mirror of
https://forge.katzen.cafe/katzen-cafe/katzen-cafe.git
synced 2024-11-05 15:36:23 +01:00
183 lines
4.7 KiB
Nix
183 lines
4.7 KiB
Nix
{ pkgs, ... }:
|
|
{
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "jade@schrottkatze.de";
|
|
webroot = "/var/lib/acme/acme-challenge";
|
|
};
|
|
certs = {
|
|
"meet.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"miau.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"forge.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"wiki.phtanum-b.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"wiki.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"auth.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"design.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"ck.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"mumble.katzen.cafe" = {
|
|
group = "murmur";
|
|
keyType = "rsa4096";
|
|
};
|
|
"hc-vault.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"grafana.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
"wolke.katzen.cafe" = {
|
|
group = "nginx";
|
|
keyType = "rsa4096";
|
|
};
|
|
# "prosody.katzen.cafe" = {
|
|
# group = "prosody";
|
|
# keyType = "rsa4096";
|
|
# extraDomainNames = [
|
|
# "uploads.prosody.katzen.cafe"
|
|
# "conference.prosody.katzen.cafe"
|
|
# ];
|
|
# };
|
|
};
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ "acme" ];
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
statusPage = true;
|
|
|
|
virtualHosts = {
|
|
"miau.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
root = "/var/www/miau";
|
|
};
|
|
};
|
|
"_.katzen.cafe" = {
|
|
# Catchall vhost, will redirect users to HTTPS for all vhosts
|
|
serverAliases = [ "*.katzen.cafe" ];
|
|
locations."/.well-known/acme-challenge" = {
|
|
root = "/var/lib/acme/acme-challenge";
|
|
};
|
|
locations."/" = {
|
|
return = "301 https://$host$request_uri";
|
|
root = "/var/www/miau";
|
|
};
|
|
};
|
|
"grafana.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:2343";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
"ck.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:3000";
|
|
proxyWebsockets = true;
|
|
extraConfig = ''
|
|
client_max_body_size 8M;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
'';
|
|
};
|
|
};
|
|
"forge.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:8082";
|
|
};
|
|
};
|
|
"auth.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.3:8080";
|
|
# proxy_set_header Host $host;
|
|
extraConfig = ''
|
|
proxy_buffers 4 256k;
|
|
proxy_buffer_size 128k;
|
|
proxy_busy_buffers_size 256k;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
'';
|
|
};
|
|
#extraConfig = ''
|
|
#'';
|
|
};
|
|
"design.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:9001";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
"wiki.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://10.0.2.2";
|
|
};
|
|
};
|
|
"wiki.phtanum-b.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://10.0.1.2";
|
|
};
|
|
};
|
|
"wolke.katzen.cafe" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://10.0.3.2";
|
|
};
|
|
extraConfig = ''
|
|
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
}
|