From 5f7cb338674063f93b174970a5e81f9b53e35ef1 Mon Sep 17 00:00:00 2001
From: glenn
Date: Tue, 14 Jan 2025 15:17:47 +0100
Subject: [PATCH] defer tls/ssl to hyperserver
---
 ai.nix | 2 --
 audiobooks.nix | 13 +++----------
 coturn.nix | 22 ++++++++++------------
 dufs.nix | 2 --
 ebooks.nix | 2 --
 filebrowser.nix | 2 --
 forgejo.nix | 2 --
 homepage.nix | 2 --
 jellyfin.nix | 15 ++++-----------
 matrix.nix | 45 ++++++++++++++++++++-------------------------
 nextcloud.nix | 23 +++++++++++++----------
 vaultwarden.nix | 2 --
 12 files changed, 50 insertions(+), 82 deletions(-)
diff --git a/ai.nix b/ai.nix
index 71b86e9..69a09c5 100644
--- a/ai.nix
+++ b/ai.nix
@@ -9,8 +9,6 @@ in {
 services.nginx.virtualHosts = {
 ${domain} = {
- forceSSL = true;
- enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:9876/";
 proxyWebsockets = true;
diff --git a/audiobooks.nix b/audiobooks.nix
index 52be9c2..468aa1e 100644
--- a/audiobooks.nix
+++ b/audiobooks.nix
@@ -1,19 +1,13 @@
-{ ... }:
-
-let
+{...}: let
 domain = "books.sondell.org";
-in
-{
- #
+in {
+ #
 services.audiobookshelf = {
 enable = true;
 port = 8000;
 };
-
 services.nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
 default = true;
 locations."/" = {
 proxyPass = "http://localhost:8000/";
@@ -21,4 +15,3 @@ in
 };
 };
 }
-
diff --git a/coturn.nix b/coturn.nix
index 40978ac..1ffdb05 100644
--- a/coturn.nix
+++ b/coturn.nix
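Review bot: With `forceSSL`/`enableACME` gone, the `${domain}` vhost is a plain-HTTP listener with no redirect and no HSTS, and nothing in this patch restricts who can reach port 80 on this host to the TLS-terminating hyperserver, so if the port is reachable from anywhere else the proxied application traffic, logins included, crosses the network in cleartext. The identical removals in audiobooks.nix, dufs.nix, ebooks.nix, filebrowser.nix, forgejo.nix, homepage.nix, jellyfin.nix and vaultwarden.nix have the same exposure. I would bind each vhost to the proxy-facing address, e.g. `listenAddresses = [ "<proxy-facing address>" ];`, or add a `networking.firewall` rule (the only firewall block in the patch, in coturn.nix, does not cover port 80), and record the intent with `# TLS is terminated by hyperserver; this listener must only be reachable from it`. If `services.nginx.recommendedProxySettings` is enabled (not visible here), it sets `X-Forwarded-Proto $scheme`, which is now `http`, so the backends no longer learn the external scheme unless that header is preserved from the proxy.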
@@ -44,23 +44,22 @@
 # open the firewall
 networking.firewall = {
 interfaces.enp2s0 = let
- range = with config.services.coturn; [ {
- from = min-port;
- to = max-port;
- } ];
- in
- {
+ range = with config.services.coturn; [
+ {
+ from = min-port;
+ to = max-port;
+ }
+ ];
+ in {
 allowedUDPPortRanges = range;
- allowedUDPPorts = [ 3478 5349 ];
- allowedTCPPortRanges = [ ];
- allowedTCPPorts = [ 3478 5349 ];
+ allowedUDPPorts = [3478 5349];
+ allowedTCPPortRanges = [];
+ allowedTCPPorts = [3478 5349];
 };
 };
 services.nginx = {
 enable = true;
 virtualHosts."turn.sondell.org" = {
- forceSSL = true;
- enableACME = true;
 };
 };
 # get a certificate
@@ -82,4 +81,3 @@
 ];
 };
 }
-
diff --git a/dufs.nix b/dufs.nix
index a2e3353..645af2a 100644
--- a/dufs.nix
+++ b/dufs.nix
@@ -36,8 +36,6 @@ in {
 };
 };
 services.nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${port}/";
 proxyWebsockets = true;
diff --git a/ebooks.nix b/ebooks.nix
index 7a99204..36849d0 100644
--- a/ebooks.nix
+++ b/ebooks.nix
@@ -17,8 +17,6 @@ in {
 };
 services.nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${toString port}/";
 proxyWebsockets = true;
diff --git a/filebrowser.nix b/filebrowser.nix
index 9ae7e12..d4d8788 100644
--- a/filebrowser.nix
+++ b/filebrowser.nix
@@ -35,8 +35,6 @@ in {
 };
 services.nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:8080/";
 proxyWebsockets = true;
diff --git a/forgejo.nix b/forgejo.nix
index 7a6b325..b8dda28 100644
--- a/forgejo.nix
+++ b/forgejo.nix
@@ -68,8 +68,6 @@ in {
 };
 services.nginx.virtualHosts.${domain} = {
- enableACME = true;
- forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:3000/";
 };
diff --git a/homepage.nix b/homepage.nix
index d652a59..2b60794 100644
--- a/homepage.nix
+++ b/homepage.nix
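Review bot: After the removal, `virtualHosts."turn.sondell.org" = { };` is an empty vhost that still answers plain HTTP for that name, and the `# get a certificate` section it precedes lies outside the hunk, so I cannot tell whether the TURN certificate used on the still-open port 5349 (`allowedTCPPorts`/`allowedUDPPorts`) was issued through this vhost's ACME challenge location. If it was, renewal now has no `/.well-known/acme-challenge` handler on this host and TURNS will fail at the next expiry; if the certificate is obtained elsewhere, the empty vhost should be deleted rather than left behind. Either way, a comment on the vhost such as `# kept only to serve the ACME HTTP-01 challenge for the TURN certificate`, or its removal, would make the intent clear.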
@@ -3,8 +3,6 @@
 domain2 = "start.sondell.org";
 port = "8118";
 hostSettings = {
- forceSSL = true;
- enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${port}/";
 proxyWebsockets = true;
diff --git a/jellyfin.nix b/jellyfin.nix
index 9d80b2b..299a53a 100644
--- a/jellyfin.nix
+++ b/jellyfin.nix
@@ -1,23 +1,16 @@
-{ config, ... }:
-
-let
+{config, ...}: let
 domain = "jelly.sondell.org";
- # derp = "hi";
-in
-{
- #
+ # derp = "hi";
+in {
+ #
 services.jellyfin = {
 enable = true;
 };
-
 services.nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:8096/";
 proxyWebsockets = true;
 };
 };
 }
-
diff --git a/matrix.nix b/matrix.nix
index 05be83b..80af344 100644
--- a/matrix.nix
+++ b/matrix.nix
@@ -1,6 +1,8 @@
-{ config, pkgs, ... }:
-
-let
+{
+ config,
+ pkgs,
+ ...
+}: let
 domain = "sondell.org";
 hostName = "matrix";
 fqdn = "${hostName}.${domain}";
@@ -12,9 +14,8 @@ let
 add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
-in
-{
- #
+in {
+ #
 services.matrix-synapse = {
 enable = true;
 settings.enable_registration = true;
@@ -27,33 +28,29 @@ in
 type = "http";
 tls = false;
 x_forwarded = true;
- resources = [
+ resources = [
 {
- names = [ "client" "federation" ];
+ names = ["client" "federation"];
 compress = true;
- }
+ }
 ];
 }
 ];
-
 };
-
-services.postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
-};
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
 services.nginx.virtualHosts = {
 ${fqdn} = {
- enableACME = true;
- forceSSL = true;
 # locations."/".extraConfig = ''
 # return 404;
 # '';
@@ -66,7 +63,6 @@ services.postgresql = {
 ${domain} = {
 enableACME = true;
- forceSSL = true;
 # locations."/" = {
 # proxyPass = "http://localhost:8008";
 # };
@@ -83,4 +79,3 @@ services.postgresql = {
 };
 };
 }
-
diff --git a/nextcloud.nix b/nextcloud.nix
index b9da869..55438a3 100644
--- a/nextcloud.nix
+++ b/nextcloud.nix
@@ -64,10 +64,10 @@ in {
 nginx.virtualHosts = {
 ${domain} = {
- forceSSL = true;
- enableACME = true;
- # Use DNS Challenege.
- # acmeRoot = null;
+ # forceSSL = true;
+ # enableACME = true;
+ # # Use DNS Challenege.
+ # # acmeRoot = null;
 };
 };
 postgresql.enable = true;
@@ -90,6 +90,9 @@ in {
 # Let NixOS install and configure Redis caching automatically.
 configureRedis = true;
 settings = {
+ trusted_proxies = [
+ "192.168.1.199"
+ ];
 maintenance_window_start = 1;
 };
 extraOptions = {
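Review bot: The re-indented `initialScript` still embeds the role password `'synapse'` and is produced with `pkgs.writeText`, so the SQL, password included, ends up in the world-readable Nix store. This is pre-existing, but since the commit rewrites these lines it is a good moment to either drop the password in favour of local peer authentication (presumably synapse connects over the unix socket; confirm against its database settings) or load the script from a path outside the store, as the repo already does for `jwtSecretFile` under `/etc/nixos/.secrets/`. Failing that, a one-line comment above `initialScript`, e.g. `# NOTE: pkgs.writeText places this script, password included, in /nix/store`, would at least flag it. The enclosing `services.matrix-synapse` block starts before this hunk.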
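Review bot: The `${domain}` vhost keeps `enableACME = true;` while losing `forceSSL`, whereas the `${fqdn}` vhost in the previous hunk drops both, which is inconsistent with deferring TLS to hyperserver: this host will keep requesting a certificate for `sondell.org` via HTTP-01 although its port 80 is now meant to sit behind the proxy, so the challenge only succeeds if hyperserver forwards `/.well-known/acme-challenge/` here. If the certificate is still needed on this host (for example for synapse federation), say so with `# cert still issued here: <reason>`; otherwise remove `enableACME = true;` as well so ACME does not silently start failing at renewal time.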
@@ -112,7 +115,7 @@ in {
 inherit mail calendar contacts notes onlyoffice cookbook spreed memories previewgenerator;
 };
 config = {
- overwriteProtocol = "https";
+ # overwriteProtocol = "https";
 defaultPhoneRegion = "SE";
 dbtype = "pgsql";
 adminuser = "admin";
@@ -137,9 +140,9 @@ in {
 hostname = "office.sondell.org";
 jwtSecretFile = "/etc/nixos/.secrets/onlyoffice.jwt";
 };
- services.nginx.virtualHosts."office.sondell.org" = {
- forceSSL = true;
- enableACME = true;
- # locations."/".proxyPass = "http://12:8123";
- };
+ # services.nginx.virtualHosts."office.sondell.org" = {
+ # forceSSL = true;
+ # enableACME = true;
+ # # locations."/".proxyPass = "http://12:8123";
+ # };
 }
diff --git a/vaultwarden.nix b/vaultwarden.nix
index 481c043..339d707 100644
--- a/vaultwarden.nix
+++ b/vaultwarden.nix
@@ -31,8 +31,6 @@ in {
 };
 };
 services.nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${port}/";
 };
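Review bot: Commenting out `overwriteProtocol = "https"` makes Nextcloud derive its external scheme from the request it gets from the local nginx, which now speaks plain HTTP, so unless the `X-Forwarded-Proto: https` header from the proxy at `192.168.1.199` (added to `trusted_proxies` in the earlier hunk) survives the nginx hop, generated URLs, redirects and the cookie `Secure` flag fall back to http. Keeping `overwriteProtocol = "https";` is harmless when TLS is terminated upstream and removes that dependency, so I would restore it or at least document the assumption with `# scheme comes from hyperserver's X-Forwarded-Proto via trusted_proxies`. The disabled `office.sondell.org` vhost in the next hunk and the disabled `forceSSL`/`enableACME` lines in the first nextcloud hunk are kept as comments; deleting them is cleaner than carrying dead configuration. With that vhost gone, the OnlyOffice `hostname = "office.sondell.org"` has no local nginx entry at all, which only works if hyperserver proxies straight to the OnlyOffice port (not visible here).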