chn/nixos
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixos.git synced 2026-01-12 07:09:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

nginx: httpProxy add rewriteHttps option

Browse Source 
nginx: httpProxy add locations support
vaultwarden: init
This commit is contained in:
陈浩南
2023-09-16 15:34:27 +08:00
parent 4463cab071
commit f48a494e4f
8 changed files with 188 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
flake.nix
View File

@@ -274,8 +274,6 @@
{
"ng01.mirism.one" = 7411;
"beta.mirism.one" = 9114;
"nix-store.chn.moe" = 7676;
"direct.xn--qbtm095lrg0bfka60z.chn.moe" = 7676;
};
};
streamProxy =
@@ -283,6 +281,7 @@
enable = true;
map =
{
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe"; rewriteHttps = true; };
"anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
};
@@ -295,6 +294,7 @@
};
coturn.enable = true;
synapse-proxy."synapse.chn.moe".upstream.address = "internal.vps7.chn.moe";
vaultwarden-proxy = { enable = true; upstream.address = "internal.vps7.chn.moe"; };
};
};})
];
@@ -353,6 +353,8 @@
synapse.enable = true;
synapse-proxy."synapse.chn.moe" = {};
xrdp = { enable = true; hostname = "vps7.chn.moe"; };
vaultwarden.enable = true;
vaultwarden-proxy.enable = true;
};
};})
];

8
modules/services/default.nix
View File

@@ -17,6 +17,7 @@ inputs:
./acme.nix
./samba.nix
./sshd.nix
./vaultwarden.nix
# ./docker.nix
];
options.nixos.services = let inherit (inputs.lib) mkOption types; in
@@ -256,7 +257,8 @@ inputs:
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
};
sops.secrets."store/signingKey" = {};
nixos.services.nginx.httpProxy.${services.nix-serve.hostname}.upstream = "http://127.0.0.1:5000";
nixos.services.nginx.httpProxy.${services.nix-serve.hostname} =
{ rewriteHttps = true; locations."/".upstream = "http://127.0.0.1:5000"; };
}
)
(mkIf services.smartd.enable { services.smartd.enable = true; })
@@ -343,8 +345,8 @@ inputs:
enable = true;
httpProxy."wallabag.chn.moe" =
{
upstream = "http://127.0.0.1:4398";
setHeaders.Host = "wallabag.chn.moe";
rewriteHttps = true;
locations."/" = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
};
};
postgresql.enable = true;

12
modules/services/misskey.nix
View File

@@ -140,10 +140,14 @@ inputs:
name = hostname;
value =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
rewriteHttps = true;
locations."/" =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
};
})
(attrsToList misskey-proxy));

69
modules/services/nginx.nix
View File

@@ -13,13 +13,19 @@ inputs:
{
type = types.attrsOf (types.submodule { options =
{
upstream = mkOption { type = types.nonEmptyStr; };
rewriteHttps = mkOption { type = types.bool; default = false; };
websocket = mkOption { type = types.bool; default = false; };
http2 = mkOption { type = types.bool; default = true; };
setHeaders = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
addAuth = mkOption { type = types.bool; default = false; };
detectAuth = mkOption { type = types.bool; default = false; };
locations = mkOption
{
type = types.attrsOf (types.submodule { options =
{
upstream = mkOption { type = types.nonEmptyStr; };
websocket = mkOption { type = types.bool; default = false; };
setHeaders = mkOption { type = types.attrsOf types.str; default = {}; };
};});
};
};});
default = {};
};
@@ -83,37 +89,38 @@ inputs:
value =
{
serverName = site.name;
listen =
[
{ addr = "127.0.0.1"; port = (if site.value.http2 then 443 else 3065); ssl = true; }
{ addr = "0.0.0.0"; port = 80; }
];
listen = [ { addr = "127.0.0.1"; port = (if site.value.http2 then 443 else 3065); ssl = true; } ]
++ (if site.value.rewriteHttps then [ { addr = "0.0.0.0"; port = 80; } ] else []);
useACMEHost = site.name;
locations."/" =
{
proxyPass = site.value.upstream;
proxyWebsockets = site.value.websocket;
recommendedProxySettings = false;
recommendedProxySettingsNoHost = true;
basicAuthFile =
if site.value.detectAuth then
inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path
else null;
extraConfig = concatStringsSep "\n"
(
(map
(header: "proxy_set_header ${header.name} ${header.value};")
(attrsToList site.value.setHeaders))
++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
++ (
if site.value.addAuth then
["include ${inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path};"]
else [])
);
};
addSSL = true;
locations = listToAttrs (map
(location:
{
inherit (location) name;
value =
{
proxyPass = location.value.upstream;
proxyWebsockets = location.value.websocket;
recommendedProxySettings = false;
recommendedProxySettingsNoHost = true;
extraConfig = concatStringsSep "\n"
(
(map
(header: ''proxy_set_header ${header.name} "${header.value}";'')
(attrsToList location.value.setHeaders))
++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
++ (
if site.value.addAuth then
["include ${inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path};"]
else [])
);
};
})
(attrsToList site.value.locations));
forceSSL = site.value.rewriteHttps;
http2 = site.value.http2;
basicAuthFile =
if site.value.detectAuth then inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path
else null;
};
})
(attrsToList nginx.httpProxy));

