diff options
Diffstat (limited to 'makefu')
27 files changed, 449 insertions, 400 deletions
diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix new file mode 100644 index 000000000..1eac141dc --- /dev/null +++ b/makefu/1systems/fileleech.nix @@ -0,0 +1,111 @@ +{ config, pkgs, lib, ... }: +let + toMapper = id: "/media/crypt${builtins.toString id}"; + byid = dev: "/dev/disk/by-id/" + dev; + keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0"; + rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; + rootPartition = rootDisk + "-part3"; + + dataDisks = let + idpart = dev: byid dev + "-part1"; + in [ + { name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";} + { name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";} + { name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";} + { name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";} + { name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";} + { name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";} + { name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";} + { name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity + ]; + + disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks; +in { + imports = [ + ../. + ../2configs/tinc/retiolum.nix + ../2configs/disable_v6.nix + ../2configs/torrent.nix + ../2configs/fs/sda-crypto-root.nix + + ../2configs/elchos/irc-token.nix + ../2configs/elchos/log.nix + ../2configs/elchos/search.nix + ../2configs/elchos/stats.nix + + ]; + makefu.server.primary-itf = "enp8s0f0"; + krebs = { + enable = true; + build.host = config.krebs.hosts.fileleech; + }; + # git clone https://github.com/makefu/docker-pyload + # docker build . + # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload + + virtualisation.docker.enable = true; # for pyload + networking.firewall.allowedTCPPorts = [ + 51412 # torrent + 8112 # rutorrent-web + 8113 # pyload + 8080 # sabnzbd + 9090 # sabnzbd-ssl + 655 # tinc + ]; + networking.firewall.allowedUDPPorts = [ + 655 # tinc + 51412 # torrent + ]; + + services.sabnzbd.enable = true; + systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + boot.initrd.luks = { + devices = let + usbkey = name: device: { + inherit name device keyFile; + keyFileSize = 4096; + allowDiscards = true; + }; + in builtins.map (x: usbkey x.name x.device) disks; + }; + environment.systemPackages = with pkgs;[ mergerfs ]; + + fileSystems = let + cryptMount = name: + { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; + in cryptMount "crypt0" + // cryptMount "crypt1" + // cryptMount "crypt2" + // cryptMount "crypt3" + // cryptMount "crypt4" + // cryptMount "crypt5" + // cryptMount "crypt6" + // cryptMount "crypt7" + + # this entry sometimes creates issues + // { "/media/cryptX" = { + device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]); + fsType = "mergerfs"; + noCheck = true; + options = [ "defaults" "nofail" "allow_other" "nonempty" ]; }; + } + + ; + makefu.snapraid = { + enable = true; + disks = map toMapper [ 0 1 2 3 4 5 6 ]; + parity = toMapper 7; + }; + + boot.loader.grub.device = rootDisk; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html + boot.extraModprobeConfig = '' + options ixgbe allow_unsupported_sfp=1 + ''; +} diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index e8a368fa2..e7761a642 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -15,6 +15,7 @@ in { ../2configs/git/cgit-retiolum.nix # ../2configs/mattermost-docker.nix ../2configs/nginx/euer.test.nix + ../2configs/nginx/public_html.nix ../2configs/nginx/update.connector.one.nix ../2configs/deployment/mycube.connector.one.nix @@ -31,7 +32,9 @@ in { ]; services.smartd.devices = [ { device = "/dev/sda";} ]; + ###### stable + services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; krebs.tinc.retiolum = { extraConfig = '' @@ -48,10 +51,6 @@ in { makefu.taskserver.enable = true; - krebs.nginx.servers.cgit = { - server-names = [ "cgit.euer.krebsco.de" ]; - listen = [ "${external-ip}:80" "${internal-ip}:80" ]; - }; # access users.users = { @@ -76,9 +75,8 @@ in { services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="c8:0a:a9:c8:ee:dd", NAME="et0" ''; - boot.kernelParams = [ "ipv6.disable=1" ]; + boot.kernelParams = [ ]; networking = { - enableIPv6 = false; firewall = { allowPing = true; logRefusedConnections = false; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 4fbbd653d..609d52134 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -48,12 +48,16 @@ in { ../2configs/exim-retiolum.nix ../2configs/smart-monitor.nix ../2configs/mail-client.nix - ../2configs/disable_v6.nix + # ../2configs/disable_v6.nix #../2configs/graphite-standalone.nix #../2configs/share-user-sftp.nix ../2configs/omo-share.nix ../2configs/tinc/retiolum.nix - ../2configs/torrent.nix + # ../2configs/torrent.nix + + # ../2configs/elchos/search.nix + # ../2configs/elchos/log.nix + # ../2configs/elchos/irc-token.nix ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload @@ -121,7 +125,8 @@ in { // { "/media/cryptX" = { device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]); fsType = "mergerfs"; - options = [ "defaults" "allow_other" ]; + noCheck = true; + options = [ "defaults" "allow_other" "nofail" "nonempty" ]; }; }; diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 1c5d2352e..96aeb2856 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -21,7 +21,6 @@ in { krebs = { enable = true; build.host = config.krebs.hosts.shoney; - nginx.enable = true; tinc_graphs = { enable = true; network = "siem"; @@ -29,9 +28,15 @@ in { nginx = { enable = true; # TODO: remove hard-coded hostname + anonymous-domain = "localhost.localdomain"; + anonymous.extraConfig = "return 403;"; complete = { - listen = [ "${tinc-siem-ip}:80" ]; - server-names = [ "graphs.siem" ]; + serverAliases = [ "graphs.siem" ]; + extraConfig = '' + if ( $server_addr = "${ip}" ) { + return 403; + } + ''; }; }; }; diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 17e81f793..6290ff6e9 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -21,9 +21,7 @@ in { # other nginx ../2configs/nginx/euer.wiki.nix ../2configs/nginx/euer.blog.nix - ../2configs/nginx/euer.test.nix - - #../2configs/elchos/stats.nix + # ../2configs/nginx/euer.test.nix # collectd # ../2configs/collectd/collectd-base.nix @@ -47,26 +45,31 @@ in { random-emoji ]; }; - # bepasty to listen only on the correct interfaces - krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ]; - krebs.bepasty.servers.external.nginx.listen = [ "${external-ip}:80" "${external-ip}:443 ssl" ]; - # prepare graphs - krebs.nginx.enable = true; + services.nginx.enable = true; krebs.retiolum-bootstrap.enable = true; - + krebs.bepasty.servers."paste.r".nginx.extraConfig = '' + if ( $server_addr = "${external-ip}" ) { + return 403; + } + ''; krebs.tinc_graphs = { enable = true; nginx = { enable = true; # TODO: remove hard-coded hostname complete = { - listen = [ "${internal-ip}:80" ]; - server-names = [ "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ]; + extraConfig = '' + if ( $server_addr = "${external-ip}" ) { + return 403; + } + ''; + serverAliases = [ "graphs.retiolum" "graphs.wry" "graphs.retiolum" "graphs.wry.retiolum" ]; }; anonymous = { - listen = [ "${external-ip}:80" ] ; - server-names = [ "graphs.krebsco.de" ]; + enableSSL = true; + forceSSL = true; + enableACME = true; }; }; }; diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index a6be04876..936aaf004 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -20,54 +20,29 @@ let ext-dom = "paste.krebsco.de" ; in { - krebs.nginx.enable = mkDefault true; + services.nginx.enable = mkDefault true; krebs.bepasty = { enable = true; serveNginx= true; servers = { - internal = { + "paste.r" = { nginx = { - server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ]; + serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; }; defaultPermissions = "admin,list,create,read,delete"; secretKey = secKey; }; - external = { + "${ext-dom}" = { nginx = { - server-names = [ ext-dom ]; - ssl = { - enable = true; - certificate = "${acmepath}/${ext-dom}/fullchain.pem"; - certificate_key = "${acmepath}/${ext-dom}/key.pem"; - # these certs will be needed if acme has not yet created certificates: - #certificate = "${sec}/wildcard.krebsco.de.crt"; - #certificate_key = "${sec}/wildcard.krebsco.de.key"; - ciphers = "RC4:HIGH:!aNULL:!MD5" ; - force_encryption = true; - }; - locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${ext-dom}/; - ''); - extraConfig = '' - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_verify_client off; - proxy_ssl_session_reuse off; - ''; + enableSSL = true; + forceSSL = true; + enableACME = true; }; defaultPermissions = "read"; secretKey = secKey; }; }; }; - security.acme.certs."${ext-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${ext-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains."${ext-dom}" = null ; - }; } diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 9a2adbc3e..9e3f3eb61 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -22,7 +22,7 @@ with import <stockholm/lib>; user = config.krebs.users.makefu; source = let inherit (config.krebs.build) host user; - ref = "f52eaf4"; # stable @ 2016-12-12 + ref = "ee13b9af"; # stable @ 2016-12-12 in { nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then { diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 091b7f21b..379176f78 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix @@ -27,23 +27,18 @@ in { }; }; - krebs.nginx = { + services.nginx = { enable = mkDefault true; - servers = { - mybox-connector-one = { - listen = [ "${external-ip}:80" ]; - server-names = [ - "mycube.connector.one" - "mybox.connector.one" - ]; - locations = singleton (nameValuePair "/" '' + virtualHosts."mybox.connector.one" = { + locations = { + "/".extraConfig = '' uwsgi_pass unix://${wsgi-sock}; uwsgi_param UWSGI_CHDIR ${pkgs.mycube-flask}/${pkgs.python.sitePackages}; uwsgi_param UWSGI_MODULE mycube.websrv; uwsgi_param UWSGI_CALLABLE app; include ${pkgs.nginx}/conf/uwsgi_params; - ''); + ''; }; }; }; diff --git a/makefu/2configs/disable_v6.nix b/makefu/2configs/disable_v6.nix index 37db172ef..0a8c8d53d 100644 --- a/makefu/2configs/disable_v6.nix +++ b/makefu/2configs/disable_v6.nix @@ -1,4 +1,3 @@ { networking.enableIPv6 = false; - boot.kernelParams = [ "ipv6.disable=1" ]; } diff --git a/makefu/2configs/elchos/irc-token.nix b/makefu/2configs/elchos/irc-token.nix new file mode 100644 index 000000000..3f3c4ffc3 --- /dev/null +++ b/makefu/2configs/elchos/irc-token.nix @@ -0,0 +1,62 @@ +{pkgs, ...}: +with import <stockholm/lib>; +let + secret = (import <secrets/elchos-token.nix>); +in { + systemd.services.elchos-irctoken = { + startAt = "*:0/30"; + serviceConfig = { + RuntimeMaxSec = "20"; + }; + script = '' + set -euf + now=$(date -u +%Y-%m-%dT%H:%M) + sec=$(echo -n "${secret}$now" | md5sum | cut -d\ -f1) + message="The secret valid for 30 minutes is $sec" + echo "token for $now (UTC) is $sec" + LOGNAME=sec-announcer + HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static) + IRC_SERVER=irc.freenode.net + IRC_PORT=6667 + IRC_NICK=$HOSTNAME-$$ + IRC_CHANNEL='#eloop' + + export IRC_CHANNEL # for privmsg_cat + + echo2() { echo "$*"; echo "$*" >&2; } + + privmsg_cat() { ${pkgs.gawk}/bin/awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$HOSTNAME" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + ${pkgs.gnused}/bin/sed -un '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + printf '%s' "$message" \ + | privmsg_cat + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -un '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin + ''; + }; +} diff --git a/makefu/2configs/elchos/log.nix b/makefu/2configs/elchos/log.nix new file mode 100644 index 000000000..3facd1ceb --- /dev/null +++ b/makefu/2configs/elchos/log.