nixos-config/systems/LoutreOS/web.nix

{ config, lib, pkgs, ... }:

with lib;

let
  nginxSsoAuth = pkgs.writeText "nginx-sso_auth.inc" ''
    # Protect this location using the auth_request
    auth_request /sso-auth;

    # Redirect the user to the login page when they are not logged in
    error_page 401 = @error401;

    location /sso-auth {
        # Do not allow requests from outside
        internal;

        # Access /auth endpoint to query login state
        proxy_pass http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/auth;

        # Do not forward the request body (nginx-sso does not care about it)
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Set custom information for ACL matching: Each one is available as
        # a field for matching: X-Host = x-host, ...
        proxy_set_header X-Origin-URI $request_uri;
        proxy_set_header X-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # If the user is lead to /logout redirect them to the logout endpoint
    # of ngninx-sso which then will redirect the user to / on the current host
    location /sso-logout {
        return 302 https://login.nyanlout.re/logout?go=$scheme://$http_host/;
    }

    # Define where to send the user to login and specify how to get back
    location @error401 {
        return 302 https://login.nyanlout.re/login?go=$scheme://$http_host$request_uri;
    }
  '';
in
{
  security.acme = {
    defaults.email = "paul@nyanlout.re";
    acceptTerms = true;
  };

  users.groups = {
    work = {};
    webdav = {};
  };
  users.users = {
    work = {
      isSystemUser = true;
      group = config.users.groups.work.name;
    };
    webdav = {
      isSystemUser = true;
      group = config.users.groups.webdav.name;
    };
    # wordpress = {
    #   isSystemUser = true;
    #   group = config.services.nginx.group;
    # };
  };

  services = {
    phpfpm.pools = {
      # work = {
      #   user = config.users.users.work.name;
      #   phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
      #   settings = {
      #     "listen.owner" = config.services.nginx.user;
      #     "pm" = "dynamic";
      #     "pm.max_children" = 75;
      #     "pm.start_servers" = 10;
      #     "pm.min_spare_servers" = 5;
      #     "pm.max_spare_servers" = 20;
      #     "pm.max_requests" = 500;
      #   };
      # };

      # "wordpress-designyourfuture" = {
      #   user = config.users.users.wordpress.name;
      #   group = config.services.nginx.group;
      #   settings = {
      #     "listen.owner" = config.services.nginx.user;
      #     "pm" = "dynamic";
      #     "pm.max_children" = 32;
      #     "pm.start_servers" = 2;
      #     "pm.min_spare_servers" = 2;
      #     "pm.max_spare_servers" = 4;
      #     "pm.max_requests" = 500;
      #   };
      # };


