complete-computing-environment/nginx.org


Wobserver Nginx Frontends

Nginx is fine, I guess. I use it to host my sites and proxy my apps. This is the default configuration; follow backlinks for the per-site configurations.

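# Base nginx module for the host: turns nginx on with the nixpkgs
# "recommended" presets, defines one access-log format, and runs two
# Prometheus exporters (stub_status based and access-log based).
# Per-site vhosts and certificates live in the imported modules.
{ pkgs, ... }:

let
  # Single source of truth for the access-log line layout. nginx writes it
  # and the nginxlog exporter parses it; previously the two copies were
  # maintained by hand, and any drift between them makes the exporter fail
  # to parse lines without nginx itself noticing.
  #
  # Referer, User-Agent and X-Forwarded-For are client-supplied values:
  # treat them as untrusted wherever this log is parsed or displayed.
  accessLogFormat = ''$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';
in
{
  imports = [
    ./nginx-staticsites.nix
    ./wobserver-acme.nix
  ];

  services.nginx = {
    enable = true;
    # The recommended* switches pull in nixpkgs-maintained directive sets.
    # What they emit depends on the nixpkgs revision, so read the generated
    # nginx.conf rather than assuming (TLS protocol/cipher list in particular).
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    # stub_status endpoint used by the nginx exporter below.
    # NOTE(review): the NixOS option is documented as localhost-only;
    # confirm in the generated config that it is not reachable from outside.
    statusPage = true;
    appendHttpConfig = ''
      log_format main '${accessLogFormat}';
      access_log /var/log/nginx/access.log  main;
    '';
  };

  # NOTE(review): exporter endpoints are plain unauthenticated HTTP; keep
  # their ports reachable only from the Prometheus scraper.
  services.prometheus.exporters.nginx.enable = true;
  services.prometheus.exporters.nginxlog = {
    enable = true;
    # Runs with the nginx group so it can read the access log.
    group = "nginx";
    # https://github.com/martin-helmich/prometheus-nginxlog-exporter#configuration-file
    settings = {
      namespaces = [
        {
          name = "wobserver";
          format = accessLogFormat;
          source.files = [ "/var/log/nginx/access.log" ];
          relabel_configs = [
            {
              # $host is taken from the request, so on a catch-all vhost
              # every distinct Host header a client sends becomes a new
              # label value. Watch series cardinality, or restrict the
              # accepted values in the exporter config.
              target_label = "host";
              from = "host";
            }
          ];
        }
      ];
    };
  };
}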

Certs via ACME

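I use Let's Encrypt for my SSL; I really like 'em. (In the module below the ACME certificate definitions are currently commented out, and the two forwarding hosts use certificate files placed on disk by hand.)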

# ACME account defaults plus two temporary forwarding vhosts that share one
# manually installed certificate/key pair. The per-group ACME certificate
# definitions are kept below, commented out.
{ ... }:

let
  # TLS settings shared by both forwarding hosts.
  #
  # addSSL serves the vhost on HTTPS in addition to plain HTTP, with no
  # redirect between them; forceSSL is the redirecting variant.
  # NOTE(review): the file names suggest the certificate was issued for
  # fontkeming.fail -- confirm it lists these hostnames as SANs, otherwise
  # clients get a name-mismatch warning.
  # The key file should be readable by the nginx user only.
  forwardHost = {
    addSSL = true;
    sslCertificate = "/var/lib/nginx/certs/fontkeming.fail_cert.pem";
    sslCertificateKey = "/var/lib/nginx/certs/fontkeming.fail_key.pem";
  };
in
{
  # Account contact and terms-of-service acceptance for every ACME cert.
  security.acme = {
    defaults.email = "acme@rix.si";
    acceptTerms = true;
  };

  # temporary forward hosts
  # NOTE(review): "copmuter" in the next line looks like a typo for
  # "computer"; fix it before re-enabling, or the order is placed for the
  # wrong name.
  # security.acme.certs."media.whatthefuck.copmuter" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "notes.whatthefuck.computer"
  #   ];
  # };
  services.nginx.virtualHosts = {
    "media.whatthefuck.computer" = forwardHost;
    "notes.whatthefuck.computer" = forwardHost;
  };

  # 'internal' hosts
  # security.acme.certs."fontkeming.fail" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "home.rix.si"
  #     "dns.fontkeming.fail"
  #   ];
  # };

  # # site hosts
  # security.acme.certs."rix.si" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "whatthefuck.computer" "notes.whatthefuck.computer" 
  #     "afd.fontkeming.fail" "dev.arcology.garden"
  #     "dongiverse.com" "kickass.systems"
  #     "ring.whatthefuck.computer"
  #     "lionsrear.com" "arcology.garden" "cce.arcology.garden"
  #   ];
  # };

  # # app hosts
  # security.acme.certs."files.fontkeming.fail" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "code.rix.si"
  #     "bag.fontkeming.fail"
  #     "matrix.fontkeming.fail" 
  #     "dimension.fontkeming.fail"
  #   ];
  # };
}

INPROGRESS wobserver static sites

  • State "INPROGRESS" from "NEXT" [2022-11-12 Sat 19:41]
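# Static-site vhosts: each name maps to a document root under /srv, plus a
# per-user "~name" area on whatthefuck.computer.
{ ... }:

{
  services.nginx.virtualHosts = {
    "fontkeming.fail".root = "/srv/static-sites/default";
    # Catch-all: requests whose Host matches no other vhost land here.
    "fontkeming.fail".default = true;

    # additional home.rix.si stuff in wobserver-observability!
    "home.rix.si".root = "/srv/static-sites/default";
    # NOTE(review): with `root` (not `alias`) nginx appends the full request
    # path, so /fdroid/x is looked up at /srv/fdroid/repo/fdroid/x.
    # Confirm that matches the on-disk layout.
    "home.rix.si".locations."/fdroid".root = "/srv/fdroid/repo";

    "afd.fontkeming.fail".root = "/srv/afdsew/SEW";

    "blog.dongiverse.com".root = "/srv/static-sites/blog.dongiverse.com/_site";
    "dongiverse.com".root = "/srv/static-sites/dongiverse.com/_site";

    "kickass.systems".root = "/srv/static-sites/kickass.systems/_site";

    # see akkoma.org
    "notes.whatthefuck.computer" = {
      # root = "/srv/static-sites/notes.whatthefuck.computer/_site"; # 
      # locations."/atom.xml".proxyPass = "https://granary.io/url?url=http://notes.whatthefuck.computer/&input=html&output=atom&hub=https://bridgy-fed.superfeedr.com/";
      # locations."/rss.xml".proxyPass = "https://granary.io/url?url=http://notes.whatthefuck.computer/&input=html&output=rss&hub=https://bridgy-fed.superfeedr.com/";
    };

    "whatthefuck.computer" = {
      root = "/srv/static-sites/whatthefuck.computer/_site";
      serverAliases = ["rix.si"];
      # Per-user web space: /~name/path -> /home/name/public_html/path.
      #
      # The first capture is substituted into a filesystem path, so it is
      # limited to a single username-shaped segment (must start with a
      # letter, digit or underscore). The previous `(.+?)` accepted any
      # characters, including a segment made only of dots, which let the
      # request choose a directory outside /home/<user>.
      # Requests that do not match fall through to the vhost root.
      locations."~ ^/~([A-Za-z0-9_][A-Za-z0-9_.-]*)(/.*)?$" = {
        alias = "/home/$1/public_html$2";
        index = "index.html index.htm";
        # Directory listings are on: anything a user drops into public_html
        # without an index file becomes browsable.
        # NOTE(review): nginx follows symlinks by default, so a local user
        # can publish any file the nginx worker can read; consider adding
        # `disable_symlinks if_not_owner;` here.
        # NOTE(review): the NixOS nginx unit is sandboxed; whether /home is
        # readable at all depends on unit settings not shown in this file.
        extraConfig = "autoindex on;";
      };
    };
  };
}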

NEXT move afd.fontkeming.fail vhost to Area Forecast Discussion

DONE plumb these through on fontkeming

  • State "DONE" from "INPROGRESS" [2022-12-20 Tue 10:29]
  • State "INPROGRESS" from "NEXT" [2022-11-12 Sat 21:19]

need to finish up Wobserver Observability to migrate home.rix.si

INPROGRESS virtualHosts

  • State "INPROGRESS" from "NEXT" [2022-11-12 Sat 20:01]

DONE fix nginx_exporter

  • State "DONE" from "NEXT" [2022-11-12 Sat 20:01]

NEXT understand where webroot is wired up

NEXT at least read the "recommended settings"