fwminex: formatting

Motiejus Jakštys 2024-08-03 18:00:16 +03:00
parent 117d65010b
commit 9b9b609a5f
1 changed files with 75 additions and 80 deletions

@ -178,95 +178,90 @@ in
metrics metrics
} }
''; '';
virtualHosts = virtualHosts = {
let "www.11sync.net".extraConfig = "redir https://jakstys.lt/2024/11sync-shutdown/";
fwminex-vno1 = "127.0.0.1"; "11sync.net".extraConfig = "redir https://jakstys.lt/2024/11sync-shutdown/";
fwminex-jakst = "127.0.0.1"; "vpn.jakstys.lt".extraConfig = ''reverse_proxy 127.0.0.1:${toString myData.ports.headscale}'';
in "hass.jakstys.lt:80".extraConfig = ''
{ @denied not remote_ip ${myData.subnets.tailscale.cidr}
"www.11sync.net".extraConfig = "redir https://jakstys.lt/2024/11sync-shutdown/"; abort @denied
"11sync.net".extraConfig = "redir https://jakstys.lt/2024/11sync-shutdown/"; reverse_proxy 127.0.0.1:${toString myData.ports.hass}
"vpn.jakstys.lt".extraConfig = ''reverse_proxy ${fwminex-vno1}:${toString myData.ports.headscale}''; '';
"hass.jakstys.lt:80".extraConfig = '' "grafana.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr} @denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied abort @denied
reverse_proxy ${fwminex-jakst}:${toString myData.ports.hass} reverse_proxy 127.0.0.1:${toString myData.ports.grafana}
''; tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
"grafana.jakstys.lt".extraConfig = '' '';
@denied not remote_ip ${myData.subnets.tailscale.cidr} "bitwarden.jakstys.lt".extraConfig = ''
abort @denied @denied not remote_ip ${myData.subnets.tailscale.cidr}
reverse_proxy ${fwminex-jakst}:${toString myData.ports.grafana} abort @denied
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
'';
"bitwarden.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
# from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples # from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
encode gzip encode gzip
header { header {
# Enable HTTP Strict Transport Security (HSTS) # Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=31536000;" Strict-Transport-Security "max-age=31536000;"
# Enable cross-site filter (XSS) and tell browser to block detected attacks # Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block" X-XSS-Protection "1; mode=block"
# Disallow the site to be rendered within a frame (clickjacking protection) # Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN" X-Frame-Options "SAMEORIGIN"
} }
reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden} { reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} {
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
} }
''; '';
"www.jakstys.lt".extraConfig = '' "www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt redir https://jakstys.lt
''; '';
"irc.jakstys.lt".extraConfig = "irc.jakstys.lt".extraConfig =
let let
gamja = pkgs.compressDrvWeb (pkgs.gamja.override { gamja = pkgs.compressDrvWeb (pkgs.gamja.override {
gamjaConfig = { gamjaConfig = {
server = { server = {
url = "irc.jakstys.lt:6698"; url = "irc.jakstys.lt:6698";
nick = "motiejus"; nick = "motiejus";
};
}; };
}) { }; };
in }) { };
'' in
@denied not remote_ip ${myData.subnets.tailscale.cidr} ''
abort @denied @denied not remote_ip ${myData.subnets.tailscale.cidr}
tls {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-key.pem abort @denied
tls {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-key.pem
root * ${gamja} root * ${gamja}
file_server browse {
precompressed br gzip
}
'';
"dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse { file_server browse {
hide .stfolder precompressed br gzip
}
encode gzip
'';
"jakstys.lt".extraConfig = ''
header Strict-Transport-Security "max-age=31536000"
header /_/* Cache-Control "public, max-age=31536000, immutable"
root * /var/www/jakstys.lt
file_server {
precompressed br gzip
}
handle /.well-known/carddav {
redir https://cdav.migadu.com/
}
handle /.well-known/caldav {
redir https://cdav.migadu.com/
} }
''; '';
}; "dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse {
hide .stfolder
}
encode gzip
'';
"jakstys.lt".extraConfig = ''
header Strict-Transport-Security "max-age=31536000"
header /_/* Cache-Control "public, max-age=31536000, immutable"
root * /var/www/jakstys.lt
file_server {
precompressed br gzip
}
handle /.well-known/carddav {
redir https://cdav.migadu.com/
}
handle /.well-known/caldav {
redir https://cdav.migadu.com/
}
'';
};
}; };
nsd = { nsd = {