diff --git a/ai.nix b/ai.nix
index 69a09c5..71b86e9 100644
--- a/ai.nix
+++ b/ai.nix
@@ -9,6 +9,8 @@ in {
 services.nginx.virtualHosts = {
 ${domain} = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:9876/";
 proxyWebsockets = true;
diff --git a/audiobooks.nix b/audiobooks.nix
index 468aa1e..52be9c2 100644
--- a/audiobooks.nix
+++ b/audiobooks.nix
@@ -1,13 +1,19 @@
-{...}: let
+{ ... }:
+
+let
 domain = "books.sondell.org";
-in {
- #
+in
+{
+ #
 services.audiobookshelf = {
 enable = true;
 port = 8000;
 };
+
 services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
 default = true;
 locations."/" = {
 proxyPass = "http://localhost:8000/";
@@ -15,3 +21,4 @@ in {
 };
 };
 }
+
diff --git a/configuration.nix b/configuration.nix
index d3ea4e9..c66812d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -174,7 +174,6 @@
 services.openssh.enable = true;
 services.openssh.settings.PasswordAuthentication = false;
 # services.openssh.settings.PermitRootLogin = "proh";
- services.nginx.enable = true;
 security.acme = {
 acceptTerms = true;
 defaults = {
@@ -182,12 +181,8 @@
 dnsProvider = "cloudflare";
 # # location of your CLOUDFLARE_DNS_API_TOKEN=[value]
 # # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=
- environmentFile = "/etc/nixos/.secrets/cloudflare_zone_dns_edit";
+ environmentFile = "/etc/nixos/.secrets/cloudflare_dns_tokend";
 };
- # certs."sondell.org" = {
- # domain = "*.sondell.org";
- # group = config.services.nginx.group;
- # };
 };
 # networking.firewall.allowedTCPPorts = [ ... ];
 # networking.firewall.allowedUDPPorts = [ ... ];
diff --git a/coturn.nix b/coturn.nix
index 1ffdb05..40978ac 100644
--- a/coturn.nix
+++ b/coturn.nix
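Review bot: Every vhost that gains `enableACME = true;` in this commit — this one and the ones in audiobooks, coturn, dufs, ebooks, filebrowser, forgejo, homepage, jellyfin, matrix, nextcloud and vaultwarden — is, as far as I recall the NixOS nginx module, issued with the HTTP-01 webroot challenge rather than the Cloudflare DNS challenge configured under `security.acme.defaults` in configuration.nix: a vhost whose `acmeRoot` is left at its default gets `webroot` set on its cert and `dnsProvider` nudged back to null. The nextcloud hunk keeps exactly that knob commented out (`# acmeRoot = null;`) right under a "Use DNS Challenge" comment, so the intent looks like DNS-01. If so, add `acmeRoot = null;` next to `enableACME = true;` on each of these vhosts; if HTTP-01 is acceptable, confirm that ports 80 and 443 are opened somewhere, since the `networking.firewall.allowedTCPPorts` line visible as context in configuration.nix is still commented out. The enclosing attribute set starts and ends outside the hunk.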
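Review bot: `default = true;` on the context line just below the added options makes books.sondell.org the catch-all server block, and with `forceSSL = true;` that now applies on 443 as well: any name nginx does not know — a bare IP from a scanner, or `start.sondell.org`, which homepage.nix stops serving in this same commit — gets the Audiobookshelf login page under the books certificate. Unless that is intended, drop `default = true;` here and add a throwaway default such as `services.nginx.virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`. The second hunk of this file only adds a trailing newline.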
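Review bot: Dropping `services.nginx.enable = true;` from the central configuration leaves nginx enabled only because coturn.nix happens to set it (`services.nginx = { enable = true; ...` is visible as context in that file's hunk), so every vhost and every forceSSL redirect in this commit silently disappears the day coturn.nix leaves the imports. Since the option merges, keeping `services.nginx.enable = true;` here costs nothing and documents that the proxy is a system-wide dependency. The enclosing attribute set starts and ends outside the hunk.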
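Review bot: The new secret path `/etc/nixos/.secrets/cloudflare_dns_tokend` ends in `tokend`, which reads like a typo for `token` next to the `CLOUDFLARE_DNS_API_TOKEN=[value]` comment above it; a wrong name is not caught at build time and only surfaces when a DNS-01 order fails. Worth confirming against the file on disk, and a short comment giving the expected owner and mode of that file would help whoever recreates it, since per the linked systemd documentation it is read as an EnvironmentFile by the ACME units. With the commented wildcard `certs."sondell.org"` block gone, note that nothing in this file uses the Cloudflare provider any more unless a vhost opts in with `acmeRoot = null;`. The enclosing attribute set starts and ends outside the hunk.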
@@ -44,22 +44,23 @@
 # open the firewall
 networking.firewall = {
 interfaces.enp2s0 = let
- range = with config.services.coturn; [
- {
- from = min-port;
- to = max-port;
- }
- ];
- in {
+ range = with config.services.coturn; [ {
+ from = min-port;
+ to = max-port;
+ } ];
+ in
+ {
 allowedUDPPortRanges = range;
- allowedUDPPorts = [3478 5349];
- allowedTCPPortRanges = [];
- allowedTCPPorts = [3478 5349];
+ allowedUDPPorts = [ 3478 5349 ];
+ allowedTCPPortRanges = [ ];
+ allowedTCPPorts = [ 3478 5349 ];
 };
 };
 services.nginx = {
 enable = true;
 virtualHosts."turn.sondell.org" = {
+ forceSSL = true;
+ enableACME = true;
 };
 };
 # get a certificate
@@ -81,3 +82,4 @@
 ];
 };
 }
+
diff --git a/dufs.nix b/dufs.nix
index 645af2a..a2e3353 100644
--- a/dufs.nix
+++ b/dufs.nix
@@ -36,6 +36,8 @@ in {
 };
 };
 services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${port}/";
 proxyWebsockets = true;
diff --git a/ebooks.nix b/ebooks.nix
index 36849d0..7a99204 100644
--- a/ebooks.nix
+++ b/ebooks.nix
@@ -17,6 +17,8 @@ in {
 };
 services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${toString port}/";
 proxyWebsockets = true;
diff --git a/filebrowser.nix b/filebrowser.nix
index d4d8788..9ae7e12 100644
--- a/filebrowser.nix
+++ b/filebrowser.nix
@@ -35,6 +35,8 @@ in {
 };
 };
 services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:8080/";
 proxyWebsockets = true;
diff --git a/forgejo.nix b/forgejo.nix
index b8dda28..6a76a33 100644
--- a/forgejo.nix
+++ b/forgejo.nix
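Review bot: `enableACME = true;` on `virtualHosts."turn.sondell.org"` makes the nginx module declare `security.acme.certs."turn.sondell.org"` with nginx's group and webroot as defaults, while the `# get a certificate` section that follows this hunk, outside the visible lines, presumably declares the same cert for coturn. The two definitions merge only as long as they agree on `group`, `webroot` and `dnsProvider`; if that section hands the key to the turnserver group so coturn can read it, check that nginx can still read it too, or that the build fails loudly rather than the proxy failing at start-up. If the vhost exists only to obtain the certificate, `useACMEHost = "turn.sondell.org";` in place of `enableACME = true;` keeps a single source of truth. The enclosing attribute set starts outside the hunk.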
@@ -21,25 +21,6 @@ in {
 };
 };
- services.restic.backups = {
- "forgejo" = {
- passwordFile = "/etc/nixos/.secrets/restic_pw";
- repository = "sftp:Glenn@nas:/home/back/vaultwarden/restic";
- initialize = true;
- paths = [
- "/var/lib/forgejo"
- ];
- user = "root";
- timerConfig.OnCalendar = "02:05";
- pruneOpts = [
- "--keep-daily 10"
- "--keep-weekly 5"
- "--keep-monthly 12"
- "--keep-yearly 75"
- ];
- };
- };
 environment.systemPackages = let
 cfg = config.services.forgejo;
 forgejo-cli = pkgs.writeScriptBin "forgejo-cli" ''
@@ -68,6 +49,8 @@ in {
 };
 services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:3000/";
 };
diff --git a/homepage.nix b/homepage.nix
index 2b60794..36c5070 100644
--- a/homepage.nix
+++ b/homepage.nix
@@ -1,28 +1,31 @@
-{homepage, ...}: let
- domain1 = "sondell.org";
- domain2 = "start.sondell.org";
+{ homepage, ... }:
+
+let
+ domain = "sondell.org";
 port = "8118";
- hostSettings = {
+in
+{
+ systemd.services.homepage = {
+ enable = true;
+ description = "homepage with links to selfhosted services";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig = {
+ After="network-online.target";
+ };
+ serviceConfig = {
+ ExecStart = "${homepage}/bin/home-prod -p ${port}";
+ User= "sondell";
+ Type= "simple";
+ };
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${port}/";
 proxyWebsockets = true;
 };
 };
-in {
- systemd.services.homepage = {
- enable = true;
- description = "homepage with links to selfhosted services";
- wantedBy = ["multi-user.target"];
- unitConfig = {
- After = "network-online.target";
- };
- serviceConfig = {
- ExecStart = "${homepage}/bin/home-prod -p ${port}";
- User = "sondell";
- Type = "simple";
- };
- };
-
- services.nginx.virtualHosts.${domain1} = hostSettings;
- services.nginx.virtualHosts.${domain2} = hostSettings;
 }
+
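Review bot: Deleting the `services.restic.backups."forgejo"` job removes the only backup of `/var/lib/forgejo` that this repository shows, and nothing in the commit replaces it; if the job moved to another module that is fine, otherwise repositories, issues and, if Forgejo runs on its sqlite backend, the database are now unprotected. Judging by the path, the removed job also wrote into `/home/back/vaultwarden/restic`, i.e. the same repository as the vaultwarden backup, which may be why it was dropped; a replacement should get its own repository and ideally its own password file rather than share vaultwarden's. The enclosing attribute set starts and ends outside the hunk.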
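Review bot: The two added lines come in the order `enableACME = true;` then `forceSSL = true;`, the reverse of every other vhost in this commit apart from the matrix `${fqdn}` block; Nix does not care, but writing `forceSSL = true;` first everywhere makes these otherwise identical stanzas easy to grep and compare. The enclosing attribute set starts and ends outside the hunk.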
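Review bot: The rewrite drops the `start.sondell.org` vhost (`domain2` and the second `services.nginx.virtualHosts` line on the removed side) without a redirect, so anything still using that name falls through to whichever vhost has `default = true;` — books.sondell.org in audiobooks.nix — and sees Audiobookshelf under the wrong certificate; `serverAliases = [ "start.sondell.org" ];` on the new vhost keeps the old name working. Separately, `After="network-online.target";` on its own does not pull that target in, so the service can still start before the network is online unless `wants = [ "network-online.target" ];` is added alongside it, and this rewrite is the natural moment to do so. `User= "sondell";` runs the web app as a personal account; a dedicated user or `serviceConfig.DynamicUser = true;` would keep a compromise of the homepage process away from that user's home directory.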
diff --git a/jellyfin.nix b/jellyfin.nix
index 299a53a..9d80b2b 100644
--- a/jellyfin.nix
+++ b/jellyfin.nix
@@ -1,16 +1,23 @@
-{config, ...}: let
+{ config, ... }:
+
+let
 domain = "jelly.sondell.org";
- # derp = "hi";
-in {
- #
+ # derp = "hi";
+in
+{
+ #
 services.jellyfin = {
 enable = true;
 };
+
 services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:8096/";
 proxyWebsockets = true;
 };
 };
 }
+
diff --git a/matrix.nix b/matrix.nix
index 80af344..05be83b 100644
--- a/matrix.nix
+++ b/matrix.nix
@@ -1,8 +1,6 @@
-{
- config,
- pkgs,
- ...
-}: let
+{ config, pkgs, ... }:
+
+let
 domain = "sondell.org";
 hostName = "matrix";
 fqdn = "${hostName}.${domain}";
@@ -14,8 +12,9 @@
 add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
-in {
- #
+in
+{
+ #
 services.matrix-synapse = {
 enable = true;
 settings.enable_registration = true;
@@ -28,29 +27,33 @@ in {
 type = "http";
 tls = false;
 x_forwarded = true;
- resources = [
+ resources = [
 {
- names = ["client" "federation"];
+ names = [ "client" "federation" ];
 compress = true;
- }
+ }
 ];
 }
 ];
+ };
- services.postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
+
+services.postgresql = {
+enable = true;
+initialScript = pkgs.writeText "synapse-init.sql" ''
+CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+TEMPLATE template0
+LC_COLLATE = "C"
+LC_CTYPE = "C";
+'';
+};
 services.nginx.virtualHosts = {
 ${fqdn} = {
+ enableACME = true;
+ forceSSL = true;
 # locations."/".extraConfig = ''
 # return 404;
 # '';
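Review bot: The re-added `initialScript` embeds `PASSWORD 'synapse'` in a file that lands in the world-readable Nix store, and with the default NixOS `pg_hba` (peer on the socket, md5 on 127.0.0.1, if I remember the module right) that is a working credential for the synapse role over TCP for any local process. Synapse itself most likely connects over the socket with peer auth, so the cheapest fix is to not hand out a password at all (`CREATE ROLE "matrix-synapse" WITH LOGIN;`) or to restrict `services.postgresql.authentication` to the socket; either way a comment stating that the role has no usable password would help the next reader. Note that `initialScript` only runs when the cluster is first created, so changing it later needs a manual `ALTER ROLE` as well. Style-wise the new block sits at column 0 behind a blank `+` line while everything around it is indented two spaces, and the added `};` above it appears to be the real fix here, closing `services.matrix-synapse` before `services.postgresql` — worth a line in the commit message. The enclosing attribute set continues outside the hunk.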
@@ -63,6 +66,7 @@ in {
 ${domain} = {
 enableACME = true;
+ forceSSL = true;
 # locations."/" = {
 # proxyPass = "http://localhost:8008";
 # };
@@ -79,3 +83,4 @@ in {
 };
 };
 }
+
diff --git a/nextcloud.nix b/nextcloud.nix
index 0fdc0bd..b9da869 100644
--- a/nextcloud.nix
+++ b/nextcloud.nix
@@ -64,10 +64,10 @@ in {
 nginx.virtualHosts = {
 ${domain} = {
- # forceSSL = true;
- # enableACME = true;
- # # Use DNS Challenege.
- # # acmeRoot = null;
+ forceSSL = true;
+ enableACME = true;
+ # Use DNS Challenege.
+ # acmeRoot = null;
 };
 };
 postgresql.enable = true;
@@ -90,9 +90,6 @@ in {
 # Let NixOS install and configure Redis caching automatically.
 configureRedis = true;
 settings = {
- trusted_proxies = [
- "192.168.1.199"
- ];
 maintenance_window_start = 1;
 };
 extraOptions = {
@@ -115,7 +112,7 @@ in {
 inherit mail calendar contacts notes onlyoffice cookbook spreed memories previewgenerator;
 };
 config = {
- # overwriteProtocol = "https";
+ overwriteProtocol = "https";
 defaultPhoneRegion = "SE";
 dbtype = "pgsql";
 adminuser = "admin";
@@ -141,8 +138,8 @@ in {
 jwtSecretFile = "/etc/nixos/.secrets/onlyoffice.jwt";
 };
 services.nginx.virtualHosts."office.sondell.org" = {
- # forceSSL = true;
- # enableACME = true;
- # locations."/".proxyPass = "http://localhost:8123";
+ forceSSL = true;
+ enableACME = true;
+ # locations."/".proxyPass = "http://12:8123";
 };
 }
diff --git a/vaultwarden.nix b/vaultwarden.nix
index 339d707..481c043 100644
--- a/vaultwarden.nix
+++ b/vaultwarden.nix
@@ -31,6 +31,8 @@ in {
 };
 };
 services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${port}/";
 };
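Review bot: `sondell.org` is now declared as a vhost both here (`enableACME = true;` in context plus the added `forceSSL = true;`) and in homepage.nix, where `domain = "sondell.org"` gets the same two options. The module system merges them because the values are equal booleans, but the first divergence — `acmeRoot = null;` on only one side, say — fails the build with a conflicting-definition error that names neither intent; a comment in each place, `# also defined in homepage.nix; keep the two in sync`, would save that hunt. The enclosing attribute set starts and ends outside the hunk.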
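Review bot: The commented line is rewritten to `# locations."/".proxyPass = "http://12:8123";`, which is neither the old value nor a plausible upstream, so the comment now misleads rather than documents; delete it or restore the real address. As committed, `office.sondell.org` gets TLS and a certificate but declares no locations, which only works if the OnlyOffice module (the `jwtSecretFile` context line suggests `services.onlyoffice`) adds them for this hostname itself — worth confirming, since otherwise the name serves nginx's stock page. The enclosing attribute set starts outside the hunk.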
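Review bot: With `forceSSL = true;` clients now reach Vaultwarden only over HTTPS, so the `DOMAIN` value in `services.vaultwarden.config`, outside this hunk, has to use the `https://` scheme; Vaultwarden derives e-mail links and the WebAuthn origin from it, and a stale `http://` value breaks both. This is also the only proxied vhost in the commit without `proxyWebsockets = true;`; current Vaultwarden serves its notification WebSocket on the same port, so without the upgrade headers live sync silently degrades to polling. The enclosing attribute set starts outside the hunk.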