      drive = {
        user = config.users.users.webdav.name;
        settings = {
          "listen.owner" = config.services.nginx.user;
          "pm" = "dynamic";
          "pm.max_children" = 75;
          "pm.start_servers" = 10;
          "pm.min_spare_servers" = 5;
          "pm.max_spare_servers" = 20;
          "pm.max_requests" = 500;
        };
        phpOptions = ''
          output_buffering=off
        '';
      };
    };
    nginx = {
      enable = true;
      package = pkgs.nginx.override {
        modules = with pkgs.nginxModules; [ dav moreheaders ];
      };
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      commonHttpConfig = ''
        map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security  $hsts_header;
        add_header Referrer-Policy            origin-when-cross-origin;
      '';
      sso = {
        enable = true;
        configuration = {
          listen = {
            addr = "127.0.0.1";
            port = 8082;
          };
          login = {
            title = "LoutreOS login";
            default_method = "simple";
            hide_mfa_field = true;
            names.simple = "Username / Password";
          };
          cookie = {
            domain = ".nyanlout.re";
            secure = true;
          };
          audit_log = {
            targets = [ "fd://stdout" ];
            events = [ "access_denied" "login_success" "login_failure" "logout" ];
          };
          providers.simple = {
            enable_basic_auth = true;
            users = {
              paul = "$2y$10$RMqeJF/hUasXZ5/SLKAu4uKKp6ac6qXCaRu4OY/fIN6ZYucDXzqYm";
            };
            groups = {
              admins = [ "paul" ];
            };
          };
          acl = {
            rule_sets = [
              {
                rules = [ { field = "x-host"; regexp = ".*"; } ];
                allow = [ "@admins" ];
              }
            ];
          };
        };
      };
      virtualHosts = let
        base = locations: {
          locations = locations // {
            "@maintenance" = {
              root = "/var/www/errorpages/";
              extraConfig = ''
                rewrite ^(.*)$ /50x.html break;
              '';
            };
          };
          forceSSL = true;
          enableACME = true;
          extraConfig = ''
            error_page 500 502 503 504 = @maintenance;
          '';
        };
        simpleReverse = rport: base {
          "/" = {
            proxyPass = "http://127.0.0.1:${toString(rport)}/";
          };
        };
        authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
          (base {
            "/" = {
              proxyPass = "http://127.0.0.1:${toString(rport)}/";
              extraConfig = ''
                auth_request_set $cookie $upstream_http_set_cookie;
                auth_request_set $username $upstream_http_x_username;
                proxy_set_header X-WEBAUTH-USER $username;
                add_header Set-Cookie $cookie;
              '';
            };
          })
          {
            extraConfig = ''
              include ${nginxSsoAuth};
            '';
          }
        ];
      in {
        "nyanlout.re" = base {
          "/" = {
            alias = "/var/www/site-perso/";
          };
          "/maintenance/" = {
            alias = "/var/www/errorpages/";
          };
          "/.well-known/openpgpkey/" = {
            alias = "/var/lib/gnupg/wks/nyanlout.re";
            extraConfig = ''
              add_header Access-Control-Allow-Origin * always;
            '';
          };
        } // { default = true; };
        "factorio.nyanlout.re" = base { "/" = { root = "/var/www/factorio"; }; };
        "minecraft.nyanlout.re" = base { "/" = { root = "/var/www/minecraft-overviewer"; }; };
        "musique-meyenheim.fr" = base {
          "/" = {
            proxyPass = "http://unix:/run/site-musique.sock";
          };
          "/static/" = {
            alias = "/var/www/site-musique/staticfiles/";
          };
          "/media/" = {
            alias = "/var/www/site-musique/media/";
          };
        };
        "www.musique-meyenheim.fr" = {
          enableACME = true;
          forceSSL = true;
          globalRedirect = "musique-meyenheim.fr";
        };
        # "maxspiegel.fr" = base { "/" = { root = "/run/python-ci/nyanloutre/site-max"; }; };
        "stream.nyanlout.re" = base {
          "/" = {
            proxyPass = "http://10.30.135.71";
          };
        };
        "login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
        "grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
        "transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
        "radarr.nyanlout.re" = authReverse 7878;
        "sonarr.nyanlout.re" = authReverse 8989;
        "syncthing.nyanlout.re" = authReverse 8384;
        "prowlarr.nyanlout.re" = authReverse 9696;
        "matrix.nyanlout.re" = simpleReverse 8008;
        "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
        "ci.nyanlout.re" = simpleReverse 52350;
        "gitea.nyanlout.re" = simpleReverse config.services.gitea.settings.server.HTTP_PORT;
        "musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
        "photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
        "apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
        # "work.rezom.eu" = base {
        #   "/" = {
        #     index = "/_h5ai/public/index.php";
        #     extraConfig = ''
        #       dav_ext_methods PROPFIND OPTIONS;
        #     '';
        #   };
        #   "~ ^/(_h5ai/public/index|random).php" = {
        #     extraConfig = ''
        #       fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #       fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
        #       include ${pkgs.nginx}/conf/fastcgi_params;
        #       include ${pkgs.nginx}/conf/fastcgi.conf;
        #     '';
        #   };
        # } // {
        #   root = "/mnt/medias/iso_linux";
        #   extraConfig = ''
        #     access_log /var/log/nginx/$host.log;
        #   '';
        # };
        "drive.nyanlout.re" = base {
          "/" = {
            index = "/index.php";
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
              include ${pkgs.nginx}/conf/fastcgi_params;
              include ${pkgs.nginx}/conf/fastcgi.conf;