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; +let +in { + networking.firewall.allowedTCPPorts = [ 80 443 514 ]; + networking.firewall.allowedUDPPorts = [ 80 443 514 ]; + services.logstash = { + enable = true; + enableWeb = true; + inputConfig = '' + syslog { + timezone => "Etc/UTC" + } + ''; + filterConfig = '' + if ( [program] == "proftpd") { + kv { + field_split => " " + } + } + ''; + outputConfig = '' + stdout { + codec => rubydebug + } + elasticsearch { } + ''; + }; + services.elasticsearch = { + enable = true; + }; + services.kibana = { + enable = true; + port = 9332; + }; + services.nginx = { + virtualHosts = { + "log.nsupdate.info" = { + enableACME = true; + forceSSL = true; + basicAuth = import <secrets/kibana-auth.nix>; + locations = { + "/" = { + proxyPass = "http://localhost:9332"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; + }; + }; +} diff --git a/makefu/2configs/elchos/search.nix b/makefu/2configs/elchos/search.nix index 5adaa0c6f..5777be373 100644 --- a/makefu/2configs/elchos/search.nix +++ b/makefu/2configs/elchos/search.nix @@ -1,11 +1,12 @@ { config, lib, pkgs, ... }: -# graphite-web on port 8080 -# carbon cache on port 2003 (tcp/udp) +# search also generates ddclient entries for all other logs + with import <stockholm/lib>; let #primary-itf = "eth0"; - primary-itf = "wlp2s0"; + #primary-itf = "wlp2s0"; + primary-itf = config.makefu.server.primary-itf; elch-sock = "${config.services.uwsgi.runDir}/uwsgi-elch.sock"; ddclientUser = "ddclient"; sec = toString <secrets>; @@ -14,15 +15,7 @@ let cfg = "${stateDir}/cfg"; ddclientPIDFile = "${stateDir}/ddclient.pid"; - acmepath = "/var/lib/acme/"; - acmechall = acmepath + "/challenges/"; # TODO: correct cert generation requires a `real` internet ip address - stats-dom = "stats.nsupdate.info"; - search-dom = "search.nsupdate.info"; - search_ssl_cert = "${acmepath}/${search-dom}/fullchain.pem"; - search_ssl_key = "${acmepath}/${search-dom}/key.pem"; - stats_ssl_cert = "${acmepath}/${stats-dom}/fullchain.pem"; - stats_ssl_key = "${acmepath}/${stats-dom}/key.pem"; gen-cfg = dict: '' ssl=yes @@ -64,75 +57,22 @@ in { }; }; - security.acme.certs = { - "${stats-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${stats-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains = { - "${stats-dom}" = null ; - }; - }; - "${search-dom}" = { - email = "acme@syntax-fehler.de"; - webroot = "${acmechall}/${search-dom}/"; - group = "nginx"; - allowKeysForGroup = true; - postRun = "systemctl reload nginx.service"; - extraDomains = { - "${stats-dom}" = null ; - }; - }; - }; - - krebs.nginx = { + services.nginx = { enable = mkDefault true; - servers = { - elch-stats = { - server-names = [ stats-dom ]; - # listen = [ "80" "443 ssl" ]; - ssl = { - enable = true; - certificate = stats_ssl_cert; - certificate_key = stats_ssl_key; - force_encryption = true; + virtualHosts = { + "search.nsupdate.info" = { + enableACME = true; + forceSSL = true; + locations = { + "/".extraConfig = '' + uwsgi_pass unix://${elch-sock}; + uwsgi_param UWSGI_CHDIR ${pkgs.elchhub}/${pkgs.python3.sitePackages}; + uwsgi_param UWSGI_MODULE elchhub.wsgi; + uwsgi_param UWSGI_CALLABLE app; + + include ${pkgs.nginx}/conf/uwsgi_params; + ''; }; - - locations = [ - (nameValuePair "/" '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:3000/; - '') - (nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${search-dom}/; - '') - ]; - }; - elchhub = { - server-names = [ "search.nsupdate.info" ]; - # listen = [ "80" "443 ssl" ]; - ssl = { - enable = true; - certificate = search_ssl_cert; - certificate_key = search_ssl_key; - force_encryption = true; - }; - locations = [ (nameValuePair "/" '' - uwsgi_pass unix://${elch-sock}; - uwsgi_param UWSGI_CHDIR ${pkgs.elchhub}/${pkgs.python3.sitePackages}; - uwsgi_param UWSGI_MODULE elchhub.wsgi; - uwsgi_param UWSGI_CALLABLE app; - - include ${pkgs.nginx}/conf/uwsgi_params; - '') - (nameValuePair "/.well-known/acme-challenge" '' - root ${acmechall}/${search-dom}/; - '') - ]; }; }; }; @@ -147,7 +87,7 @@ in { ExecStart = "${pkgs.elchhub}/bin/elch-manager"; }; }; - register-elchos-nsupdate = { + ddclient-nsupdate-elchos = { wantedBy = [ "multi-user.target" ]; after = [ "ip-up.target" ]; serviceConfig = { @@ -163,49 +103,8 @@ in { }; }; - services.grafana = { - enable = true; - addr = "127.0.0.1"; - users.allowSignUp = false; - users.allowOrgCreate = false; - users.autoAssignOrg = false; - auth.anonymous.enable = true; - security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} - }; - - services.graphite = { - api = { - enable = true; - listenAddress = "127.0.0.1"; - port = 8080; - }; - carbon = { - enableCache = true; - # save disk usage by restricting to 1 bulk update per second - config = '' - [cache] - MAX_CACHE_SIZE = inf - MAX_UPDATES_PER_SECOND = 1 - MAX_CREATES_PER_MINUTE = 500 - ''; - storageSchemas = '' - [carbon] - pattern = ^carbon\. - retentions = 60:90d - - [elchos] - patterhn = ^elchos\. - retentions = 10s:30d,60s:3y - - [default] - pattern = .* - retentions = 30s:30d,300s:1y - ''; - }; - }; - networking.firewall = { - allowedTCPPorts = [ 2003 80 443 ]; - allowedUDPPorts = [ 2003 ]; + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ ]; }; } diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix index 9f27b6647..b6133205f 100644 --- a/makefu/2configs/elchos/stats.nix +++ b/makefu/2configs/elchos/stats.nix @@ -1,73 +1,48 @@ { config, lib, pkgs, ... }: +# requires nsupdate to get correct hostname (from ./search.nix) # graphite-web on port 8080 # carbon cache on port 2003 (tcp/udp) + with import <stockholm/lib>; -let - sec = toString <secrets>; - acmepath = "/var/lib/acme/"; - acmechall = acmepath + "/challenges/"; - ext-dom = "stats.nsupdate.info"; - #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; - #ssl_key = "${sec}/wildcard.krebsco.de.key"; - ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; - ssl_key = "${acmepath}/${ext-dom}/key.pem"; -in { - networking.firewall = { - allowedTCPPorts = [ 2003 80 443 ]; - allowedUDPPorts = [ 2003 ]; +{ + + services.nginx = { + enable = mkDefault true; + virtualHosts = { + "stats.nsupdate.info" = { + enableACME = true; + forceSSL = true; + + locations = { + "/" = { + proxyPass = "http://localhost:3000/"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; + }; }; services.grafana = { enable = true; addr = "127.0.0.1"; - extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; }; users.allowSignUp = false; users.allowOrgCreate = false; users.autoAssignOrg = false; + auth.anonymous.enable = true; security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} }; - krebs.nginx = { - enable = true; - servers.elch-stats = { - server-names = [ ext-dom ]; - listen = [ "80" "443 ssl" ]; - ssl = { - enable = true; - # these certs will be needed if acme has not yet created certificates: - certificate = ssl_cert; - certificate_key = ssl_key; - force_encryption = true; - }; - - locations = [ - (nameValuePair "/" '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:3000/; |