nixfmt
This commit is contained in:
goeranh
parent
6add85a106
commit
3e82d5f015
5 changed files with 173 additions and 166 deletions
|
|
@ -44,7 +44,10 @@
|
|||
|
||||
systemd.services.authentik-secrets-generator = {
|
||||
enable = true;
|
||||
requiredBy = [ "authentik-secrets-setup.service" "authentik-worker.service" ];
|
||||
requiredBy = [
|
||||
"authentik-secrets-setup.service"
|
||||
"authentik-worker.service"
|
||||
];
|
||||
script = ''
|
||||
echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
|
||||
'';
|
||||
|
|
|
|||
|
|
@ -29,21 +29,14 @@ in
|
|||
];
|
||||
|
||||
networking.hostName = "git";
|
||||
networking.domain = "test.htw.stura-dresden.de";
|
||||
networking.interfaces.ens18.ipv4.addresses = [
|
||||
{
|
||||
address = "167.235.225.23";
|
||||
prefixLength = 32;
|
||||
address = "141.56.51.97";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
networking.interfaces.ens18.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:4f8:c012:6bd7::1";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
networking.defaultGateway.address = "172.31.1.1";
|
||||
networking.defaultGateway.address = "141.56.51.254";
|
||||
networking.nameservers = [
|
||||
"9.9.9.9"
|
||||
"1.1.1.1"
|
||||
|
|
@ -53,30 +46,36 @@ in
|
|||
services.forgejo = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
||||
|
||||
server = {
|
||||
PROTOCOL = "http+unix";
|
||||
HTTP_ADDR = "/var/run/forgejo.sock";
|
||||
HTTP_ADDR = "/run/forgejo/forgejo.sock";
|
||||
ROOT_URL = "https://${config.networking.fqdn}";
|
||||
};
|
||||
oauth2_client = {
|
||||
ENABLE_AUTO_REGISTRATION = "true";
|
||||
REGISTER_EMAIL_CONFIRM = "false";
|
||||
username = "email";
|
||||
};
|
||||
service = {
|
||||
SHOW_REGISTRATION_BUTTON = "false";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."git.htw.stura-dresden.de" = {
|
||||
virtualHosts."${config.networking.fqdn}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
recommendedProxySettings = true;
|
||||
proxyWebsockets = true;
|
||||
proxyPass = "http://unix:/var/run/forgejo.sock";
|
||||
proxyPass = "http://unix:/run/forgejo/forgejo.sock";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# virtualisation.docker.enable = true;
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "cert@stura.htw-dresden.de";
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
25
|
||||
80
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
services = {
|
||||
openssh = {
|
||||
enable = true;
|
||||
listenAddresses = [
|
||||
|
|
@ -46,135 +46,134 @@ services = {
|
|||
}
|
||||
];
|
||||
};
|
||||
haproxy =
|
||||
let
|
||||
forwards = {
|
||||
plone = {
|
||||
dest = "141.56.51.3";
|
||||
domain = "stura.htw-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
haproxy =
|
||||
let
|
||||
forwards = {
|
||||
plone = {
|
||||
dest = "141.56.51.3";
|
||||
domain = "stura.htw-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
plone_alt = {
|
||||
dest = "141.56.51.3";
|
||||
domain = "www.stura.htw-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
tix = {
|
||||
dest = "141.56.51.220";
|
||||
domain = "tix.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
vot = {
|
||||
dest = "141.56.51.81";
|
||||
domain = "vot.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
dat = {
|
||||
dest = "141.56.51.81";
|
||||
domain = "dat.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
pro = {
|
||||
dest = "141.56.51.15";
|
||||
domain = "pro.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
cloud = {
|
||||
dest = "141.56.51.16";
|
||||
domain = "cloud.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
wiki = {
|
||||
dest = "141.56.51.13";
|
||||
domain = "wiki.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
};
|
||||
plone_alt = {
|
||||
dest = "141.56.51.3";
|
||||
domain = "www.stura.htw-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
tix = {
|
||||
dest = "141.56.51.220";
|
||||
domain = "tix.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
vot = {
|
||||
dest = "141.56.51.81";
|
||||
domain = "vot.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
dat = {
|
||||
dest = "141.56.51.81";
|
||||
domain = "dat.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
pro = {
|
||||
dest = "141.56.51.15";
|
||||
domain = "pro.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