              client_max_body_size    0;
            '';
          };
        } // {
          root = "/mnt/webdav";
        };
        "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
          (base {
            "/" = {
              proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
              extraConfig = ''
                auth_request_set $cookie $upstream_http_set_cookie;
                add_header Set-Cookie $cookie;
              '';
            };
          })
          {
            extraConfig = ''
              include ${nginxSsoAuth};
            '';
          }
        ];
        "designyourfuture.amandoline-creations.fr" = base {
          "/".alias = "/var/www/amandoline-designyourfuture/";
        };
        "amandoline-creations.fr" = base {
          "/".alias = "/var/www/amandoline-portfolio/";
        };
        "www.amandoline-creations.fr" = {
          enableACME = true;
          forceSSL = true;
          globalRedirect = "amandoline-creations.fr";
        };
      };
    };

    postgresql = {
      enable = true;
      package = pkgs.postgresql_14;
      settings = {
        full_page_writes = false;
      };
    };

    gitea = {
      enable = true;
      database = {
        type = "postgres";
        port = 5432;
        passwordFile = "/var/lib/gitea/custom/conf/database_password";
      };
      settings = {
        server = {
          HTTP_PORT = 3001;
          ROOT_URL = "https://gitea.nyanlout.re/";
        };
        ui.DEFAULT_THEME = "arc-green";
        log.LEVEL = "Warn";
        service.DISABLE_REGISTRATION = true;
        session.COOKIE_SECURE = true;
      };
    };

    python-ci.enable = true;

    # mysql = {
    #   enable = true;
    #   package = pkgs.mariadb;
    # };
  };

  systemd.services.nginx.serviceConfig = {
    ReadWritePaths = [
      "/var/www/hls"
      "/mnt/webdav"
    ];
  };

  systemd.services.phpfpm-work.serviceConfig = {
    ReadOnlyPaths = "/mnt/medias/iso_linux";
    ReadWritePaths = [
      "/mnt/medias/iso_linux/_h5ai"
    ];
  };

  systemd.services.site-musique = let
    djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_3 pillow setuptools ]));
  in {
    description = "Site Django de la musique de Meyenheim";
    after = [ "network.target" ];
    requires = [ "site-musique.socket" ];
    preStart = ''
      ${djangoEnv}/bin/python manage.py migrate;
      ${djangoEnv}/bin/python manage.py collectstatic --no-input;
    '';
    environment = {
      DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
      NGINX_DIRECTORY = "/var/www/site-musique";
    };
    serviceConfig = {
      DynamicUser = true;
      Group = "nginx";
      StateDirectory = "site-musique";
      WorkingDirectory = "/var/www/site-musique/";
      ReadWritePaths = [ "/var/www/site-musique/staticfiles" "/var/www/site-musique/media" ];
      EnvironmentFile = "/mnt/secrets/site-musique.env";
      ExecStart = ''${djangoEnv}/bin/gunicorn \
        --access-logfile - \
        --bind unix:/run/site-musique.sock \
        site_musique.wsgi:application
      '';
      PrivateTmp = true;
    };
  };

  systemd.sockets.site-musique = {
    description = "Site Musique socket";
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "/run/site-musique.sock" ];
  };

  systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";
}
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`nginxSsoAuth = pkgs.writeText "nginx-sso_auth.inc" ''`
			`# Protect this location using the auth_request`
			`auth_request /sso-auth;`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`# Redirect the user to the login page when they are not logged in`
			`error_page 401 = @error401;`

			`location /sso-auth {`
			`# Do not allow requests from outside`
			`internal;`

			`# Access /auth endpoint to query login state`
			`proxy_pass http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/auth;`

