sail: Move more hosts away from CF

container/proxitok/default.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, secret, ... }:
 
 {
   virtualisation.arion.projects.proxitok.settings = {
@@ -38,24 +38,12 @@
   ];
 
   services.nginx = {
-    enable = true;
+    virtualHosts."tictac.daniel.sx" = {
-    recommendedOptimisation = true;
+      forceSSL = true;
-    recommendedGzipSettings = true;
+      useACMEHost = "daniel.sx";
-    recommendedBrotliSettings = true;
+      basicAuthFile = config.age.secrets.proxitok-auth.path;
-
-    virtualHosts."proxitok.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
-      forceSSL = false;
-      enableACME = false;
 
       locations."/" = {
-        basicAuthFile = config.age.secrets.proxitok-auth.path;
         recommendedProxySettings = true;
         proxyPass = "http://127.0.0.1:8005";
       };

system/hosts/sail.nix

@@ -29,7 +29,7 @@ in
 
     (import ../nixos/mastodon.nix (args // { inherit secret; }))
 
-    ../nixos/nitter.nix
+    (import ../nixos/nitter.nix (args // { inherit secret; }))
 
     (import ../nixos/ntfy-sh.nix (args // { inherit secret; }))
 

system/nixos/anonymous-overflow.nix

@@ -39,23 +39,10 @@ in
   };
 
   services.nginx = {
-    enable = true;
+    virtualHosts."overflow.daniel.sx" = {
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-
-    virtualHosts."anonymous-overflow.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
       root = "${anonymous-overflow-pkg}/share/anonymous-overflow/public/";
-      forceSSL = false;
+      forceSSL = true;
-      enableACME = false;
+      useACMEHost = "daniel.sx";
-
       basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;
 
       locations."/" = {

system/nixos/nginx.nix

@@ -6,4 +6,13 @@
     recommendedBrotliSettings = true;
     recommendedTlsSettings = true;
   };
+
+  networking.firewall.interfaces =
+    let
+      nginxTCPPorts = [ 80 443 ];
+    in
+    {
+      "enp1s0".allowedTCPPorts = nginxTCPPorts;
+      "tailscale0".allowedTCPPorts = nginxTCPPorts;
+    };
 }

system/nixos/nitter.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, secret, ... }:
 
 let
   nitter-pkg = pkgs.nitter-unstable;
@@ -52,22 +52,10 @@ in
   };
 
   services.nginx = {
-    enable = true;
+    virtualHosts."${secret.nginx.hostnames.nitter}" = {
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-
-    virtualHosts."nitter.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
       root = "${nitter-pkg}/share/nitter/public/";
-      forceSSL = false;
+      forceSSL = true;
-      enableACME = false;
+      useACMEHost = "daniel.sx";
 
       locations."/" = {
         tryFiles = "$uri @proxy";

system/nixos/rimgo.nix

@@ -41,21 +41,9 @@ in
   };
 
   services.nginx = {
-    enable = true;
+    virtualHosts."ringo.daniel.sx" = {
-    recommendedOptimisation = true;
+      forceSSL = true;
-    recommendedGzipSettings = true;
+      useACMEHost = "daniel.sx";
-    recommendedBrotliSettings = true;
-
-    virtualHosts."rimgo.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
-      forceSSL = false;
-      enableACME = false;
       basicAuthFile = config.age.secrets.rimgo-auth.path;
 
       locations."/" = {