xengi/infra
0
1
Fork 0
Code Pull requests Activity Actions

migrate www config

Browse source
This commit is contained in:
XenGi 2026-02-13 21:50:26 +01:00
parent 3f072e5ecf
commit bfd37e1389
Signed by: xengi
SSH key fingerprint: SHA256:jxWM2RTHvxxcncXycwwWkP7HCWb4VREN05UGJTbIPZg
5 changed files with 99 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

12
flake.nix
View file

@ -108,6 +108,18 @@
#pkgs = import nixpkgs { inherit system; }; #pkgs = import nixpkgs { inherit system; };
inherit system; inherit system;
modules = [ modules = [
agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
{
age.secrets = {
www-staging-htpasswd = {
file = ./secrets/www-staging-htpasswd.age;
owner = "nginx";
group = "nginx";
mode = "0440";
};
};
}
./hosts/www ./hosts/www
]; ];
}; };

77
hosts/www/nginx.nix
View file

@ -4,17 +4,72 @@ let
# TODO: mkVHost # TODO: mkVHost
in in
{ {
services.nginx.virtualHosts."www.${config.networking.domain}" = { services.nginx.virtualHosts = {
default = true; "www.${config.networking.domain}" = {
serverAliases = [config.networking.domain]; default = true;
quic = true; serverAliases = [config.networking.domain];
kTLS = true; quic = true;
forceSSL = true; kTLS = true;
enableACME = true; forceSSL = true;
locations."/" = { enableACME = true;
root = "/srv/http/www"; extraConfig = ''
index = "index.html"; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
tryFiles = "$uri $uri/ $uri.html =404"; add_header Strict-Transport-Security max-age=15768000;
'';
locations = {
"/" = {
root = "/srv/http/www";
index = "index.html";
tryFiles = "$uri $uri/ $uri.html =404";
};
# RFC8805
"/noc" = {
root = "/srv/http/noc";
};
# RFC8805 new location
".well-known/loc" = {
root = "/srv/http/noc";
};
"/twentyyears" = {
alias = "/srv/http/twentyyears";
};
"/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\":{\"base_url\":\"https://matrix.berlin.ccc.de\"}}'";
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
default_type application/json;
'';
};
"/.well-known/matrix/server" = {
return = "200 '{\"m.server\":\"matrix.berlin.ccc.de:443\"}'";
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
default_type application/json;
'';
};
"~ ^/~(.+?)$" = {
alias = "/srv/http/homes/$1";
extraConfig = ''
autoindex on;
'';
};
};
};
"staging.${config.networking.domain}" = {
default = true;
quic = true;
kTLS = true;
forceSSL = true;
enableACME = true;
locations."/" = {
basicAuthFile = config.age.secrets.www-staging-htpasswd.path;
extraConfig = ''
auth_basic "Restricted Content";
'';
root = "/srv/http/www-staging";
index = "index.html";
tryFiles = "$uri $uri/ $uri.html =404";
};
}; };
}; };
} }

2
hosts/www/openssh.nix
View file

@ -11,7 +11,9 @@
pkgs.rsync pkgs.rsync
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"command='rsync --server --daemon . /srv/http/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUVX7gs6mqubYsJhi65gvWq4rvA2CtZJFneVRKQHIBs root@www.berlin.ccc.de"
"command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www" "command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www"
"command='rsync --server --daemon . /srv/http/www-staging/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www"
]; ];
#extraGroups = ["nginx"]; #extraGroups = ["nginx"];
}; };

2
secrets/secrets.nix
View file

@ -17,6 +17,7 @@ let
_matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
_md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md"; _md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md";
_sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql"; _sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql";
_www = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4TJCMuJZn03soKuxxv6ywFKiXfhLf9Ab03fbMqNaBJ root@www";
in in
{ {
"matrix_admin_password.age".publicKeys = users; "matrix_admin_password.age".publicKeys = users;
@ -29,5 +30,6 @@ in
"grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
"postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
"postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
"www-staging-htpasswd.age".publicKeys = users ++ [ _www ];
} }

17
secrets/www-staging-htpasswd.age Normal file
View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 uH+n1w Ar9bAfSRPMAeuc4p+b8cCL37M6SAsKwlzb4fHKHQXmo
RONTu2g+yMucqJSNZFbu0H4ZPy0eFzrTKk4SEr89KJA
-> ssh-ed25519 EvLbWw D7r46PZVYRk4uayNRpVSREqeqthRt6cLQCAQZxX07zY
de/675k60YL09QzxYHPaWXTTKubU9HWVtepd+RxdbCU
-> ssh-ed25519 dM+fLQ mCg1Amjge6dXCLtRXG4YpXAYxgmPm7IfI5FFpCxxvFs
rPW4AnuX0cnzwDeg6LAuVYtL3SoTa5iekfduZf7x0K8
-> ssh-ed25519 jxWM2Q l4phZDe2q+W+50Yq112miS0CWV15islvyNcCMiMvdgA
zuHU+P2E8ZD5mks/OywGOggVfTuVwWJxCsdUdrFJ7WA
-> ssh-ed25519 /yCUCg dMyt09SuN7DJnThADJvCD6nUeTkja7U92VcWTM/YsBo
usI3AcP5YASWJvYRueoKfu7FAdK5wp+8sxVvbGWU3bE
-> ssh-ed25519 FGp51g oFgvDFMXOFH+W6+YXgn1UTomBdmUg5fBgvsKbU5S0k8
eq0l/Gtb0bHxUKeIw7cA/vCiqt/YFmJh2yzwWfh05VI
-> ssh-ed25519 Iapucg DeK9BiclurPDW3ZVfFW1TCNWA5U6mS1dauuSlHMT3i0
DtmHxzkTgkQb2K8pBq3sR1HIt6X1s7f7ZiWYf699Qxc
--- kob1NwoFTUA8433K4eXTmgWzgStvrfsGUi9mUd5qy9s
†Ð1¸PÌôŸ{è&SIúxuöÑC<C391>ïïN·¼QQJ/ÑÚï`X@ÏǼÝgÊ”Ï.Šìäæs8æC…¢À>ˆ-5ï±ß<C2B1>º