			`# Do not forward the request body (nginx-sso does not care about it)`
			`proxy_pass_request_body off;`
			`proxy_set_header Content-Length "";`

			`# Set custom information for ACL matching: Each one is available as`
			`# a field for matching: X-Host = x-host, ...`
			`proxy_set_header X-Origin-URI $request_uri;`
			`proxy_set_header X-Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`}`

			`# If the user is lead to /logout redirect them to the logout endpoint`
			`# of ngninx-sso which then will redirect the user to / on the current host`
			`location /sso-logout {`
			`return 302 https://login.nyanlout.re/logout?go=$scheme://$http_host/;`
			`}`

			`# Define where to send the user to login and specify how to get back`
			`location @error401 {`
			`return 302 https://login.nyanlout.re/login?go=$scheme://$http_host$request_uri;`
			`}`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00			`'';`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`in`
			`{`
			`security.acme = {`
LoutreOS: fix acme config 2022-07-05 20:41:35 +02:00			`defaults.email = "paul@nyanlout.re";`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`acceptTerms = true;`
			`};`

update nginx conf 2021-10-11 10:58:02 +02:00			`users.groups = {`
			`work = {};`
			`webdav = {};`
			`};`
			`users.users = {`
			`work = {`
			`isSystemUser = true;`
			`group = config.users.groups.work.name;`
			`};`
			`webdav = {`
			`isSystemUser = true;`
			`group = config.users.groups.webdav.name;`
			`};`
amandoleene-designyourfuture: wordpress to static website 2022-10-14 14:13:12 +02:00			`# wordpress = {`
			`# isSystemUser = true;`
			`# group = config.services.nginx.group;`
			`# };`
change nginx config 2020-11-29 12:53:51 +01:00			`};`

migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`services = {`
update nginx conf 2021-10-11 10:58:02 +02:00			`phpfpm.pools = {`
LoutreOS: disable redis 2022-07-05 20:40:48 +02:00			`# work = {`
			`# user = config.users.users.work.name;`
			`# phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);`
			`# settings = {`
			`# "listen.owner" = config.services.nginx.user;`
			`# "pm" = "dynamic";`
			`# "pm.max_children" = 75;`
			`# "pm.start_servers" = 10;`
			`# "pm.min_spare_servers" = 5;`
			`# "pm.max_spare_servers" = 20;`
			`# "pm.max_requests" = 500;`
			`# };`
			`# };`
add wordpress website 2022-09-23 13:38:36 +02:00
amandoleene-designyourfuture: wordpress to static website 2022-10-14 14:13:12 +02:00			`# "wordpress-designyourfuture" = {`
			`# user = config.users.users.wordpress.name;`
			`# group = config.services.nginx.group;`
			`# settings = {`
			`# "listen.owner" = config.services.nginx.user;`
			`# "pm" = "dynamic";`
			`# "pm.max_children" = 32;`
			`# "pm.start_servers" = 2;`
			`# "pm.min_spare_servers" = 2;`
			`# "pm.max_spare_servers" = 4;`
			`# "pm.max_requests" = 500;`
			`# };`
			`# };`
add wordpress website 2022-09-23 13:38:36 +02:00

