diff --git a/nixos/components/network/nginx.nix b/nixos/components/network/nginx.nix index ab87afa..e43dc67 100644 --- a/nixos/components/network/nginx.nix +++ b/nixos/components/network/nginx.nix 
@@ -6,248 +6,260 @@ with lib; default = config.components.network.enable; }; - config = mkIf (config.components.network.nginx.enable) { + options.components.network.nginx.landingpage.enable = mkOption { + type = lib.types.bool; + default = config.components.network.nginx.enable; + }; - environment.systemPackages = [ - pkgs.nginx-config-formatter - (pkgs.writers.writePython3Bin "nginx-show-config" { flakeIgnore = [ "E265" "E225" "W292" ]; } - (lib.fileContents "${assets}/nginx-show-config.py")) - ]; + config = mkMerge [ + (mkIf (config.components.network.nginx.enable) { - security.acme.defaults.email = "contact@ingolf-wagner.de"; - security.acme.acceptTerms = true; + environment.systemPackages = [ + pkgs.nginx-config-formatter + (pkgs.writers.writePython3Bin "nginx-show-config" { flakeIgnore = [ "E265" "E225" "W292" ]; } + (lib.fileContents "${assets}/nginx-show-config.py")) + ]; - services.nginx = { + security.acme.defaults.email = "contact@ingolf-wagner.de"; + security.acme.acceptTerms = true; - # Use recommended settings - recommendedGzipSettings = lib.mkDefault true; - recommendedOptimisation = lib.mkDefault true; - recommendedProxySettings = lib.mkDefault true; - recommendedTlsSettings = lib.mkDefault true; + services.nginx = { - # for loki logging - commonHttpConfig = '' - log_format logfmt escape=json 'timestamp=$time_iso8601 ' - 'facility=nginx ' - 'src_addr=$remote_addr ' - 'body_bytes_sent=$body_bytes_sent ' - 'request_time=$request_time ' - 'response_status=$status ' - 'request="$request" ' - 'request_method="$request_method" ' - 'host="$host" ' - 'upstream_cache_status="$upstream_cache_status" ' - 'upstream_addr="$upstream_addr" ' - 'http_x_forwarded_for="$http_x_forwarded_for" ' - 'http_referrer="$http_referer" ' - 'http_user_agent="$http_user_agent"'; + # Use recommended settings + recommendedGzipSettings = lib.mkDefault true; + recommendedOptimisation = lib.mkDefault true; + recommendedProxySettings = lib.mkDefault true; + recommendedTlsSettings = 
lib.mkDefault true; - # log to local journald - access_log syslog:server=unix:/dev/log logfmt; - ''; + # for loki logging + commonHttpConfig = '' + log_format logfmt escape=json 'timestamp=$time_iso8601 ' + 'facility=nginx ' + 'src_addr=$remote_addr ' + 'body_bytes_sent=$body_bytes_sent ' + 'request_time=$request_time ' + 'response_status=$status ' + 'request="$request" ' + 'request_method="$request_method" ' + 'host="$host" ' + 'upstream_cache_status="$upstream_cache_status" ' + 'upstream_addr="$upstream_addr" ' + 'http_x_forwarded_for="$http_x_forwarded_for" ' + 'http_referrer="$http_referer" ' + 'http_user_agent="$http_user_agent"'; - }; + # log to local journald + access_log syslog:server=unix:/dev/log logfmt; + ''; - services.nginx.package = pkgs.nginxMainline; - services.nginx.virtualHosts."${config.networking.hostName}.private" = { - default = lib.mkDefault true; - locations."/" = { - root = pkgs.landingpage.override { + }; + + services.nginx.package = pkgs.nginxMainline; + + }) + + (mkIf (config.components.network.nginx.landingpage.enable) { + + services.nginx.virtualHosts."${config.networking.hostName}.private" = { + default = lib.mkDefault true; + locations."/" = { + root = pkgs.landingpage.override { - jsonConfig = [ - { title = "System Links"; } - { - text = "Syncthings"; - items = map - ({ name, host ? "${name}.private", ... }: { - label = name; - href = "http://${host}:8384/"; - image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif"; - }) - (lib.flatten (lib.mapAttrsToList (name: { ... 
}: { inherit name; }) - config.services.tinc.networks."private".hostSettings)); - } - { - text = "robi"; - items = [ - { - label = "Jellyfin"; - href = "http://flix.ingolf-wagner.de/"; - image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; - } - { - label = "netdata"; - href = "http://robi.private:19999/"; - image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif"; - } - { - label = "logs"; - href = "http://grafana.robi.private/explore"; - image = "https://raw.githubusercontent.com/cncf/landscape/master/hosted_logos/grafana-loki.svg"; - } - { - label = "grafana"; - href = "http://grafana.robi.private/"; - image = "https://www.vectorlogo.zone/logos/grafana/grafana-icon.svg"; - } - { - label = "prometheus"; - href = "http://prometheus.robi.private/"; - image = "https://www.vectorlogo.zone/logos/prometheusio/prometheusio-icon.svg"; - } + jsonConfig = [ + { title = "System Links"; } + { + text = "Syncthings"; + items = map + ({ name, host ? "${name}.private", ... }: { + label = name; + href = "http://${host}:8384/"; + image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif"; + }) + (lib.flatten (lib.mapAttrsToList (name: { ... 
}: { inherit name; }) + config.services.tinc.networks."private".hostSettings)); + } + { + text = "robi"; + items = [ + { + label = "Jellyfin"; + href = "http://flix.ingolf-wagner.de/"; + image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; + } + { + label = "netdata"; + href = "http://robi.private:19999/"; + image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif"; + } + { + label = "logs"; + href = "http://grafana.robi.private/explore"; + image = "https://raw.githubusercontent.com/cncf/landscape/master/hosted_logos/grafana-loki.svg"; + } + { + label = "grafana"; + href = "http://grafana.robi.private/"; + image = "https://www.vectorlogo.zone/logos/grafana/grafana-icon.svg"; + } + { + label = "prometheus"; + href = "http://prometheus.robi.private/"; + image = "https://www.vectorlogo.zone/logos/prometheusio/prometheusio-icon.svg"; + } - ]; - } - { - text = "chungus"; - items = [ - { - label = "HomeAssistant"; - href = "http://chungus.private:8123/"; - image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; - } - { - label = "Zigbee2Mqtt"; - href = "http://chungus.private:9666/"; - image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; - } - { - label = "Flix"; - href = "http://chungus:8096/"; - image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; - } - { - label = "netdata"; - href = "http://chungus.private:19999/"; - image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif"; - } - { - label = "logs"; - href = "http://grafana.chungus.private/explore"; - image = "https://raw.githubusercontent.com/cncf/landscape/master/hosted_logos/grafana-loki.svg"; - } - { - label = "grafana"; - href = "http://grafana.chungus.private/"; - image = "https://www.vectorlogo.zone/logos/grafana/grafana-icon.svg"; - } - { - label = "prometheus"; - href = "http://prometheus.chungus.private/"; - image = "https://www.vectorlogo.zone/logos/prometheusio/prometheusio-icon.svg"; - } - { - label = "Kitchen"; - href = "http://192.168.178.101/"; 
- image = "https://i.giphy.com/3o7TKsrMIW65QT7VWo.webp"; - } - { - label = "Living Room"; - href = "http://192.168.178.102/"; - image = "https://i.giphy.com/3o7TKsrMIW65QT7VWo.webp"; - } - ]; - } - { - title = "Various Links"; - items = [ - { - label = "Terrapen"; - href = "http://192.168.178.31/"; - image = "https://i.giphy.com/W08brEWFt7EpA5y2jI.webp"; - } - { - label = "NeverSSL"; - href = "https://oldslowfreshlight.neverssl.com/"; - image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; - } - { - label = "Hetzner Cloud"; - href = "https://console.hetzner.cloud/projects"; - image = - "https://media.giphy.com/media/NECZ8crkbXR0k/giphy.gif"; - } - { - label = "Pass the Popcorn"; - href = "https://passthepopcorn.me/"; - image = - "https://media.giphy.com/media/NipFetnQOuKhW/giphy.gif"; - } - { - label = "redacted"; - href = "https://redacted.ch/"; - image = - "https://media.giphy.com/media/ku5EcFe4PNGWA/giphy.gif"; - } - { - label = "Cups"; - href = "http://localhost:631/"; - image = - "https://media.giphy.com/media/7hU7x4GPurk2c/giphy.gif"; - } - ]; - } - { - text = "NixOS Links"; - items = [ - { - label = "NixOS Manual"; - href = "https://nixos.org/nixos/manual/"; - image = - "https://media.giphy.com/media/dsdVyKkSqccEzoPufX/giphy.gif"; - } - { - label = "Nixpkgs Manual"; - href = "https://nixos.org/nixpkgs/manual/"; - image = - "https://media.giphy.com/media/dsdVyKkSqccEzoPufX/giphy.gif"; - } - { - label = "NixOS Reference"; - href = - "https://storage.googleapis.com/files.tazj.in/nixdoc/manual.html#sec-functions-library"; - image = - "https://media.giphy.com/media/LkjlH3rVETgsg/giphy.gif"; - } - { - label = "Nix Packages"; - href = "https://nixos.org/nixos/packages.html"; - image = - "https://media.giphy.com/media/l2YWlohvjPnsvkdEc/giphy.gif"; - } - { - label = "NixOS Language specific helpers"; - href = - "https://nixos.wiki/wiki/Language-specific_package_helpers"; - image = - "https://media.giphy.com/media/LkjlH3rVETgsg/giphy.gif"; - } - { - label = 
"NixOS Weekly"; - href = "https://weekly.nixos.org/"; - image = - "https://media.giphy.com/media/lXiRLb0xFzmreM8k8/giphy.gif"; - } - { - label = "NixOS Security"; - href = "https://broken.sh/"; - image = - "https://media.giphy.com/media/BqILAHjH1Ttm0/giphy.gif"; - } - { - label = "NixOS RFCs"; - href = "https://github.com/NixOS/rfcs/"; - image = - "https://media.giphy.com/media/Uq9bGjGKg08M0/giphy.gif"; - } - ]; - } - { urlEncode = true; } - ]; + ]; + } + { + text = "chungus"; + items = [ + { + label = "HomeAssistant"; + href = "http://chungus.private:8123/"; + image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; + } + { + label = "Zigbee2Mqtt"; + href = "http://chungus.private:9666/"; + image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; + } + { + label = "Flix"; + href = "http://chungus:8096/"; + image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; + } + { + label = "netdata"; + href = "http://chungus.private:19999/"; + image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif"; + } + { + label = "logs"; + href = "http://grafana.chungus.private/explore"; + image = "https://raw.githubusercontent.com/cncf/landscape/master/hosted_logos/grafana-loki.svg"; + } + { + label = "grafana"; + href = "http://grafana.chungus.private/"; + image = "https://www.vectorlogo.zone/logos/grafana/grafana-icon.svg"; + } + { + label = "prometheus"; + href = "http://prometheus.chungus.private/"; + image = "https://www.vectorlogo.zone/logos/prometheusio/prometheusio-icon.svg"; + } + { + label = "Kitchen"; + href = "http://192.168.178.101/"; + image = "https://i.giphy.com/3o7TKsrMIW65QT7VWo.webp"; + } + { + label = "Living Room"; + href = "http://192.168.178.102/"; + image = "https://i.giphy.com/3o7TKsrMIW65QT7VWo.webp"; + } + ]; + } + { + title = "Various Links"; + items = [ + { + label = "Terrapen"; + href = "http://192.168.178.31/"; + image = "https://i.giphy.com/W08brEWFt7EpA5y2jI.webp"; + } + { + label = "NeverSSL"; + href = 
"https://oldslowfreshlight.neverssl.com/"; + image = "https://media.giphy.com/media/fyLi0OuWysotq/giphy.gif"; + } + { + label = "Hetzner Cloud"; + href = "https://console.hetzner.cloud/projects"; + image = + "https://media.giphy.com/media/NECZ8crkbXR0k/giphy.gif"; + } + { + label = "Pass the Popcorn"; + href = "https://passthepopcorn.me/"; + image = + "https://media.giphy.com/media/NipFetnQOuKhW/giphy.gif"; + } + { + label = "redacted"; + href = "https://redacted.ch/"; + image = + "https://media.giphy.com/media/ku5EcFe4PNGWA/giphy.gif"; + } + { + label = "Cups"; + href = "http://localhost:631/"; + image = + "https://media.giphy.com/media/7hU7x4GPurk2c/giphy.gif"; + } + ]; + } + { + text = "NixOS Links"; + items = [ + { + label = "NixOS Manual"; + href = "https://nixos.org/nixos/manual/"; + image = + "https://media.giphy.com/media/dsdVyKkSqccEzoPufX/giphy.gif"; + } + { + label = "Nixpkgs Manual"; + href = "https://nixos.org/nixpkgs/manual/"; + image = + "https://media.giphy.com/media/dsdVyKkSqccEzoPufX/giphy.gif"; + } + { + label = "NixOS Reference"; + href = + "https://storage.googleapis.com/files.tazj.in/nixdoc/manual.html#sec-functions-library"; + image = + "https://media.giphy.com/media/LkjlH3rVETgsg/giphy.gif"; + } + { + label = "Nix Packages"; + href = "https://nixos.org/nixos/packages.html"; + image = + "https://media.giphy.com/media/l2YWlohvjPnsvkdEc/giphy.gif"; + } + { + label = "NixOS Language specific helpers"; + href = + "https://nixos.wiki/wiki/Language-specific_package_helpers"; + image = + "https://media.giphy.com/media/LkjlH3rVETgsg/giphy.gif"; + } + { + label = "NixOS Weekly"; + href = "https://weekly.nixos.org/"; + image = + "https://media.giphy.com/media/lXiRLb0xFzmreM8k8/giphy.gif"; + } + { + label = "NixOS Security"; + href = "https://broken.sh/"; + image = + "https://media.giphy.com/media/BqILAHjH1Ttm0/giphy.gif"; + } + { + label = "NixOS RFCs"; + href = "https://github.com/NixOS/rfcs/"; + image = + 
"https://media.giphy.com/media/Uq9bGjGKg08M0/giphy.gif"; + } + ]; + } + { urlEncode = true; } + ]; + }; }; }; - }; - }; + }) + ]; } diff --git a/nixos/homes/common/packages.nix b/nixos/homes/common/packages.nix index 6c26b0a..41da475 100644 --- a/nixos/homes/common/packages.nix +++ b/nixos/homes/common/packages.nix @@ -29,6 +29,11 @@ with lib; tree killall nix-tree + + unstable.vulnix + (writers.writeBashBin "vulnix-system" '' + ${unstable.vulnix}/bin/vulnix --profile /nix/var/nix/profiles/system + '') ]; programs.btop.enable = true; diff --git a/nixos/machines/orbi/configuration.nix b/nixos/machines/orbi/configuration.nix index ec7f61f..4cb88dc 100644 --- a/nixos/machines/orbi/configuration.nix +++ b/nixos/machines/orbi/configuration.nix @@ -13,11 +13,11 @@ #./borg.nix #./codimd.nix #./gitea.nix - #./packages.nix #./taskserver.nix #./vaultwarden.nix - #./nginx.nix - #./nginx-wkd.nix + + ./nginx-ingolf-wagner-de.nix + ./nginx-wkd.nix ./network-tinc.nix ./network-wireguard.nix @@ -53,6 +53,7 @@ components.mainUser.enable = true; components.gui.enable = false; components.network.enable = true; + components.network.nginx.landingpage.enable = false; components.network.wifi.enable = false; security.acme.acceptTerms = true; diff --git a/nixos/machines/orbi/hardware-configuration/default.nix b/nixos/machines/orbi/hardware-configuration/default.nix index c48958e..bbbc6e3 100644 --- a/nixos/machines/orbi/hardware-configuration/default.nix +++ b/nixos/machines/orbi/hardware-configuration/default.nix @@ -55,6 +55,9 @@ in services.openssh.enable = true; services.sshguard.enable = true; + environment.systemPackages = [ + pkgs.ipset # for sshguard + ]; boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!) diff --git a/nixos/machines/orbi/nginx.nix b/nixos/machines/orbi/nginx-ingolf-wagner-de.nix similarity index 91% rename from nixos/machines/orbi/nginx.nix rename to nixos/machines/orbi/nginx-ingolf-wagner-de.nix index b05b49d..414ff7d 100644 
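Review bot: The landing-page vhost keeps `default = lib.mkDefault true;` and sets no `listenAddresses`, so on any machine where `components.network.nginx.landingpage.enable` is left at its default (true whenever nginx is enabled) it is the catch-all server on every interface, handing out internal hostnames, LAN addresses such as `192.168.178.101` and private-tracker links to anyone who reaches the IP with an unknown Host header. Since the new option exists precisely to keep this off public hosts, consider defaulting it to `false` (opt-in per machine) or pinning the vhost with `listenAddresses` to the tinc/private address, rather than relying on each public machine remembering to set it to false as orbi does in this commit. The new `mkOption` also has no `description`; suggest `description = "Serve the internal landing page as the default nginx vhost on <hostname>.private.";`. The enclosing module's argument list and the `assets` binding start before this hunk.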
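Review bot: The `vulnix-system` wrapper hard-codes its only argument and never forwards the command line, so `vulnix-system --json` or `vulnix-system --whitelist …` silently drops the flags; change the call to `${unstable.vulnix}/bin/vulnix --profile /nix/var/nix/profiles/system "$@"`. Note also that the wrapper inspects only the system profile, while this file installs packages into the per-user home-manager profile, so those packages are not covered by this scan; if that is intended, a short comment saying so would avoid a false sense of coverage.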
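Review bot: Turning the landing page off on orbi is the right call for a public host, but once it is gone nothing visible in this configuration declares a vhost with `default = true`, so nginx chooses the default server for bare-IP requests and unmatched Host headers itself, presumably the first server block it finds, which would be one of the ingolf-wagner.de sites from nginx-ingolf-wagner-de.nix. Consider an explicit catch-all that refuses such requests, e.g. `services.nginx.virtualHosts."_" = { default = true; rejectSSL = true; extraConfig = "return 444;"; };`, so that scanners and mis-pointed DNS names never land on a real site. I cannot see the other vhost definitions from here, so confirm none of them already sets `default`.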
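Review bot: `environment.systemPackages` only puts `ipset` on interactive shells' PATH; it does not change what the sshguard unit can execute, so if the `# for sshguard` comment means the service needs it at runtime this line does not achieve that (the NixOS sshguard module supplies the backend tools to its own unit, as far as I can tell), and if it is for inspecting the block list interactively the comment should say so: `pkgs.ipset # CLI for inspecting sshguard's block lists`. With `services.sshguard.enable = true` and no `services.sshguard.whitelist` visible in this hunk, also confirm the tinc/wireguard ranges are whitelisted so a mistyped key from a trusted peer cannot lock out management access.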
--- a/nixos/machines/orbi/nginx.nix +++ b/nixos/machines/orbi/nginx-ingolf-wagner-de.nix @@ -107,7 +107,6 @@ in }; }; }; - "travel.ingolf-wagner.de" = { forceSSL = true; enableACME = true; @@ -138,21 +137,6 @@ in }; } // error.locations; }; - "terranix.org" = { - forceSSL = true; - enableACME = true; - extraConfig = error.extraConfig; - locations = { - "/" = { - root = "/srv/www/terranix"; - extraConfig = '' - if (-d $request_filename) { - rewrite [^/]$ $scheme://$http_host$request_uri/ permanent; - } - ''; - }; - } // error.locations; - }; }; }; } diff --git a/nixos/machines/orbi/packages.nix b/nixos/machines/orbi/packages.nix deleted file mode 100644 index fb47b8c..0000000 --- a/nixos/machines/orbi/packages.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, pkgs, ... }: { - environment.systemPackages = with pkgs; [ - mosh - mediainfo - youtube-dl - ipset # for sshguard - - unstable.vulnix - (pkgs.writers.writeBashBin "vulnix-system" '' - ${pkgs.unstable.vulnix}/bin/vulnix --profile /nix/var/nix/profiles/system - '') - - ]; -} diff --git a/nixos/machines/robi/configuration.nix b/nixos/machines/robi/configuration.nix index 9a8a0d9..6315010 100644 --- a/nixos/machines/robi/configuration.nix +++ b/nixos/machines/robi/configuration.nix @@ -1,7 +1,7 @@ { lib, config, pkgs, ... }: { imports = [ - # ../../system/all/nginx.nix + # ../../system/all/nginx-ingolf-wagner-de.nix ../../system/all/defaults.nix ../../components @@ -16,8 +16,8 @@ ./packages.nix ./taskserver.nix ./vaultwarden.nix - ./nginx.nix - ./nginx-wkd.nix + #./nginx.nix + #./nginx-wkd.nix ./network-tinc.nix #./network-wireguard.nix