From 74181f747f2ce0b26a32815e5d08196e651631de Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 24 Dec 2020 17:07:40 +0100
Subject: [PATCH] update: sputnik

---
 .channelStable.json | 11 ++--
 .channelUnstable.json | 11 ++--
 .nix-writers.json | 5 +-
 .nixos-generators.json | 5 +-
 configs/pepe/home-assistant.nix | 2 +-
 configs/sputnik/nginx.nix | 89 ++++++++++++++++++++++++++++-----
 6 files changed, 100 insertions(+), 23 deletions(-)

diff --git a/.channelStable.json b/.channelStable.json
index 334306d..88b23b7 100644
--- a/.channelStable.json
+++ b/.channelStable.json
@@ -1,7 +1,10 @@
 {
 "url": "https://github.com/NixOS/nixpkgs.git",
- "rev": "58f9c4c7d3a42c912362ca68577162e38ea8edfb",
- "date": "2020-11-18T12:49:40-05:00",
- "sha256": "1517dy07jf4zhzknqbgm617lgjxsn7a6k1vgq61c67f6h55qs5ij",
- "fetchSubmodules": false
+ "rev": "a3a3dda3bacf61e8a39258a0ed9c924eeca8e293",
+ "date": "2020-12-21T23:27:46+09:00",
+ "path": "/nix/store/w6v7bln3aqbx4656fknf9q4w9wksk42r-nixpkgs",
+ "sha256": "1ahn3srby9rjh7019b26n4rb4926di1lqdrclxfy2ff7nlf0yhd5",
+ "fetchSubmodules": false,
+ "deepClone": false,
+ "leaveDotGit": false
 }
diff --git a/.channelUnstable.json b/.channelUnstable.json
index eceb17f..fdd9461 100644
--- a/.channelUnstable.json
+++ b/.channelUnstable.json
@@ -1,7 +1,10 @@
 {
 "url": "https://github.com/NixOS/nixpkgs.git",
- "rev": "2deeb58f49480f468adca6b08291322de4dbce6b",
- "date": "2020-11-12T23:50:31+00:00",
- "sha256": "0fx2car6dcd1yz6jjkifcan0amwzhs3170h0r69k0wfwiaadpvjv",
- "fetchSubmodules": false
+ "rev": "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4",
+ "date": "2020-12-09T15:09:49+01:00",
+ "path": "/nix/store/cx4wf6pi1l2p01sz7png891m65kinfz3-nixpkgs",
+ "sha256": "0cnmvnvin9ixzl98fmlm3g17l6w95gifqfb3rfxs55c0wj2ddy53",
+ "fetchSubmodules": false,
+ "deepClone": false,
+ "leaveDotGit": false
 }
diff --git a/.nix-writers.json b/.nix-writers.json
index 474b17a..5943e89 100644
--- a/.nix-writers.json
+++ b/.nix-writers.json
@@ -2,6 +2,9 @@
 "url": "https://cgit.krebsco.de/nix-writers/",
 "rev": "fc8a3802a0777a5f43a9a2fe0f5848ecaeb555a1",
 "date": "2018-10-27T14:45:48+02:00",
+ "path": "/nix/store/81f2li00frwb29kzk7wjw7b87l65s8bg-nix-writers",
 "sha256": "1iy207rcbz9nv9bf64025ypy38x8mwzl6snbmbrq347h6vvs0ksc",
- "fetchSubmodules": false
+ "fetchSubmodules": false,
+ "deepClone": false,
+ "leaveDotGit": false
 }
diff --git a/.nixos-generators.json b/.nixos-generators.json
index 95085c3..904eef2 100644
--- a/.nixos-generators.json
+++ b/.nixos-generators.json
@@ -2,6 +2,9 @@
 "url": "https://github.com/nix-community/nixos-generators.git",
 "rev": "ef1e4480cf8af45cfdeac597b2f1b1af33923e93",
 "date": "2019-01-18T10:41:01+01:00",
+ "path": "/nix/store/61wmz4fvlyxnxhw9smkl897rhavj06ry-nixos-generators-ef1e448",
 "sha256": "0ymzp4pmpkjjjg5h8d45gv8avy4wh1dj0v238i2cz3jp3j489ik9",
- "fetchSubmodules": false
+ "fetchSubmodules": false,
+ "deepClone": false,
+ "leaveDotGit": false
 }
diff --git a/configs/pepe/home-assistant.nix b/configs/pepe/home-assistant.nix
index a18ab3d..a3bf0cc 100644
--- a/configs/pepe/home-assistant.nix
+++ b/configs/pepe/home-assistant.nix
@@ -429,7 +429,7 @@ in {
 # };
 #};
- hot = 22;
+ hot = 23;
 cold = 14;
 fyrtur_command = device: position: {
diff --git a/configs/sputnik/nginx.nix b/configs/sputnik/nginx.nix
index 86af53e..4a5e086 100644
--- a/configs/sputnik/nginx.nix
+++ b/configs/sputnik/nginx.nix
@@ -55,7 +55,38 @@ in {
 extraConfig = error.extraConfig;
 locations = {
- "/" = { proxyPass = "http://workhorse.private:3000"; };
+ "/" = {
+ proxyPass = "http://workhorse.private:3000";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if ($request_method = 'POST') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+ }
+ if ($request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+ }
+ '';
+ };
 } // error.locations;
 };
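Review bot: `add_header 'Access-Control-Allow-Origin' '*'` on the `/` location makes every response the proxied `workhorse.private:3000` backend returns readable from any web origin, and the same header set is repeated in all three `if` blocks. If a single known frontend consumes this backend, name that origin instead of `*`; if the wildcard is deliberate, record the reason next to it, e.g. `# CORS open to all origins: backend serves only public, unauthenticated data (TODO confirm)`. Note also that nginx does not inherit `add_header` directives into an `if` block that defines its own, so any headers set at the server level (for example through `error.extraConfig`, whose contents are not visible here) will be missing from these responses. The enclosing virtualHost definition starts outside the hunk.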
@@ -256,19 +287,53 @@ in {
 services.sslh = {
 enable = true;
- listenAddress = "0.0.0.0";
+ listenAddresses = [ "0.0.0.0" ];
 port = 443;
- verbose = false;
+ verbose = true;
 transparent = true;
- appendConfig = # json
- ''
- protocols:
- (
- { name: "ssh"; service: "ssh"; host: "localhost"; port: "2222"; probe: "builtin"; },
- { name: "ssl"; host: "localhost"; port: "4443"; probe: "builtin"; },
- { name: "tinc"; host: "localhost"; port: "655"; probe: "builtin"; }
- );
- '';
+ # List of protocols
+ #
+ # Each protocol entry consists of:
+ # name: name of the probe. These are listed on the command line (ssh -?), plus 'regex' and 'timeout'.
+ # service: (optional) libwrap service name (see hosts_access(5))
+ # host, port: where to connect when this probe succeeds
+ # log_level: 0 to turn off logging
+ # 1 to log each incoming connection
+ # keepalive: Should TCP keepalive be on or off for that
+ # connection (default is off)
+ # fork: Should a new process be forked for this protocol?
+ # (only useful for sslh-select)
+ # tfo_ok: Set to true if the server supports TCP FAST OPEN
+ #
+ # Probe-specific options:
+ # (sslh will try each probe in order they are declared, and
+ # connect to the first that matches.)
+ #
+ # tls:
+ # sni_hostnames: list of FQDN for that target
+ # alpn_protocols: list of ALPN protocols for that target, see:
+ # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
+ #
+ # if both sni_hostnames AND alpn_protocols are specified, both must match
+ #
+ # if neither are set, it is just checked whether this is the TLS protocol or not
+ #
+ # Obviously set the most specific probes
+ # first, and if you use TLS with no ALPN/SNI
+ # set it as the last TLS probe
+ # regex:
+ # regex_patterns: list of patterns to match for
+ # that target.
+ #
+ # You can specify several of 'regex' and 'tls'.
+ appendConfig = ''
+ protocols:
+ (
+ { name: "ssh"; service: "ssh"; host: "localhost"; port: "2222";},
+ { name: "tls"; host: "localhost"; port: "4443";},
+ { name: "tinc"; host: "localhost"; port: "655"; }
+ );
+ '';
 };
 systemd.services."socat-proxy" = {
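Review bot: The roughly 35-line comment block added above `appendConfig` is the generic option reference from an sslh sample configuration rather than documentation of this host: it explains `log_level`, `tfo_ok`, `sni_hostnames` and `regex_patterns`, none of which the three probes below use, so it adds reading time without saying why these entries are ordered as they are. A two-line note would serve better, e.g. `# Probes are tried in declaration order; the tls entry sets no sni_hostnames/alpn_protocols, so it matches any TLS ClientHello and should stay the last TLS probe.` The flip from `verbose = false` to `verbose = true` also changes what sslh writes to the journal for every accepted connection; if it was turned on to debug this migration, it is worth a comment or a follow-up to turn it back off. The `listenAddress` → `listenAddresses` rename presumably tracks the nixpkgs pin bump in this same commit, but that is not verifiable from the hunk; the `services.sslh` block is complete within it while `systemd.services."socat-proxy"` continues past its end.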