update nginx conf 2021-10-11 10:58:02 +02:00			`drive = {`
			`user = config.users.users.webdav.name;`
			`settings = {`
			`"listen.owner" = config.services.nginx.user;`
			`"pm" = "dynamic";`
			`"pm.max_children" = 75;`
			`"pm.start_servers" = 10;`
			`"pm.min_spare_servers" = 5;`
			`"pm.max_spare_servers" = 20;`
			`"pm.max_requests" = 500;`
			`};`
			`phpOptions = ''`
			`output_buffering=off`
			`'';`
change nginx config 2020-11-29 12:53:51 +01:00			`};`
			`};`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00			`nginx = {`
			`enable = true;`
nginx: create rtmp streaming server 2020-04-08 12:48:42 +02:00			`package = pkgs.nginx.override {`
update nginx conf 2021-10-11 10:58:02 +02:00			`modules = with pkgs.nginxModules; [ dav moreheaders ];`
nginx: create rtmp streaming server 2020-04-08 12:48:42 +02:00			`};`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
web: refactor nginx config 2020-03-02 23:20:17 +01:00			`recommendedProxySettings = true;`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`recommendedTlsSettings = true;`
			`commonHttpConfig = ''`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`
			`add_header Referrer-Policy origin-when-cross-origin;`
web: refactor nginx config 2020-03-02 23:20:17 +01:00			`'';`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`sso = {`
			`enable = true;`
			`configuration = {`
			`listen = {`
			`addr = "127.0.0.1";`
			`port = 8082;`
			`};`
			`login = {`
			`title = "LoutreOS login";`
			`default_method = "simple";`
			`hide_mfa_field = true;`
			`names.simple = "Username / Password";`
			`};`
			`cookie = {`
			`domain = ".nyanlout.re";`
			`secure = true;`
			`};`
			`audit_log = {`
			`targets = [ "fd://stdout" ];`
			`events = [ "access_denied" "login_success" "login_failure" "logout" ];`
			`};`
			`providers.simple = {`
			`enable_basic_auth = true;`
			`users = {`
			`paul = "$2y$10$RMqeJF/hUasXZ5/SLKAu4uKKp6ac6qXCaRu4OY/fIN6ZYucDXzqYm";`
			`};`
			`groups = {`
			`admins = [ "paul" ];`
			`};`
			`};`
			`acl = {`
			`rule_sets = [`
			`{`
			`rules = [ { field = "x-host"; regexp = ".*"; } ];`
			`allow = [ "@admins" ];`
			`}`
			`];`
			`};`
LoutreOS: ajout site Minecraft 2019-11-02 13:53:53 +01:00			`};`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`};`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`virtualHosts = let`
			`base = locations: {`
update nginx conf 2021-10-11 10:58:02 +02:00			`locations = locations // {`
			`"@maintenance" = {`
			`root = "/var/www/errorpages/";`
			`extraConfig = ''`
			`rewrite ^(.*)$ /50x.html break;`
			`'';`
			`};`
			`};`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`forceSSL = true;`
			`enableACME = true;`
update nginx conf 2021-10-11 10:58:02 +02:00			`extraConfig = ''`
			`error_page 500 502 503 504 = @maintenance;`
			`'';`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`};`
			`simpleReverse = rport: base {`
			`"/" = {`
			`proxyPass = "http://127.0.0.1:${toString(rport)}/";`
			`};`
			`};`
update nginx conf 2021-10-11 10:58:02 +02:00			`authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [`
			`(base {`
			`"/" = {`
			`proxyPass = "http://127.0.0.1:${toString(rport)}/";`
			`extraConfig = ''`
			`auth_request_set $cookie $upstream_http_set_cookie;`
update LoutreOS to 22.11 2022-12-30 15:08:20 +01:00			`auth_request_set $username $upstream_http_x_username;`
			`proxy_set_header X-WEBAUTH-USER $username;`
update nginx conf 2021-10-11 10:58:02 +02:00			`add_header Set-Cookie $cookie;`
			`'';`
			`};`
			`})`
			`{`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`extraConfig = ''`
update nginx conf 2021-10-11 10:58:02 +02:00			`include ${nginxSsoAuth};`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`'';`
update nginx conf 2021-10-11 10:58:02 +02:00			`}`
			`];`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`in {`
nginx: utilisation fonctions 2020-04-09 16:28:25 +02:00			`"nyanlout.re" = base {`
			`"/" = {`
			`alias = "/var/www/site-perso/";`
migrate haproxy -> nginx 2020-04-08 12:45:36 +02:00			`};`
update nginx conf 2021-10-11 10:58:02 +02:00			`"/maintenance/" = {`
nginx: utilisation fonctions 2020-04-09 16:28:25 +02:00			`alias = "/var/www/errorpages/";`
mastodon: init 2020-04-08 12:49:45 +02:00			`};`
nginx: utilisation fonctions 2020-04-09 16:28:25 +02:00			`"/.well-known/openpgpkey/" = {`
			`alias = "/var/lib/gnupg/wks/nyanlout.re";`
mastodon: init 2020-04-08 12:49:45 +02:00			`extraConfig = ''`
nginx: utilisation fonctions 2020-04-09 16:28:25 +02:00			`add_header Access-Control-Allow-Origin * always;`
mastodon: init 2020-04-08 12:49:45 +02:00			`'';`
			`};`
nginx: utilisation fonctions 2020-04-09 16:28:25 +02:00			`} // { default = true; };`
			`"factorio.nyanlout.re" = base { "/" = { root = "/var/www/factorio"; }; };`
			`"minecraft.nyanlout.re" = base { "/" = { root = "/var/www/minecraft-overviewer"; }; };`
			`"musique-meyenheim.fr" = base {`
			`"/" = {`
			`proxyPass = "http://unix:/run/site-musique.sock";`
			`};`
			`"/static/" = {`
			`alias = "/var/www/site-musique/staticfiles/";`
			`};`
			`"/media/" = {`
