diff --git a/containers/vsftpd.nix b/containers/vsftpd.nix
index 409ab6f..77e01dd 100644
--- a/containers/vsftpd.nix
+++ b/containers/vsftpd.nix
@@ -12,7 +12,7 @@
userlistDeny = false;
localUsers = true;
userlist = ["claire" "manu" "lakeu" "fusil" "stryxion" "nico"];
- rsaCertFile = "/var/vsftpd/vsftpd.pem";
+ rsaCertFile = "/var/lib/acme/nyanlout.re/full.pem";
extraConfig = ''
pasv_min_port=64000
pasv_max_port=65535
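Review bot: `rsaCertFile` now points vsftpd at the host's ACME output, and together with the bind mount in the next hunk this exposes the whole `/var/lib/acme/nyanlout.re` directory, private key included (`full.pem` itself bundles the key), inside the container. NixOS container bindMounts are read-only unless `isReadOnly = false` is set, so the container cannot alter the material, but the process that opens `full.pem` inside the container must still be able to read files the host keeps owned by the acme group (`group = "acme"` in services/haproxy-acme.nix) — the container has its own name-to-id tables, so confirm the effective uid/gid can read them rather than relying on the name matching. Mounting the directory rather than the single file is the right choice for renewals, which replace the files; stating the intent explicitly with `isReadOnly = true;` on the mount would make that reviewable at a glance.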
@@ -59,8 +59,8 @@
};
};
bindMounts = {
- "/var/vsftpd/vsftpd.pem" = {
- hostPath = "/var/vsftpd/vsftpd.pem";
+ "/var/lib/acme/nyanlout.re" = {
+ hostPath = "/var/lib/acme/nyanlout.re";
};
"/mnt/medias" = {
hostPath = "/mnt/medias";
diff --git a/overlays/riot-web.nix b/overlays/riot-web.nix
index c92dfa5..33428ff 100644
--- a/overlays/riot-web.nix
+++ b/overlays/riot-web.nix
@@ -1,17 +1,15 @@
self: super:
{
riot-web = super.riot-web.override {
- conf = ''
- {
- "default_hs_url": "https://matrix.nyanlout.re",
- "default_is_url": "https://vector.im",
- "brand": "Nyanloutre",
- "default_theme": "dark",
- "integrations_ui_url": "https://dimension.t2bot.io/riot",
- "integrations_rest_url": "https://dimension.t2bot.io/api/v1/scalar",
- "integrations_widgets_urls": ["https://dimension.t2bot.io/widgets"],
- "integrations_jitsi_widget_url": "https://dimension.t2bot.io/widgets/jitsi"
- }
- '';
+ conf = {
+ default_hs_url = "https://matrix.nyanlout.re";
+ default_is_url = "https://vector.im";
+ brand = "Nyanloutre";
+ default_theme = "dark";
+ integrations_ui_url = "https://dimension.t2bot.io/riot";
+ integrations_rest_url = "https://dimension.t2bot.io/api/v1/scalar";
+ integrations_widgets_urls = ["https://dimension.t2bot.io/widgets"];
+ integrations_jitsi_widget_url = "https://dimension.t2bot.io/widgets/jitsi";
+ };
};
}
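Review bot: Passing `conf` as a Nix attribute set instead of the JSON string relies on the overridden riot-web derivation serializing it (presumably via `builtins.toJSON`); if the pinned nixpkgs still expects a string, the override fails at evaluation, so this change is tied to a nixpkgs bump that the overlay does not record. A one-line comment above the override, such as `# conf is an attrset: requires the riot-web expression that serializes conf itself`, would tell the next reader what the overlay assumes. The values themselves are unchanged, so no behavioral review is needed beyond that compatibility point.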
diff --git a/services/haproxy-acme.nix b/services/haproxy-acme.nix
index 4309e95..f7b16e3 100644
--- a/services/haproxy-acme.nix
+++ b/services/haproxy-acme.nix
@@ -20,23 +20,28 @@ let
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
+ mode http
option forwardfor
option http-server-close
+ option httplog
+ option dontlognull
timeout client 10s
timeout connect 4s
timeout server 30s
+ timeout tunnel 3600s
errorfile 503 ${./errorfiles/503.html}
userlist LOUTRE
user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1
- frontend public
+ frontend http-in
bind :::80 v4v6
- bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
- mode http
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
- acl haproxy-acl path_beg /haproxy
- redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
- http-response set-header Strict-Transport-Security max-age=15768000
use_backend letsencrypt-backend if letsencrypt-acl
+ redirect scheme https code 301 if !letsencrypt-acl
+ frontend public
+ bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
+ http-response set-header Strict-Transport-Security max-age=15768000
+ http-request add-header X-Forwarded-Proto https
+ acl haproxy-acl path_beg /haproxy
use_backend haproxy_stats if haproxy-acl
${concatStrings (
mapAttrsToList (name: value:
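Review bot: `http-request add-header X-Forwarded-Proto https` on the new `public` frontend appends to whatever X-Forwarded-Proto a client already sent instead of replacing it, so a backend that honors the first value can be told the request arrived over plain http; use `http-request set-header X-Forwarded-Proto https` so the header always carries the proxy's own value. The split into `http-in` and `public` otherwise reads consistently: HSTS is now emitted only on the TLS frontend, and the redirect no longer needs the `ssl_fc` test because `http-in` binds only port 80. The `public` frontend continues past the end of this hunk (the `concatStrings` expansion), so the use_backend rules that follow were not reviewed here.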
@@ -126,6 +131,7 @@ in
};
};
+ security.acme.acceptTerms = true;
security.acme.certs = {
${cfg.domaine} = {
extraDomains = mapAttrs' (name: value:
@@ -137,6 +143,7 @@ in
group = "acme";
postRun = ''
systemctl reload haproxy.service
+ nixos-container run vsftpd -- systemctl restart vsftpd
'';
};
};
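Review bot: The added `nixos-container run vsftpd -- systemctl restart vsftpd` makes the ACME postRun depend on the container being up; if it is stopped, the command fails after haproxy has already been reloaded and the renewal unit ends in a failed state because of a secondary effect. Guard it so the container step cannot mark the renewal failed, e.g. `nixos-container run vsftpd -- systemctl restart vsftpd || echo "vsftpd container not restarted" >&2`, or condition it on `nixos-container status vsftpd`. Note also that `restart` drops any FTP session active at renewal time; if vsftpd reads the certificate per connection, a gentler action may suffice — worth confirming before keeping the restart.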
diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix
index 8edcfe9..a1d8c67 100644
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@@ -33,7 +33,7 @@ in
];
nixpkgs.config.allowUnfree = false;
- nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem (builtins.parseDrvName pkg.pname).name [ "factorio-headless" "perl5.30.0-slimserver" "minecraft-server" ]);
+ nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem (builtins.parseDrvName pkg.pname).name [ "factorio-headless" "perl5.30.1-slimserver" "minecraft-server" ]);
services.zfs = {
autoSnapshot.enable = true;
diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix
index ebbfc84..c0d1a5e 100644
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@@ -262,47 +262,47 @@ in
};
};
- systemd.services.minecraft-overviewer =
- let
- clientJar = pkgs.fetchurl {
- url = "https://overviewer.org/textures/1.14";
- sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k";
- name = "client.jar";
- };
- configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } ''
- substitute ${./config-overviewer.py} $out \
- --subst-var CLIENT_JAR
- '';
- in
- {
- script = ''
- ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile}
- ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi
- rm /var/www/minecraft-overviewer/progress.json
- '';
- serviceConfig = {
- User = "nginx";
- Group = "nginx";
- };
- };
+ # systemd.services.minecraft-overviewer =
+ # let
+ # clientJar = pkgs.fetchurl {
+ # url = "https://overviewer.org/textures/1.14";
+ # sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k";
+ # name = "client.jar";
+ # };
+ # configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } ''
+ # substitute ${./config-overviewer.py} $out \
+ # --subst-var CLIENT_JAR
+ # '';
+ # in
+ # {
+ # script = ''
+ # ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile}
+ # ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi
+ # rm /var/www/minecraft-overviewer/progress.json
+ # '';
+ # serviceConfig = {
+ # User = "nginx";
+ # Group = "nginx";
+ # };
+ # };
- systemd.timers.minecraft-overviewer = {
- wantedBy = [ "multi-user.target" ];
- timerConfig = {
- OnCalendar = "*-*-* 04:00:00";
- };
- };
+ # systemd.timers.minecraft-overviewer = {
+ # wantedBy = [ "multi-user.target" ];
+ # timerConfig = {
+ # OnCalendar = "*-*-* 04:00:00";
+ # };
+ # };
- systemd.packages = with pkgs; [
- tgt
- ];
+ # systemd.packages = with pkgs; [
+ # tgt
+ # ];
- environment.etc."tgt/targets.conf".text = ''
-
- backing-store /dev/zvol/loutrepool/steam-lun
- initiator-address 10.30.50.3
-
- '';
+ # environment.etc."tgt/targets.conf".text = ''
+ #
+ # backing-store /dev/zvol/loutrepool/steam-lun
+ # initiator-address 10.30.50.3
+ #
+ # '';
users.groups.acme.members = [ "matrix-synapse" ];
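Review bot: The minecraft-overviewer service and timer, the tgt unit and the iSCSI `targets.conf` are commented out rather than removed, leaving roughly fifty lines of dead configuration, including the backing-store zvol and the `initiator-address 10.30.50.3` restriction, in the live file. If these are retired, delete them and rely on git history; if this is a temporary disable, a one-line comment stating why and until when (e.g. `# overviewer/tgt disabled: <reason>`) tells the next reader whether to resurrect it. Also check what still depends on the generated output: the `minecraft.nyanlout.re` vhost in systems/LoutreOS/web.nix in this same commit keeps serving `/var/www/minecraft-overviewer`, which nothing regenerates now.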
diff --git a/systems/LoutreOS/web.nix b/systems/LoutreOS/web.nix
index 599a8c9..d98099f 100644
--- a/systems/LoutreOS/web.nix
+++ b/systems/LoutreOS/web.nix
@@ -2,6 +2,17 @@
with lib;
+#### VHost table ####
+# 10000 riot.nyanlout.re
+# 10001 factorio.nyanlout.re
+# 10002 minecraft.nyanlout.re
+# 10003 nyanlout.re
+# 10004 musique-meyenheim.fr
+# 10005 social.nyanlout.re
+# 10006 pgmanage.nyanlout.re
+# 10007 maxspiegel.fr
+####
+
let
domaine = "nyanlout.re";
@@ -32,16 +43,16 @@ in
"syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
"jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
"searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
- "riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot"; auth = false; };
+ "riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot.nyanlout.re"; auth = false; };
"matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; };
"ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
- "factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio"; auth = false; };
+ "factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio.nyanlout.re"; auth = false; };
"airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; };
- "${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "wkd"; auth = false; };
+ "${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "nyanlout.re"; auth = false; };
"musique-meyenheim.fr" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "musique-meyenheim.fr"; auth = false; };
- "minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft-overviewer"; auth = false; };
+ "minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft.nyanlout.re"; auth = false; };
};
};
@@ -49,37 +60,43 @@ in
nginx = {
enable = true;
+ recommendedProxySettings = true;
+ appendHttpConfig = ''
+ set_real_ip_from 127.0.0.1;
+ real_ip_header X-Forwarded-For;
+ '';
virtualHosts = {
- "riot" = {
- listen = [ { addr = "127.0.0.1"; port = 52345; } ];
+ "riot.nyanlout.re" = {
+ listen = [ { addr = "127.0.0.1"; port = 10000; } ];
locations = { "/" = { root = pkgs.riot-web; }; };
};
- "factorio" = {
- listen = [ { addr = "127.0.0.1"; port = 52351; } ];
+ "factorio.nyanlout.re" = {
+ listen = [ { addr = "127.0.0.1"; port = 10001; } ];
locations = { "/" = { root = "/var/www/factorio"; }; };
};
- "minecraft-overviewer" = {
- listen = [ { addr = "127.0.0.1"; port = 52354; } ];
+ "minecraft.nyanlout.re" = {
+ listen = [ { addr = "127.0.0.1"; port = 10002; } ];
locations = { "/" = { root = "/var/www/minecraft-overviewer"; }; };
};
- "wkd" = {
- listen = [ { addr = "127.0.0.1"; port = 52352; } ];
- locations = { "/.well-known/openpgpkey/" = {
- alias = "/var/lib/gnupg/wks/nyanlout.re";
- extraConfig = ''
- add_header Access-Control-Allow-Origin * always;
- '';
- }; };
+ "nyanlout.re" = {
+ listen = [ { addr = "127.0.0.1"; port = 10003; } ];
+ locations = {
+ "/" = {
+ alias = "/var/www/site-perso/";
+ };
+ "/.well-known/openpgpkey/" = {
+ alias = "/var/lib/gnupg/wks/nyanlout.re";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin * always;
+ '';
+ };
+ };
};
"musique-meyenheim.fr" = {
- listen = [ { addr = "127.0.0.1"; port = 52353; } ];
+ listen = [ { addr = "127.0.0.1"; port = 10004; } ];
locations = {
"/" = {
proxyPass = "http://unix:/run/site-musique.sock";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- '';
};
"/static/" = {
alias = "/var/www/site-musique/staticfiles/";
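Review bot: In the new `nyanlout.re` vhost, `alias = "/var/lib/gnupg/wks/nyanlout.re"` for location `/.well-known/openpgpkey/` has no trailing slash; nginx substitutes the alias for the matched prefix, so a request for `/.well-known/openpgpkey/hu/<hash>` would resolve to `/var/lib/gnupg/wks/nyanlout.rehu/<hash>` — this was carried over from the old `wkd` vhost but is worth fixing while the block moves: `alias = "/var/lib/gnupg/wks/nyanlout.re/";`. For the `/` location, `root = "/var/www/site-perso";` matches how the riot and factorio vhosts are written and avoids alias-on-root-prefix surprises. The realip pair (`set_real_ip_from 127.0.0.1` with `real_ip_header X-Forwarded-For`) is consistent with haproxy's `option forwardfor`, which appends the client address last, and nginx without `real_ip_recursive` takes the last address; keep that pairing in mind if the haproxy side ever starts forwarding a client-controlled header unchanged. The enclosing `services` attribute set starts and ends outside this hunk.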
@@ -96,7 +113,7 @@ in
pgmanage = {
enable = true;
- port = 52347;
+ port = 10006;
connections = {
localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
};
@@ -126,7 +143,7 @@ in
site-max = {
enable = true;
- port = 52348;
+ port = 10007;
domaine = "maxspiegel.fr";
};
};