5
modules/services/rsshub.nix
View File

@@ -62,8 +62,9 @@ inputs:
enable = true;
httpProxy.${rsshub.hostname} =
{
upstream = "http://127.0.0.1:${toString rsshub.port}";
setHeaders.Host = rsshub.hostname;
rewriteHttps = true;
locations."/" =
{ upstream = "http://127.0.0.1:${toString rsshub.port}"; setHeaders.Host = rsshub.hostname; };
};
};
};

12
modules/services/synapse.nix
View File

@@ -133,10 +133,14 @@ inputs:
name = hostname;
value =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
rewriteHttps = true;
locations."/" =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
};
})
(attrsToList synapse-proxy));

117
modules/services/vaultwarden.nix Normal file
View File

@@ -0,0 +1,117 @@
inputs:
{
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{
vaultwarden =
{
enable = mkOption { type = types.bool; default = false; };
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 8000; };
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
hostname = mkOption { type = types.str; default = "vaultwarden.chn.moe"; };
};
vaultwarden-proxy =
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "vaultwarden.chn.moe"; };
upstream = mkOption
{
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
{
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
port = mkOption { type = types.ints.unsigned; default = 8000; };
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
};})];
default = {};
};
};
};
config =
let
inherit (inputs.config.nixos.services) vaultwarden vaultwarden-proxy;
inherit (builtins) listToAttrs;
inherit (inputs.lib) mkIf mkMerge;
in mkMerge
[
(
mkIf vaultwarden.enable
{
services.vaultwarden =
{
enable = true;
dbBackend = "postgresql";
config =
{
DATA_FOLDER = "/var/lib/vaultwarden";
WEB_VAULT_ENABLED = true;
WEBSOCKET_ENABLED = true;
ROCKET_PORT = vaultwarden.port;
WEBSOCKET_PORT = toString vaultwarden.websocketPort;
SIGNUPS_VERIFY = true;
DOMAIN = "https://${vaultwarden.hostname}";
SMTP_HOST = "mail.chn.moe";
SMTP_FROM = "bot@chn.moe";
SMTP_FROM_NAME = "vaultwarden";
SMTP_SECURITY = "force_tls";
SMTP_USERNAME = "bot@chn.moe";
};
environmentFile = inputs.config.sops.templates."vaultwarden.env".path;
};
sops =
{
templates."vaultwarden.env" =
let
serviceConfig = inputs.config.systemd.services.vaultwarden.serviceConfig;
placeholder = inputs.config.sops.placeholder;
in
{
owner = serviceConfig.User;
group = serviceConfig.Group;
content =
''
DATABASE_URL=postgresql://vaultwarden:${placeholder."postgresql/vaultwarden"}@localhost/vaultwarden
ADMIN_TOKEN=${placeholder."vaultwarden/admin_token"}
SMTP_PASSWORD=${placeholder."mail/bot"}
'';
};
secrets = listToAttrs (map
(secret: { name = secret; value = {}; })
[ "vaultwarden/admin_token" "mail/bot" ]);
};
systemd.services.vaultwarden =
{
enable = vaultwarden.autoStart;
after = [ "postgresql.service" ];
};
nixos.services.postgresql = { enable = true; instances.vaultwarden = {}; };
}
)
(
mkIf vaultwarden-proxy.enable
{
nixos.services.nginx =
{
enable = true;
httpProxy."${vaultwarden-proxy.hostname}" =
{
rewriteHttps = true;
locations = let upstream = vaultwarden-proxy.upstream; in (listToAttrs (map
(location: { name = location; value =
{
upstream = "http://${upstream.address or upstream}:${builtins.toString upstream.port or 8000}";
setHeaders = { Host = vaultwarden-proxy.hostname; Connection = ""; };
};})
[ "/" "/notifications/hub/negotiate" ]))
// { "/notifications/hub" =
{
upstream =
"http://${upstream.address or upstream}:${builtins.toString upstream.websocketPort or 3012}";
websocket = true;
setHeaders.Host = vaultwarden-proxy.hostname;
};};
};
};
}
)
];
}

