sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

modules/nixos: add nginx

Browse source 
- set worker_processes / worker_cpu_affinity to auto, enable pcre_jit

- enable ktls

- set a default virtualHost for a 404 and use it for reuseport

- set enableACME, forceSSL by default, disable for localhost

- set robots header and file
This commit is contained in:
zowoq 2024-07-08 09:36:56 +10:00
parent cf8fc93213
commit 01c2beb7b4
10 changed files with 60 additions and 21 deletions

1
flake.nix
View file

@ -166,6 +166,7 @@
hercules-ci = ./modules/nixos/hercules-ci.nix; hercules-ci = ./modules/nixos/hercules-ci.nix;
hydra = ./modules/nixos/hydra.nix; hydra = ./modules/nixos/hydra.nix;
monitoring = ./modules/nixos/monitoring; monitoring = ./modules/nixos/monitoring;
nginx = ./modules/nixos/nginx.nix;
nur-update = ./modules/nixos/nur-update.nix; nur-update = ./modules/nixos/nur-update.nix;
remote-builder = ./modules/nixos/remote-builder.nix; remote-builder = ./modules/nixos/remote-builder.nix;
watch-store = ./modules/nixos/watch-store.nix; watch-store = ./modules/nixos/watch-store.nix;

2
hosts/build02/default.nix
View file

@ -2,7 +2,7 @@
{ {
imports = [ imports = [
inputs.srvos.nixosModules.mixins-nginx inputs.self.nixosModules.nginx
inputs.srvos.nixosModules.hardware-hetzner-online-amd inputs.srvos.nixosModules.hardware-hetzner-online-amd
./nixpkgs-update.nix ./nixpkgs-update.nix
./nixpkgs-update-backup.nix ./nixpkgs-update-backup.nix

4
hosts/build02/nixpkgs-update.nix
View file

@ -292,8 +292,6 @@ in
services.nginx.recommendedZstdSettings = false; services.nginx.recommendedZstdSettings = false;
services.nginx.virtualHosts."nixpkgs-update-logs.nix-community.org" = { services.nginx.virtualHosts."nixpkgs-update-logs.nix-community.org" = {
forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
alias = "/var/log/nixpkgs-update/"; alias = "/var/log/nixpkgs-update/";
extraConfig = '' extraConfig = ''
@ -305,8 +303,6 @@ in
# TODO: permanent redirect r.ryantm.com/log/ -> nixpkgs-update-logs.nix-community.org # TODO: permanent redirect r.ryantm.com/log/ -> nixpkgs-update-logs.nix-community.org
services.nginx.virtualHosts."r.ryantm.com" = { services.nginx.virtualHosts."r.ryantm.com" = {
forceSSL = true;
enableACME = true;
locations."/log/" = { locations."/log/" = {
alias = "/var/log/nixpkgs-update/"; alias = "/var/log/nixpkgs-update/";
extraConfig = '' extraConfig = ''

2
hosts/build03/default.nix
View file

@ -1,7 +1,7 @@
{ inputs, ... }: { inputs, ... }:
{ {
imports = [ imports = [
inputs.srvos.nixosModules.mixins-nginx inputs.self.nixosModules.nginx
inputs.srvos.nixosModules.hardware-hetzner-online-amd inputs.srvos.nixosModules.hardware-hetzner-online-amd
inputs.self.nixosModules.disko-zfs inputs.self.nixosModules.disko-zfs
inputs.self.nixosModules.buildbot inputs.self.nixosModules.buildbot

2
hosts/web02/default.nix
View file

@ -3,7 +3,7 @@
imports = [ imports = [
./gandi.nix ./gandi.nix
inputs.self.nixosModules.monitoring inputs.self.nixosModules.monitoring
inputs.srvos.nixosModules.mixins-nginx inputs.self.nixosModules.nginx
]; ];
networking.useDHCP = true; networking.useDHCP = true;

5
modules/nixos/buildbot.nix
View file

@ -9,10 +9,7 @@
inputs.buildbot-nix.nixosModules.buildbot-worker inputs.buildbot-nix.nixosModules.buildbot-worker
]; ];
services.nginx.virtualHosts."buildbot.nix-community.org" = { services.nginx.virtualHosts."buildbot.nix-community.org" = { };
enableACME = true;
forceSSL = true;
};
sops.secrets.buildbot-github-oauth-secret = { }; sops.secrets.buildbot-github-oauth-secret = { };
sops.secrets.buildbot-github-app-secret-key = { }; sops.secrets.buildbot-github-app-secret-key = { };

8
modules/nixos/hydra.nix
View file

@ -51,12 +51,8 @@
''; '';
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts."hydra.nix-community.org" = {
"hydra.nix-community.org" = { locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
};
}; };
# Create user accounts # Create user accounts

2
modules/nixos/monitoring/default.nix
View file

@ -11,8 +11,6 @@
sops.secrets.nginx-basic-auth-file.owner = "nginx"; sops.secrets.nginx-basic-auth-file.owner = "nginx";
services.nginx.virtualHosts."monitoring.nix-community.org" = { services.nginx.virtualHosts."monitoring.nix-community.org" = {
enableACME = true;
forceSSL = true;
locations."/".return = "302 https://nix-community.org/monitoring"; locations."/".return = "302 https://nix-community.org/monitoring";
locations."/alertmanager/" = { locations."/alertmanager/" = {
basicAuthFile = config.sops.secrets.nginx-basic-auth-file.path; basicAuthFile = config.sops.secrets.nginx-basic-auth-file.path;

53
modules/nixos/nginx.nix Normal file
View file

@ -0,0 +1,53 @@
{
config,
inputs,
lib,
pkgs,
...
}:
{
options.services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
config = {
enableACME = lib.mkDefault true;
forceSSL = lib.mkDefault true;
kTLS = true;
extraConfig = ''
add_header X-Robots-Tag "none, noarchive, nosnippet";
'';
locations."= /robots.txt".alias = pkgs.writeText "robots.txt" ''
User-agent: *
Disallow: /
'';
};
}
);
};
imports = [ inputs.srvos.nixosModules.mixins-nginx ];
config = {
services.nginx = {
appendConfig = ''
pcre_jit on;
worker_processes auto;
worker_cpu_affinity auto;
'';
virtualHosts."${config.networking.hostName}.nix-community.org" = {
default = true;
locations."/".return = "404";
reuseport = true; # should only be set for one virtualHost
};
# localhost is used by the nginx status page
virtualHosts.localhost = {
enableACME = false;
forceSSL = false;
};
};
};
}

2
modules/nixos/nur-update.nix
View file

@ -7,8 +7,6 @@
{ {
services.nginx.virtualHosts."nur-update.nix-community.org" = { services.nginx.virtualHosts."nur-update.nix-community.org" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/nur-update/gunicorn.sock"; locations."/".proxyPass = "http://unix:/run/nur-update/gunicorn.sock";
}; };