
secure knotmirror with nginx

- don't expose adminpage to public (use ssh tunneling)
- nginx reverse-proxy instead of exposing ports

Signed-off-by: Seongmin Lee <git@boltless.me>

+29 -12
+6 -6
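--- a/flake.lock
+++ b/flake.lock
@@ -682,16 +682,16 @@
 "sqlite-lib-src": "sqlite-lib-src_2"
 },
 "locked": {
-"lastModified": 1773570661,
-"narHash": "sha256-EQBScacLgMxv4IKYC1O/1r287PrF/M6REZbiyI63baA=",
-"ref": "sl/knotmirror",
-"rev": "022c1a2d556f2d35fb3ce75ee98b2abaa7479862",
-"revCount": 2076,
+"lastModified": 1774452236,
+"narHash": "sha256-mlcZC2INHi8DRV4YHY9i+d7NNdrfwpWShf9lYeLpyao=",
+"ref": "master",
+"rev": "233111b316b5faf365bcd0ee1bc1632460fab552",
+"revCount": 2115,
 "type": "git",
 "url": "https://tangled.org/tangled.org/core"
 },
 "original": {
-"ref": "sl/knotmirror",
+"ref": "master",
 "type": "git",
 "url": "https://tangled.org/tangled.org/core"
 }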
+2 -2
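--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,7 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 tangled.url = "git+https://tangled.org/tangled.org/core";
-tangled-mirror.url = "git+https://tangled.org/tangled.org/core?ref=sl/knotmirror";
+tangled-mirror.url = "git+https://tangled.org/tangled.org/core?ref=master";
 colmena.url = "github:zhaofengli/colmena/release-0.4.x";
 disko = {
 url = "github:nix-community/disko";
@@ -105,8 +105,8 @@
 mirror = {
 modules = [
 tangled-mirror.nixosModules.knotmirror
-{ nixpkgs.overlays = [ tangled-mirror.overlays.default ]; }
 ./hosts/mirror/services/knotmirror.nix
+./hosts/mirror/services/nginx.nix
 ];
 target = "81.27.110.122";
 };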
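Review bot: `tangled-mirror` now follows `ref=master` of the same repository as the `tangled` input on the line above, so the flake carries two separately locked copies of one upstream, and they can sit at different revisions after a partial lock update. If `tangled` already tracks master (its default ref is not shown here), dropping `tangled-mirror` and using `tangled.nixosModules.knotmirror` for the mirror host would leave a single revision to review per update. Removing the `tangled-mirror.overlays.default` overlay together with `package = pkgs.knotmirror;` in knotmirror.nix assumes the module supplies its own default package; a one-line comment noting that would save the next reader a lookup.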
+2 -4
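--- a/hosts/mirror/services/knotmirror.nix
+++ b/hosts/mirror/services/knotmirror.nix
@@ -16,9 +16,8 @@
 };
 services.tangled.knotmirror = {
 enable = true;
-package = pkgs.knotmirror;
-listenAddr = "0.0.0.0:7000";
-adminListenAddr = "0.0.0.0:7200";
+listenAddr = "127.0.0.1:7000";
+adminListenAddr = "127.0.0.1:7200";
 hostname = "mirror.tngl.boltless.me";
 dbUrl = "postgresql://tnglr@127.0.0.1:5432/mirror";
 fullNetwork = true;
@@ -27,5 +26,4 @@
 };
 systemd.services.tap-knotmirror.after = ["postgresql.service"];
 systemd.services.knotmirror.after = ["postgresql.service"];
-networking.firewall.allowedTCPPorts = [7000 7100 7200];
 }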
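Review bot: The removed firewall rule opened 7100 as well as 7000 and 7200, but only `listenAddr` and `adminListenAddr` are rebound to loopback here; whatever listens on 7100 (possibly the tap-knotmirror unit named below) keeps its bind address, and after this change only the firewall default keeps it off the network. Confirm that listener's address and pin it to 127.0.0.1 if the module offers an option for it. Loopback on 7200 limits the admin interface to local users and processes on the host rather than to administrators, so if it has no authentication of its own that is worth stating; a comment such as `# admin API: loopback only, reach through an SSH local forward` above `adminListenAddr` would record the intended access path. The attribute set starts and ends outside the visible hunks.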
+19
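--- a/hosts/mirror/services/nginx.nix
+++ b/hosts/mirror/services/nginx.nix
@@ -0,0 +1,19 @@
+{
+services.nginx = {
+enable = true;
+virtualHosts = {
+"mirror-tngl.boltless.me" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:7000";
+};
+};
+};
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = "team@tangled.org";
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}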
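Review bot: The virtual host is keyed `"mirror-tngl.boltless.me"` (hyphen), while knotmirror.nix in this same commit sets `hostname = "mirror.tngl.boltless.me"` (dot); if the dotted name is the public one, the ACME certificate is requested for a name clients do not use and TLS validation for the real hostname fails. Confirm which spelling DNS carries and make the two agree. The `locations."/"` proxy also forwards without the original Host or client address; `recommendedProxySettings = true;` under `services.nginx` passes Host and the X-Forwarded-* headers so knotmirror's logs and any host-based logic see the real request. Port 80 presumably stays open for the ACME HTTP-01 challenge and the forceSSL redirect, and a short comment next to `allowedTCPPorts` saying so would help.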