7
secrets/vps7.yaml
View File

@@ -13,6 +13,7 @@ postgresql:
wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
misskey: ENC[AES256_GCM,data:OXKLrkPDgVTdsZolzLVOlkYswLVFy0LSXiGjohic4j3t9cTrMIfBa7LbA5J7VlLryO/ISzLpu8lt9aEsmjYSSw==,iv:V4n3MUkAnbLs5gBOOqCubHxuKJGvfH9dND1YgD1YgCs=,tag:RXiXeekS76pGHUz3oEPQ9w==,type:str]
synapse: ENC[AES256_GCM,data:Orfse2arRGMujA8MloqOp+iVr0+uCVtlMZJNAA36J3UCog5ExE8HE6G5wIvvoP0o/PNToYc9Jgn8T7iWdU6FIA==,iv:XQ6/bDfIRmvZ3VdTqH5Gaiu2emd5kV+q6RjNXDQEtkc=,tag:Yq+w9oxv2yhpsQfMRp4HaQ==,type:str]
vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
meilisearch:
misskey: ENC[AES256_GCM,data:+oLR/0G6bjSz3jbZxeoGbLd7I4AiJDxodpc8DEHmHjYaNS6UrQEO50ekNSm3DpcK9+bqMJl4q+d1PWXgHRJbIw==,iv:rQcq7LksBhJr26D3112y41ryW3cEwnG6XLgiFhLv3d4=,tag:/PaX7MIERrtqJoayzdf/AA==,type:str]
rsshub:
@@ -32,6 +33,8 @@ synapse:
signing-key: ENC[AES256_GCM,data:ZCayvU2lElUnuyVDL05XjO3v2P78ha9i9PEcLvpBLgNeYkh7nH9Z4kIAP6Pmbw39ufaSJuo5tZZPmA==,iv:CfxqL7dJbmG/jEcdDe+Su8uxsA4dkOq/CCOGlb3EDIk=,tag:9728QS3GLnTcerzDgtQEWw==,type:str]
nebula:
key: ENC[AES256_GCM,data:9o6EkfTWOU0KwnJsgHML4E7VOfzo3LHnlOkV8ubhi6aayXImC3lAaoPrqUI=,iv:KHprijN7z+4FIIW+D5klDM9a9VzMJ5xawPc7jJtbHmk=,tag:0DAmxoz8D5f38ndPbkNW+g==,type:str]
vaultwarden:
admin_token: ENC[AES256_GCM,data:muavuOY88Lm4rSEoCp4IIPp7Z+sqf36VwpnPgf+K6IwwFkUgYM1GO80ogReYWqqUM6ij1Yzl5D9ncUbq+aGTKQ==,iv:jA4MRJlz71CMmPnWjb2tGbbIoMkEsESUowhXDckKKMI=,tag:l0HaJmnU29YeFUxjOgN3Kg==,type:str]
sops:
kms: []
gcp_kms: []
@@ -56,8 +59,8 @@ sops:
SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-03T08:51:12Z"
mac: ENC[AES256_GCM,data:PKxrr1uONIi4ljjS6FFLApcvjVEda4lnsh005Ukmi4NF4fj5/Tyg/4+j85S3UGjgKlHUJsda9qit/23sZjb1IMGgQyL3HakOhEGc1JgbvlibcGm8ZE5LCznu9sp7BQ6hDnYmV1rAyWBDmO6zjNwdjT6NikZUY5o+KiXptLWaUYo=,iv:Gw07qLy4QijtdJa3e15YsbP9UhCS+hpJuApvkvIDc7c=,tag:zit2ySLqpJ7si+YrGINFmg==,type:str]
lastmodified: "2023-09-16T06:00:05Z"
mac: ENC[AES256_GCM,data:1+Uqp+nb1zIkKVQzQWlEVBv3hAiBknHJSiVdEPxj4IzAAWc1okSsh8QYRkTA5WR54BL6I7xerITLvaqAIF1cNnmkZJ/bbbgXuQgwrrRfqDKzxOmtblQDxFO6A815VreLTfWjZN6/h3oEzH4DW+xRtd+js4n5L+nyLMee1O9kOi8=,iv:s6QN07djU9PAA2WRZ4xw2O0iDKqzmaEqVyRmeRoHNXE=,tag:y/KjOdf0cXl2XQbibjrVPQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3