diff --git a/flake.nix b/flake.nix index 3029e637..f2937308 100644 --- a/flake.nix +++ b/flake.nix @@ -198,13 +198,12 @@ }; }; firewall.trustedInterfaces = [ "virbr0" "waydroid0" ]; - acme = { enable = true; certs = [ "debug.mirism.one" ]; }; + acme = { enable = true; cert."debug.mirism.one" = {}; }; frpClient = { enable = true; serverName = "frp.chn.moe"; user = "pc"; - tcp.store = { localPort = 443; remotePort = 7676; }; }; nix-serve = { enable = true; hostname = "nix-store.chn.moe"; }; smartd.enable = true; @@ -283,7 +282,7 @@ { map = { - "nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; }; + "nix-store.chn.moe" = { upstream = "internal.pc.chn.moe"; rewriteHttps = true; }; "anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; }; "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; }; "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; rewriteHttps = true; }; @@ -297,7 +296,7 @@ value = { upstream.address = "internal.vps7.chn.moe"; proxyProtocol = true; rewriteHttps = true; }; }) - [ "xn--s8w913fdga" "misskey" "nextcloud" "photoprism" "synapse" "vaultwarden" ])); + [ "xn--s8w913fdga" "misskey" "synapse" ])); }; applications = { @@ -358,10 +357,7 @@ fontconfig.enable = true; sshd.enable = true; rsshub.enable = true; - nginx = - { - transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ]; - }; + nginx.transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ]; wallabag.enable = true; misskey.instances = { 
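Review bot: In the `@@ -283` hunk the `nix-store.chn.moe` entry drops its `:443` and so now relies on the map submodule's defaults, while the neighbouring `anchor.fm`, `podcasters.spotify.com` and `xlog.chn.moe` entries keep an explicit port and set nothing for `proxyProtocol`; since this same commit flips that option's default to `true` in `modules/services/nginx/default.nix`, those third-party TLS endpoints would, if they live in that submodule, be sent a PROXY header they do not expect, which both breaks the connection and discloses the real client address to them. Suggest `"anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; proxyProtocol = false; };` and the same on the other two external entries (their `rewriteHttps = true;` is now redundant with the new default and could go). The enclosing `map` attrset starts above and ends below the hunk.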
@@ -483,125 +479,6 @@ users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ]; };}) ]; - "xmupc1" = - [ - (inputs: { config.nixos = - { - system = - { - fileSystems = - { - mount = - { - vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi"; - btrfs = - { - "/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot"; - "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; }; - }; - }; - decrypt.auto = - { - "/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; }; - "/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; }; - }; - mdadm = - "ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4"; - swap = [ "/dev/mapper/swap" ]; - resume = "/dev/mapper/swap"; - rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; }; - }; - grub.installDevice = "efi"; - nixpkgs = { march = "znver3"; cudaSupport = true; }; - nix = - { - marches = - [ - "znver3" "znver2" - # PREFETCHW RDRND XSAVE XSAVEOPT PTWRITE SGX GFNI-SSE MOVDIRI MOVDIR64B CLDEMOTE WAITPKG LZCNT - # PCONFIG SERIALIZE HRESET KL WIDEKL AVX-VNNI - "alderlake" - # SAHF FXSR XSAVE - "sandybridge" - # SAHF FXSR PREFETCHW RDRND - "silvermont" - ]; - substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; - }; - gui.enable = true; - kernel.patches = [ "cjktty" "preempt" ]; - impermanence.enable = true; - networking.hostname = "xmupc1"; - sops = { enable = true; keyPathPrefix = "/nix/persistent"; }; - }; - hardware = - { - cpus = [ "intel" ]; - gpus = [ "intel" "nvidia" ]; - bluetooth.enable = true; - joystick.enable = true; - printer.enable = true; - sound.enable = true; - prime = - { enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };}; - }; - packages.packageSet = "workstation"; - virtualization = - { - docker.enable = true; - kvmHost = { enable = true; gui = true; }; - }; - services = - { - snapper = { enable = true; configs.persistent = 
"/nix/persistent"; }; - fontconfig.enable = true; - samba = - { - enable = true; - hostsAllowed = "192.168. 127."; - shares = - { - media.path = "/run/media/chn"; - home.path = "/home/chn"; - mnt.path = "/mnt"; - share.path = "/home/chn/share"; - }; - }; - sshd.enable = true; - xrayClient = - { - enable = true; - serverAddress = "74.211.99.69"; - serverName = "vps6.xserver.chn.moe"; - dns = - { - extraInterfaces = [ "docker0" ]; - hosts = - { - "mirism.one" = "216.24.188.24"; - "beta.mirism.one" = "216.24.188.24"; - "ng01.mirism.one" = "216.24.188.24"; - "debug.mirism.one" = "127.0.0.1"; - "initrd.vps6.chn.moe" = "74.211.99.69"; - "nix-store.chn.moe" = "127.0.0.1"; - }; - }; - }; - firewall.trustedInterfaces = [ "virbr0" ]; - frpClient = - { - enable = true; - serverName = "frp.chn.moe"; - user = "xmupc1"; - tcp.store = { localPort = 443; remotePort = 7676; }; - }; - smartd.enable = true; - nginx.transparentProxy.enable = false; - postgresql.enable = true; - }; - bugs = [ "xmunet" "firefox" "embree" ]; - };}) - ]; "yoga" = [ (inputs: { config.nixos = diff --git a/modules/services/coturn.nix b/modules/services/coturn.nix index 7c214bc9..703a8f04 100644 --- a/modules/services/coturn.nix +++ b/modules/services/coturn.nix @@ -25,8 +25,11 @@ inputs: no-cli = true; }; sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User; - nixos.services.acme = { enable = true; certs = [ coturn.hostname ]; }; - security.acme.certs.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group; + nixos.services.acme = + { + enable = true; + cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group; + }; networking.firewall = with inputs.config.services.coturn; { allowedUDPPorts = [ listening-port tls-listening-port ]; diff --git a/modules/services/default.nix b/modules/services/default.nix index e9d2cccb..96bf641c 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix 
@@ -25,19 +25,14 @@ inputs: ./photoprism.nix ./nextcloud.nix ./freshrss.nix + ./kmscon.nix + ./fontconfig.nix + ./nix-serve.nix ]; options.nixos.services = let inherit (inputs.lib) mkOption types; in { - kmscon.enable = mkOption { type = types.bool; default = false; }; - fontconfig.enable = mkOption { type = types.bool; default = false; }; firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; }; - nix-serve = - { - enable = mkOption { type = types.bool; default = false; }; - hostname = mkOption { type = types.nonEmptyStr; }; - }; smartd.enable = mkOption { type = types.bool; default = false; }; - fileshelter.enable = mkOption { type = types.bool; default = false; }; wallabag.enable = mkOption { type = types.bool; default = false; }; noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; }; }; 
@@ -49,49 +44,7 @@ inputs: inherit (builtins) map listToAttrs toString; in mkMerge [ - ( - mkIf services.kmscon.enable - { - services.kmscon = - { - enable = true; - fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }]; - }; - } - ) - ( - mkIf services.fontconfig.enable - { - fonts = - { - fontDir.enable = true; - fonts = with inputs.pkgs; - [ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ]; - fontconfig.defaultFonts = - { - emoji = [ "Noto Color Emoji" ]; - monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"]; - sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ]; - serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ]; - }; - }; - } - ) { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; } - ( - mkIf services.nix-serve.enable - { - services.nix-serve = - { - enable = true; - openFirewall = true; - secretKeyFile = inputs.config.sops.secrets."store/signingKey".path; - }; - sops.secrets."store/signingKey" = {}; - nixos.services.nginx.http.${services.nix-serve.hostname} = - { rewriteHttps = true; locations."/".proxy.upstream = "http://127.0.0.1:5000"; }; - } - ) (mkIf services.smartd.enable { services.smartd.enable = true; }) ( mkIf services.wallabag.enable @@ -111,11 +64,6 @@ inputs: extraOptions = [ "--add-host=host.docker.internal:host-gateway" ]; environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ]; }; - # systemd.services.docker-wallabag.serviceConfig = - # { - # User = "wallabag"; - # Group = "wallabag"; - # }; sops = { templates."wallabag/env".content = 
@@ -139,33 +87,7 @@ inputs: # SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe # SYMFONY__ENV__FROM_EMAIL=bot@chn.moe # SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe - secrets = - { - "redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name; - "postgresql/wallabag" = {}; - "mail/bot-encoded" = {}; - }; - }; - services = - { - redis.servers.wallabag = - { - enable = true; - bind = null; - port = 8790; - requirePassFile = inputs.config.sops.secrets."redis/wallabag".path; - }; - postgresql = - { - ensureDatabases = [ "wallabag" ]; - ensureUsers = - [{ - name = "wallabag"; - ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES"; - }]; - # ALTER DATABASE db_name OWNER TO new_owner_name - # sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction - }; + secrets."mail/bot-encoded" = {}; }; nixos = { @@ -174,21 +96,14 @@ inputs: nginx = { enable = true; - http."wallabag.chn.moe" = - { - rewriteHttps = true; - locations."/".proxy = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; }; - }; + https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398"; }; - postgresql.enable = true; + postgresql = { enable = true; instances.wallabag = {}; }; + redis.instances.wallabag.port = 8790; }; + # TODO: root docker use config of rootless docker? virtualization.docker.enable = true; }; - # users = - # { - # users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; }; - # groups.wallabag = {}; - # }; } ) (mkIf services.noisetorch.enable { programs.noisetorch.enable = true; }) diff --git a/modules/services/fontconfig.nix b/modules/services/fontconfig.nix new file mode 100644 index 00000000..9c8caf0d --- /dev/null +++ b/modules/services/fontconfig.nix 
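Review bot: The `@@ -174` hunk replaces the explicit redis server, which had `requirePassFile` from the `redis/wallabag` secret and `bind = null`, with `redis.instances.wallabag.port = 8790;`, and the `@@ -139` hunk drops the `redis/wallabag` and `postgresql/wallabag` sops secrets, yet the container still reaches the host through `--add-host=host.docker.internal:host-gateway` (context in the `@@ -111` hunk), i.e. over TCP rather than a socket. Whether the new `redis.instances`/`postgresql.instances` modules still require a password and bind only to an interface the container can reach is not visible in this diff; please confirm, and also that the `wallabag/env` template (its body lies outside the hunk) no longer references `placeholder."redis/wallabag"` or `placeholder."postgresql/wallabag"`, which would now fail to resolve. A comment next to `secrets."mail/bot-encoded" = {};` such as `# redis/postgres credentials are provisioned by nixos.services.{redis,postgresql}.instances` would make the secrets' disappearance read as intentional.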
@@ -0,0 +1,27 @@
+inputs:
+{
+ options.nixos.services.fontconfig = let inherit (inputs.lib) mkOption types; in
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ };
+ config =
+ let
+ inherit (inputs.lib) mkIf;
+ inherit (inputs.config.nixos.services) fontconfig;
+ in mkIf fontconfig.enable
+ {
+ fonts =
+ {
+ fontDir.enable = true;
+ fonts = with inputs.pkgs;
+ [ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
+ fontconfig.defaultFonts =
+ {
+ emoji = [ "Noto Color Emoji" ];
+ monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
+ sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
+ serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
+ };
+ };
+ };
+}
diff --git a/modules/services/freshrss.nix b/modules/services/freshrss.nix
index 501ef1a7..543d1d97 100644
--- a/modules/services/freshrss.nix
+++ b/modules/services/freshrss.nix
@@ -37,10 +37,9 @@ inputs:
 nixos.services =
 {
 mariadb = { enable = true; instances.freshrss = {}; };
- nginx.http.${freshrss.hostname} =
+ nginx.https.${freshrss.hostname} =
 {
- rewriteHttps = true;
- locations =
+ location =
 {
 "/".static =
 {
diff --git a/modules/services/frp.nix b/modules/services/frp.nix
index 1c394566..9f1625fd 100644
--- a/modules/services/frp.nix
+++ b/modules/services/frp.nix
@@ -179,8 +179,11 @@ inputs:
 };
 secrets."frp/token" = {};
 };
- nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
- security.acme.certs.${frpServer.serverName}.group = "frp";
+ nixos.services.acme =
+ {
+ enable = true;
+ cert.${frpServer.serverName}.group = "frp";
+ };
 users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
 networking.firewall.allowedTCPPorts = [ 7000 ];
 }
diff --git a/modules/services/kmscon.nix b/modules/services/kmscon.nix
new file mode 100644
index 00000000..b8328807
--- /dev/null
+++ b/modules/services/kmscon.nix
@@ -0,0 +1,19 @@
+inputs:
+{
+ options.nixos.services.kmscon = let inherit (inputs.lib) mkOption types; in
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ };
+ config =
+ let
+ inherit (inputs.lib) mkIf;
+ inherit (inputs.config.nixos.services) kmscon;
+ in mkIf kmscon.enable
+ {
+ services.kmscon =
+ {
+ enable = true;
+ fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
+ };
+ };
+}
diff --git a/modules/services/misskey.nix b/modules/services/misskey.nix
index 578b9963..b293aa53 100644
--- a/modules/services/misskey.nix
+++ b/modules/services/misskey.nix
@@ -169,13 +169,11 @@ inputs:
 name = hostname;
 value =
 {
- global.rewriteHttps = true;
 listen.main.proxyProtocol = true;
- locations."/".proxy =
+ location."/".proxy =
 {
 upstream = "http://127.0.0.1:${toString port}";
 websocket = true;
- setHeaders.Host = hostname;
 };
 };
 })
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index 779187ae..4cfa97a3 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -70,11 +70,7 @@ inputs:
 nginx =
 {
 enable = true;
- https.${nextcloud.hostname} =
- {
- global.rewriteHttps = true;
- listen.main.proxyProtocol = true;
- };
+ https.${nextcloud.hostname} = {};
 };
 };
 sops =
diff --git a/modules/services/nginx/applications/element.nix b/modules/services/nginx/applications/element.nix
index 11c9197d..7043c666 100644
--- a/modules/services/nginx/applications/element.nix
+++ b/modules/services/nginx/applications/element.nix
@@ -20,21 +20,17 @@ inputs:
 (instance: with instance.value;
 {
 name = hostname;
- value =
- {
- global.rewriteHttps = true;
- locations."/".static.root =
- if defaultServer == null then toString inputs.pkgs.element-web
- else toString (inputs.pkgs.element-web.override { conf =
+ value.location."/".static.root =
+ if defaultServer == null then toString inputs.pkgs.element-web
+ else toString (inputs.pkgs.element-web.override { conf =
+ {
+ default_server_config."m.homeserver" =
 {
- default_server_config."m.homeserver" =
- {
- base_url = "https://${defaultServer}";
- server_name = defaultServer;
- };
- disable_guests = false;
- };});
- };
+ base_url = "https://${defaultServer}";
+ server_name = defaultServer;
+ };
+ disable_guests = false;
+ };});
 })
 (attrsToList instances));
 };
diff --git a/modules/services/nginx/applications/synapse-admin.nix b/modules/services/nginx/applications/synapse-admin.nix
index efe77719..6d5344fe 100644
--- a/modules/services/nginx/applications/synapse-admin.nix
+++ b/modules/services/nginx/applications/synapse-admin.nix
@@ -14,15 +14,11 @@ inputs:
 inherit (builtins) map listToAttrs;
 in
 {
- nixos.services.nginx.http = listToAttrs (map
- (http: with http.value;
+ nixos.services.nginx.https = listToAttrs (map
+ (site: with site.value;
 {
 name = hostname;
- value =
- {
- rewriteHttps = true;
- locations."/".static.root = "${inputs.pkgs.synapse-admin}";
- };
+ value.location."/".static.root = "${inputs.pkgs.synapse-admin}";
 })
 (attrsToList instances));
 };
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index 01600e42..1e09e761 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -44,9 +44,9 @@ inputs: ]; default = {}; }; - proxyProtocol = mkOption { type = types.bool; default = false; }; + proxyProtocol = mkOption { type = types.bool; default = true; }; addToTransparentProxy = mkOption { type = types.bool; default = true; }; - rewriteHttps = mkOption { type = types.bool; default = false; }; + rewriteHttps = mkOption { type = types.bool; default = true; }; };}) ]); default = {}; @@ -54,14 +54,14 @@ inputs: }; https = mkOption { - type = types.attrsOf (types.submodule { options = + type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options = { global = { root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; }; index = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; }; detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; }; - rewriteHttps = mkOption { type = types.bool; default = false; }; + rewriteHttps = mkOption { type = types.bool; default = true; }; }; listen = mkOption { @@ -75,18 +75,14 @@ inputs: };}); default.main = {}; }; - locations = mkOption + location = mkOption { type = types.attrsOf (types.submodule { options = let genericOptions = { # htpasswd -n username - detectAuth = mkOption - { - type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); - default = null; - }; + detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; }; }; in { @@ -97,7 +93,11 @@ inputs: { upstream = mkOption { type = types.nonEmptyStr; }; websocket = mkOption { type = types.bool; default = false; }; - setHeaders = mkOption { type = types.attrsOf types.str; default = {}; }; + setHeaders = mkOption + { + type = types.attrsOf types.str; + default.Host = siteSubmoduleInputs.config._module.args.name; + }; # echo -n "username:password" | base64 addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; }; };}); 
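Review bot: Flipping `proxyProtocol`'s default to `true` in the `@@ -44` hunk silently changes the meaning of every existing map entry that never set it, and the entries this commit generates for proxy-protocol listens already say `proxyProtocol = true;` explicitly (see the `@@ -534` hunk), so the new default gains little while risking a PROXY header being sent to an upstream that does not speak it; a non-proxy-protocol upstream then fails the handshake, and a third-party one learns the real client IP. Prefer keeping `proxyProtocol = mkOption { type = types.bool; default = false; };` and setting it per entry, or at minimum record the new contract on the option: `# default true: the upstream is assumed to be one of our proxy-protocol listeners; set false for plain/external upstreams`. Defaulting `rewriteHttps` to `true` for `https` sites is the right security default. The `setHeaders` default `Host = siteSubmoduleInputs.config._module.args.name` reproduces what callers previously set by hand, so removing those lines in the service modules is sound.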
@@ -127,7 +127,7 @@ inputs: };}); default = {}; }; - };}); + };})); default = {}; }; http = mkOption @@ -157,7 +157,7 @@ inputs: }; config = let - inherit (inputs.lib) mkMerge mkIf; + inherit (inputs.lib) mkMerge mkIf mkDefault; inherit (inputs.lib.string) escapeURL; inherit (inputs.localLib) attrsToList; inherit (inputs.config.nixos.services) nginx; @@ -406,7 +406,7 @@ inputs: (concatLists (map (site: (map (location: { inherit (location) value; name = "${site.name} ${location.name}"; }) - (attrsToList site.value.locations))) + (attrsToList site.value.location))) (attrsToList nginx.https)))) # root should be specified either in global or in each location ++ (map @@ -418,7 +418,7 @@ inputs: (concatLists (map (site: (map (location: { inherit (location) value; name = "${site.name} ${location.name}"; }) - (attrsToList site.value.locations))) + (attrsToList site.value.location))) (filter (site: site.value.global.root == null) (attrsToList nginx.https))))) ); services.nginx.virtualHosts = listToAttrs (map @@ -500,7 +500,7 @@ inputs: else {} ); }) - (attrsToList site.value.locations)); + (attrsToList site.value.location)); }; }) (attrsToList nginx.https)); @@ -534,6 +534,7 @@ inputs: upstream.port = httpsPort + httpsPortShift.proxyProtocol + (if site.value.http2 then httpsPortShift.http2 else 0); proxyProtocol = true; + rewiteHttps = mkDefault false; }; }) (filter (listen: listen.value.proxyProtocol) listens)); @@ -564,7 +565,7 @@ inputs: httpsLocationTypes); addAuth = location.value.proxy.addAuth or null; }) - (attrsToList site.value.locations)) + (attrsToList site.value.location)) (attrsToList nginx.https))) ++ (map (site: diff --git a/modules/services/nix-serve.nix b/modules/services/nix-serve.nix new file mode 100644 index 00000000..5bbdc3b9 --- /dev/null +++ b/modules/services/nix-serve.nix 
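Review bot: `rewiteHttps = mkDefault false;` in the `@@ -534` hunk misspells the option declared as `rewriteHttps`; in a NixOS submodule an undeclared attribute aborts evaluation with "The option … does not exist", and even if that attrset were not strictly typed the intended effect (no HTTP→HTTPS redirect on the generated proxy-protocol entries) would silently never apply. Change it to `rewriteHttps = mkDefault false;`. The map-generating expression this line sits in starts above and ends below the hunk, so I cannot see whether anything else relies on the misspelt name.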
@@ -0,0 +1,29 @@
+inputs:
+{
+ options.nixos.services.nix-serve = let inherit (inputs.lib) mkOption types; in
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ hostname = mkOption { type = types.nonEmptyStr; };
+ };
+ config =
+ let
+ inherit (inputs.lib) mkMerge mkIf;
+ inherit (inputs.localLib) stripeTabs attrsToList;
+ inherit (inputs.config.nixos.services) nix-serve;
+ inherit (builtins) map listToAttrs toString;
+ in mkIf nix-serve.enable
+ {
+ services.nix-serve =
+ {
+ enable = true;
+ openFirewall = true;
+ secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
+ };
+ sops.secrets."store/signingKey" = {};
+ nixos.services.nginx =
+ {
+ enable = true;
+ https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000";
+ };
+ };
+}
diff --git a/modules/services/photoprism.nix b/modules/services/photoprism.nix
index a0c1195f..d5b525eb 100644
--- a/modules/services/photoprism.nix
+++ b/modules/services/photoprism.nix
@@ -48,16 +48,10 @@ inputs:
 nginx =
 {
 enable = true;
- https.${photoprism.hostname} =
+ https.${photoprism.hostname}.location."/".proxy =
 {
- global.rewriteHttps = true;
- listen.main.proxyProtocol = true;
- location."/".proxy =
- {
- upstream = "http://127.0.0.1:${toString photoprism.port}";
- websocket = true;
- setHeaders.Host = photoprism.hostname;
- };
+ upstream = "http://127.0.0.1:${toString photoprism.port}";
+ websocket = true;
 };
 };
 };
diff --git a/modules/services/rsshub.nix b/modules/services/rsshub.nix
index 305ac4fa..e1dcea77 100644
--- a/modules/services/rsshub.nix
+++ b/modules/services/rsshub.nix
@@ -60,12 +60,7 @@ inputs:
 nginx =
 {
 enable = true;
- http.${rsshub.hostname} =
- {
- rewriteHttps = true;
- locations."/".proxy =
- { upstream = "http://127.0.0.1:${toString rsshub.port}"; setHeaders.Host = rsshub.hostname; };
- };
+ https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:${toString rsshub.port}";
 };
 };
 };
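Review bot: `openFirewall = true;` opens nix-serve's plaintext port 5000 on every interface even though this same file fronts it with an `https` vhost proxying to `http://127.0.0.1:5000`, so the cache becomes reachable both over TLS and over unauthenticated HTTP (the NixOS nix-serve module binds to all addresses unless `bindAddress` is set); a client that fetches over plain HTTP is protected only by narinfo signatures and an on-path observer still sees which paths it pulls. Suggest `openFirewall = false;` together with `bindAddress = "127.0.0.1";` so only nginx can reach the daemon, and document why: `# not exposed directly: nginx terminates TLS and proxies to 127.0.0.1:5000`. Of the inherited names only `mkIf` and `nix-serve` are used; `mkMerge`, `stripeTabs`, `attrsToList`, `map`, `listToAttrs` and `toString` are dead and could be dropped.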
diff --git a/modules/services/synapse.nix b/modules/services/synapse.nix index a6aa9ccf..08f3e9dc 100644 --- a/modules/services/synapse.nix +++ b/modules/services/synapse.nix @@ -104,13 +104,11 @@ inputs: enable = true; https.${synapse.hostname} = { - global.rewriteHttps = true; listen.main.proxyProtocol = true; location."/".proxy = { upstream = "http://127.0.0.1:${toString synapse.port}"; websocket = true; - setHeaders.Host = synapse.hostname; }; }; }; diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index a48dbf63..359eee73 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -70,8 +70,6 @@ inputs: enable = true; https.${vaultwarden.hostname} = { - global.rewriteHttps = true; - listen.main.proxyProtocol = true; location = listToAttrs ( (map @@ -93,7 +91,6 @@ inputs: { upstream = "http://127.0.0.1:${toString vaultwarden.websocketPort}"; websocket = true; - setHeaders.Host = vaultwarden.hostname; }; }) [ "/notifications/hub" ]) diff --git a/modules/services/xray.nix b/modules/services/xray.nix index 07390368..558eba56 100644 --- a/modules/services/xray.nix +++ b/modules/services/xray.nix @@ -512,10 +512,9 @@ inputs: users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; }; nixos.services = { - acme = { enable = true; certs = [ xrayServer.serverName ]; }; - nginx.transparentProxy.map."${xrayServer.serverName}" = 4726; + acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; }; + nginx = { enable = true; transparentProxy.map."${xrayServer.serverName}" = 4726; }; }; - security.acme.certs.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; } )) ]; diff --git a/modules/services/xrdp.nix b/modules/services/xrdp.nix index 1325905e..24404a90 100644 --- a/modules/services/xrdp.nix +++ b/modules/services/xrdp.nix 
@@ -6,7 +6,7 @@ inputs:
 port = mkOption { type = types.ints.unsigned; default = 3389; };
 hostname = mkOption
 {
- type = types.nullOr (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
+ type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr);
 default = null;
 };
 };
@@ -29,14 +29,21 @@ inputs:
 mkIf (xrdp.hostname != null)
 (
 let
- mainDomain = if builtins.typeOf xrdp.hostname == "string" then xrdp.hostname
- else builtins.elemAt xrdp.hostname 0;
+ mainDomain = builtins.elemAt xrdp.hostname 0;
 in
 {
- services.xrdp = let keydir = inputs.config.security.acme.certs.${mainDomain}.directory; in
- { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
- nixos.services.acme = { enable = true; certs = [ xrdp.hostname ]; };
- security.acme.certs.${mainDomain}.group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
+ services.xrdp =
+ let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
+ in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
+ nixos.services.acme =
+ {
+ enable = true;
+ cert.${mainDomain} =
+ {
+ domains = xrdp.hostname;
+ group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
+ };
+ };
 }
 )
 )
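Review bot: `domains = xrdp.hostname;` in the `@@ -29` hunk hands the acme wrapper the whole list, whose first element is also the `cert.${mainDomain}` key; whether `domains` means "every name on the certificate" or "additional SANs" is decided in the acme module outside this diff, and in the latter case the primary name would be requested twice. Please confirm against that module and record the contract where the option is declared: `# first entry is the certificate's primary name (also the cert directory); the rest are SANs`. Narrowing the type to `nonEmptyListOf` means any host still passing a bare string now fails evaluation, which looks intended but deserves a line in the commit message. The `mkIf` expression this sits in begins above the hunk.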