sail: Move more hosts away from CF

2023-03-06 09:55:28 +01:00 · 2023-03-06 09:55:28 +01:00 · 779371ac42
commit 779371ac42
parent 2ba78483db
7 changed files with 25 additions and 65 deletions
--- a/container/proxitok/default.nix
+++ b/container/proxitok/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, secret, ... }:

 {
  virtualisation.arion.projects.proxitok.settings = {
@ -38,24 +38,12 @@
  ];

  services.nginx = {
-    enable = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-
-    virtualHosts."proxitok.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
-      forceSSL = false;
-      enableACME = false;
+    virtualHosts."tictac.daniel.sx" = {
+      forceSSL = true;
+      useACMEHost = "daniel.sx";
+      basicAuthFile = config.age.secrets.proxitok-auth.path;

      locations."/" = {
-        basicAuthFile = config.age.secrets.proxitok-auth.path;
        recommendedProxySettings = true;
        proxyPass = "http://127.0.0.1:8005";
      };
--- a/secret/hosts/sail.nix
+++ b/secret/hosts/sail.nix
--- a/system/hosts/sail.nix
+++ b/system/hosts/sail.nix
@ -29,7 +29,7 @@ in

    (import ../nixos/mastodon.nix (args // { inherit secret; }))

-    ../nixos/nitter.nix
+    (import ../nixos/nitter.nix (args // { inherit secret; }))

    (import ../nixos/ntfy-sh.nix (args // { inherit secret; }))

--- a/system/nixos/anonymous-overflow.nix
+++ b/system/nixos/anonymous-overflow.nix
@ -39,23 +39,10 @@ in
  };

  services.nginx = {
-    enable = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-
-    virtualHosts."anonymous-overflow.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
+    virtualHosts."overflow.daniel.sx" = {
      root = "${anonymous-overflow-pkg}/share/anonymous-overflow/public/";
-      forceSSL = false;
-      enableACME = false;
-
+      forceSSL = true;
+      useACMEHost = "daniel.sx";
      basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;

      locations."/" = {
--- a/system/nixos/nginx.nix
+++ b/system/nixos/nginx.nix
@ -6,4 +6,13 @@
    recommendedBrotliSettings = true;
    recommendedTlsSettings = true;
  };
+
+  networking.firewall.interfaces =
+    let
+      nginxTCPPorts = [ 80 443 ];
+    in
+    {
+      "enp1s0".allowedTCPPorts = nginxTCPPorts;
+      "tailscale0".allowedTCPPorts = nginxTCPPorts;
+    };
 }
--- a/system/nixos/nitter.nix
+++ b/system/nixos/nitter.nix
@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, secret, ... }:

 let
  nitter-pkg = pkgs.nitter-unstable;
@ -52,22 +52,10 @@ in
  };

  services.nginx = {
-    enable = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-
-    virtualHosts."nitter.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
+    virtualHosts."${secret.nginx.hostnames.nitter}" = {
      root = "${nitter-pkg}/share/nitter/public/";
-      forceSSL = false;
-      enableACME = false;
+      forceSSL = true;
+      useACMEHost = "daniel.sx";

      locations."/" = {
        tryFiles = "$uri @proxy";
--- a/system/nixos/rimgo.nix
+++ b/system/nixos/rimgo.nix
@ -41,21 +41,9 @@ in
  };

  services.nginx = {
-    enable = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-
-    virtualHosts."rimgo.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
-      forceSSL = false;
-      enableACME = false;
+    virtualHosts."ringo.daniel.sx" = {
+      forceSSL = true;
+      useACMEHost = "daniel.sx";
      basicAuthFile = config.age.secrets.rimgo-auth.path;

      locations."/" = {