			`alias = "/var/www/site-musique/media/";`
mastodon: init 2020-04-08 12:49:45 +02:00			`};`
			`};`
redirect www.musique-meyenheim.fr 2023-02-16 17:30:46 +01:00			`"www.musique-meyenheim.fr" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`globalRedirect = "musique-meyenheim.fr";`
			`};`
LoutreOS: temporarily disable max website 2022-07-05 21:53:47 +02:00			`# "maxspiegel.fr" = base { "/" = { root = "/run/python-ci/nyanloutre/site-max"; }; };`
nginx: utilisation fonctions 2020-04-09 16:28:25 +02:00			`"stream.nyanlout.re" = base {`
			`"/" = {`
LoutreOS: déplacement serveur rtmp 2021-01-06 02:20:58 +01:00			`proxyPass = "http://10.30.135.71";`
nginx: create rtmp streaming server 2020-04-08 12:48:42 +02:00			`};`
			`};`
nginx: utilisation fonctions 2020-04-09 16:28:25 +02:00			`"login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;`
update LoutreOS to 22.11 2022-12-30 15:08:20 +01:00			`"grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;`
rename obsolete transmission option 2021-12-16 19:07:30 +01:00			`"transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`"radarr.nyanlout.re" = authReverse 7878;`
			`"sonarr.nyanlout.re" = authReverse 8989;`
			`"syncthing.nyanlout.re" = authReverse 8384;`
replace jackett with prowlarr 2023-05-18 22:41:11 +02:00			`"prowlarr.nyanlout.re" = authReverse 9696;`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`"matrix.nyanlout.re" = simpleReverse 8008;`
update nginx conf 2021-10-11 10:58:02 +02:00			`"emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {`
			`locations."/" = {`
			`proxyWebsockets = true;`
			`};`
			`};`
nginx: simplify nix functions 2020-04-08 13:03:01 +02:00			`"ci.nyanlout.re" = simpleReverse 52350;`
LoutreOS: update to 23.05 and rename deprecated options 2023-06-13 14:05:05 +02:00			`"gitea.nyanlout.re" = simpleReverse config.services.gitea.settings.server.HTTP_PORT;`
LoutreOS: airsonic -> navidrome 2021-01-06 02:07:56 +01:00			`"musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;`
create photoprism accounts 2023-05-18 20:23:02 +02:00			`"photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {`
install photoprism 2022-12-30 15:08:37 +01:00			`locations."/" = {`
			`proxyWebsockets = true;`
			`};`
			`};`
fix nginx home-assistant config 2022-06-14 08:27:13 +02:00			`"apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {`
Installation home-assistant 2020-08-30 21:16:41 +02:00			`locations."/" = {`
			`proxyWebsockets = true;`
			`};`
			`};`
update nginx conf 2021-10-11 10:58:02 +02:00			`# "work.rezom.eu" = base {`
			`# "/" = {`
			`# index = "/_h5ai/public/index.php";`
			`# extraConfig = ''`
			`# dav_ext_methods PROPFIND OPTIONS;`
			`# '';`
			`# };`
			`# "~ ^/(_h5ai/public/index\|random).php" = {`
			`# extraConfig = ''`
			`# fastcgi_split_path_info ^(.+\.php)(/.+)$;`
			`# fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};`
			`# include ${pkgs.nginx}/conf/fastcgi_params;`
			`# include ${pkgs.nginx}/conf/fastcgi.conf;`
			`# '';`
			`# };`
			`# } // {`
			`# root = "/mnt/medias/iso_linux";`
			`# extraConfig = ''`
			`# access_log /var/log/nginx/$host.log;`
			`# '';`
			`# };`
			`"drive.nyanlout.re" = base {`
change nginx config 2020-11-29 12:53:51 +01:00			`"/" = {`
update nginx conf 2021-10-11 10:58:02 +02:00			`index = "/index.php";`
change nginx config 2020-11-29 12:53:51 +01:00			`extraConfig = ''`
			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`
update nginx conf 2021-10-11 10:58:02 +02:00			`fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};`
change nginx config 2020-11-29 12:53:51 +01:00			`include ${pkgs.nginx}/conf/fastcgi_params;`
			`include ${pkgs.nginx}/conf/fastcgi.conf;`
update nginx conf 2021-10-11 10:58:02 +02:00
			`client_max_body_size 0;`
change nginx config 2020-11-29 12:53:51 +01:00			`'';`
			`};`
LoutreOS: indexation de logs nginx avec Loki 2021-01-06 02:12:01 +01:00			`} // {`
update nginx conf 2021-10-11 10:58:02 +02:00			`root = "/mnt/webdav";`
LoutreOS: indexation de logs nginx avec Loki 2021-01-06 02:12:01 +01:00			`};`
update nginx conf 2021-10-11 10:58:02 +02:00			`"rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [`
			`(base {`
			`"/" = {`
			`proxyPass = "http://unix:/run/rspamd/worker-controller.sock";`
			`extraConfig = ''`
			`auth_request_set $cookie $upstream_http_set_cookie;`
			`add_header Set-Cookie $cookie;`
			`'';`
			`};`
			`})`
			`{`
			`extraConfig = ''`
			`include ${nginxSsoAuth};`
			`'';`
			`}`
			`];`
add wordpress website 2022-09-23 13:38:36 +02:00			`"designyourfuture.amandoline-creations.fr" = base {`
ajout amandoline-creations.fr 2023-02-16 17:31:01 +01:00			`"/".alias = "/var/www/amandoline-designyourfuture/";`
			`};`
			`"amandoline-creations.fr" = base {`
			`"/".alias = "/var/www/amandoline-portfolio/";`
			`};`
			`"www.amandoline-creations.fr" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`globalRedirect = "amandoline-creations.fr";`
amandoleene-designyourfuture: wordpress to static website 2022-10-14 14:13:12 +02:00			`};`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00			`};`
			`};`

