misskey 增加代理,并准备部署到 vps7
@@ -332,6 +332,11 @@
|
||||
rsshub.enable = true;
|
||||
nginx = { enable = true; transparentProxy.externalIp = "207.180.253.54"; };
|
||||
wallabag.enable = true;
|
||||
misskey =
|
||||
{
|
||||
enable = true;
|
||||
hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
|
||||
};
|
||||
};
|
||||
boot =
|
||||
{
|
||||
|
||||
@@ -94,7 +94,17 @@ inputs:
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
httpProxy.${misskey.hostname} = { upstream = "http://127.0.0.1:${toString misskey.port}"; websocket = true; };
|
||||
httpProxy =
|
||||
{
|
||||
"${misskey.hostname}" = { upstream = "http://127.0.0.1:${toString misskey.port}"; websocket = true; };
|
||||
"direct.${misskey.hostname}" =
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString misskey.port}";
|
||||
websocket = true;
|
||||
setHeaders.Host = "direct.${misskey.hostname}";
|
||||
detectAuth = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
postgresql = { enable = true; instances.misskey = {}; };
|
||||
};
|
||||
|
||||
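Review bot: The second virtual host `"direct.${misskey.hostname}"` is added without any explanation of its role; a comment above it such as `# basic-auth protected alias of the instance (detectAuth); Host is pinned so the upstream sees the direct name` would record why two entries point at the same upstream. Since the nginx module in this commit sets `recommendedProxySettings = false` on detectAuth locations, this site forwards only the Host header it sets here; whether misskey needs X-Forwarded-Proto or X-Forwarded-For on that path is worth confirming before deployment. The `nginx` attrset closes inside the hunk, but the `let` that binds `misskey` is outside it.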
@@ -17,9 +17,9 @@ inputs:
|
||||
rewriteHttps = mkOption { type = types.bool; default = false; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
http2 = mkOption { type = types.bool; default = true; };
|
||||
# setHeaders = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
|
||||
addPin = mkOption { type = types.bool; default = false; };
|
||||
detectPin = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
|
||||
addAuth = mkOption { type = types.bool; default = false; };
|
||||
detectAuth = mkOption { type = types.bool; default = false; };
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
@@ -28,11 +28,11 @@ inputs:
|
||||
let
|
||||
inherit (inputs.lib) mkMerge mkIf;
|
||||
inherit (inputs.localLib) stripeTabs attrsToList;
|
||||
inherit (inputs.config.nixosservices) nginx;
|
||||
inherit (builtins) map listToAttrs concatStringsSep toString;
|
||||
inherit (inputs.config.nixos.services) nginx;
|
||||
inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues;
|
||||
in mkMerge
|
||||
[
|
||||
(mkIf services.nginx.enable
|
||||
(mkIf nginx.enable
|
||||
{
|
||||
services =
|
||||
{
|
||||
@@ -61,13 +61,34 @@ inputs:
|
||||
{
|
||||
proxyPass = site.value.upstream;
|
||||
proxyWebsockets = site.value.websocket;
|
||||
};
|
||||
extraConfig = concatStringsSep "\n"
|
||||
(
|
||||
(map
|
||||
(header: "proxy_set_header ${header.name} ${header.value};")
|
||||
(attrsToList site.value.setHeaders))
|
||||
++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
|
||||
);
|
||||
}
|
||||
// (
|
||||
if site.value.detectAuth then
|
||||
{
|
||||
recommendedProxySettings = false;
|
||||
basicAuthFile = inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path;
|
||||
}
|
||||
else {}
|
||||
)
|
||||
// (
|
||||
if site.value.addAuth then
|
||||
let config = inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path;
|
||||
in { extraConfig = "include ${config};"; }
|
||||
else {}
|
||||
);
|
||||
addSSL = true;
|
||||
forceSSL = site.value.rewriteHttps;
|
||||
http2 = site.value.http2;
|
||||
};
|
||||
})
|
||||
(attrsToList services.nginx.httpProxy));
|
||||
(attrsToList nginx.httpProxy));
|
||||
recommendedZstdSettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
@@ -111,7 +132,29 @@ inputs:
|
||||
};
|
||||
};
|
||||
};
|
||||
sops.secrets."nginx/maxmind-license".owner = inputs.config.users.users.nginx.name;
|
||||
sops =
|
||||
{
|
||||
templates = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
name = "nginx/addAuth/${site.name}";
|
||||
value =
|
||||
{
|
||||
content =
|
||||
let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${site.name}";
|
||||
in ''proxy_set_header Authorization "Basic ${placeholder}";'';
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
};
|
||||
})
|
||||
(filter (site: site.value.addAuth) (attrsToList nginx.httpProxy)));
|
||||
secrets = { "nginx/maxmind-license".owner = inputs.config.users.users.nginx.name; }
|
||||
// (listToAttrs (map
|
||||
(site: { name = "nginx/detectAuth/${site.name}"; value.owner = inputs.config.users.users.nginx.name; })
|
||||
(filter (site: site.value.detectAuth) (attrsToList nginx.httpProxy))))
|
||||
// (listToAttrs (map
|
||||
(site: { name = "nginx/addAuth/${site.name}"; value = {}; })
|
||||
(filter (site: site.value.addAuth) (attrsToList nginx.httpProxy))));
|
||||
};
|
||||
systemd.services.nginx.serviceConfig =
|
||||
{
|
||||
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
||||
@@ -122,13 +165,13 @@ inputs:
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
certs = map (cert: cert.name) (attrsToList services.nginx.httpProxy);
|
||||
certs = map (cert: cert.name) (attrsToList nginx.httpProxy);
|
||||
};
|
||||
security.acme.certs = listToAttrs (map
|
||||
(cert: { inherit (cert) name; value.group = inputs.config.services.nginx.group; })
|
||||
(attrsToList services.nginx.httpProxy));
|
||||
(attrsToList nginx.httpProxy));
|
||||
})
|
||||
(mkIf services.nginx.transparentProxy.enable
|
||||
(mkIf nginx.transparentProxy.enable
|
||||
{
|
||||
services.nginx.streamConfig = stripeTabs
|
||||
''
|
||||
@@ -143,17 +186,17 @@ inputs:
|
||||
${concatStringsSep "\n" (map
|
||||
(x: '' "${x.name}" 127.0.0.1:${toString x.value};'')
|
||||
(
|
||||
(attrsToList services.nginx.transparentProxy.map)
|
||||
(attrsToList nginx.transparentProxy.map)
|
||||
++ (map
|
||||
(site: { name = site.name; value = (if site.value.http2 then 443 else 3065); })
|
||||
(attrsToList services.nginx.httpProxy)
|
||||
(attrsToList nginx.httpProxy)
|
||||
)
|
||||
))}
|
||||
default 127.0.0.1:443;
|
||||
}
|
||||
server
|
||||
{
|
||||
listen ${services.nginx.transparentProxy.externalIp}:443;
|
||||
listen ${nginx.transparentProxy.externalIp}:443;
|
||||
ssl_preread on;
|
||||
proxy_bind $remote_addr transparent;
|
||||
proxy_pass $backend;
|
||||
@@ -188,7 +231,7 @@ inputs:
|
||||
)
|
||||
+ concatStringsSep "\n" (map
|
||||
(port: ''${ipset} add nginx_proxy_port ${toString port}'')
|
||||
(inputs.lib.unique ((attrValues services.nginx.transparentProxy.map) ++ [ 443 3065 ])))
|
||||
(inputs.lib.unique ((attrValues nginx.transparentProxy.map) ++ [ 443 3065 ])))
|
||||
);
|
||||
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop" (stripeTabs
|
||||
''
|
||||
|
||||
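Review bot: `proxy_hide_header Authorization;` in the detectAuth branch of `extraConfig` (the `@@ -61` hunk) only filters headers of the upstream's response, so the client's `Authorization: Basic …` that satisfied `basicAuthFile` is still forwarded to the proxied service as a request header; stripping it takes `proxy_set_header Authorization "";`. The later `// (if site.value.addAuth then … { extraConfig = "include …"; } else {})` merge replaces the whole `extraConfig` built above it, which drops the setHeaders lines for a site enabling both, and it looks up `sops.templates."nginx/addAuth/${site.name}-template"` while the `@@ -111` hunk declares the template as `"nginx/addAuth/${site.name}"`, so that path should fail to evaluate once any site sets addAuth. Both are addressed by folding the include into the same list, as below, and deleting the second `//` merge. Separately, `recommendedProxySettings = false` on the detectAuth location also drops the X-Forwarded-For/X-Real-IP/X-Forwarded-Proto headers, so unless a site repeats them in setHeaders the upstream sees only nginx's own address and no scheme; the misskey module's `direct.` site only pins Host.
```nix
extraConfig = concatStringsSep "\n"
  (
    (map
      (header: "proxy_set_header ${header.name} ${header.value};")
      (attrsToList site.value.setHeaders))
    # do not forward the basic-auth credential that satisfied basicAuthFile
    ++ (if site.value.detectAuth then [''proxy_set_header Authorization "";''] else [])
    ++ (if site.value.addAuth
      then let template = inputs.config.sops.templates."nginx/addAuth/${site.name}".path;
        in [ "include ${template};" ]
      else [])
  );
# … unchanged: closing of the location attrset and the detectAuth "//" merge
#   (recommendedProxySettings / basicAuthFile); the addAuth "//" merge is removed …
```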
@@ -7,6 +7,9 @@ frp:
|
||||
store:
|
||||
signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
|
||||
nginx:
|
||||
detectAuth:
|
||||
#ENC[AES256_GCM,data:3JlL83PuobpUYTsgAIT6Fw7EUf42hjhdREqiRB3yJq8SLd8mQEgS3bI=,iv:ujECnaWT2enQUwtjLCbaD2EF1dgbVoxk6aLm9ydmtGk=,tag:3JXn9NB1yWJPJlWRWW4/AA==,type:comment]
|
||||
direct.misskey.chn.moe: ENC[AES256_GCM,data:lomcsh/Q0OcNIB0xX0AC02dwhTs24Dg6JTBjSTXO1flPERojGbyXFrXCcj43,iv:eqYQcMoIOa+9ncrdec0SbvNpTy3qhZxV8AVUtTrrJF8=,tag:uqPfeKTWuwU4HNNkXAn+NQ==,type:str]
|
||||
maxmind-license: ENC[AES256_GCM,data:PVV4VAvB22KoA8EM8Honb+KWYhydXdmTAVlDw/XnTcbaIY+5Km2gGA==,iv:7PfytRbpW4G2iDNqysvZnB0YsQFVUL5Kr1DNsBzuhCA=,tag:z2J14fdD7AUNabN+6kUojA==,type:str]
|
||||
postgresql:
|
||||
misskey: ENC[AES256_GCM,data:KiJ2smpRwJ1pzauCgVsmFH4aCiw4sEkCQ9JSTao5NdI=,iv:jIc0a797dokfByN2vJcYcAFfPC8MP7wCV5qsxoCDxcE=,tag:L5n1/xszwB0lhqYcbLqp2Q==,type:str]
|
||||
@@ -36,8 +39,8 @@ sops:
|
||||
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
|
||||
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-25T10:28:18Z"
|
||||
mac: ENC[AES256_GCM,data:55vCP0EGllIJ6BLKcy3OMhC+biWy0ikIPH1U8/BgteiGXDxkOj9iRMM8hZrzG8H0bUO6wUba5GGsb8x8DOSg+hBLwqijLZP3Yu0PJKZo4OXlADBFR9U0u/NGrkSoq2s64KOkSzuHaA6uyAa3ZKF0newCdarefMc3oEfI6DQyDEM=,iv:LIIi3ht2wusnYasQR/irUFejkInN+9GJ+woAHHLgI+0=,tag:U9kJPTN3+9NloDe647R4SQ==,type:str]
|
||||
lastmodified: "2023-08-25T14:11:58Z"
|
||||
mac: ENC[AES256_GCM,data:4mBu1XHiiw4oWBAI/cVbsdst8BH+aVFLIHMjR+YXrmHCxwu5fWgLtKGyJVR3udvLw/WbHa5Ce8AYialPhaWmgy0Jp0pWW4VNaTA0u//9Vv5Vs5A3pp74kzcd5aZwtCMAk1Gsf9t0jIGUkc7E+TPCfOSNp4AVVbqh14HErzLsa1E=,iv:SUNbJX61ZuR4MrwsHqm7wFyI978qovFiUz8UTTl7G/4=,tag:f5jG3opgTUCckSChv9RBhA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||
@@ -1,12 +1,17 @@
|
||||
acme:
|
||||
cloudflare.ini: ENC[AES256_GCM,data:PJ3JhdSPCyxzdcRI4UFdESWgyAjIYGyuVaU9l0R3s8mJidtgavvSSMy0hC0G/2fauLB/Eqc3L3NppXFjlKVywVE=,iv:lZVlOf7P/Vs/+u/5YPKFXmdeYV9NP9kcVWd00w1OjB4=,tag:LfWZTvPQH4QPrNrYfZ/Z6Q==,type:str]
|
||||
nginx:
|
||||
detectAuth:
|
||||
#ENC[AES256_GCM,data:LOMtWaj0AcYZOuvb192leCipFe1rnFBic1lafqyJC5IcdOE9lSziPLQ=,iv:vDWpbJS7XoS4CfXnV9Hd7G8n5uMBSn1Ow9CI/VexFnM=,tag:Tk6Fl1ERgB9uzP35O7UBmA==,type:comment]
|
||||
direct.xn--qbtm095lrg0bfka60z.chn.moe: ENC[AES256_GCM,data:4eLmbxBj7vQHYVhKgTVMPJ9F5hhMmWyb6tKXeg0QnU2JSi0/ZUrryvsaB1Mo,iv:c7I+nwRB+UIJmwwqC+1F7r1jutvaoz7j15kG0za9pQ0=,tag:r8bLUORkP2W2nUWC0pzaKA==,type:str]
|
||||
maxmind-license: ENC[AES256_GCM,data:9aW4QR3K6S+eTqzIjVlNEwkG0wZ4u5jgRfe7CMwRlJlK4AmcS6c45Q==,iv:cPTN1K4Aag5sohGbCQUZHYTvcwAL7AhF+rrY3OvXGPs=,tag:d9GGUMHnfzRz9Cf2U+dBfw==,type:str]
|
||||
redis:
|
||||
rsshub: ENC[AES256_GCM,data:uPnZIjbnRRoWIHlWkZNZkMpIb3Ujnnpb+AisVSVGFv4sfDAuDlAjt39pRdnWkCXJPqtXjJzQ+FeT34cqxTf8Bg==,iv:/jcyAHkxByFnbkmCAYQwda2QRmhW7L/ICoLuCgsVLCI=,tag:M5Q+dh/Bn7FiNpqQGYus4Q==,type:str]
|
||||
wallabag: ENC[AES256_GCM,data:WkiqS9TOHxYalDp7Ssgg2x7vj4D58psQ5au4a0e3LZBecERwzUKmrhbVKRuDvNTwWbYxSds9SAca0wN+pWmrmA==,iv:QqHlzSXG1I4+p8wd58lcQs8TqAF3foxiYVdgL8L3IpA=,tag:CPtFgIeFL5W25gtd6NFkrg==,type:str]
|
||||
misskey: ENC[AES256_GCM,data:JTmngGfeGRBWpmD4dTNe77sFJ848jUlDH8Fr14mzrHx5z/lw1ttbjFEGCB5fjk10U2BefkPREiu1PW8NBX0ThA==,iv:AzRmV7NXRGYQ7KKhdoY8uQMk/TAkJ8dDq8WGcVZKsro=,tag:ucwv/l2WgyHJMD/qgkHBWQ==,type:str]
|
||||
postgresql:
|
||||
wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
|
||||
misskey: ENC[AES256_GCM,data:cHrEk1UVsjvXJdwf90SgMM7qyMBlsE4J8gVQ0at2rBXmWXR0QMvKe4CV8e6xLn4DZbn36qF30Pc7Ag4mak/bng==,iv:HNPflBYgOaGUBEuJHQnO8PtCioSoZsvDZ1GMmqNrkrA=,tag:8/jS2sW0iShmbRxLQU+hTA==,type:str]
|
||||
rsshub:
|
||||
pixiv-refreshtoken: ENC[AES256_GCM,data:EeSOTSAAh+1Dc8+a/AaPJ0aBK5DTa3pdS6DrIMQmRw/n0SRu2QoynIF76w==,iv:dnZxi8jM1I4w3C2duYielpP/8wOAdHDjcqDIrowM0dM=,tag:8irGvLEbRJHV9TB8Jibs9g==,type:str]
|
||||
youtube-key: ENC[AES256_GCM,data:OEm/ynOUPUq7ZEVzL2jgs9d+utkLTIdNq0MHE0JDujb9ndAwyJJI,iv:RRae6Cg6GdDnXAQOdtBYmcA7ZNuu70VpIg2MEezBn5k=,tag:gX4ZG345cT3Jh3ovUxtLGw==,type:str]
|
||||
@@ -39,8 +44,8 @@ sops:
|
||||
SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
|
||||
HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-15T08:22:03Z"
|
||||
mac: ENC[AES256_GCM,data:8razKAEWufn3igL5bWo6N2y5G210V+Jw014BerTAfYvqpXUhrLP9NmDlp4dGwafGjfTmwpp+HuN4ZupIU9g+4ml+pVipViEVRAPbuWTA8sVCWT1kSmh1XOQA+3XIg3DwM2MfPMpdhVIvzDWaB1We2DoQy+ZUwgmaU5XwnlnCctQ=,iv:XszNLWFq08+aVkL+H/rEH12r2rbVMwcuJloUoq1n+1k=,tag:9C20v/n+Q+3CasArLu8XQg==,type:str]
|
||||
lastmodified: "2023-08-25T14:32:24Z"
|
||||
mac: ENC[AES256_GCM,data:mm85yQGxlKdCrzS/6RO9cmJazFJ3ND2JEGBky4R1W4Vcmb8lidj6ZEKDIgyoGPcJm6woDgLBBnUV7JX6CWK/OcuRzhJMq2il8ck6wBHPi2qYN0n9gSEFgPe5ND0MfWmCRv3TVshKRCkcmnP3SlOHErYsxY/gTFnZ/GOlH2GOODY=,iv:JUAx8bSNKn6DdjIooJpBk/ug+MhXwzN3MvF/S6kI59A=,tag:tt+3TG6jNVPIHkm+LAELKw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||