
+ client_max_body_size 64M;
+ proxy_set_header X-Request-ID $request_id;
+ proxy_http_version 1.1;
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index 9c7bc32..d9ddd6c 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -4,7 +4,10 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
- ../../services/hedgedoc.nix
+ ./hedgedoc.nix
+ ../../services/nginx.nix
+ ./nginx
+ ./postgres.nix
 ];
 
 networking = {
diff --git a/hosts/md/hedgedoc.nix b/hosts/md/hedgedoc.nix
new file mode 100644
index 0000000..4d54cc6
--- /dev/null
+++ b/hosts/md/hedgedoc.nix
@@ -0,0 +1,20 @@
+{ config, ... }:
+
+{
+ services.hedgedoc = {
+ enable = true;
+ settings = {
+ domain = "${config.networking.hostName}.${config.networking.domain}";
+ #environmentFile = config.age.secrets.hedgedoc_settings.path;
+ protocolUseSSL = true;
+ db = {
+ dialect = "postgresql";
+ host = "/run/postgresql";
+ username = "hedgedoc";
+ database = "hedgedoc";
+ };
+ enableStatsApi = true;
+ };
+ };
+}
+
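Review bot: The new import `./nginx` in hosts/md/default.nix has no `.nix` suffix, while the file this commit adds next to it is hosts/md/nginx.nix; Nix resolves `./nginx` as that bare path (or `nginx/default.nix` if it is a directory), so evaluation of the md host fails unless such a path exists outside this diff. The line should read `./nginx.nix`, matching `./hedgedoc.nix` and `./postgres.nix` in the same list.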
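Review bot: `services.hedgedoc.settings.domain` in hosts/md/hedgedoc.nix is now derived as `${config.networking.hostName}.${config.networking.domain}`, whereas the deleted services/hedgedoc.nix pinned it to `hedgedoc.berlin.ccc.de`; unless networking.hostName for this host is `hedgedoc` (not visible in this diff), the public name the ACME certificate and existing links rely on changes silently. If the rename is intended, a comment such as `# public name follows the host's FQDN; was hedgedoc.berlin.ccc.de before the per-host split` makes it deliberate; otherwise keep the old value. The `#environmentFile` line stays commented out, as it was in the removed file, so no age secret is passed to the service.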
diff --git a/hosts/md/nginx.nix b/hosts/md/nginx.nix
new file mode 100644
index 0000000..dd7e9a9
--- /dev/null
+++ b/hosts/md/nginx.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+
+let
+ cfg = config.services.hedgedoc.settings;
+in
+{
+ nginx.virtualHosts."${fqdn}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ recommendedProxySettings = true;
+ };
+ "/socket.io/" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "/metrics" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ recommendedProxySettings = true;
+ #allow 195.160.173.255;
+ #allow 2001:678:760:cccb::ffff;
+ #deny all;
+ };
+ "/status" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ recommendedProxySettings = true;
+ #allow 195.160.173.255;
+ #allow 2001:678:760:cccb::ffff;
+ #deny all;
+ };
+ };
+ };
+}
+
diff --git a/hosts/md/postgres.nix b/hosts/md/postgres.nix
new file mode 100644
index 0000000..ec1adcc
--- /dev/null
+++ b/hosts/md/postgres.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+ services = {
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_18;
+ enableJIT = true;
+ initdbArgs = [
+ "--locale=C"
+ "--encoding=UTF8"
+ ];
+ ensureUsers = [{ name = cfg.db.username; ensureDBOwnership = true; }];
+ ensureDatabases = [ cfg.db.database ];
+ };
+ postgresqlBackup = {
+ enable = true;
+ startAt = "*-*-* 09:00:00";
+ compression = "zstd";
+ };
+ };
+}
+
diff --git a/hosts/www/default.nix b/hosts/www/default.nix
new file mode 100644
index 0000000..342b7fa
--- /dev/null
+++ b/hosts/www/default.nix
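Review bot: `nginx.virtualHosts."${fqdn}"` in hosts/md/nginx.nix references `fqdn`, which this file's `let` does not bind (only `cfg` is), and the attribute sits at the top level of the module instead of under `services`, so the module fails to evaluate on the undefined variable and would otherwise be rejected as an unknown option. The line should be `services.nginx.virtualHosts."${cfg.domain}" = {`, reusing the domain that hosts/md/hedgedoc.nix sets on the same settings attrset. Separately, `/metrics` and `/status` are proxied with the `#allow …`/`#deny all;` lines still commented out (carried over from the deleted file), so both endpoints are reachable by any client; if the restriction is wanted, put those directives in an `extraConfig = '' … '';` block for each location rather than leaving them as Nix comments.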
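Review bot: hosts/md/postgres.nix uses `cfg.db.username` and `cfg.db.database` in `ensureUsers`/`ensureDatabases`, but `cfg` is never bound in this file — the deleted services/hedgedoc.nix defined it in a `let`, and the new file only takes `{ config, pkgs, ... }`. Add `let cfg = config.services.hedgedoc.settings; in` before the module body (or reference `config.services.hedgedoc.settings.db.username` directly) so the file evaluates.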
@@ -0,0 +1,34 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../../services/openssh.nix
+ ../../services/nginx.nix
+ ];
+
+ networking = {
+ hostName = "www";
+ firewall = {
+ allowedTCPPorts = [
+ 80 # HTTP/1
+ 443 # HTTP/2
+ ];
+ allowedUDPPorts = [
+ 443 # HTTP/3
+ ];
+ };
+ };
+
+ services = {
+ openssh.banner = ''
+ __ __ __ __ __ __ __ __ __
+ /\ \/\ \/\ \/\ \/\ \/\ \/\ \/\ \/\ \
+ \ \ \_/ \_/ \ \ \_/ \_/ \ \ \_/ \_/ \
+ \ \___x___/'\ \___x___/'\ \___x___/'
+ \/__//__/ \/__//__/ \/__//__/
+ '';
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/www/nginx.nix b/hosts/www/nginx.nix
new file mode 100644
index 0000000..bf532f7
--- /dev/null
+++ b/hosts/www/nginx.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+
+let
+ # TODO: mkVHost
+in
+{
+ services.nginx.virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
+ default = true;
+ serverAliases = [${config.networking.domain}];
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/http/www";
+ index = "index.html";
+ locations."/" = {
+ try_files = "$uri $uri/ $uri.html =404";
+ };
+ };
+}
+
diff --git a/services/hedgedoc.nix b/services/hedgedoc.nix
deleted file mode 100644
index 9650ced..0000000
--- a/services/hedgedoc.nix
+++ /dev/null
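Review bot: hosts/www/default.nix imports `../../services/nginx.nix` but not the `./nginx.nix` this commit adds beside it, so the www virtual host is never part of that host's configuration unless it is imported somewhere outside this diff. Add `./nginx.nix` to the `imports` list, as hosts/matrix/default.nix does in this same commit.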
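Review bot: `serverAliases = [${config.networking.domain}];` in hosts/www/nginx.nix is a parse error: `${…}` interpolation is only valid inside strings or attribute names, not as a bare list element. Write `serverAliases = [ config.networking.domain ];`. The `let # TODO: mkVHost in` binds nothing (an empty `let … in` evaluates but adds no names); dropping it until the helper exists, or keeping the TODO as a plain comment above the module body, reads cleaner.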
@@ -1,89 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- fqdn = "hedgedoc.berlin.ccc.de";
- cfg = config.services.hedgedoc.settings;
-in
-{
- services = {
- hedgedoc = {
- enable = true;
- settings = {
- domain = fqdn;
- #environmentFile = config.age.secrets.hedgedoc_settings.path;
- protocolUseSSL = true;
- db = {
- dialect = "postgresql";
- host = "/run/postgresql";
- username = "hedgedoc";
- database = "hedgedoc";
- };
- enableStatsApi = true;
- };
- };
- nginx = {
- enable = true;
- resolver.addresses = [
- "[2606:4700:4700::1111]"
- "[2620:fe::fe]"
- "1.1.1.1"
- "9.9.9.9"
- ];
- statusPage = true; # http://127.0.0.1/nginx_status
- sslProtocols = "TLSv1.3";
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedBrotliSettings = true;
- virtualHosts."${fqdn}" = {
- default = true;
- quic = true;
- kTLS = true;
- forceSSL = true;
- enableACME = true;
- locations = {
- "/" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- };
- "/socket.io/" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- };
- "/metrics" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- #allow 195.160.173.255;
- #allow 2001:678:760:cccb::ffff;
- #deny all;
- };
- "/status" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- #allow 195.160.173.255;
- #allow 2001:678:760:cccb::ffff;
- #deny all;
- };
- };
- };
- };
- postgresql = {
- enable = true;
- package = pkgs.postgresql_18;
- enableJIT = true;
- initdbArgs = [
- "--locale=C"
- "--encoding=UTF8"
- ];
- ensureUsers = [{ name = cfg.db.username; ensureDBOwnership = true; }];
- ensureDatabases = [ cfg.db.database ];
- };
- postgresqlBackup = {
- enable = true;
- startAt = "*-*-* 09:00:00";
- compression = "zstd";
- };
- };
-}
-
diff --git a/services/nginx.nix b/services/nginx.nix
index eff02e6..21b7e66 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,8 +1,5 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 
-let
- fqdn = "matrix.berlin.ccc.de";
-in
 {
 
 users.users.nginx.extraGroups = [ "acme" ];
@@ -20,25 +17,5 @@ in
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
 recommendedBrotliSettings = true;
- virtualHosts."${fqdn}" = {
- default = true;
- quic = true;
- kTLS = true;
- forceSSL = true;
- enableACME = true;
- locations = {
- #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
- "/".return = "418 \"🫖\"";
- "~ ^(/_matrix|/_synapse/client)" = {
- recommendedProxySettings = true;
- proxyPass = "http://[::1]:8008";
- extraConfig = ''
- client_max_body_size 64M;
- proxy_set_header X-Request-ID $request_id;
- proxy_http_version 1.1;
- '';
- };
- };
- };
 };
 }