From c0b743a65b7f5c51afc017e74eafc2c1a0d35138 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Fri, 7 Oct 2022 22:19:58 +0200
Subject: [PATCH] fuuko: Configure to work on-demand
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is so I can only enable it when I don’t mind it generating tons of noise.
---
 machines/fuuko/configuration.nix | 5 -----
 machines/fuuko/hardware-configuration.nix | 4 ++++
 machines/fuuko/services/media.nix | 3 ---
 machines/fuuko/services/torrent.nix | 5 +++++
 machines/renge/services/prometheus.nix | 2 +-
 machines/vueko/configuration.nix | 1 +
 machines/vueko/services/fuuko-proxy.nix | 18 ++++++++++++++++++
 machines/vueko/services/media.nix | 18 +-----------------
 modules/qbittorrent/default.nix | 4 ++--
 9 files changed, 32 insertions(+), 28 deletions(-)
 create mode 100644 machines/vueko/services/fuuko-proxy.nix

diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
index 0d9f97a..3402be5 100644
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@@ -36,11 +36,6 @@
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
-
- virtualHosts."fuuko.home.sbruder.de" = {
- enableACME = true;
- forceSSL = true;
- };
 };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
diff --git a/machines/fuuko/hardware-configuration.nix b/machines/fuuko/hardware-configuration.nix
index fa7f285..ac2f1ef 100644
--- a/machines/fuuko/hardware-configuration.nix
+++ b/machines/fuuko/hardware-configuration.nix
@@ -76,4 +76,8 @@
 useDHCP = false;
 interfaces.enp8s0.useDHCP = true;
 };
+
+ services.logind.extraConfig = ''
+ HandlePowerKey=suspend
+ '';
 }
diff --git a/machines/fuuko/services/media.nix b/machines/fuuko/services/media.nix
index d5b8ea6..9ed214c 100644
--- a/machines/fuuko/services/media.nix
+++ b/machines/fuuko/services/media.nix
@@ -4,9 +4,6 @@ sops.secrets.media-htpasswd.owner = "nginx"; services.nginx.virtualHosts."media.sbruder.de" = { - enableACME = true; - forceSSL = true; - basicAuthFile = config.sops.secrets.media-htpasswd.path; root = "/data/media/"; diff --git a/machines/fuuko/services/torrent.nix b/machines/fuuko/services/torrent.nix index d967b04..280f278 100644 --- a/machines/fuuko/services/torrent.nix +++ b/machines/fuuko/services/torrent.nix @@ -4,4 +4,9 @@ downloadDir = "/data/torrent"; fqdn = "torrent.sbruder.de"; }; + + services.nginx.virtualHosts."torrent.sbruder.de" = { + enableACME = false; + forceSSL = false; + }; } diff --git a/machines/renge/services/prometheus.nix b/machines/renge/services/prometheus.nix index 1f3dca1..d3479c4 100644 --- a/machines/renge/services/prometheus.nix +++ b/machines/renge/services/prometheus.nix @@ -115,7 +115,7 @@ in rules = map mkAlert [ { name = "InstanceDown"; - expr = ''up{instance!~"(nunotaba|sayuri|mayushii).vpn.sbruder.de:.*"} == 0''; + expr = ''up{instance!~"(nunotaba|sayuri|mayushii|fuuko).vpn.sbruder.de:.*"} == 0''; description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for more than 1 minutes."; } { diff --git a/machines/vueko/configuration.nix b/machines/vueko/configuration.nix index 3c98abf..9fda7c3 100644 --- a/machines/vueko/configuration.nix +++ b/machines/vueko/configuration.nix @@ -5,6 +5,7 @@ ./hardware-configuration.nix ../../modules + ./services/fuuko-proxy.nix ./services/media.nix ./services/restic.nix ]; diff --git a/machines/vueko/services/fuuko-proxy.nix b/machines/vueko/services/fuuko-proxy.nix new file mode 100644 index 0000000..1f837e8 --- /dev/null +++ b/machines/vueko/services/fuuko-proxy.nix 
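Review bot: In machines/fuuko/services/torrent.nix the override `enableACME = false; forceSSL = false;` leaves the qBittorrent vhost, whose only visible protection is the module's `basicAuthFile`, answering over plain HTTP. The same holds for `media.sbruder.de` in machines/fuuko/services/media.nix, where this commit drops both options. The configuration.nix hunk still shows `networking.firewall.allowedTCPPorts = [ 80 443 ];` on fuuko, so unless something outside this patch limits those ports to the VPN interface, the credentials can be sent in cleartext from any network that reaches the host. Since only vueko is meant to connect, consider pinning both vhosts to the VPN address, e.g. `listenAddresses = [ "<fuuko VPN address>" ];`, or opening port 80 only on the VPN interface.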
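Review bot: The exclusion list in the `InstanceDown` expression in machines/renge/services/prometheus.nix carries no comment saying why these hosts are exempt, and with fuuko added an unplanned outage of that machine no longer raises an alert. A short comment above `expr`, such as `# hosts that are only powered on demand; being down is expected`, would record the intent (presumably that is the reason for the other three as well). Separately, the dots in `.vpn.sbruder.de` are unescaped, so they match any character; writing them as `\\.` would make the match exact.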
@@ -0,0 +1,18 @@ +{ lib, ... }: + +{ + services.nginx.virtualHosts = builtins.listToAttrs (map + (fqdn: lib.nameValuePair fqdn { + enableACME = true; + forceSSL = true; + + locations."/".extraConfig = '' + proxy_pass http://fuuko.vpn.sbruder.de/; + proxy_set_header Host ${fqdn}; + ''; + }) + [ + "media.sbruder.de" + "torrent.sbruder.de" + ]); +} diff --git a/machines/vueko/services/media.nix b/machines/vueko/services/media.nix index b4dab89..e0f5a87 100644 --- a/machines/vueko/services/media.nix +++ b/machines/vueko/services/media.nix @@ -3,7 +3,6 @@ { sops.secrets = { media-htpasswd.owner = "nginx"; - media-proxy-auth.owner = "nginx"; media-sb-proxy-auth = { owner = "nginx"; sopsFile = ../secrets.yaml; @@ -17,27 +16,12 @@ basicAuthFile = config.sops.secrets.media-htpasswd.path; locations = { - "/" = { - extraConfig = '' - rewrite ^(.*/)$ /__regular$1 last; - rewrite ^(.*\\.[^/]*)$ /__storagebox$1 last; - ''; - }; "/__nginx-interactive-index-assets__/".alias = "${builtins.filterSource (path: type: baseNameOf path != "default.nix") ../../../modules/nginx-interactive-index}/"; - "/__regular/" = { + "/" = { extraConfig = '' - internal; - proxy_pass https://media.sbruder.de/; - include ${config.sops.secrets.media-proxy-auth.path}; - proxy_buffering off; - ''; - }; - "/__storagebox/" = { - extraConfig = '' - internal; proxy_pass https://u313368-sub3.your-storagebox.de/; proxy_set_header Host u313368-sub3.your-storagebox.de; include ${config.sops.secrets.media-sb-proxy-auth.path}; diff --git a/modules/qbittorrent/default.nix b/modules/qbittorrent/default.nix index e45230e..ad41ba2 100644 --- a/modules/qbittorrent/default.nix +++ b/modules/qbittorrent/default.nix @@ -156,8 +156,8 @@ in }; services.nginx.virtualHosts."${cfg.fqdn}" = { - enableACME = true; - forceSSL = true; + enableACME = lib.mkDefault true; + forceSSL = lib.mkDefault true; # treated as state basicAuthFile = "${cfg.homeDir}/htpasswd";
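Review bot: The `proxy_set_header Host ${fqdn};` line in `locations."/".extraConfig` of machines/vueko/services/fuuko-proxy.nix is the only header directive in that location, and nginx inherits `proxy_set_header` from outer levels only when the current level defines none. Any forwarded-client headers configured at the http level on vueko (not visible here) are therefore not sent, so fuuko receives no client address and its logs and any rate limiting of failed basic-auth attempts can only see vueko's VPN address. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to the Host line would keep that information. The upstream is plain `http://`, so confidentiality of the forwarded credentials rests entirely on the VPN link.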
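Review bot: Wrapping `enableACME` and `forceSSL` in `lib.mkDefault` in modules/qbittorrent/default.nix lets any machine switch TLS off for a vhost whose visible protection is `basicAuthFile`, and nothing in the module says when that is acceptable. A comment above the two lines would help, for example `# mkDefault: override only when a TLS-terminating proxy fronts this vhost`. The vhost block continues past the end of the hunk.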