From 73b0e338fca7accd4001e789cbd07e05d3e9cb05 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)"
Date: Sun, 28 Jul 2024 17:19:25 +0200
Subject: [PATCH] nx2site save (unused)
---
 system-modules/nx2site.nix | 58 +++++++---
 system-modules/nx2site/proxy.nix | 186 +++++++++++++++++++++++++++++++
 2 files changed, 230 insertions(+), 14 deletions(-)
 create mode 100644 system-modules/nx2site/proxy.nix
diff --git a/system-modules/nx2site.nix b/system-modules/nx2site.nix
index ccf6a3f..7eba019 100644
--- a/system-modules/nx2site.nix
+++ b/system-modules/nx2site.nix
@@ -1,5 +1,7 @@
 { config, pkgs, lib, user, host, ... }:
-lib.mkIf (host == "NxACE")
+lib.mkIf false
+# lib.mkIf (host == "NxACE")
+((import ./nx2site/proxy.nix { inherit config pkgs lib user; }) //
 {
 sops.secrets = {
 "nx2site/namecheap.pw" = { };
@@ -14,18 +16,15 @@ lib.mkIf (host == "NxACE")
 Unit = "namecheap-dynamic-dns.service";
 };
 };
- services."namecheap-dynamic-dns" =
- let
+ services."namecheap-dynamic-dns" = let
 u = let
 domain = "nx2.site";
 passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
+ # passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
 log-file-path = "/var/log/update_namecheap.log";
 count-file-path = "/var/log/update_namecheap-count.txt";
- in
- pkgs.writers.writePython3Bin "update_namecheap" {
- libraries = with pkgs.python311Packages; [
- requests
- ];
+ in pkgs.writers.writePython3Bin "update_namecheap" {
+ libraries = with pkgs.python311Packages; [ requests ];
 flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" ];
 } ''
 import requests
@@ -58,7 +57,7 @@ lib.mkIf (host == "NxACE")
 # Perform DNS updates
 resp_base = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password={pw}&ip={my_ip}")
 resp_subd = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=*&domain=${domain}&password={pw}&ip={my_ip}")
-
+
 # Reset the count file
 with open("${count-file-path}", 'w') as f:
 f.write('0')
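Review bot: The `//` on the added `((import ./nx2site/proxy.nix { inherit config pkgs lib user; }) //` line is a shallow attribute-set update, so the outer `sops.secrets = { "nx2site/namecheap.pw" = { }; … }` replaces the entire `sops` attribute that proxy.nix contributes, dropping its three nginx certificate secrets while the nginx virtual hosts in that file still reference `config.sops.secrets."nx2site/sslCertificate.pem".path`. Merging the two fragments with the module system keeps both: `lib.mkIf false (lib.mkMerge [ (import ./nx2site/proxy.nix { inherit config pkgs lib user; }) { … } ])`, with the closing `})` in the `@@ -71,19 +70,50 @@` hunk becoming `} ])`. Because the whole expression is currently gated by `lib.mkIf false`, this only surfaces once the `host == "NxACE"` condition is restored, which is presumably the intent given the commented-out line.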
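Review bot: The added `# passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;` comment is a verbatim copy of the live binding directly above it, so it reads as a leftover rather than documenting an alternative; drop it, or replace it with a comment saying what the secret path is used for. The `services."namecheap-dynamic-dns" = let` definition this hunk reflows continues past the end of the hunk.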
@@ -71,19 +70,50 @@ lib.mkIf (host == "NxACE")
 parser = argparse.ArgumentParser()
 parser.add_argument('-f', '--force', action='store_true', help='Force update')
 args = parser.parse_args()
-
+
 main(args.force)
 '';
- in
- {
+ in {
 script = ''
 set -eu
 ${u}/bin/update_namecheap
 '';
 serviceConfig = {
 Type = "oneshot";
- # User = "nx2";
 };
 };
 };
-}
+ # I can't use this becasue API Access for Namecheap needs a static whitelisted IP, which I don't have
+ # security.acme = {
+ # acceptTerms = true;
+ # certs."nx2site" = { };
+ # };
+ environment.systemPackages = with pkgs; [
+ certbot
+ (writeShellApplication {
+ name = "refresh_ssl_certificate";
+ runtimeInputs = [ certbot ];
+ # https://forum.endeavouros.com/t/tutorial-add-a-systemd-boot-loader-menu-entry-for-a-windows-installation-using-a-separate-esp-partition/37431
+ text = let
+ webroot = /home/nx2/nx2site/staticweb/content;
+ in /*bash*/ ''
+ cartbot
+ ls ${webroot}
+ '';
+ })
+ ];
+ networking.hosts = { # docker network inspect nx2site_default | grep -E "Name|IPv4" | tr "\n" " " | sed -r 's- +- -g;s-\n?"Name": -\n-g' | sed -r '1d;2d;s-"(.+?)", "IPv4Address": "(.+)/16",- "\2" = [ "\1.docker" ];-g'
+ "172.1.2.1" = [ "staticweb.docker" ];
+ "172.1.3.1" = [ "matrix.docker" ];
+ # "172.1.0.9" = [ "matrixdb.docker" ];
+ "172.1.4.1" = [ "matrix-ss.docker" ];
+ # "172.1.0.7" = [ "matrix-ssdb.docker" ];
+ "172.1.5.1" = [ "pw.docker" ];
+ "172.1.6.1" = [ "git.docker" ];
+ # "172.1.0.10" = [ "gitdb.docker" ];
+ "172.1.7.1" = [ "nn.docker" ];
+ "172.1.8.1" = [ "llm.docker" ];
+ # "172.1.9.1" = [ "proxy.docker" ];
+ "172.1.10.1" = [ "share.docker" ];
+ };
+})
diff --git a/system-modules/nx2site/proxy.nix b/system-modules/nx2site/proxy.nix
new file mode 100644
index 0000000..356e231
--- /dev/null
+++ b/system-modules/nx2site/proxy.nix
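Review bot: The `refresh_ssl_certificate` script body calls `cartbot`, which is not provided by `runtimeInputs = [ certbot ];` nor anything else, so the wrapper fails on its first command; the line should read `certbot`. `webroot = /home/nx2/nx2site/staticweb/content;` is a Nix path literal, and interpolating it as `${webroot}` inside the string copies that directory into the world-readable Nix store at evaluation time (and aborts evaluation if it does not exist on the evaluating machine) rather than referring to the live directory, so it should be a string: `webroot = "/home/nx2/nx2site/staticweb/content";`. The `networking.hosts` entries sit in `172.1.0.0/16`, which is public, globally routed address space (RFC 1918 private space for this block is 172.16.0.0/12), so a Docker network on that range plus these host entries would shadow real Internet addresses on this machine; a subnet inside 172.16.0.0/12 or 10.0.0.0/8 avoids that. The forum link above `text = let` is about systemd-boot menu entries and does not explain this script; replace it with a one-line comment on what the certificate refresh is meant to do. The hard-coded `/home/nx2` here also differs from the `${user}` interpolation used for the same home directory in proxy.nix.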
@@ -0,0 +1,186 @@
+{ config, pkgs, lib, user }:
+{
+ sops.secrets = {
+ "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
+ "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
+ "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
+ };
+ services.nginx = let
+ config-root = /home/${user}/nx2site/proxy/config;
+ xcontent-root = /home/${user}/nx2site/proxy/xcontent;
+ content-root = /home/${user}/nx2site/proxy/content;
+ in {
+ enable = true;
+ additionalModules = [];
+ # appendConfig = '''';
+ clientMaxBodySize = "20m";
+
+ defaultHTTPListenPort = 80;
+ defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
+ defaultListen = [ {
+ addr = "0.0.0.0";
+ ssl = true;
+ port = 443;
+ proxyProtocol = true;
+ }];
+ defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
+ defaultSSLListenPort = 443;
+ enableQuicBPF = true;
+ enableReload = true;
+ # eventsConfig = '''';
+ # logError = ;
+ # mapHashBucketSize = ;
+ # mapHashMaxSize = ;
+ package = pkgs.nginxQuic;
+ # preStart = true;
+ proxyResolveWhileRunning = false;
+ proxyTimeout = "20s";
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ serverTokens = false;
+ # sslCiphers = true;
+ sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
+ sslProtocols = "TLSv1.2 TLSv1.3";
+ statusPage = false;
+ streamConfig = ""; # udp config
+ validateConfigFile = true;
+ upstreams = {
+ "staticweb".servers = { "staticweb.docker:80" = {}; };
+ "matrix".servers = { "matrix.docker:80" = {}; };
+ "matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
+ "pw".servers = { "pw.docker:80" = {}; };
+ "git".servers = { "git.docker:80" = {}; };
+ "nn".servers = { "nn.docker:80" = {}; };
+ "llm".servers = { "llm.docker:80" = {}; };
+ "share".servers = { "share.docker:80" = {}; };
+
+ "sync".servers = { "localhost:8384" = {}; };
+ };
+ virtualHosts = let
+ sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
+ sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
+ kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
+ in
+ {
+ "nx2.site" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ locations = {
+ "/" = {
+ proxyPass = "http://staticweb";
+ # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
+ };
+ "/.well-known/matrix/client" = {
+ return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
+ extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
+ };
+ "/.well-known/matrix/server" = {
+ return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
+ extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
+ };
+ "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://matrix-ss";
+ # extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
+ };
+ "~ ^(\/_matrix|\/_synapse\/client)" = {
+ return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
+ # extraConfig = [];
+ };
+ };
+ };
+ "matrix.nx2.site" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ listen = [
+ { addr = "0.0.0.0"; port = 443; ssl = true; }
+ { addr = "0.0.0.0"; port = 8448; ssl = true; }
+ ];
+ locations = {
+ "/" = {
+ proxyPass = "http://matrix";
+ # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
+ };
+ };
+ };
+ "matrix-ss.nx2.site" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ # "resolver 1.1.1.1;"
+ # "client_max_body_size 500M;"
+ # ];
+ locations = {
+ "/" = { proxyPass = "http://pw"; };
+ };
+ };
+ # "dev.nx2.site" = {
+ # kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
+ sslCertificate = cert; sslCertificateKey = key;
+ # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ # locations = {
+ # "/" = {
+ # proxyPass = "http://dev";
+ # };
+ # };
+ # };
+ "pw.nx2.site" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ locations = {
+ "/" = { proxyPass = "http://pw"; };
+ "/admin" = { proxyPass = "http://pw"; };
+ "/notifications/hub" = { proxyPass = "http://pw"; };
+ "/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
+ };
+ };
+ "share.nx2.site" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ locations = {
+ "/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
+ # ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
+ # ''proxy_set_header X-Real-IP $remote_addr;''
+ # ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
+ # ''proxy_set_header Host $http_host;''
+ # ];
+ };
+ "/socket.io" = {
+ proxyPass = "http://share/socket.io";
+ proxyWebsockets = true;
+ # extraConfig = [
+ # ''proxy_http_version 1.1;''
+ # ''proxy_set_header Upgrade $http_upgrade;''
+ # ''proxy_set_header Connection "upgrade";''
+ # ];
+ };
+ };
+ };
+ "sync.nx2.site" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ locations = {
+ "/" = { proxyPass = "http://sync"; };
+ };
+ };
+ "git.nx2.site" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ locations = {
+ "/" = { proxyPass = "http://git"; };
+ };
+ };
+ "~^(.*)\.nx2\.site$" = {
+ inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+ # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+ root = "/home/nx2/nx2site/staticweb/xcontent/";
+ locations = {
+ "~.*" = {
+ return = "502 /502.html";
+ };
+ };
+ };
+ };
+ };
+}
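Review bot: The `"matrix-ss.nx2.site"` virtual host proxies `"/"` to `http://pw`, the password-manager upstream, while the `"matrix-ss"` upstream declared above is never used by that host; this publishes the `pw` service under a second hostname and breaks the sliding-sync endpoint advertised in `/.well-known/matrix/client`, so it should read `"/" = { proxyPass = "http://matrix-ss"; };`. Inside the commented-out `"dev.nx2.site"` block the line `sslCertificate = cert; sslCertificateKey = key;` is not commented, so it assigns attributes directly on `virtualHosts` and references undefined `cert`/`key` variables, which fails evaluation; comment it out with the rest of the block. `proxyProtocol = true;` on the default `0.0.0.0:443` listener makes nginx expect a PROXY-protocol header on every TLS connection to that port (as far as I can tell the per-host `listen` overrides share that socket and do not escape it), so direct clients cannot connect unless a PROXY-speaking front end sits in front, and with such a front end `set_real_ip_from` must restrict which peers may supply that header; drop it unless that front end exists. `return = "502 /502.html";` in the catch-all host sends the literal text `/502.html` as the body of a 502 response, since nginx only treats the second argument as a URL for 3xx codes; serving the page needs `extraConfig = "error_page 502 /502.html;"` together with a location that can read it from `root`. The `\.` in `"~^(.*)\.nx2\.site$"` is an unknown escape in a Nix double-quoted string and is reduced to a bare `.`, so the server name becomes `~^(.*).nx2.site$`; write `"~^(.*)\\.nx2\\.site$"`, and either use or remove the unused `config-root`, `xcontent-root` and `content-root` bindings in the `let`.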