deployment: added nginx+acme

Services are currently started via:

backend/src/beherbergung/webserver/handler.clj

(wrap-cors :access-control-allow-origin [#"http://localhost:3000" #".*.broenradio.org"]

> lein run

frontend/search/public/config.json

{"base_url": "https://search.beherbergung.broenradio.org",
 "backend_base_url": "https://backend.beherbergung.broenradio.org"}

> yarn && yarn build && yarn start
This commit is contained in:
Johannes Lötzsch 2022-03-10 12:51:57 +01:00
parent 38a9850142
commit 1c330ebaef
6 changed files with 87 additions and 5 deletions


@ -3,7 +3,8 @@ let
util = dns.util.${system};
in
{
networking.domain = "beherbergung.mission-lifeline.de";
networking.domain = "beherbergung.broenradio.org";
# "beherbergung.mission-lifeline.de";
services.bind = {
enable = true;
@ -12,9 +13,9 @@ in
master = true;
file = util.writeZone "${config.networking.domain}" (import (./dns + "/${config.networking.domain}.nix") {inherit dns;});
};
"beherbergung.broenradio.org" = { ## not required in future (but till the NS-record of beherbergung.mission-lifeline.de is configured)
"beherbergung.mission-lifeline.de" = { ## not required in future (but till the NS-record of beherbergung.mission-lifeline.de is configured)
master = true;
file = util.writeZone "beherbergung.broenradio.org" (import (./dns + "/${config.networking.domain}.nix") {inherit dns;});
file = util.writeZone "beherbergung.mission-lifeline.de" (import (./dns + "/${config.networking.domain}.nix") {inherit dns;});
};
};
};
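Review bot: Both zones are built from the same data file — the secondary zone's `file = util.writeZone "beherbergung.mission-lifeline.de" (import (./dns + "/${config.networking.domain}.nix") {inherit dns;});` imports the `${config.networking.domain}.nix` file rather than one named after the zone it serves, so (on the reading that broenradio.org is now the primary domain) the mission-lifeline.de zone is published with the broenradio.org zone's records. If that file's SOA or NS entries carry broenradio.org names, they will be returned for mission-lifeline.de queries as well, which is worth confirming. If the reuse is deliberate, a short comment such as `## same record set as the primary zone, only the origin differs` would save the next reader that check. The enclosing `services.bind` attribute set is opened in the previous hunk.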


@ -0,0 +1,14 @@
{ config, pkgs, nixpkgs, ... }:
{
imports = [
./common.nix
];
security.acme.certs."${config.networking.domain}".extraDomainNames = [
"beherbergung.mission-lifeline.de"
"backend.beherbergung.mission-lifeline.de"
"search.beherbergung.mission-lifeline.de"
"submission.beherbergung.mission-lifeline.de"
];
}
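Review bot: Adding the four `beherbergung.mission-lifeline.de` names as `extraDomainNames` of the `${config.networking.domain}` certificate ties that certificate's issuance and renewal to DNS for the mission-lifeline.de names, because an ACME order fails as a whole when any single SAN cannot be validated. As long as those names do not resolve to this host (the dns.nix hunk in this commit still notes that the NS record for beherbergung.mission-lifeline.de is not configured), importing this module would also block the certificate for the broenradio.org names. The module is currently left commented out in flake.nix, so this is a caveat for when it is enabled; a line above the list such as `## import only once DNS for beherbergung.mission-lifeline.de points here — one failing SAN fails the whole certificate` would make the precondition explicit.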


@ -0,0 +1,33 @@
{ config, pkgs, nixpkgs, ... }:
{
imports = [
./common.nix
];
security.acme.certs."${config.networking.domain}".extraDomainNames = [
"backend.${config.networking.domain}"
"search.${config.networking.domain}"
"submission.${config.networking.domain}"
];
services.nginx.virtualHosts = {
"search.${config.networking.domain}" = {
#default = true; ## we would need cors settings supporting multiple hosts
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyPass = "http://localhost:3000";
#proxyWebsockets = true;
extraConfig = "proxy_pass_header Authorization;";
};
};
"backend.${config.networking.domain}" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyPass = "http://localhost:4000";
extraConfig = "proxy_pass_header Authorization;";
};
};
};
}
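Review bot: `extraConfig = "proxy_pass_header Authorization;"` in both `locations."/"` blocks likely does not do what is intended: `proxy_pass_header` permits response headers from the upstream that nginx would otherwise hide, while request headers such as Authorization are already forwarded to the upstream by default, so the line is effectively a no-op. What the upstreams on ports 3000 and 4000 do not receive without further configuration is the original Host and the client address; `services.nginx.recommendedProxySettings = true;` (not set in the common.nix added by this commit) provides the usual `Host`, `X-Real-IP` and `X-Forwarded-*` headers, which the backend's origin/CORS handling and any access logging or rate limiting will want. With that enabled, the `proxy_pass_header` lines can be dropped, or replaced by a comment stating why the default forwarding is not sufficient.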


@ -0,0 +1,34 @@
{ config, pkgs, nixpkgs, ... }:
{
## After updating the nixpkgs, the acme-unit failed. It was mitigated by:
## > chmod acme:nginx /var/lib/acme/
security.acme = {
acceptTerms = true;
email = "acme-admin@mission-lifeline.de";
preliminarySelfsigned = true;
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
commonHttpConfig = ''
#types_hash_max_size 1024;
server_names_hash_bucket_size 128;
'';
virtualHosts = {
"${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
root = "/var/www";
extraConfig = ''autoindex on;'';
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
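Review bot: The mitigation recorded in the header comment, `## > chmod acme:nginx /var/lib/acme/`, is not valid `chmod` syntax — a `user:group` argument belongs to `chown`, so the comment presumably should read `## > chown acme:nginx /var/lib/acme/` or describe the step in words. A manual ownership fix on the host is also undone or left inconsistent on the next rebuild; if nginx needs read access to the certificate files, that belongs in the module (the per-certificate `security.acme.certs.<name>.group` option) rather than in a comment. Separately, `extraConfig = ''autoindex on;''` on the apex vhost publishes a listing of everything under `/var/www`, which is only acceptable if that directory is known to hold nothing that should not be enumerable; a one-line comment stating that intent would help the next maintainer.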


@ -35,7 +35,7 @@
#./deployment/modules/sops.nix
./deployment/modules/dns.nix
#./deployment/modules/monitoring/client.nix
#./deployment/modules/nginx/timmi.nix
./deployment/modules/nginx/beherbergung.nix
#nix-deploy-git.nixosModule
#./deployment/modules/nix-deploy-git.nix
];
@ -52,7 +52,7 @@
beherbergung-lifeline = nixpkgs.lib.nixosSystem (lib.mergeAttrs commonAttrs {
modules = commonModules ++ [
./deployment/hosts/beherbergung-lifeline/configuration.nix
#./deployment/modules/nginx/timmi-public.nix
#./deployment/modules/nginx/beherbergung-lifeline.nix
#./deployment/modules/binarycache/client.nix
#./deployment/modules/binarycache/server.nix
#./deployment/modules/monitoring/server.nix