diff --git a/ai.nix b/ai.nix index 71b86e9..69a09c5 100644 --- a/ai.nix +++ b/ai.nix @@ -9,8 +9,6 @@ in { services.nginx.virtualHosts = { ${domain} = { - forceSSL = true; - enableACME = true; locations."/" = { proxyPass = "http://localhost:9876/"; proxyWebsockets = true; diff --git a/audiobooks.nix b/audiobooks.nix index 52be9c2..468aa1e 100644 --- a/audiobooks.nix +++ b/audiobooks.nix @@ -1,19 +1,13 @@ -{ ... }: - -let +{...}: let domain = "books.sondell.org"; -in -{ - # +in { + # services.audiobookshelf = { enable = true; port = 8000; }; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; default = true; locations."/" = { proxyPass = "http://localhost:8000/"; @@ -21,4 +15,3 @@ in }; }; } - diff --git a/configuration.nix b/configuration.nix index c66812d..d3ea4e9 100644 --- a/configuration.nix +++ b/configuration.nix @@ -174,6 +174,7 @@ services.openssh.enable = true; services.openssh.settings.PasswordAuthentication = false; # services.openssh.settings.PermitRootLogin = "proh"; + services.nginx.enable = true; security.acme = { acceptTerms = true; defaults = { @@ -181,8 +182,12 @@ dnsProvider = "cloudflare"; # # location of your CLOUDFLARE_DNS_API_TOKEN=[value] # # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile= - environmentFile = "/etc/nixos/.secrets/cloudflare_dns_tokend"; + environmentFile = "/etc/nixos/.secrets/cloudflare_zone_dns_edit"; }; + # certs."sondell.org" = { + # domain = "*.sondell.org"; + # group = config.services.nginx.group; + # }; }; # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; diff --git a/coturn.nix b/coturn.nix index 40978ac..1ffdb05 100644 --- a/coturn.nix +++ b/coturn.nix 
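Review bot: `services.nginx.enable = true;` is switched on here in the same commit that strips `forceSSL`/`enableACME` from every vhost and leaves the wildcard `certs."sondell.org"` block commented out, so the resulting nginx serves all of the proxied services on plain :80 with no TLS listener at all. If TLS is meant to terminate on an upstream proxy (the `trusted_proxies = ["192.168.1.199"]` added in nextcloud.nix hints at that), say so next to this line, e.g. `# plain-HTTP only: TLS is terminated on the upstream reverse proxy (192.168.1.199)`, and keep the :80 listener unreachable from anything but that proxy; if not, the vhosts need `useACMEHost`/`forceSSL` back. The enclosing `security.acme` set continues into the next hunk.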
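Review bot: The commented `certs."sondell.org"` wildcard entry is the only thing in this commit that could replace the removed per-vhost `enableACME`, and as long as it stays commented the `security.acme.defaults` block issues nothing; either finish it (uncomment, and give each vhost `useACMEHost = "sondell.org"; forceSSL = true;`) or drop it so the file does not suggest TLS that is not configured. The renamed `environmentFile = "/etc/nixos/.secrets/cloudflare_zone_dns_edit";` implies a token scoped to Zone:DNS:Edit; recording that in the adjacent comment, `# token scope: Zone:DNS:Edit on sondell.org only`, keeps the next rotation least-privilege. Note that `/etc/nixos` is world-readable on a default install, so the secrets directory needs its own restrictive mode, which this hunk cannot show. The `security.acme` set and the firewall settings continue outside this hunk.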
@@ -44,23 +44,22 @@ # open the firewall networking.firewall = { interfaces.enp2s0 = let - range = with config.services.coturn; [ { - from = min-port; - to = max-port; - } ]; - in - { + range = with config.services.coturn; [ + { + from = min-port; + to = max-port; + } + ]; + in { allowedUDPPortRanges = range; - allowedUDPPorts = [ 3478 5349 ]; - allowedTCPPortRanges = [ ]; - allowedTCPPorts = [ 3478 5349 ]; + allowedUDPPorts = [3478 5349]; + allowedTCPPortRanges = []; + allowedTCPPorts = [3478 5349]; }; }; services.nginx = { enable = true; virtualHosts."turn.sondell.org" = { - forceSSL = true; - enableACME = true; }; }; # get a certificate @@ -82,4 +81,3 @@ ]; }; } - diff --git a/dufs.nix b/dufs.nix index a2e3353..645af2a 100644 --- a/dufs.nix +++ b/dufs.nix @@ -36,8 +36,6 @@ in { }; }; services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; locations."/" = { proxyPass = "http://localhost:${port}/"; proxyWebsockets = true; diff --git a/ebooks.nix b/ebooks.nix index 7a99204..36849d0 100644 --- a/ebooks.nix +++ b/ebooks.nix @@ -17,8 +17,6 @@ in { }; services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; locations."/" = { proxyPass = "http://localhost:${toString port}/"; proxyWebsockets = true; diff --git a/filebrowser.nix b/filebrowser.nix index 9ae7e12..d4d8788 100644 --- a/filebrowser.nix +++ b/filebrowser.nix @@ -35,8 +35,6 @@ in { }; services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; locations."/" = { proxyPass = "http://localhost:8080/"; proxyWebsockets = true; diff --git a/forgejo.nix b/forgejo.nix index 6a76a33..b8dda28 100644 --- a/forgejo.nix +++ b/forgejo.nix 
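Review bot: `virtualHosts."turn.sondell.org" = { };` is now an empty vhost: with `forceSSL`/`enableACME` gone it listens on :80 only and no longer requests a certificate, while the firewall block just above still opens 5349 TCP/UDP, the TLS TURN port, and the `# get a certificate` section that follows starts outside this hunk. If coturn's `cert`/`pkey` were fed from the certificate this vhost used to obtain, TURN-over-TLS will stop working when the current certificate expires; in that case the certificate should come from an explicit DNS-01 `security.acme.certs."turn.sondell.org"` entry, which the defaults in configuration.nix already support. If the vhost is only a placeholder now, a comment saying so avoids the question: `# empty on purpose: coturn's certificate is requested in the acme block below, not via nginx`.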
@@ -21,6 +21,25 @@ in { }; }; + services.restic.backups = { + "forgejo" = { + passwordFile = "/etc/nixos/.secrets/restic_pw"; + repository = "sftp:Glenn@nas:/home/back/vaultwarden/restic"; + initialize = true; + paths = [ + "/var/lib/forgejo" + ]; + user = "root"; + timerConfig.OnCalendar = "02:05"; + pruneOpts = [ + "--keep-daily 10" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + }; + environment.systemPackages = let cfg = config.services.forgejo; forgejo-cli = pkgs.writeScriptBin "forgejo-cli" '' @@ -49,8 +68,6 @@ in { }; services.nginx.virtualHosts.${domain} = { - enableACME = true; - forceSSL = true; locations."/" = { proxyPass = "http://localhost:3000/"; }; diff --git a/homepage.nix b/homepage.nix index 36c5070..2b60794 100644 --- a/homepage.nix +++ b/homepage.nix @@ -1,31 +1,28 @@ -{ homepage, ... }: - -let - domain = "sondell.org"; +{homepage, ...}: let + domain1 = "sondell.org"; + domain2 = "start.sondell.org"; port = "8118"; -in -{ - systemd.services.homepage = { - enable = true; - description = "homepage with links to selfhosted services"; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - After="network-online.target"; - }; - serviceConfig = { - ExecStart = "${homepage}/bin/home-prod -p ${port}"; - User= "sondell"; - Type= "simple"; - }; - }; - - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; + hostSettings = { locations."/" = { proxyPass = "http://localhost:${port}/"; proxyWebsockets = true; }; }; -} +in { + systemd.services.homepage = { + enable = true; + description = "homepage with links to selfhosted services"; + wantedBy = ["multi-user.target"]; + unitConfig = { + After = "network-online.target"; + }; + serviceConfig = { + ExecStart = "${homepage}/bin/home-prod -p ${port}"; + User = "sondell"; + Type = "simple"; + }; + }; + services.nginx.virtualHosts.${domain1} = hostSettings; + services.nginx.virtualHosts.${domain2} = hostSettings; +} 
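Review bot: `repository = "sftp:Glenn@nas:/home/back/vaultwarden/restic"` sends the forgejo backup into a path named after vaultwarden, which reads like a copy-paste from another backup job; if that repository is shared, the `pruneOpts` here are applied by `restic forget` to every snapshot in it (grouped by host and path by default), so changing the policy in one job silently changes the other's retention. Give this job its own repository, `repository = "sftp:Glenn@nas:/home/back/forgejo/restic";`, or document the sharing with `# shared repository with the vaultwarden job; forget/prune here affects both`. Two things to confirm: `/var/lib/forgejo` is snapshotted while the service is running, so an embedded database (sqlite, if that is what forgejo uses here) can be copied mid-write and a `backupPrepareCommand` running `forgejo dump` or a short stop would make it consistent; and `passwordFile` plus root's SSH key for `Glenn@nas` live under `/etc/nixos/.secrets`, which must be 0700/0600 because `/etc/nixos` is normally world-readable. The `environment.systemPackages` definition at the bottom continues outside the hunk.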
diff --git a/jellyfin.nix b/jellyfin.nix index 9d80b2b..299a53a 100644 --- a/jellyfin.nix +++ b/jellyfin.nix @@ -1,23 +1,16 @@ -{ config, ... }: - -let +{config, ...}: let domain = "jelly.sondell.org"; - # derp = "hi"; -in -{ - # + # derp = "hi"; +in { + # services.jellyfin = { enable = true; }; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; locations."/" = { proxyPass = "http://localhost:8096/"; proxyWebsockets = true; }; }; } - diff --git a/matrix.nix b/matrix.nix index 05be83b..80af344 100644 --- a/matrix.nix +++ b/matrix.nix @@ -1,6 +1,8 @@ -{ config, pkgs, ... }: - -let +{ + config, + pkgs, + ... +}: let domain = "sondell.org"; hostName = "matrix"; fqdn = "${hostName}.${domain}"; @@ -12,9 +14,8 @@ let add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; ''; -in -{ - # +in { + # services.matrix-synapse = { enable = true; settings.enable_registration = true; @@ -27,33 +28,29 @@ in type = "http"; tls = false; x_forwarded = true; - resources = [ + resources = [ { - names = [ "client" "federation" ]; + names = ["client" "federation"]; compress = true; - } + } ]; } ]; - }; - -services.postgresql = { - enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; -}; + services.postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; services.nginx.virtualHosts = { ${fqdn} = { - enableACME = true; - forceSSL = true; # locations."/".extraConfig = '' # return 404; # ''; 
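Review bot: `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';` bakes a trivial, literal database password into `initialScript`, and because `pkgs.writeText` places it in `/nix/store` it is readable by every local user. If synapse reaches postgres over the local unix socket, as the NixOS module does by default when both run on the host, the password is never used and the clause can simply go: `CREATE ROLE "matrix-synapse" WITH LOGIN;` with peer auth; if a TCP connection with a password is actually needed, it belongs in a file outside the store. The context line `settings.enable_registration = true;` also leaves open registration on, which is worth a comment confirming it is intended and that captcha or email verification is configured elsewhere. The enclosing `services.matrix-synapse` settings block starts above this hunk.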
@@ -66,7 +63,6 @@ services.postgresql = { ${domain} = { enableACME = true; - forceSSL = true; # locations."/" = { # proxyPass = "http://localhost:8008"; # }; @@ -83,4 +79,3 @@ services.postgresql = { }; }; } - diff --git a/nextcloud.nix b/nextcloud.nix index b9da869..0fdc0bd 100644 --- a/nextcloud.nix +++ b/nextcloud.nix @@ -64,10 +64,10 @@ in { nginx.virtualHosts = { ${domain} = { - forceSSL = true; - enableACME = true; - # Use DNS Challenege. - # acmeRoot = null; + # forceSSL = true; + # enableACME = true; + # # Use DNS Challenege. + # # acmeRoot = null; }; }; postgresql.enable = true; @@ -90,6 +90,9 @@ in { # Let NixOS install and configure Redis caching automatically. configureRedis = true; settings = { + trusted_proxies = [ + "192.168.1.199" + ]; maintenance_window_start = 1; }; extraOptions = { @@ -112,7 +115,7 @@ in { inherit mail calendar contacts notes onlyoffice cookbook spreed memories previewgenerator; }; config = { - overwriteProtocol = "https"; + # overwriteProtocol = "https"; defaultPhoneRegion = "SE"; dbtype = "pgsql"; adminuser = "admin"; @@ -138,8 +141,8 @@ in { jwtSecretFile = "/etc/nixos/.secrets/onlyoffice.jwt"; }; services.nginx.virtualHosts."office.sondell.org" = { - forceSSL = true; - enableACME = true; - # locations."/".proxyPass = "http://12:8123"; + # forceSSL = true; + # enableACME = true; + # locations."/".proxyPass = "http://localhost:8123"; }; } diff --git a/vaultwarden.nix b/vaultwarden.nix index 481c043..339d707 100644 --- a/vaultwarden.nix +++ b/vaultwarden.nix @@ -31,8 +31,6 @@ in { }; }; services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; locations."/" = { proxyPass = "http://localhost:${port}/"; };
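Review bot: The `${domain}` vhost keeps `enableACME = true;` while dropping `forceSSL`, unlike every other vhost in this commit, which leaves a certificate that nothing serves: without `forceSSL`/`addSSL`/`onlySSL` the NixOS nginx module emits no :443 listener. With `security.acme.defaults.dnsProvider` set in configuration.nix and `acmeRoot` left at its default, the ACME module will, if I recall its assertions correctly, also reject the combination of a webroot and a DNS provider at evaluation time, presumably the reason the other files removed `enableACME`. Either delete this line as well or make it a real TLS host with `acmeRoot = null; forceSSL = true;`. The vhost body with the `.well-known` locations continues outside this hunk.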
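Review bot: `trusted_proxies = ["192.168.1.199"]` only tells Nextcloud to honour `X-Forwarded-For`/`X-Forwarded-Proto` from that address; it does not prevent a client that reaches this host's nginx directly from supplying those headers itself, and nothing in this commit restricts the :80 listener to the proxy. If 192.168.1.199 is the TLS-terminating reverse proxy (inferred from the removal of `forceSSL` across this commit), limit the vhost to it, e.g. a vhost-level `extraConfig = "allow 192.168.1.199; deny all;";` or an equivalent firewall rule on the LAN interface, and say what the address is: `# TLS-terminating reverse proxy; its forwarded headers are trusted`. The `settings` attrset continues outside this hunk.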
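Review bot: Commenting out `overwriteProtocol = "https"` makes Nextcloud build `http://` URLs for redirects, share links and app callbacks unless a trusted proxy sends `X-Forwarded-Proto: https`; `trusted_proxies` is set in this file, but whether the upstream proxy actually sends that header is not visible in this commit. Keeping `overwriteProtocol = "https";` costs nothing when the header is forwarded and protects against the case where it is not, so I would leave it in unless plain-HTTP access to this instance is deliberately needed; otherwise record the assumption, `# overwriteProtocol omitted: upstream proxy 192.168.1.199 sets X-Forwarded-Proto`. The `config` attrset continues outside this hunk.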
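Review bot: Removing `forceSSL`/`enableACME` from the Vaultwarden vhost makes nginx serve the vault on plain :80 with no redirect, so the login request (the client-hashed master password, which is sufficient to authenticate) and the encrypted vault blobs cross the wire in cleartext; of all the vhosts this commit downgrades, this is the one where that matters most, and WebAuthn logins will refuse to run outside a secure context. If TLS now terminates on an upstream proxy, this vhost must be reachable only from that proxy and Vaultwarden's `DOMAIN` must stay `https://…` (its settings block above is outside this hunk). Add a vhost-level `extraConfig = "allow <proxy-ip>; deny all;";` or restore `useACMEHost`/`forceSSL`, and leave a one-line comment stating where TLS is terminated.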