:PROPERTIES:
|
|
:ID: e4998eda-d14a-48ee-9661-3d7d1bead53c
|
|
:ROAM_ALIASES: Nginx
|
|
:ROAM_REFS: https://www.nginx.com/
|
|
:END:
|
|
#+TITLE: Wobserver Nginx Frontends
|
|
#+filetags: :Project:CCE:Wobserver:
|
|
#+AUTO_TANGLE: t
|
|
#+ARCOLOGY_ALLOW_CRAWL: t
|
|
#+ARCOLOGY_KEY: cce/wobserver/nginx
|
|
|
|
Nginx is fine, I guess. I use it to host my sites and proxy my apps. This is the default configuration; follow [[elisp:(org-roam-buffer-toggle)][backlinks]] for site configurations.
|
|
|
|
#+ARROYO_NIXOS_MODULE: nixos/nginx.nix
|
|
#+ARROYO_SYSTEM_ROLE: server
|
|
|
|
#+begin_src nix :tangle ~/arroyo-nix/nixos/nginx.nix :noweb yes
|
|
# Base nginx module for the server role: enables nginx with the NixOS
# "recommended" presets, writes a host-prefixed access log, and exposes both
# the stub-status exporter and the access-log exporter to Prometheus.
{ pkgs, ... }:

{
  imports = [
    ./nginx-staticsites.nix
    ./wobserver-acme.nix
  ];

  services.nginx = {
    enable = true;

    # Presets shipped by the NixOS nginx module. Their exact directives depend
    # on the nixpkgs revision, so read the generated nginx.conf rather than
    # assuming a particular TLS protocol or cipher list.
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    # Status endpoint, presumably what the nginx exporter below scrapes.
    # NOTE(review): confirm in the generated config that it is reachable from
    # localhost only before relying on that.
    statusPage = true;

    # Custom access-log format with the request host as the first field.
    # $host, $http_referer, $http_user_agent and $http_x_forwarded_for are all
    # client-supplied, so anything parsing this log must treat them as
    # untrusted text.
    appendHttpConfig = ''
      log_format main
        '$host $remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
    '';
  };

  services.prometheus.exporters = {
    nginx.enable = true;

    nginxlog = {
      enable = true;
      # Runs with the nginx group; presumably so it can read the access log.
      group = "nginx";

      # https://github.com/martin-helmich/prometheus-nginxlog-exporter#configuration-file
      settings.namespaces = [
        {
          name = "wobserver";

          # Must stay field-for-field identical to `log_format main` above,
          # otherwise the exporter cannot parse the log lines.
          format = builtins.concatStringsSep " " [
            ''$host $remote_addr - $remote_user [$time_local] "$request"''
            ''$status $body_bytes_sent "$http_referer"''
            ''"$http_user_agent" "$http_x_forwarded_for"''
          ];

          source.files = [ "/var/log/nginx/access.log" ];

          # Copies the logged $host into a `host` metric label. $host follows
          # the client's Host header, and nginx-staticsites.nix declares a
          # default vhost, so arbitrary names can become label values and
          # inflate series cardinality.
          # NOTE(review): the exporter README linked above describes limiting
          # a relabelled label to an allow-list of values; check it and
          # restrict this label to the known hostnames.
          relabel_configs = [
            {
              target_label = "host";
              from = "host";
            }
          ];
        }
      ];
    };
  };
}
|
|
#+end_src
|
|
|
|
* Certs via ACME
|
|
:PROPERTIES:
|
|
:ID: 20220101T185412.693161
|
|
:ROAM_ALIASES: "Let's Encrypt on NixOS" "ACME on NixOS"
|
|
:END:
|
|
|
|
I use [[https://letsencrypt.org/][Let's Encrypt]] for my SSL; I really like 'em.
|
|
|
|
#+begin_src nix :tangle ~/arroyo-nix/nixos/wobserver-acme.nix
|
|
# ACME account defaults plus two "temporary forward" vhosts that still use a
# manually provisioned certificate. Every security.acme.certs definition below
# is commented out, so this module does not request any certificate itself.
{ ... }:

let
  # TLS settings shared by both temporary forward hosts.
  #
  # addSSL serves the vhost over HTTP and HTTPS side by side with no redirect;
  # forceSSL is the NixOS option to use instead once plaintext access is no
  # longer needed.
  #
  # The certificate and key are referenced as plain strings, so they stay on
  # disk under /var/lib/nginx/certs and are not copied into the world-readable
  # Nix store. Keep the key file readable by the nginx user only.
  # NOTE(review): the file names suggest a fontkeming.fail certificate;
  # confirm its subject alternative names cover both hosts it is served for.
  forwardHost = {
    addSSL = true;
    sslCertificate = "/var/lib/nginx/certs/fontkeming.fail_cert.pem";
    sslCertificateKey = "/var/lib/nginx/certs/fontkeming.fail_key.pem";
  };
in
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@rix.si";
  };

  # temporary forward hosts
  # security.acme.certs."media.whatthefuck.computer" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "notes.whatthefuck.computer"
  #   ];
  # };
  services.nginx.virtualHosts = {
    "media.whatthefuck.computer" = forwardHost;
    "notes.whatthefuck.computer" = forwardHost;
  };

  # 'internal' hosts
  # security.acme.certs."fontkeming.fail" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "home.rix.si"
  #     "dns.fontkeming.fail"
  #   ];
  # };

  # # site hosts
  # security.acme.certs."rix.si" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "whatthefuck.computer" "notes.whatthefuck.computer"
  #     "afd.fontkeming.fail" "dev.arcology.garden"
  #     "dongiverse.com" "kickass.systems"
  #     "ring.whatthefuck.computer"
  #     "lionsrear.com" "arcology.garden" "cce.arcology.garden"
  #   ];
  # };

  # # app hosts
  # security.acme.certs."files.fontkeming.fail" = {
  #   webroot = "/var/lib/acme/acme-challenge";
  #   extraDomainNames = [
  #     "code.rix.si"
  #     "bag.fontkeming.fail"
  #     "matrix.fontkeming.fail"
  #     "dimension.fontkeming.fail"
  #   ];
  # };
}
|
|
#+end_src
|
|
|
|
* INPROGRESS wobserver static sites
|
|
:PROPERTIES:
|
|
:ID: 20221223T171929.934471
|
|
:END:
|
|
:LOGBOOK:
|
|
- State "INPROGRESS" from "NEXT" [2022-11-12 Sat 19:41]
|
|
:END:
|
|
|
|
#+begin_src nix :tangle ~/arroyo-nix/nixos/nginx-staticsites.nix
|
|
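# Static-site vhosts: each name maps to a directory under /srv, plus a
# per-user "~name" area on whatthefuck.computer.
#
# None of the vhosts here set addSSL, forceSSL or enableACME, so as far as this
# module shows they are served over plain HTTP unless another module adds TLS.
{ ... }:

{
  services.nginx.virtualHosts = {
    # Catch-all: requests whose Host matches no other vhost land here.
    "fontkeming.fail".root = "/srv/static-sites/default";
    "fontkeming.fail".default = true;

    # additional home.rix.si stuff in wobserver-observability!
    "home.rix.si".root = "/srv/static-sites/default";
    "home.rix.si".locations."/fdroid".root = "/srv/fdroid/repo";

    "afd.fontkeming.fail".root = "/srv/afdsew/SEW";

    "blog.dongiverse.com".root = "/srv/static-sites/blog.dongiverse.com/_site";
    "dongiverse.com".root = "/srv/static-sites/dongiverse.com/_site";

    "kickass.systems".root = "/srv/static-sites/kickass.systems/_site";

    # see akkoma.org
    "notes.whatthefuck.computer" = {
      # root = "/srv/static-sites/notes.whatthefuck.computer/_site"; #
      # locations."/atom.xml".proxyPass = "https://granary.io/url?url=http://notes.whatthefuck.computer/&input=html&output=atom&hub=https://bridgy-fed.superfeedr.com/";
      # locations."/rss.xml".proxyPass = "https://granary.io/url?url=http://notes.whatthefuck.computer/&input=html&output=rss&hub=https://bridgy-fed.superfeedr.com/";
    };

    "whatthefuck.computer" = {
      root = "/srv/static-sites/whatthefuck.computer/_site";
      serverAliases = [ "rix.si" ];

      # Per-user web space: /~name/path is served from /home/name/public_html/path.
      #
      # The first capture is pasted straight into a filesystem path, so it is
      # limited to one path segment of account-name characters that starts
      # with a letter, digit or underscore. The previous `(.+?)` accepted any
      # text, including ".." and segments containing "/", which resolve
      # outside /home/<name>/public_html.
      locations."~ ^/~([A-Za-z0-9_][A-Za-z0-9_.-]*)(/.*)?$" = {
        alias = "/home/$1/public_html$2";
        index = "index.html index.htm";

        # Directory listings are on, so every file a user drops into
        # public_html is discoverable, not only the ones they link to.
        # NOTE(review): a symlink inside public_html is followed to whatever
        # the nginx user can read; nginx's disable_symlinks directive can
        # restrict that if these accounts are not fully trusted.
        # NOTE(review): confirm the nginx unit's systemd sandboxing leaves
        # /home visible, otherwise this location cannot serve anything.
        extraConfig = "autoindex on;";
      };
    };
  };
}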
|
|
#+end_src
|
|
|
|
** NEXT move afd.fontkeming.fail vhost to [[id:d7d936ab-781c-4e04-88bb-af65b23c6c43][Area Forecast Discussion]]
|
|
|
|
** DONE plumb these through on fontkeming
|
|
:LOGBOOK:
|
|
- State "DONE" from "INPROGRESS" [2022-12-20 Tue 10:29]
|
|
- State "INPROGRESS" from "NEXT" [2022-11-12 Sat 21:19]
|
|
:END:
|
|
|
|
need to finish up [[id:20220101T190353.843667][Wobserver Observability]] to migrate =home.rix.si=
|
|
|
|
* INPROGRESS virtualHosts
|
|
:LOGBOOK:
|
|
- State "INPROGRESS" from "NEXT" [2022-11-12 Sat 20:01]
|
|
:END:
|
|
* DONE fix nginx_exporter
|
|
:LOGBOOK:
|
|
- State "DONE" from "NEXT" [2022-11-12 Sat 20:01]
|
|
:END:
|
|
* NEXT understand where webroot is wired up
|
|
* NEXT at least read the "recommended settings"
|