cloud = {
|
||||
dest = "141.56.51.16";
|
||||
domain = "cloud.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
wiki = {
|
||||
dest = "141.56.51.13";
|
||||
domain = "wiki.htw.stura-dresden.de";
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
};
|
||||
};
|
||||
in{
|
||||
enable = true;
|
||||
config = ''
|
||||
global
|
||||
log /dev/log local0
|
||||
maxconn 4096
|
||||
# for ACME/Let's Encrypt cert + key in one file:
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
crt-base /var/lib/acme
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
config = ''
|
||||
global
|
||||
log /dev/log local0
|
||||
maxconn 4096
|
||||
# for ACME/Let's Encrypt cert + key in one file:
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
crt-base /var/lib/acme
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode tcp
|
||||
option tcplog
|
||||
timeout connect 5s
|
||||
timeout client 30s
|
||||
timeout server 30s
|
||||
defaults
|
||||
log global
|
||||
mode tcp
|
||||
option tcplog
|
||||
timeout connect 5s
|
||||
timeout client 30s
|
||||
timeout server 30s
|
||||
|
||||
frontend stats
|
||||
bind 127.0.0.1:8404
|
||||
mode http
|
||||
stats enable
|
||||
stats uri /stats
|
||||
stats refresh 10s
|
||||
stats auth admin:yourpassword
|
||||
stats show-legends
|
||||
stats show-node
|
||||
frontend stats
|
||||
bind 127.0.0.1:8404
|
||||
mode http
|
||||
stats enable
|
||||
stats uri /stats
|
||||
stats refresh 10s
|
||||
stats auth admin:yourpassword
|
||||
stats show-legends
|
||||
stats show-node
|
||||
|
||||
frontend http-in
|
||||
bind *:80
|
||||
frontend http-in
|
||||
bind *:80
|
||||
|
||||
${
|
||||
lib.foldlAttrs(prev: name: value: prev +
|
||||
"acl is_${name} hdr(host) -i ${value.domain}\n"
|
||||
) "" forwards
|
||||
}
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
|
||||
) "" forwards}
|
||||
|
||||
${
|
||||
lib.foldlAttrs(prev: name: value: prev +
|
||||
"use_backend ${name}_80 if is_${name}\n"
|
||||
) "" forwards
|
||||
}
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + "use_backend ${name}_80 if is_${name}\n"
|
||||
) "" forwards}
|
||||
|
||||
default_backend plone_80
|
||||
default_backend plone_80
|
||||
|
||||
|
||||
frontend ssh_jump_alt
|
||||
bind *:2142
|
||||
mode tcp
|
||||
timeout client 30m
|
||||
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
|
||||
use_backend ssh_srs2
|
||||
frontend ssh_jump_alt
|
||||
bind *:2142
|
||||
mode tcp
|
||||
timeout client 30m
|
||||
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
|
||||
use_backend ssh_srs2
|
||||
|
||||
# ---- SNI routing (TCP, peek at handshake) ----
|
||||
frontend sni_router
|
||||
bind *:443
|
||||
mode tcp
|
||||
tcp-request inspect-delay 1s
|
||||
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||
# ---- SNI routing (TCP, peek at handshake) ----
|
||||
frontend sni_router
|
||||
bind *:443
|
||||
mode tcp
|
||||
tcp-request inspect-delay 1s
|
||||
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||
|
||||
# terminated here
|
||||
${
|
||||
lib.foldlAttrs(prev: name: value: prev +
|
||||
"use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
|
||||
) "" forwards
|
||||
}
|
||||
# terminated here
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
|
||||
) "" forwards}
|
||||
|
||||
backend ssh_srs2
|
||||
mode tcp
|
||||
timeout server 30m
|
||||
timeout connect 10s
|
||||
option tcpka
|
||||
server srs2 141.56.51.2:80 check
|
||||
backend ssh_srs2
|
||||
mode tcp
|
||||
timeout server 30m
|
||||
timeout connect 10s
|
||||
option tcpka
|
||||
server srs2 141.56.51.2:80 check
|
||||
|
||||
${
|
||||
lib.foldlAttrs(prev: name: value: prev +
|
||||
''
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev
|
||||
+ ''
|
||||
|
||||
backend ${name}_80
|
||||
mode http
|
||||
|
|
@ -184,14 +183,11 @@ services = {
|
|||
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
|
||||
|
||||
''
|
||||
) "" forwards
|
||||
}
|
||||
'';
|
||||
};
|
||||
) "" forwards}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
openvpn
|
||||
tcpdump
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@
|
|||
];
|
||||
networking.defaultGateway.address = "141.56.51.254";
|
||||
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "cert@stura.htw-dresden.de";
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue