(T)im's N(ix) Flake, Multi-Host Configurations for all of my machines! 74k1.sh/

feat(knights): add pocket-id proxy

74k1 57a75057 cd413f40

+50 -29
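--- a/hosts/nixos/knights/configuration.nix
+++ b/hosts/nixos/knights/configuration.nix
@@ -248,46 +248,42 @@
  };
  };
  "${domain00}" = {
- forceSSL = true;
- enableACME = true;
+ addSSL = true;
+ useACMEHost = "${allSecrets.global.domain00}";
+ # enableACME = true;
  root = "/var/www/${domain00}/";
  };
  "auth.${domain00}" = {
+ addSSL = true;
+ useACMEHost = "${allSecrets.global.domain00}";
  # enableACME = true;
- # useACMEHost = "auth.${domain00}";
- forceSSL = true;
- sslCertificate = "/var/lib/acme/auth.${domain00}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/auth.${domain00}/key.pem";
- sslTrustedCertificate = "/var/lib/acme/auth.${domain00}/chain.pem";
  locations."/" = {
- proxyPass = "https://10.100.0.1:8443";
+ proxyPass = "http://10.100.0.1:1411";
  # proxyWebsockets = true;
  # recommendedProxySettings = true;
  extraConfig = ''
- proxy_ssl_name auth.${domain00};
- # proxy_ssl_verify on;
- # proxy_ssl_trusted_certificate /var/lib/acme/auth.${domain00}/fullchain.pem;
- proxy_ssl_server_name on;
- proxy_ssl_session_reuse off;
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
 
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_busy_buffers_size 512k;
+ proxy_buffers 4 512k;
+ proxy_buffer_size 256k;
  '';
  };
  };
  # "vw.${domain00}" = {
- # forceSSL = true;
- # enableACME = true;
+ # addSSL = true;
+ # useACMEHost = "${allSecrets.global.domain00}";
  # locations."/" = {
  # proxyPass = "http://10.100.0.1:8222";
  # proxyWebsockets = true;
  # };
  # };
  # "git.${domain00}" = {
- # forceSSL = true;
- # enableACME = true;
+ # addSSL = true;
+ # useACMEHost = "${allSecrets.global.domain00}";
  # locations."/" = {
  # proxyPass = "http://127.0.0.1${toString config.services.anubis.instances.forgejo.settings.BIND}";
  # recommendedProxySettings = true;
@@ -298,15 +294,16 @@
  # };
  # };
  # "news.${domain00}" = {
- # forceSSL = true;
- # enableACME = true;
+ # addSSL = true;
+ # useACMEHost = "${allSecrets.global.domain00}";
  # locations."/" = {
  # proxyPass = "http://10.100.0.1:8084";
  # };
  # };
+ # Opencloud!
  # "files.${domain00}" = {
- # forceSSL = true;
- # enableACME = true;
+ # addSSL = true;
+ # useACMEHost = "${allSecrets.global.domain00}";
  # locations = {
  # "/" = {
  # proxyPass = "http://10.100.0.1:80";
@@ -323,9 +320,10 @@
  # # };
  # };
  # };
+ # change mum n sister
  # "immich.${domain00}" = {
- # forceSSL = true;
- # enableACME = true;
+ # addSSL = true;
+ # useACMEHost = "${allSecrets.global.domain00}";
  # locations."/" = {
  # proxyPass = "http://10.100.0.1:3001";
  # # see https://immich.app/docs/administration/reverse-proxy/
@@ -346,9 +344,10 @@
  # '';
  # };
  # };
+ # should perhaps run on chatai.74k1.sh as well
  # "chat.${domain00}" = {
- # enableACME = true;
  # addSSL = true;
+ # useACMEHost = "${allSecrets.global.domain00}";
  # locations."/" = {
  # proxyPass = "http://127.0.0.1${toString config.services.anubis.instances.chat.settings.BIND}";
  # proxyWebsockets = true;
@@ -443,16 +442,38 @@
  proxyWebsockets = true;
  };
  };
+ # catch-all for domain00
+ "*.${allSecrets.global.domain00}" = {
+ forceSSL = true;
+ useACMEHost = "${allSecrets.global.domain00}";
+ locations."/" = {
+ return = "444"; # Close connection without response
+ };
+ };
  };
  };
  };
+
 
  security.acme = {
  acceptTerms = true;
- preliminarySelfsigned = false;
  defaults = {
  email = "${allSecrets.global.mail.acme}";
  group = "nginx";
+ };
+ certs = let
+ inherit (allSecrets.global) domain00;
+ in {
+ "${domain00}" = {
+ domain = "${domain00}";
+ dnsProvider = "namecheap";
+ dnsPropagationCheck = true;
+ environmentFile = config.age.secrets."namecheap_api_secrets".path;
+ extraDomainNames = [
+ "*.${domain00}"
+ ];
+ webroot = null;
+ };
  };
  };
 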
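Review bot: The `"auth.${domain00}"` vhost now sets `addSSL = true;` where it previously had `forceSSL = true;`, so nginx also answers on plain HTTP without redirecting, and a login or token exchange with the identity provider behind it can travel unencrypted. Keep `forceSSL = true;` there (and on `"${domain00}"`) alongside `useACMEHost`. In the same location block the four `proxy_set_header` lines are now commented out and `recommendedProxySettings` is still disabled, so the upstream at `10.100.0.1:1411` receives nginx's default Host value and no `X-Forwarded-Proto` or `X-Forwarded-For`; if the service derives its public URL or the client address from those headers, restore them or set `recommendedProxySettings = true;`. The upstream hop also changed from `https://` to `http://`, which is only acceptable if 10.100.0.1 is reached over an encrypted tunnel, something this diff does not show.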