postgresql: improve zfs performances 2020-04-08 12:53:53 +02:00			`postgresql = {`
			`enable = true;`
LoutreOS: update Postgresql to 14 2022-07-04 23:39:05 +02:00			`package = pkgs.postgresql_14;`
fixs nixos 20.09 2020-11-29 12:51:18 +01:00			`settings = {`
			`full_page_writes = false;`
			`};`
postgresql: improve zfs performances 2020-04-08 12:53:53 +02:00			`};`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00
			`gitea = {`
			`enable = true;`
			`database = {`
			`type = "postgres";`
			`port = 5432;`
			`passwordFile = "/var/lib/gitea/custom/conf/database_password";`
			`};`
fixs nixos 20.09 2020-11-29 12:51:18 +01:00			`settings = {`
LoutreOS: update to 23.05 and rename deprecated options 2023-06-13 14:05:05 +02:00			`server = {`
			`HTTP_PORT = 3001;`
			`ROOT_URL = "https://gitea.nyanlout.re/";`
			`};`
fixs nixos 20.09 2020-11-29 12:51:18 +01:00			`ui.DEFAULT_THEME = "arc-green";`
update LoutreOS to 22.11 2022-12-30 15:08:20 +01:00			`log.LEVEL = "Warn";`
			`service.DISABLE_REGISTRATION = true;`
			`session.COOKIE_SECURE = true;`
fixs nixos 20.09 2020-11-29 12:51:18 +01:00			`};`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00			`};`

