Handle nginx open firewall by nixos-modules
This commit is contained in:
parent
a6cbac7c08
commit
aafc472a59
|
@ -0,0 +1,14 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
# this file contains default configuration that may be turned on depending on other config settings.
|
||||||
|
# options should go to modules.
|
||||||
|
|
||||||
|
lib.mkIf config.services.nginx.enable {
|
||||||
|
services.nginx = {
|
||||||
|
openFirewall = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
};
|
||||||
|
}
|
|
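Review bot: `openFirewall = true;` is set with plain (priority 100) definitions although the header comment calls this file "default configuration", so a host that wants nginx reachable only internally cannot write `services.nginx.openFirewall = false;` without `lib.mkForce` — it would hit a conflicting-definitions error. Use `openFirewall = lib.mkDefault true;` (and `lib.mkDefault` on the four `recommended*` lines too) so hosts can override without mkForce. Note that this now opens 80/443 on every host where `services.nginx.enable` is true, including any whose nginx previously had no firewall entry on purpose; the `openFirewall` option itself presumably comes from the `nixos-modules` flake imported in this commit — worth confirming it exists for every host's nixpkgs input.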
@ -231,14 +231,16 @@
|
||||||
({ ... }: {
|
({ ... }: {
|
||||||
_module.args = extraArgs // {
|
_module.args = extraArgs // {
|
||||||
inherit hostRegistry inputs zentralwerk;
|
inherit hostRegistry inputs zentralwerk;
|
||||||
|
|
||||||
|
lib = lib.recursiveUpdate nixpkgs.lib nixos-modules.lib;
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs = {
|
nixpkgs.overlays = [ self.overlays ];
|
||||||
overlays = [ self.overlays ];
|
|
||||||
};
|
|
||||||
})
|
})
|
||||||
|
|
||||||
self.nixosModules.c3d2
|
self.nixosModules.c3d2
|
||||||
|
nixos-modules.nixosModule
|
||||||
|
./config
|
||||||
./modules/audio-server.nix
|
./modules/audio-server.nix
|
||||||
./modules/c3d2.nix
|
./modules/c3d2.nix
|
||||||
./modules/stats.nix
|
./modules/stats.nix
|
||||||
|
|
|
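Review bot: The new `lib = lib.recursiveUpdate nixpkgs.lib nixos-modules.lib;` under `_module.args` most likely never reaches the modules: as far as I recall the module system resolves a module function's `lib` argument from its own base arguments (`lib`, `config`, `options`, specialArgs) before it consults `_module.args`, so host modules keep receiving plain `nixpkgs.lib`. If the merged lib is needed, pass it through the `nixosSystem` call instead, e.g. `specialArgs = { lib = lib.recursiveUpdate nixpkgs.lib nixos-modules.lib; };`, and verify by calling one `nixos-modules.lib` function from a host file. `recursiveUpdate` also lets `nixos-modules.lib` silently shadow same-named nixpkgs functions; `nixpkgs.lib.extend` with an overlay would make that explicit. The enclosing `nixosSystem` call starts outside this hunk.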
@ -13,8 +13,6 @@
|
||||||
"127.0.0.1" = [ "auth.c3d2.de" ];
|
"127.0.0.1" = [ "auth.c3d2.de" ];
|
||||||
};
|
};
|
||||||
firewall.allowedTCPPorts = [
|
firewall.allowedTCPPorts = [
|
||||||
80 # http
|
|
||||||
443 # https
|
|
||||||
636 # ldaps
|
636 # ldaps
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -27,10 +25,8 @@
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations = {
|
locations = {
|
||||||
|
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
||||||
"/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
|
"/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
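Review bot: After dropping 80/443 from `firewall.allowedTCPPorts`, the `enableACME = true;` vhost in the second hunk only keeps working because the flake-level `services.nginx.openFirewall` default opens port 80 for the HTTP-01 challenge; nothing in this file says so any more, and the remaining `636 # ldaps` entry suggests the list is meant to be the complete picture. Add `# 80/443 are opened by services.nginx.openFirewall (config/)` above the list so the next person does not re-add them or wonder why ACME depends on another file. The `networking` block this list belongs to starts outside the hunk.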
@ -4,12 +4,7 @@
|
||||||
microvm.mem = 2048;
|
microvm.mem = 2048;
|
||||||
c3d2.deployment.server = "server10";
|
c3d2.deployment.server = "server10";
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "blogs";
|
||||||
hostName = "blogs";
|
|
||||||
firewall.allowedTCPPorts = [
|
|
||||||
80 443
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# See secrets/hosts/blogs for the .env file with all settings
|
# See secrets/hosts/blogs for the .env file with all settings
|
||||||
services.plume = {
|
services.plume = {
|
||||||
|
|
|
@ -19,8 +19,6 @@ in
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "broker";
|
hostName = "broker";
|
||||||
firewall.allowedTCPPorts = [
|
firewall.allowedTCPPorts = [
|
||||||
# nginx
|
|
||||||
80 443
|
|
||||||
# mosquitto
|
# mosquitto
|
||||||
1883 8883
|
1883 8883
|
||||||
];
|
];
|
||||||
|
|
|
@ -6,10 +6,7 @@
|
||||||
needForSpeed = true;
|
needForSpeed = true;
|
||||||
};
|
};
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "22.11";
|
||||||
networking = {
|
networking.hostName = "buzzrelay";
|
||||||
hostName = "buzzrelay";
|
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
|
|
|
@ -12,10 +12,7 @@
|
||||||
mem = 16 * 1024;
|
mem = 16 * 1024;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "caveman";
|
||||||
hostName = "caveman";
|
|
||||||
firewall.allowedTCPPorts = [ 23 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.journald.extraConfig = ''
|
services.journald.extraConfig = ''
|
||||||
Storage=volatile
|
Storage=volatile
|
||||||
|
|
|
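Review bot: Port 23 is dropped together with 80/443 when `firewall.allowedTCPPorts = [ 23 80 443 ];` is removed, although the commit only moves the nginx ports to `services.nginx.openFirewall`; every other host in this commit keeps its non-nginx ports (sshlog keeps 22, broker keeps 1883/8883, the influxdb host keeps 8086). If something on caveman still listens on 23 it is now unreachable from outside. Either keep `networking.firewall.allowedTCPPorts = [ 23 ]; # <service name>` or state in the commit message that 23 is intentionally closed; which service bound 23 is not visible in this hunk.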
@ -6,10 +6,7 @@
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [ vim git ];
|
environment.systemPackages = with pkgs; [ vim git ];
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "direkthilfe";
|
||||||
firewall.allowedTCPPorts = [ 22 80 443 ];
|
|
||||||
hostName = "direkthilfe";
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
openssh = {
|
openssh = {
|
||||||
|
|
|
@ -14,10 +14,7 @@
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "ftp";
|
||||||
hostName = "ftp";
|
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
users.groups."ftpupload" = { };
|
users.groups."ftpupload" = { };
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
||||||
${hosts4.auth} = [ "auth.c3d2.de" ];
|
${hosts4.auth} = [ "auth.c3d2.de" ];
|
||||||
};
|
};
|
||||||
firewall.allowedTCPPorts = [ 80 443 2222 ];
|
firewall.allowedTCPPorts = [ 2222 ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
|
|
@ -11,8 +11,8 @@
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
firewall = {
|
firewall = {
|
||||||
# http https influxdb
|
# influxdb
|
||||||
allowedTCPPorts = [ 80 443 8086 ];
|
allowedTCPPorts = [ 8086 ];
|
||||||
# collectd
|
# collectd
|
||||||
allowedUDPPorts = [ 25826 ];
|
allowedUDPPorts = [ 25826 ];
|
||||||
};
|
};
|
||||||
|
|
|
@ -17,7 +17,6 @@
|
||||||
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
||||||
${hosts4.auth} = [ "auth.c3d2.de" ];
|
${hosts4.auth} = [ "auth.c3d2.de" ];
|
||||||
};
|
};
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
|
|
@ -32,8 +32,6 @@ in
|
||||||
143
|
143
|
||||||
# managesieve
|
# managesieve
|
||||||
4190
|
4190
|
||||||
# nginx for cert and rspamd
|
|
||||||
80 443
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -5,10 +5,7 @@
|
||||||
|
|
||||||
microvm.mem = 2 * 1024;
|
microvm.mem = 2 * 1024;
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "matemat";
|
||||||
hostName = "matemat";
|
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
nginx = {
|
nginx = {
|
||||||
|
|
|
@ -1,10 +1,7 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
networking = {
|
networking.hostName = "mediawiki";
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
hostName = "mediawiki";
|
|
||||||
};
|
|
||||||
|
|
||||||
c3d2.deployment.server = "server10";
|
c3d2.deployment.server = "server10";
|
||||||
|
|
||||||
|
|
|
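Review bot: Removing `firewall.allowedTCPPorts = [ 80 443 ];` here assumes the wiki is fronted by nginx, but NixOS's `services.mediawiki` module serves through Apache httpd by default, and the new `openFirewall` default only fires when `services.nginx.enable` is true. If this host runs on that default, 80/443 are now closed and the wiki is unreachable. Verify that the host sets `services.mediawiki.webserver = "nginx"` (recent nixpkgs) or defines an nginx vhost — neither is visible in this hunk — and otherwise keep the explicit ports with a comment naming httpd.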
@ -7,10 +7,7 @@
|
||||||
|
|
||||||
microvm.mem = 2048;
|
microvm.mem = 2048;
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "mobilizon";
|
||||||
hostName = "mobilizon";
|
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.postgresql.package = pkgs.postgresql_13;
|
services.postgresql.package = pkgs.postgresql_13;
|
||||||
|
|
||||||
|
|
|
@ -6,10 +6,7 @@
|
||||||
deployment.server = "server10";
|
deployment.server = "server10";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "network-homepage";
|
||||||
hostName = "network-homepage";
|
|
||||||
firewall.allowedTCPPorts = [ 22 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
nginx = rec {
|
nginx = rec {
|
||||||
|
|
|
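Review bot: Port 22 disappears along with 80/443 when `firewall.allowedTCPPorts = [ 22 80 443 ];` is removed, while sshlog in the same commit deliberately keeps `22 # not using openssh module`. That is only safe if this host uses `services.openssh`, whose `openFirewall` defaults to true; nothing in this hunk shows it (the ticker and direkthilfe hunks drop 22 the same way). Either confirm openssh is enabled here, or keep `networking.firewall.allowedTCPPorts = [ 22 ]; # not using openssh module` as sshlog does.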
@ -16,10 +16,7 @@
|
||||||
};
|
};
|
||||||
c3d2.hq.statistics.enable = true;
|
c3d2.hq.statistics.enable = true;
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "owncast";
|
||||||
hostName = "owncast";
|
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.owncast = {
|
services.owncast = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -28,9 +25,6 @@
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
additionalModules = [ pkgs.nginxModules.fancyindex ];
|
additionalModules = [ pkgs.nginxModules.fancyindex ];
|
||||||
virtualHosts."owncast.c3d2.de" = {
|
virtualHosts."owncast.c3d2.de" = {
|
||||||
default = true;
|
default = true;
|
||||||
|
|
|
@ -1,23 +1,14 @@
|
||||||
{ zentralwerk, config, lib, ... }:
|
{ zentralwerk, config, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
deployment = {
|
deployment.mem = 1024;
|
||||||
mem = 1024;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "prometheus";
|
hostName = "prometheus";
|
||||||
firewall = {
|
firewall.allowedUDPPorts = [
|
||||||
allowedTCPPorts = [
|
# services.prometheus.exporters.collectd.collectdBinary
|
||||||
# nginx
|
25826
|
||||||
80 443
|
];
|
||||||
];
|
|
||||||
allowedUDPPorts = [
|
|
||||||
# services.prometheus.exporters.collectd.collectdBinary
|
|
||||||
25826
|
|
||||||
];
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.prometheus = {
|
services.prometheus = {
|
||||||
|
|
|
@ -48,8 +48,6 @@
|
||||||
networking = {
|
networking = {
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [
|
||||||
# nginx
|
|
||||||
80 443
|
|
||||||
# pulseaudio/pipewire network sync
|
# pulseaudio/pipewire network sync
|
||||||
4713
|
4713
|
||||||
# llmnr
|
# llmnr
|
||||||
|
@ -64,9 +62,7 @@
|
||||||
};
|
};
|
||||||
hostName = "pulsebert";
|
hostName = "pulsebert";
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
interfaces = {
|
interfaces.eth0.useDHCP = true;
|
||||||
eth0.useDHCP = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
|
|
@ -37,7 +37,6 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
systemd.services = let
|
systemd.services = let
|
||||||
scraperPkgs = import scrapers { inherit pkgs; };
|
scraperPkgs = import scrapers { inherit pkgs; };
|
||||||
|
|
|
@ -16,9 +16,6 @@
|
||||||
|
|
||||||
networking.hostName = "sdrweb";
|
networking.hostName = "sdrweb";
|
||||||
|
|
||||||
# http https
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts."sdr.hq.c3d2.de" = {
|
virtualHosts."sdr.hq.c3d2.de" = {
|
||||||
|
|
|
@ -12,8 +12,7 @@
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "sshlog";
|
hostName = "sshlog";
|
||||||
firewall.allowedTCPPorts = [
|
firewall.allowedTCPPorts = [
|
||||||
22
|
22 # not using openssh module
|
||||||
80 443
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,6 @@ in
|
||||||
networking.hostName = "stream";
|
networking.hostName = "stream";
|
||||||
c3d2.hq.statistics.enable = true;
|
c3d2.hq.statistics.enable = true;
|
||||||
deployment = {
|
deployment = {
|
||||||
persistedShares = [ "/etc" "/home" "/var" ];
|
|
||||||
storage = "big";
|
storage = "big";
|
||||||
mem = 4096;
|
mem = 4096;
|
||||||
networks = lib.mkForce [ "pub" "serv" ];
|
networks = lib.mkForce [ "pub" "serv" ];
|
||||||
|
@ -42,7 +41,6 @@ in
|
||||||
networkConfig.IPv6AcceptRA = true;
|
networkConfig.IPv6AcceptRA = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
services.peerflix.enable = true;
|
services.peerflix.enable = true;
|
||||||
systemd.services.peerflix.serviceConfig = {
|
systemd.services.peerflix.serviceConfig = {
|
||||||
|
|
|
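Review bot: The deletion of `persistedShares = [ "/etc" "/home" "/var" ];` in the first hunk is unrelated to the nginx firewall change this commit describes and has a different blast radius: judging by the option name, those directories stop being persisted for the microvm, so ssh host keys under /etc, peerflix state under /var and anything in /home may be lost on the next redeploy. If that is intended it deserves its own commit with the reason; otherwise restore the line. The hunk does not show whether another mechanism (the `big` storage or a nixos-modules default) now persists them.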
@ -8,10 +8,7 @@
|
||||||
hq.statistics.enable = true;
|
hq.statistics.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "ticker";
|
||||||
hostName = "ticker";
|
|
||||||
firewall.allowedTCPPorts = [ 22 80 443 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
nginx = {
|
nginx = {
|
||||||
|
|
|
@ -5,8 +5,6 @@
|
||||||
microvm.mem = 1024;
|
microvm.mem = 1024;
|
||||||
c3d2.deployment.server = "server10";
|
c3d2.deployment.server = "server10";
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
services.engelsystem = {
|
services.engelsystem = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "zengel.datenspuren.de";
|
domain = "zengel.datenspuren.de";
|
||||||
|
|
|
@ -345,13 +345,6 @@ in
|
||||||
vim.defaultEditor = true;
|
vim.defaultEditor = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = lib.mkIf config.services.nginx.enable {
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
time.timeZone = lib.mkDefault "Europe/Berlin";
|
time.timeZone = lib.mkDefault "Europe/Berlin";
|
||||||
|
|
||||||
# Reboot on hang
|
# Reboot on hang
|
||||||
|
|