fuuko: Configure to work on-demand

This is so I can only enable it when I don’t mind it generating tons of
noise.
Simon Bruder 2022-10-07 22:19:58 +02:00
parent aa279c8bea
commit c0b743a65b
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
9 changed files with 32 additions and 28 deletions


@ -36,11 +36,6 @@
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."fuuko.home.sbruder.de" = {
enableACME = true;
forceSSL = true;
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
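Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` stays open on every interface, although after this commit the vhosts on this host appear to be reached only through the proxy hop `proxy_pass http://fuuko.vpn.sbruder.de/;` added in the new proxy file. The torrent vhost is switched to `forceSSL = false` in another section and is protected by `basicAuthFile`, so any client that can reach port 80 directly, for example from the LAN, would send its basic-auth credentials in cleartext. If the VPN is the only intended path, scope the rule to it with `networking.firewall.interfaces.<vpn-interface>.allowedTCPPorts = [ 80 ];` (interface name is a placeholder) and drop the global entry. The attribute set around these lines starts outside the hunk.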


@ -76,4 +76,8 @@
useDHCP = false;
interfaces.enp8s0.useDHCP = true;
};
services.logind.extraConfig = ''
HandlePowerKey=suspend
'';
}


@ -4,9 +4,6 @@
sops.secrets.media-htpasswd.owner = "nginx";
services.nginx.virtualHosts."media.sbruder.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.media-htpasswd.path;
root = "/data/media/";


@ -4,4 +4,9 @@
downloadDir = "/data/torrent";
fqdn = "torrent.sbruder.de";
};
services.nginx.virtualHosts."torrent.sbruder.de" = {
enableACME = false;
forceSSL = false;
};
}


@ -115,7 +115,7 @@ in
rules = map mkAlert [
{
name = "InstanceDown";
expr = ''up{instance!~"(nunotaba|sayuri|mayushii).vpn.sbruder.de:.*"} == 0'';
expr = ''up{instance!~"(nunotaba|sayuri|mayushii|fuuko).vpn.sbruder.de:.*"} == 0'';
description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for more than 1 minutes.";
}
{
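Review bot: Adding `fuuko` to the `instance!~` exclusion removes the host from `InstanceDown` altogether, so a crash or unplanned outage while the machine is meant to be up goes unalerted as well. If that trade-off is intended, record it next to the rule, e.g. `# on-demand hosts are excluded: they are expected to be down most of the time`. The dots in `.vpn.sbruder.de` are unescaped and match any character; writing them as `\\.` would make the exclusion exact. The rule list continues outside the hunk, so whether other alerts fire on fuuko's missing series cannot be judged from here.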


@ -5,6 +5,7 @@
./hardware-configuration.nix
../../modules
./services/fuuko-proxy.nix
./services/media.nix
./services/restic.nix
];


@ -0,0 +1,18 @@
{ lib, ... }:
{
services.nginx.virtualHosts = builtins.listToAttrs (map
(fqdn: lib.nameValuePair fqdn {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://fuuko.vpn.sbruder.de/;
proxy_set_header Host ${fqdn};
'';
})
[
"media.sbruder.de"
"torrent.sbruder.de"
]);
}
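Review bot: The `locations."/".extraConfig` block forwards only `Host`, so the backend sees every request as coming from the proxy's VPN address. That makes its access logs, and any per-client limiting on the basic-auth vhosts, useless for attributing failed logins. Because `proxy_pass` is written in `extraConfig` rather than through the `proxyPass` option, the NixOS module's recommended proxy headers are presumably not included here even if `recommendedProxySettings` is enabled on this host (not visible in this section). Either use `locations."/".proxyPass = "http://fuuko.vpn.sbruder.de/";` or add `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to the block. A comment noting that the upstream is plain HTTP and relies on the VPN for transport protection would also help the next reader.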


@ -3,7 +3,6 @@
{
sops.secrets = {
media-htpasswd.owner = "nginx";
media-proxy-auth.owner = "nginx";
media-sb-proxy-auth = {
owner = "nginx";
sopsFile = ../secrets.yaml;
@ -17,27 +16,12 @@
basicAuthFile = config.sops.secrets.media-htpasswd.path;
locations = {
"/" = {
extraConfig = ''
rewrite ^(.*/)$ /__regular$1 last;
rewrite ^(.*\\.[^/]*)$ /__storagebox$1 last;
'';
};
"/__nginx-interactive-index-assets__/".alias = "${builtins.filterSource
(path: type: baseNameOf path != "default.nix")
../../../modules/nginx-interactive-index}/";
"/__regular/" = {
"/" = {
extraConfig = ''
internal;
proxy_pass https://media.sbruder.de/;
include ${config.sops.secrets.media-proxy-auth.path};
proxy_buffering off;
'';
};
"/__storagebox/" = {
extraConfig = ''
internal;
proxy_pass https://u313368-sub3.your-storagebox.de/;
proxy_set_header Host u313368-sub3.your-storagebox.de;
include ${config.sops.secrets.media-sb-proxy-auth.path};


@ -156,8 +156,8 @@ in
};
services.nginx.virtualHosts."${cfg.fqdn}" = {
enableACME = true;
forceSSL = true;
enableACME = lib.mkDefault true;
forceSSL = lib.mkDefault true;
# treated as state
basicAuthFile = "${cfg.homeDir}/htpasswd";