Diffstat (limited to 'nix/hosts/corrino')
-rw-r--r-- | nix/hosts/corrino/configuration.nix | 7 | ||||
-rw-r--r-- | nix/hosts/corrino/modules/authelia.emile.space.nix | 13 | ||||
-rw-r--r-- | nix/hosts/corrino/ports.nix | 45 | ||||
-rw-r--r-- | nix/hosts/corrino/www/cs.emile.space.nix | 10 | ||||
-rw-r--r-- | nix/hosts/corrino/www/ctf.emile.space.nix | 8 | ||||
-rw-r--r-- | nix/hosts/corrino/www/events.emile.space.nix | 8 | ||||
-rw-r--r-- | nix/hosts/corrino/www/git.emile.space.nix | 5 | ||||
-rw-r--r-- | nix/hosts/corrino/www/grafana.emile.space.nix | 16 | ||||
-rw-r--r-- | nix/hosts/corrino/www/hydra.emile.space.nix | 10 | ||||
-rw-r--r-- | nix/hosts/corrino/www/jupyter.emile.space.nix | 14 | ||||
-rw-r--r-- | nix/hosts/corrino/www/magic-hash.emile.space.nix | 8 | ||||
-rw-r--r-- | nix/hosts/corrino/www/md.emile.space.nix | 9 | ||||
-rw-r--r-- | nix/hosts/corrino/www/netbox.emile.space.nix | 8 | ||||
-rw-r--r-- | nix/hosts/corrino/www/pgweb.emile.space.nix | 6 | ||||
-rw-r--r-- | nix/hosts/corrino/www/photo.emile.space.nix | 8 | ||||
-rw-r--r-- | nix/hosts/corrino/www/stream.emile.space.nix | 12 | ||||
-rw-r--r-- | nix/hosts/corrino/www/talks.emile.space.nix | 5 | ||||
-rw-r--r-- | nix/hosts/corrino/www/tickets.emile.space.nix | 8 |
18 files changed, 139 insertions, 61 deletions
diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix
index c97d09f..dbc952c 100644
--- a/nix/hosts/corrino/configuration.nix
+++ b/nix/hosts/corrino/configuration.nix
@@ -1,5 +1,8 @@
 { config, pkgs, ... }:
-{
+
+let
+ ports = import ./ports.nix;
+in {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
@@ -57,7 +60,7 @@
 enable = true;
 # ssh port during boot for luks decryption
- port = 2222;
+ port = ports.initrd_ssh;
 authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
 hostKeys = [ "/initrd_ssh_host_ecdsa_key" ];
 };
diff --git a/nix/hosts/corrino/modules/authelia.emile.space.nix b/nix/hosts/corrino/modules/authelia.emile.space.nix
index 774e62f..8a2c62a 100644
--- a/nix/hosts/corrino/modules/authelia.emile.space.nix
+++ b/nix/hosts/corrino/modules/authelia.emile.space.nix
@@ -1,6 +1,9 @@
 { config, pkgs, ... }:
-{
+let
+ ports = import ../ports.nix;
+ authelia_port = config.services.authelia.instances.main.settings.server.port;
+in {
 services.nginx.virtualHosts."sso.emile.space" = {
 forceSSL = true;
@@ -8,7 +11,7 @@
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:9091";
+ proxyPass = "http://127.0.0.1:${toString authelia_port}";
 extraConfig = '' ## Headers
@@ -50,11 +53,11 @@
 };
 "/api/verify" = {
- proxyPass = "http://127.0.0.1:9091";
+ proxyPass = "http://127.0.0.1:${toString authelia_port}";
 };
 "/api/authz/" = {
- proxyPass = "http://127.0.0.1:9091";
+ proxyPass = "http://127.0.0.1:${toString authelia_port}";
 };
 };
 };
@@ -103,7 +106,7 @@
 server = {
 host = "127.0.0.1";
- port = 9091;
+ port = ports.authelia;
 };
 # we're using a file to store the user information
diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix
new file mode 100644
index 0000000..dc2225c
--- /dev/null
+++ b/nix/hosts/corrino/ports.nix
@@ -0,0 +1,45 @@
+{
+ # 19xx
+ stream_rtmp = 1935;
+
+ # 20xx
+ initrd_ssh = 2222;
+ photo = 2342;
+
+ # 30xx
+ git = 3000;
+ hydra = 3001;
+ grafana = 3002;
+ md = 3003;
+
+ # 34xx
+ # cs = 3463;
+
+ # 40xx
+ events = 4000;
+
+
+ # 54xx
+ pgweb = 5432;
+
+ # 80xx
+ stream = 8080;
+ netbox = 8001;
+ # 8002
+ # 8003
+ jupyter = 8004;
+
+ # 83xx
+ ctf = 8338;
+ magic-hash = 8339;
+
+ tickets= 8349;
+ talks = 8350;
+
+ # 90xx
+ authelia = 9091;
+ prometheus_node_exporter = 9002;
+ prometheus = 9003;
+ loki = 9004;
+ promtail = 9005;
+}
diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix
index de4d67e..b095162 100644
--- a/nix/hosts/corrino/www/cs.emile.space.nix
+++ b/nix/hosts/corrino/www/cs.emile.space.nix
@@ -3,16 +3,18 @@
 # adapted from https://cs.tvl.fyi/depot/-/blob/ops/modules/sourcegraph.nix
-{ ... }:
+{ config, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."cs.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:3463";
+ proxyPass = "http://127.0.0.1:${toString ports.cs}";
 extraConfig = '' location = / {
@@ -37,7 +39,7 @@
 image = "sourcegraph/server:5.1.1";
 ports = [
- "127.0.0.1:3463:7080"
+ "127.0.0.1:${toString ports.cs}:7080"
 ];
 volumes = [
diff --git a/nix/hosts/corrino/www/ctf.emile.space.nix b/nix/hosts/corrino/www/ctf.emile.space.nix
index c4de8c5..5c9d49a 100644
--- a/nix/hosts/corrino/www/ctf.emile.space.nix
+++ b/nix/hosts/corrino/www/ctf.emile.space.nix
@@ -1,13 +1,15 @@
 { ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."ctf.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:8338";
+ proxyPass = "http://127.0.0.1:${toString ports.ctf}";
 };
 };
 };
@@ -18,7 +20,7 @@
 "ctfd" = {
 image = "ctfd/ctfd";
 ports = [
- "8338:8000"
+ "${toString ports.ctf}:8000"
 ];
 };
 };
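Review bot: `# cs = 3463;` is left commented out in the new ports.nix, yet cs.emile.space.nix in this same commit reads `ports.cs` for both its proxyPass and its container mapping, so evaluating the host fails with a missing-attribute error on `cs`; it needs to be `cs = 3463;`. `pgweb = 5432;` reuses the PostgreSQL default port under a name that suggests the pgweb UI, which deserves a comment here (`# NOTE: 5432 is also the postgres default - confirm pgweb itself listens here`) because the nginx vhost proxies plain HTTP to it. Minor style: `tickets= 8349;` lacks the space before `=` that every other entry has.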
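Review bot: `"${toString ports.ctf}:8000"` carries no host address, so the published port binds on all interfaces and the CTFd backend can be reached directly on `ports.ctf` without going through the TLS vhost above (whether the host firewall blocks that is outside this diff). The cs, talks and tickets mappings in this commit are written as `127.0.0.1:<port>:<container>`; match them with `"127.0.0.1:${toString ports.ctf}:8000"`. The magic-hash mapping later in this commit has the same issue.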
diff --git a/nix/hosts/corrino/www/events.emile.space.nix b/nix/hosts/corrino/www/events.emile.space.nix
index bb4db38..d7f5d50 100644
--- a/nix/hosts/corrino/www/events.emile.space.nix
+++ b/nix/hosts/corrino/www/events.emile.space.nix
@@ -1,6 +1,8 @@
 { ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."events.emile.space" = {
 forceSSL = true;
 enableACME = true;
@@ -8,7 +10,7 @@
 locations = {
 "/" = {
 extraConfig = ''
- proxy_pass http://[::1]:4000;
+ proxyPass = "http://[::1]:${toString ports.events}";
 '';
 };
 };
@@ -27,7 +29,7 @@
 settings.":mobilizon" = {
 "Mobilizon.Web.Endpoint" = {
 url.host = "events.emile.space";
- http.port = 4000;
+ http.port = ports.events;
 # The IP address to listen on. Defaults to [::1] notated as a byte
 # tuple.
diff --git a/nix/hosts/corrino/www/git.emile.space.nix b/nix/hosts/corrino/www/git.emile.space.nix
index dceadb6..f05c83d 100644
--- a/nix/hosts/corrino/www/git.emile.space.nix
+++ b/nix/hosts/corrino/www/git.emile.space.nix
@@ -2,6 +2,7 @@
 let
 cfg = config.services.gitea;
+ ports = import ../ports.nix;
 authelia-location = ''
 set $upstream_authelia http://127.0.0.1:9091/api/authz/auth-request;
@@ -81,7 +82,8 @@ in {
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:3000";
+ # proxyPass = "http://127.0.0.1:3000";
+ proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}";
 # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
 # extraConfig = authelia-authrequest;
@@ -131,6 +133,7 @@ in {
 server = {
 DOMAIN = pkgs.lib.mkForce "git.emile.space";
 ROOT_URL = pkgs.lib.mkForce "https://git.emile.space";
+ HTTP_PORT = ports.git;
 #START_SSH_SERVER = true;
 BUILTIN_SSH_SERVER_USER = "git";
diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix
index 0f73147..d3e0e2f 100644
--- a/nix/hosts/corrino/www/grafana.emile.space.nix
+++ b/nix/hosts/corrino/www/grafana.emile.space.nix
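Review bot: The new line sits inside the `extraConfig = ''…''` string, so `proxyPass = "http://[::1]:${toString ports.events}";` is written verbatim into the nginx config, where `proxyPass` is not a directive and the config fails validation; the removed line was raw nginx syntax. Either keep that syntax, `proxy_pass http://[::1]:${toString ports.events};`, or take the line out of extraConfig and set the NixOS option `proxyPass = "http://[::1]:${toString ports.events}";` on the location, as the other vhosts in this commit do.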
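Review bot: `set $upstream_authelia http://127.0.0.1:9091/api/authz/auth-request;` two lines below the new `ports = import ../ports.nix;` still hardcodes the Authelia port that ports.nix now owns, so the auth-request target silently drifts if `ports.authelia` ever changes; write it as `http://127.0.0.1:${toString ports.authelia}/api/authz/auth-request`. In the following hunk the superseded `# proxyPass = "http://127.0.0.1:3000";` is left commented next to its replacement, and the md module does the same; both can be dropped now that the port is taken from the service config.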
@@ -1,6 +1,8 @@
 { config, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services = {
 nginx.virtualHosts."grafana.emile.space" = {
 addSSL = true;
@@ -16,7 +18,7 @@
 settings = {
 server = {
 http_addr = "127.0.0.1";
- http_port = 3002;
+ http_port = ports.grafana;
 domain = "grafana.emile.space";
 root_url = "https://grafana.emile.space/";
 };
@@ -47,13 +49,13 @@
 prometheus = {
 enable = true;
 retentionTime = "356d";
- port = 9003;
+ port = ports.prometheus;
 exporters = {
 node = {
 enable = true;
 enabledCollectors = [ "systemd" ];
- port = 9002;
+ port = ports.prometheus_node_exporter;
 };
 };
 scrapeConfigs = [
@@ -71,7 +73,7 @@
 configuration = {
 auth_enabled = false;
 server = {
- http_listen_port = 9004;
+ http_listen_port = ports.loki;
 };
 limits_config = {
@@ -112,7 +114,7 @@
 enable = true;
 configuration = {
 server = {
- http_listen_port = 9005;
+ http_listen_port = ports.promtail;
 grpc_listen_port = 0;
 };
 positions.filename = "/tmp/positions.yml";
@@ -214,4 +216,4 @@
 };
 };
 };
-}
\ No newline at end of file
+}
diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix
index 2607ac0..1d1fa0a 100644
--- a/nix/hosts/corrino/www/hydra.emile.space.nix
+++ b/nix/hosts/corrino/www/hydra.emile.space.nix
@@ -1,13 +1,15 @@
- { ... }:
+{ config, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."hydra.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:3001";
+ proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
 };
 };
 };
@@ -22,7 +24,7 @@
 enable = true;
 listenHost = "*";
- port = 3001;
+ port = ports.hydra;
 hydraURL = "https://hydra.emile.space"; # externally visible URL
 # Directory that holds Hydra garbage collector roots.
diff --git a/nix/hosts/corrino/www/jupyter.emile.space.nix b/nix/hosts/corrino/www/jupyter.emile.space.nix
index d1d951c..18e56a0 100644
--- a/nix/hosts/corrino/www/jupyter.emile.space.nix
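Review bot: `positions.filename = "/tmp/positions.yml";` in the promtail hunk keeps the read-offset state in the world-writable, non-persistent `/tmp`, so every reboot re-ships logs from scratch and any local user can pre-create or replace the file; `positions.filename = "/var/lib/promtail/positions.yaml";` is the usual placement, assuming the promtail unit has a writable state directory there (not visible in this diff). In the prometheus hunk `retentionTime = "356d";` reads like a transposition of 365d and is worth confirming. Both lines are unchanged context, but since this commit is already touching every port in the file it is a cheap moment to fix them.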
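Review bot: `listenHost = "*";` is kept while the new proxyPass targets `127.0.0.1`, so the Hydra web UI on `ports.hydra` still listens on every interface and, unless the firewall drops it (not shown in this diff), is reachable directly without the TLS vhost or its ACME certificate; `listenHost = "127.0.0.1";` would match the proxy target. The line is pre-existing context, but centralising the port here is a natural point to tighten it.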
+++ b/nix/hosts/corrino/www/jupyter.emile.space.nix
@@ -1,22 +1,24 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, config, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."jupyter.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:8004";
+ proxyPass = "http://127.0.0.1:${toString config.services.jupyter.port}";
 };
 };
 };
- services.jupyter = rec {
+ services.jupyter = {
 enable = true;
 ip = "127.0.0.1";
- port = 8004;
+ port = ports.jupyter;
 # ; python3
 # >>> from notebook.auth import passwd
@@ -57,4 +59,4 @@
 users.users.jupyter.group = "jupyter";
 users.groups.jupyter = {};
-}
\ No newline at end of file
+}
diff --git a/nix/hosts/corrino/www/magic-hash.emile.space.nix b/nix/hosts/corrino/www/magic-hash.emile.space.nix
index 05446ea..4f57d12 100644
--- a/nix/hosts/corrino/www/magic-hash.emile.space.nix
+++ b/nix/hosts/corrino/www/magic-hash.emile.space.nix
@@ -1,13 +1,15 @@
 { config, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."magic-hash.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:8339";
+ proxyPass = "http://127.0.0.1:${toString ports.magic-hash}";
 };
 };
 };
@@ -18,7 +20,7 @@
 "ctfd" = {
 image = "magic-hash";
 ports = [
- "8338:80"
+ "${toString ports.magic-hash}:80"
 ];
 environment = {
diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix
index 8d9d109..29ddc67 100644
--- a/nix/hosts/corrino/www/md.emile.space.nix
+++ b/nix/hosts/corrino/www/md.emile.space.nix
@@ -1,6 +1,8 @@
 { config, pkgs, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."md.emile.space" = {
 forceSSL = true;
 enableACME = true;
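Review bot: `"${toString ports.magic-hash}:80"` has no host address, so the container port binds on all interfaces; prefix it with `127.0.0.1:` as the cs, talks and tickets mappings in this commit do. The container is still named `"ctfd"` even though its image is `magic-hash`, and ctf.emile.space.nix defines a `"ctfd"` container too; if both sit under the same `virtualisation.oci-containers.containers` set (the enclosing attribute is outside this hunk) the two definitions conflict, so renaming this one to `"magic-hash"` is safer. Note that the host port also changes here from 8338 to `ports.magic-hash` (8339), removing the previous clash with CTFd's 8338 — that is a behaviour change, not just a refactor.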
@@ -10,7 +12,8 @@
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:3003";
+ # proxyPass = "http://127.0.0.1:3003";
+ proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
 # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
 # extraConfig = authelia-authrequest;
@@ -58,7 +61,7 @@
 settings = {
 host = "127.0.0.1";
- port = 3003;
+ port = ports.md;
 domain = "md.emile.space";
diff --git a/nix/hosts/corrino/www/netbox.emile.space.nix b/nix/hosts/corrino/www/netbox.emile.space.nix
index a86209c..3f07bf5 100644
--- a/nix/hosts/corrino/www/netbox.emile.space.nix
+++ b/nix/hosts/corrino/www/netbox.emile.space.nix
@@ -1,13 +1,15 @@
 { config, pkgs, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."netbox.emile.space" = {
 forceSSL = true;
 enableACME = true;
 kTLS = true;
 locations."/" = {
- proxyPass = "http://[::1]:8001";
+ proxyPass = "http://[::1]:${toString config.services.netbox.port}";
 proxyWebsockets = true;
 };
 locations."/static/".root = "${config.services.netbox.dataDir}";
@@ -25,7 +27,7 @@
 enableLdap = false;
 settings = {};
 secretKeyFile = config.age.secrets.netbox_secret.path;
- port = 8001;
+ port = ports.netbox;
 listenAddress = "[::1]";
 };
diff --git a/nix/hosts/corrino/www/pgweb.emile.space.nix b/nix/hosts/corrino/www/pgweb.emile.space.nix
index 522a6bf..1ce8063 100644
--- a/nix/hosts/corrino/www/pgweb.emile.space.nix
+++ b/nix/hosts/corrino/www/pgweb.emile.space.nix
@@ -1,13 +1,15 @@
 { pkgs, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."pgweb.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:5432";
+ proxyPass = "http://127.0.0.1:${toString ports.pgweb}";
 };
 };
 };
diff --git a/nix/hosts/corrino/www/photo.emile.space.nix b/nix/hosts/corrino/www/photo.emile.space.nix
index 7f2e9ca..6ebf94d 100644
--- a/nix/hosts/corrino/www/photo.emile.space.nix
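Review bot: `proxyPass = "http://127.0.0.1:${toString ports.pgweb}";` resolves to 5432, the PostgreSQL default port, and the pgweb service itself is not configured anywhere in this file's hunks, so it is unclear whether pgweb actually listens there or whether nginx is forwarding HTTP requests straight at the database listener. Confirm against the pgweb service definition and leave a comment on the line such as `# pgweb listen port - NOTE: 5432 is also the postgres default`.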
+++ b/nix/hosts/corrino/www/photo.emile.space.nix
@@ -1,13 +1,15 @@
 { config, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."photo.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:2342";
+ proxyPass = "http://127.0.0.1:${toString config.services.photoprism.port}";
 proxyWebsockets = true;
 };
 };
@@ -17,7 +19,7 @@
 enable = true;
 address = "127.0.0.1";
- port = 2342;
+ port = ports.photo;
 passwordFile = config.age.secrets.photoprism_password.path;
diff --git a/nix/hosts/corrino/www/stream.emile.space.nix b/nix/hosts/corrino/www/stream.emile.space.nix
index 7340d4f..21ee627 100644
--- a/nix/hosts/corrino/www/stream.emile.space.nix
+++ b/nix/hosts/corrino/www/stream.emile.space.nix
@@ -1,13 +1,15 @@
-{ ... }:
+{ config, ... }:
-{
+let
+ ports = import ../ports.nix;
+in {
 services.nginx.virtualHosts."stream.emile.space" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:8080";
+ proxyPass = "http://127.0.0.1:${toString config.services.owncast.port}";
 proxyWebsockets = true;
 };
 };
@@ -18,7 +20,7 @@
 openFirewall = true;
 listen = "0.0.0.0";
 dataDir = "/var/lib/owncast";
- rtmp-port = 1935;
- port = 8080; # web interface
+ rtmp-port = ports.stream_rtmp;
+ port = ports.stream; # web interface
 };
 }
diff --git a/nix/hosts/corrino/www/talks.emile.space.nix b/nix/hosts/corrino/www/talks.emile.space.nix
index 4833fa7..80c264e 100644
--- a/nix/hosts/corrino/www/talks.emile.space.nix
+++ b/nix/hosts/corrino/www/talks.emile.space.nix
@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 let
+ ports = import ../ports.nix;
 pretalx_config = pkgs.writeText "/etc/pretalx.cfg" ''
 [filesystem]
 media = /public/media
@@ -42,7 +43,7 @@ in {
 locations = {
 "/" = {
 extraConfig = ''
- proxy_pass http://127.0.0.1:8350;
+ proxy_pass http://127.0.0.1:${toString ports.talks};
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
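Review bot: `port = ports.stream; # web interface` sits beside `listen = "0.0.0.0";` and `openFirewall = true;`, so the Owncast web UI on 8080 is bound on every interface and opened in the firewall even though the TLS vhost above already proxies to it on loopback; only the RTMP ingest port genuinely needs to be public. Whether the owncast module's `openFirewall` can be restricted to RTMP is outside this diff; if it cannot, `openFirewall = false;` plus `networking.firewall.allowedTCPPorts = [ ports.stream_rtmp ];` keeps the web port behind nginx. Both lines are pre-existing context, but this hunk is where the ports are being rewritten.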
@@ -61,7 +62,7 @@ in {
 pretalx = {
 image = "pretalx/standalone:latest";
 ports = [
- "127.0.0.1:8350:80"
+ "127.0.0.1:${toString ports.talks}:80"
 ];
 volumes = [
 "/var/pretalx-data:/data" # {static, media}
diff --git a/nix/hosts/corrino/www/tickets.emile.space.nix b/nix/hosts/corrino/www/tickets.emile.space.nix
index f479263..f7d7b94 100644
--- a/nix/hosts/corrino/www/tickets.emile.space.nix
+++ b/nix/hosts/corrino/www/tickets.emile.space.nix
@@ -6,8 +6,7 @@
 # times... sorry
 let
- # pretix_config = config.age.secrets.pretix.path;
-
+ ports = import ../ports.nix;
 pretix_config = pkgs.writeText "pretix.cfg" ''
 [pretix]
 instance_name=tickets.emile.space
@@ -57,7 +56,7 @@ in {
 locations = {
 "/" = {
 extraConfig = ''
- proxy_pass http://127.0.0.1:8349;
+ proxy_pass http://127.0.0.1:${toString ports.tickets};
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
@@ -70,7 +69,7 @@ in {
 pretix = {
 image = "pretix/standalone:stable";
 ports = [
- "127.0.0.1:8349:80"
+ "127.0.0.1:${toString ports.tickets}:80"
 ];
 volumes = [
 "/var/pretix-data:/data"
@@ -116,5 +115,4 @@ in {
 # services.redis.settings.unixsocketperm = "770";
 # trace: warning: The option `services.redis.settings' defined in `/nix/store/ib5271hcbjqrxb0yrmrjcypvpacmnp2s-source/ops/modules/www/tickets.emile.space.nix' has been renamed to `services.redis.servers."".settings'.
-
 }
|
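Review bot: The removed `# pretix_config = config.age.secrets.pretix.path;` was the last trace of loading pretix.cfg from an age secret, while the surviving `pretix_config = pkgs.writeText "pretix.cfg" ''` renders the file into the Nix store, which is world-readable; if that config carries database or mail credentials (its body beyond `instance_name` is outside the hunk), every local user can read them. Keep credentials out of the `writeText` body and point the container at a secret file instead, or add a comment on the line stating that it holds no secrets. The same question applies to `pretalx_config = pkgs.writeText "/etc/pretalx.cfg" ''` in talks.emile.space.nix earlier in this commit.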