			`python-ci.enable = true;`
add wordpress website 2022-09-23 13:38:36 +02:00
amandoleene-designyourfuture: wordpress to static website 2022-10-14 14:13:12 +02:00			`# mysql = {`
			`# enable = true;`
			`# package = pkgs.mariadb;`
			`# };`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00			`};`
LoutreOS: migration site musique Django 2019-11-01 22:23:20 +01:00
fixs nixos 20.09 2020-11-29 12:51:18 +01:00			`systemd.services.nginx.serviceConfig = {`
update nginx conf 2021-10-11 10:58:02 +02:00			`ReadWritePaths = [`
			`"/var/www/hls"`
			`"/mnt/webdav"`
			`];`
fixs nixos 20.09 2020-11-29 12:51:18 +01:00			`};`

change nginx config 2020-11-29 12:53:51 +01:00			`systemd.services.phpfpm-work.serviceConfig = {`
			`ReadOnlyPaths = "/mnt/medias/iso_linux";`
LoutreOS: ajout config php redis 2021-01-06 02:15:38 +01:00			`ReadWritePaths = [`
			`"/mnt/medias/iso_linux/_h5ai"`
			`];`
change nginx config 2020-11-29 12:53:51 +01:00			`};`

LoutreOS: migration site musique Django 2019-11-01 22:23:20 +01:00			`systemd.services.site-musique = let`
Changes for 21.05 2021-07-28 23:03:34 +02:00			`djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_3 pillow setuptools ]));`
LoutreOS: migration site musique Django 2019-11-01 22:23:20 +01:00			`in {`
			`description = "Site Django de la musique de Meyenheim";`
			`after = [ "network.target" ];`
			`requires = [ "site-musique.socket" ];`
			`preStart = ''`
			`${djangoEnv}/bin/python manage.py migrate;`
			`${djangoEnv}/bin/python manage.py collectstatic --no-input;`
			`'';`
			`environment = {`
			`DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";`
			`NGINX_DIRECTORY = "/var/www/site-musique";`
			`};`
			`serviceConfig = {`
			`DynamicUser = true;`
			`Group = "nginx";`
			`StateDirectory = "site-musique";`
			`WorkingDirectory = "/var/www/site-musique/";`
			`ReadWritePaths = [ "/var/www/site-musique/staticfiles" "/var/www/site-musique/media" ];`
			`EnvironmentFile = "/mnt/secrets/site-musique.env";`
			`ExecStart = ''${djangoEnv}/bin/gunicorn \`
			`--access-logfile - \`
			`--bind unix:/run/site-musique.sock \`
			`site_musique.wsgi:application`
			`'';`
			`PrivateTmp = true;`
			`};`
			`};`

			`systemd.sockets.site-musique = {`
			`description = "Site Musique socket";`
			`wantedBy = [ "sockets.target" ];`
			`listenStreams = [ "/run/site-musique.sock" ];`
			`};`
migrate to nix flake 2021-10-11 10:43:57 +02:00
			`systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";`
LoutreOS: refactor services 2019-11-01 15:24:50 +01:00			`}`