sail: Expose certain services only via SSL

2023-03-12 21:03:36 +01:00 · 2023-03-12 21:03:36 +01:00 · 5232858822
commit 5232858822
parent 5114ab5d10
5 changed files with 46 additions and 54 deletions
--- a/container/proxitok/default.nix
+++ b/container/proxitok/default.nix
@ -37,18 +37,16 @@
    "d /etc/container-proxitok/cache 0755 33 33"
  ];
-  services.nginx = {
+  services.nginx.virtualHosts."tictac.daniel.sx" = {
-    virtualHosts."tictac.daniel.sx" = {
+    http3 = true;
      http3 = true;
-      forceSSL = true;
+    onlySSL = true;
-      useACMEHost = "daniel.sx";
+    useACMEHost = "daniel.sx";
-      basicAuthFile = config.age.secrets.proxitok-auth.path;
+    basicAuthFile = config.age.secrets.proxitok-auth.path;
-      locations."/" = {
+    locations."/" = {
-        recommendedProxySettings = true;
+      recommendedProxySettings = true;
-        proxyPass = "http://127.0.0.1:8005";
+      proxyPass = "http://127.0.0.1:8005";
      };
    };
  };
 }
--- a/system/nixos/anonymous-overflow.nix
+++ b/system/nixos/anonymous-overflow.nix
@ -38,27 +38,25 @@ in
    };
  };
-  services.nginx = {
+  services.nginx.virtualHosts."overflow.daniel.sx" = {
-    virtualHosts."overflow.daniel.sx" = {
+    http3 = true;
      http3 = true;
-      root = "${anonymous-overflow-pkg}/share/anonymous-overflow/public/";
+    root = "${anonymous-overflow-pkg}/share/anonymous-overflow/public/";
-      forceSSL = true;
+    onlySSL = true;
-      useACMEHost = "daniel.sx";
+    useACMEHost = "daniel.sx";
-      basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;
+    basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;
-      locations."/" = {
+    locations."/" = {
-        tryFiles = "$uri @proxy";
+      tryFiles = "$uri @proxy";
-      };
+    };
-      locations."/static".extraConfig = ''
+    locations."/static".extraConfig = ''
-        rewrite ^/static(/.*)$ $1 last;
+      rewrite ^/static(/.*)$ $1 last;
-      '';
+    '';
-      locations."@proxy" = {
+    locations."@proxy" = {
-        recommendedProxySettings = true;
+      recommendedProxySettings = true;
-        proxyPass = "http://127.0.0.1:8003";
+      proxyPass = "http://127.0.0.1:8003";
      };
    };
  };
 }
--- a/system/nixos/libreddit.nix
+++ b/system/nixos/libreddit.nix
@ -11,7 +11,7 @@
  services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = {
    http3 = true;
-    forceSSL = true;
+    onlySSL = true;
    useACMEHost = "daniel.sx";
    basicAuthFile = config.age.secrets.libreddit-auth.path;
--- a/system/nixos/nitter.nix
+++ b/system/nixos/nitter.nix
@ -51,26 +51,24 @@ in
    };
  };
-  services.nginx = {
+  services.nginx.virtualHosts."${secret.nginx.hostnames.nitter}" = {
-    virtualHosts."${secret.nginx.hostnames.nitter}" = {
+    http3 = true;
      http3 = true;
-      root = "${nitter-pkg}/share/nitter/public/";
+    root = "${nitter-pkg}/share/nitter/public/";
-      forceSSL = true;
+    onlySSL = true;
-      useACMEHost = "daniel.sx";
+    useACMEHost = "daniel.sx";
-      locations."/" = {
+    locations."/" = {
-        tryFiles = "$uri @proxy";
+      tryFiles = "$uri @proxy";
-      };
+    };
-      locations."/pic/" = proxy-no-auth;
+    locations."/pic/" = proxy-no-auth;
-      locations."/video/" = proxy-no-auth;
+    locations."/video/" = proxy-no-auth;
-      locations."@proxy" = {
+    locations."@proxy" = {
-        basicAuthFile = config.age.secrets.nitter-auth.path;
+      basicAuthFile = config.age.secrets.nitter-auth.path;
-        recommendedProxySettings = true;
+      recommendedProxySettings = true;
-        proxyPass = "http://127.0.0.1:8001";
+      proxyPass = "http://127.0.0.1:8001";
      };
    };
  };
 }
--- a/system/nixos/rimgo.nix
+++ b/system/nixos/rimgo.nix
@ -40,18 +40,16 @@ in
    };
  };
-  services.nginx = {
+  services.nginx.virtualHosts."ringo.daniel.sx" = {
-    virtualHosts."ringo.daniel.sx" = {
+    http3 = true;
      http3 = true;
-      forceSSL = true;
+    onlySSL = true;
-      useACMEHost = "daniel.sx";
+    useACMEHost = "daniel.sx";
-      basicAuthFile = config.age.secrets.rimgo-auth.path;
+    basicAuthFile = config.age.secrets.rimgo-auth.path;
-      locations."/" = {
+    locations."/" = {
-        recommendedProxySettings = true;
+      recommendedProxySettings = true;
-        proxyPass = "http://127.0.0.1:8006";
+      proxyPass = "http://127.0.0.1:8006";
      };
    };
  };
 }