web: refactor nginx config

This commit is contained in:
nyanloutre 2020-03-02 23:20:17 +01:00
parent 5d755bf63b
commit f86ef0518d
2 changed files with 53 additions and 31 deletions


@ -20,23 +20,28 @@ let
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults defaults
mode http
option forwardfor option forwardfor
option http-server-close option http-server-close
option httplog
option dontlognull
timeout client 10s timeout client 10s
timeout connect 4s timeout connect 4s
timeout server 30s timeout server 30s
timeout tunnel 3600s
errorfile 503 ${./errorfiles/503.html} errorfile 503 ${./errorfiles/503.html}
userlist LOUTRE userlist LOUTRE
user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1 user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1
frontend public frontend http-in
bind :::80 v4v6 bind :::80 v4v6
bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
mode http
acl letsencrypt-acl path_beg /.well-known/acme-challenge/ acl letsencrypt-acl path_beg /.well-known/acme-challenge/
acl haproxy-acl path_beg /haproxy
redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
http-response set-header Strict-Transport-Security max-age=15768000
use_backend letsencrypt-backend if letsencrypt-acl use_backend letsencrypt-backend if letsencrypt-acl
redirect scheme https code 301 if !letsencrypt-acl
frontend public
bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
http-response set-header Strict-Transport-Security max-age=15768000
http-request add-header X-Forwarded-Proto https
acl haproxy-acl path_beg /haproxy
use_backend haproxy_stats if haproxy-acl use_backend haproxy_stats if haproxy-acl
${concatStrings ( ${concatStrings (
mapAttrsToList (name: value: mapAttrsToList (name: value:
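Review bot: `http-request add-header X-Forwarded-Proto https` in the new `frontend public` appends a value rather than replacing one, so a client that sends its own `X-Forwarded-Proto` header reaches the backend with two values and the backend may honour the client's; `http-request set-header X-Forwarded-Proto https` pins it to what the TLS frontend actually saw. The same consideration applies to `option forwardfor` in `defaults`, which appends the peer address to any client-supplied `X-Forwarded-For`, so whichever backend consumes it must read the last entry, not the first — worth a one-line comment beside `option forwardfor`. The two `mode http` lines are each shown once and I cannot tell from the rendered page which side they belong to; if the intent was to move `mode http` into `defaults`, a comment there would save the next reader the same question. The surrounding Nix `let` string begins and continues outside this hunk.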


@ -2,6 +2,17 @@
with lib; with lib;
#### VHost table ####
# 10000 riot.nyanlout.re
# 10001 factorio.nyanlout.re
# 10002 minecraft.nyanlout.re
# 10003 nyanlout.re
# 10004 musique-meyenheim.fr
# 10005 social.nyanlout.re
# 10006 pgmanage.nyanlout.re
# 10007 maxspiegel.fr
####
let let
domaine = "nyanlout.re"; domaine = "nyanlout.re";
@ -32,16 +43,16 @@ in
"syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; }; "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
"jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; }; "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
"searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; }; "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
"riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot"; auth = false; }; "riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot.nyanlout.re"; auth = false; };
"matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; }; "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; }; "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; }; "gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; };
"ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; }; "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
"factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio"; auth = false; }; "factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio.nyanlout.re"; auth = false; };
"airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; }; "airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; };
"${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "wkd"; auth = false; }; "${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "nyanlout.re"; auth = false; };
"musique-meyenheim.fr" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "musique-meyenheim.fr"; auth = false; }; "musique-meyenheim.fr" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "musique-meyenheim.fr"; auth = false; };
"minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft-overviewer"; auth = false; }; "minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft.nyanlout.re"; auth = false; };
}; };
}; };
@ -49,37 +60,43 @@ in
nginx = { nginx = {
enable = true; enable = true;
recommendedProxySettings = true;
appendHttpConfig = ''
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
'';
virtualHosts = { virtualHosts = {
"riot" = { "riot.nyanlout.re" = {
listen = [ { addr = "127.0.0.1"; port = 52345; } ]; listen = [ { addr = "127.0.0.1"; port = 10000; } ];
locations = { "/" = { root = pkgs.riot-web; }; }; locations = { "/" = { root = pkgs.riot-web; }; };
}; };
"factorio" = { "factorio.nyanlout.re" = {
listen = [ { addr = "127.0.0.1"; port = 52351; } ]; listen = [ { addr = "127.0.0.1"; port = 10001; } ];
locations = { "/" = { root = "/var/www/factorio"; }; }; locations = { "/" = { root = "/var/www/factorio"; }; };
}; };
"minecraft-overviewer" = { "minecraft.nyanlout.re" = {
listen = [ { addr = "127.0.0.1"; port = 52354; } ]; listen = [ { addr = "127.0.0.1"; port = 10002; } ];
locations = { "/" = { root = "/var/www/minecraft-overviewer"; }; }; locations = { "/" = { root = "/var/www/minecraft-overviewer"; }; };
}; };
"wkd" = { "nyanlout.re" = {
listen = [ { addr = "127.0.0.1"; port = 52352; } ]; listen = [ { addr = "127.0.0.1"; port = 10003; } ];
locations = { "/.well-known/openpgpkey/" = { locations = {
"/" = {
alias = "/var/www/site-perso/";
};
"/.well-known/openpgpkey/" = {
alias = "/var/lib/gnupg/wks/nyanlout.re"; alias = "/var/lib/gnupg/wks/nyanlout.re";
extraConfig = '' extraConfig = ''
add_header Access-Control-Allow-Origin * always; add_header Access-Control-Allow-Origin * always;
''; '';
}; }; };
};
}; };
"musique-meyenheim.fr" = { "musique-meyenheim.fr" = {
listen = [ { addr = "127.0.0.1"; port = 52353; } ]; listen = [ { addr = "127.0.0.1"; port = 10004; } ];
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://unix:/run/site-musique.sock"; proxyPass = "http://unix:/run/site-musique.sock";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
'';
}; };
"/static/" = { "/static/" = {
alias = "/var/www/site-musique/staticfiles/"; alias = "/var/www/site-musique/staticfiles/";
@ -96,7 +113,7 @@ in
pgmanage = { pgmanage = {
enable = true; enable = true;
port = 52347; port = 10006;
connections = { connections = {
localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres"; localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
}; };
@ -126,7 +143,7 @@ in
site-max = { site-max = {
enable = true; enable = true;
port = 52348; port = 10007;
domaine = "maxspiegel.fr"; domaine = "maxspiegel.fr";
}; };
}; };
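Review bot: The `set_real_ip_from 127.0.0.1; real_ip_header X-Forwarded-For;` lines added to `appendHttpConfig` in the `@ -49,37 +60,43` hunk carry no explanation of why loopback is the only trusted hop, which is the whole security property of the directive; I would add `# HAProxy on this host terminates TLS and appends the client address to X-Forwarded-For; trust that hop only` above them. Because `real_ip_recursive` is not set, nginx takes the last address in the header, which is the one HAProxy appended — that matches the HAProxy side, but the comment should say so, since switching either side silently breaks client-IP attribution in logs and rate limits. Visible as context in the same hunk, `"/.well-known/openpgpkey/" = { alias = "/var/lib/gnupg/wks/nyanlout.re"; ...}` has a location ending in `/` but an alias without one; nginx appends the remainder of the URI to the alias value, so a request under that prefix presumably resolves to `/var/lib/gnupg/wks/nyanlout.rehu/...` — confirm against a live request and add the trailing slash if so. The hand-maintained port table in the `@ -2,6 +2,17 @@` hunk duplicates what `nginxGetFirstLocalPort` derives from the vhost definitions and will drift; a `# informational only; the listen ports below are authoritative` line would make that clear. The enclosing Nix attribute set starts and ends outside these hunks.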