diff --git a/hosts/servo/default.nix b/hosts/servo/default.nix index 4f51bbe0c..71a0fbc25 100644 --- a/hosts/servo/default.nix +++ b/hosts/servo/default.nix @@ -15,8 +15,6 @@ ]; sane.impermanence.enable = true; # sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade - sane.services.nixserve.enable = true; - sane.services.nixserve.sopsFile = ../../secrets/servo.yaml; boot.loader.efi.canTouchEfiVariables = false; sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ]; diff --git a/hosts/servo/services/default.nix b/hosts/servo/services/default.nix index 368118937..81744d3a9 100644 --- a/hosts/servo/services/default.nix +++ b/hosts/servo/services/default.nix @@ -13,6 +13,7 @@ ./kiwix-serve.nix ./matrix ./navidrome.nix + ./nixserve.nix ./nginx.nix ./pleroma.nix ./postfix.nix diff --git a/hosts/servo/services/ejabberd.nix b/hosts/servo/services/ejabberd.nix index f5807e0be..aab51f629 100644 --- a/hosts/servo/services/ejabberd.nix +++ b/hosts/servo/services/ejabberd.nix @@ -34,6 +34,17 @@ "vjid.xmpp.uninsane.org" ]; + # exists so the XMPP server's cert can obtain altNames for all its resources + services.nginx.virtualHosts."pubsub.xmpp.uninsane.org" = { + useACMEHost = "uninsane.org"; + }; + services.nginx.virtualHosts."upload.xmpp.uninsane.org" = { + useACMEHost = "uninsane.org"; + }; + services.nginx.virtualHosts."vjid.xmpp.uninsane.org" = { + useACMEHost = "uninsane.org"; + }; + # TODO: allocate UIDs/GIDs ? services.ejabberd.enable = true; services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" '' diff --git a/hosts/servo/services/freshrss.nix b/hosts/servo/services/freshrss.nix index 46fdb5caf..3b83e4c4e 100644 --- a/hosts/servo/services/freshrss.nix +++ b/hosts/servo/services/freshrss.nix 
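Review bot: The comment above the three `useACMEHost = "uninsane.org"` vhosts in ejabberd.nix says they exist so the XMPP cert can obtain altNames, but `useACMEHost` only makes nginx reference the existing `uninsane.org` certificate; it does not add these names to that cert. Unless `security.acme.certs."uninsane.org".extraDomainNames` lists pubsub/upload/vjid somewhere outside this diff, the certificate will not cover them and the comment points the next maintainer in the wrong direction. Suggest stating where the altNames actually come from, e.g. `# these names must also be in security.acme.certs."uninsane.org".extraDomainNames; useACMEHost only reuses that cert`.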
@@ -49,4 +49,11 @@ # the default ("*:0/5") is to run every 5 minutes. # `systemctl list-timers` to show systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30"; + + services.nginx.virtualHosts."rss.uninsane.org" = { + addSSL = true; + enableACME = true; + # inherit kTLS; + # the routing is handled by services.freshrss.virtualHost + }; } diff --git a/hosts/servo/services/gitea.nix b/hosts/servo/services/gitea.nix index 17a6c85ce..5671b696f 100644 --- a/hosts/servo/services/gitea.nix +++ b/hosts/servo/services/gitea.nix @@ -72,4 +72,16 @@ "/var/lib/gitea" ]; }; + + # hosted git (web view and for `git ` use + # TODO: enable publog? + services.nginx.virtualHosts."git.uninsane.org" = { + forceSSL = true; # gitea complains if served over a different protocol than its config file says + enableACME = true; + # inherit kTLS; + + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + }; + }; } diff --git a/hosts/servo/services/goaccess.nix b/hosts/servo/services/goaccess.nix index 7dd2bb8e3..ec96e7854 100644 --- a/hosts/servo/services/goaccess.nix +++ b/hosts/servo/services/goaccess.nix @@ -43,4 +43,24 @@ after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; }; + + # server statistics + services.nginx.virtualHosts."sink.uninsane.org" = { + addSSL = true; + enableACME = true; + # inherit kTLS; + root = "/var/lib/uninsane/sink"; + + locations."/ws" = { + proxyPass = "http://127.0.0.1:7890"; + # XXX not sure how much of this is necessary + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_buffering off; + proxy_read_timeout 7d; + ''; + }; + }; } diff --git a/hosts/servo/services/ipfs.nix b/hosts/servo/services/ipfs.nix index e5c4cde0c..a931b81ed 100644 --- a/hosts/servo/services/ipfs.nix +++ b/hosts/servo/services/ipfs.nix 
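Review bot: The `sink.uninsane.org` vhost in goaccess.nix serves the report from `/var/lib/uninsane/sink` and the live `/ws` feed with no access control visible in the hunk, and `addSSL` leaves it reachable over plain http as well. Access-log analytics normally expose visitor IPs and request paths, so if this is not meant to be public, add `basicAuthFile = "<path-to-htpasswd>";` to the vhost and use `forceSSL = true;` so those credentials never travel in cleartext. If it is deliberately public, a one-line comment saying so would save the next reader the question. The `proxy_read_timeout 7d` that the XXX comment wonders about keeps idle websocket connections open for a week; harmless on a small site, but worth a word in that comment.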
@@ -18,6 +18,22 @@ lib.mkIf false # i don't actively use ipfs anymore networking.firewall.allowedTCPPorts = [ 4001 ]; networking.firewall.allowedUDPPorts = [ 4001 ]; + services.nginx.virtualHosts."ipfs.uninsane.org" = { + # don't default to ssl upgrades, since this may be dnslink'd from a different domain. + # ideally we'd disable ssl entirely, but some places assume it? + addSSL = true; + enableACME = true; + # inherit kTLS; + + locations."/" = { + proxyPass = "http://127.0.0.1:8080"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Ipfs-Gateway-Prefix ""; + ''; + }; + }; + # services.ipfs.enable = true; services.kubo.localDiscovery = true; services.kubo.settings = { diff --git a/hosts/servo/services/jackett.nix b/hosts/servo/services/jackett.nix index 073f17cfd..2aa724e13 100644 --- a/hosts/servo/services/jackett.nix +++ b/hosts/servo/services/jackett.nix @@ -15,5 +15,16 @@ # patch jackett to listen on the public interfaces # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic"; }; + + # jackett torrent search + services.nginx.virtualHosts."jackett.uninsane.org" = { + forceSSL = true; + enableACME = true; + # inherit kTLS; + locations."/" = { + # proxyPass = "http://ovpns.uninsane.org:9117"; + proxyPass = "http://10.0.1.6:9117"; + }; + }; } diff --git a/hosts/servo/services/jellyfin.nix b/hosts/servo/services/jellyfin.nix index 3ed5848a5..546afb468 100644 --- a/hosts/servo/services/jellyfin.nix +++ b/hosts/servo/services/jellyfin.nix @@ -1,5 +1,8 @@ -{ config, ... }: +{ config, lib, ... }: +# TODO: re-enable after migrating media dir to /var/lib/uninsane/media +# else it's too spammy +lib.mkIf false { networking.firewall.allowedUDPPorts = [ 1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html 
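Review bot: `jackett.uninsane.org` terminates TLS at nginx and then forwards to `http://10.0.1.6:9117` in cleartext, so `forceSSL` protects only the client-to-nginx leg; the same applies to `bt.uninsane.org` in the transmission.nix hunk, whose comment justifies forceSSL by the cleartext basic-auth credentials. Whether that is acceptable depends on how 10.0.1.6 is reached (the commented `ovpns.uninsane.org` hints at a VPN host, which would make the hop tunnelled), and neither hunk says. Suggest a comment on each proxyPass line such as `# backend hop is plain http; 10.0.1.6 is reached over <vpn/lan> — confirm` so the trust boundary is explicit.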
@@ -9,9 +12,56 @@ { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; } ]; + # Jellyfin multimedia server + # this is mostly taken from the official jellfin.org docs + services.nginx.virtualHosts."jelly.uninsane.org" = { + addSSL = true; + enableACME = true; + # inherit kTLS; + + locations."/" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + ''; + }; + # locations."/web/" = { + # proxyPass = "http://127.0.0.1:8096/web/index.html"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header X-Forwarded-Protocol $scheme; + # proxy_set_header X-Forwarded-Host $http_host; + # ''; + # }; + locations."/socket" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + ''; + }; + }; + # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid; # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid; - # TODO: re-enable after migrating media dir to /var/lib/uninsane/media - # else it's too spammy - # services.jellyfin.enable = true; + services.jellyfin.enable = true; } 
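Review bot: `jelly.uninsane.org` uses `addSSL` while `bt.uninsane.org` in the same series uses `forceSSL` on the grounds that login credentials must not travel in cleartext; Jellyfin has a password login too, so the same reasoning applies and `forceSSL = true;` would be the consistent choice. Since the whole module is now under `lib.mkIf false` (added in the earlier hunk of this file), nothing takes effect until it is re-enabled, but the setting will come back as written. The `/socket` location hardcodes `Connection "upgrade"` where the goaccess vhost uses `$connection_upgrade`; both work, but one form across the tree would be tidier.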
diff --git a/hosts/servo/services/kiwix-serve.nix b/hosts/servo/services/kiwix-serve.nix index 577dcdb1d..4189e096c 100644 --- a/hosts/servo/services/kiwix-serve.nix +++ b/hosts/servo/services/kiwix-serve.nix @@ -5,4 +5,11 @@ port = 8013; zimPaths = [ "/var/lib/uninsane/www-archive/wikipedia_en_all_maxi_2022-05.zim" ]; }; + + services.nginx.virtualHosts."w.uninsane.org" = { + forceSSL = true; + enableACME = true; + # inherit kTLS; + locations."/".proxyPass = "http://127.0.0.1:8013"; + }; } diff --git a/hosts/servo/services/matrix/default.nix b/hosts/servo/services/matrix/default.nix index c9cc9332b..e5b99f6fd 100644 --- a/hosts/servo/services/matrix/default.nix +++ b/hosts/servo/services/matrix/default.nix @@ -1,6 +1,6 @@ # docs: https://nixos.wiki/wiki/Matrix # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse -{ config, lib, ... }: +{ config, lib, pkgs, ... }: { imports = [ 
@@ -77,6 +77,50 @@ # create a token with limited uses: # curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer " localhost:8008/_synapse/admin/v1/registration_tokens/new + # matrix chat server + # TODO: was `publog` + services.nginx.virtualHosts."matrix.uninsane.org" = { + addSSL = true; + enableACME = true; + # inherit kTLS; + + # TODO colin: replace this with something helpful to the viewer + # locations."/".extraConfig = '' + # return 404; + # ''; + + locations."/" = { + proxyPass = "http://127.0.0.1:8008"; + }; + # redirect browsers to the web client. + # i don't think native matrix clients ever fetch the root. + # ideally this would be put behind some user-agent test though. + locations."= /" = { + return = "301 https://web.matrix.uninsane.org"; + }; + + # locations."/_matrix" = { + # proxyPass = "http://127.0.0.1:8008"; + # }; + }; + + # matrix web client + # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-element-web + services.nginx.virtualHosts."web.matrix.uninsane.org" = { + forceSSL = true; + enableACME = true; + # inherit kTLS; + + root = pkgs.element-web.override { + conf = { + default_server_config."m.homeserver" = { + "base_url" = "https://matrix.uninsane.org"; + "server_name" = "uninsane.org"; + }; + }; + }; + }; + sops.secrets.matrix_synapse_secrets = { sopsFile = ../../../../secrets/servo.yaml; diff --git a/hosts/servo/services/navidrome.nix b/hosts/servo/services/navidrome.nix index 14890ca59..c46904caf 100644 --- a/hosts/servo/services/navidrome.nix +++ b/hosts/servo/services/navidrome.nix @@ -14,4 +14,11 @@ AutoImportPlaylists = false; ScanSchedule = "@every 1h"; }; + + services.nginx.virtualHosts."music.uninsane.org" = { + forceSSL = true; + enableACME = true; + # inherit kTLS; + locations."/".proxyPass = "http://127.0.0.1:4533"; + }; } diff --git a/hosts/servo/services/nginx.nix b/hosts/servo/services/nginx.nix index ad47880d7..dcd0eecbf 100644 --- a/hosts/servo/services/nginx.nix 
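Review bot: `locations."/"` on `matrix.uninsane.org` proxies every path to Synapse on 8008, which includes the `/_synapse/admin` API that the context comment just above shows being driven with a bearer token; Synapse's reverse-proxy guidance is to expose only `/_matrix` and `/_synapse/client` publicly and keep the admin API host-local. The commented-out `locations."/_matrix"` block suggests this was already considered; replacing the catch-all with `locations."/_matrix".proxyPass = "http://127.0.0.1:8008";` and `locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";` does that, and the `= /` redirect to the web client is unaffected. Separately, `addSSL` still answers plain http on this name, so a misconfigured client could send its access token in the clear; `forceSSL` is the usual choice unless the http listener is needed for something the hunk does not show.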
+++ b/hosts/servo/services/nginx.nix @@ -9,7 +9,7 @@ let ''; }; - kTLS = true; # in-kernel TLS for better perf + # kTLS = true; # in-kernel TLS for better perf in { @@ -48,7 +48,7 @@ in # and things don't look right. so force SSL. forceSSL = true; enableACME = true; - inherit kTLS; + # inherit kTLS; # for OCSP stapling sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; 
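Review bot: Both hunks in nginx.nix disable kTLS (`# kTLS = true;` in the let block and `# inherit kTLS;` in the vhost) but the surviving comment still reads `# in-kernel TLS for better perf`, so a reader sees a performance feature switched off with no reason given. Suggest recording why, e.g. `# kTLS = true; # in-kernel TLS for better perf; disabled because <reason>`, so it is clear whether this is temporary or permanent. Every moved vhost in this series carries the same `# inherit kTLS;` line, so this one comment is the only place that reason can live.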
@@ -96,263 +96,6 @@ in # }; }; - # server statistics - services.nginx.virtualHosts."sink.uninsane.org" = { - addSSL = true; - enableACME = true; - inherit kTLS; - root = "/var/lib/uninsane/sink"; - - locations."/ws" = { - proxyPass = "http://127.0.0.1:7890"; - # XXX not sure how much of this is necessary - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_buffering off; - proxy_read_timeout 7d; - ''; - }; - - }; - - # Pleroma server and web interface - services.nginx.virtualHosts."fed.uninsane.org" = publog { - forceSSL = true; # pleroma redirects to https anyway - enableACME = true; - inherit kTLS; - locations."/" = { - proxyPass = "http://127.0.0.1:4000"; - # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx - extraConfig = '' - # XXX colin: this block is in the nixos examples: i don't understand all of it - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; - add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; - if ($request_method = OPTIONS) { - return 204; - } - - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - # proxy_set_header Host $http_host; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # colin: added this due to Pleroma complaining in its logs - # proxy_set_header X-Real-IP 
$remote_addr; - # proxy_set_header X-Forwarded-Proto $scheme; - - client_max_body_size 16m; - ''; - }; - }; - - # transmission web client - services.nginx.virtualHosts."bt.uninsane.org" = { - # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL - forceSSL = true; - enableACME = true; - inherit kTLS; - locations."/" = { - # proxyPass = "http://ovpns.uninsane.org:9091"; - proxyPass = "http://10.0.1.6:9091"; - }; - }; - - # jackett torrent search - services.nginx.virtualHosts."jackett.uninsane.org" = { - forceSSL = true; - enableACME = true; - inherit kTLS; - locations."/" = { - # proxyPass = "http://ovpns.uninsane.org:9117"; - proxyPass = "http://10.0.1.6:9117"; - }; - }; - - # matrix chat server - services.nginx.virtualHosts."matrix.uninsane.org" = publog { - addSSL = true; - enableACME = true; - inherit kTLS; - - # TODO colin: replace this with something helpful to the viewer - # locations."/".extraConfig = '' - # return 404; - # ''; - - locations."/" = { - proxyPass = "http://127.0.0.1:8008"; - }; - # redirect browsers to the web client. - # i don't think native matrix clients ever fetch the root. - # ideally this would be put behind some user-agent test though. 
- locations."= /" = { - return = "301 https://web.matrix.uninsane.org"; - }; - - # locations."/_matrix" = { - # proxyPass = "http://127.0.0.1:8008"; - # }; - }; - - # matrix web client - # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-element-web - services.nginx.virtualHosts."web.matrix.uninsane.org" = { - forceSSL = true; - enableACME = true; - inherit kTLS; - - root = pkgs.element-web.override { - conf = { - default_server_config."m.homeserver" = { - "base_url" = "https://matrix.uninsane.org"; - "server_name" = "uninsane.org"; - }; - }; - }; - }; - - # hosted git (web view and for `git ` use - services.nginx.virtualHosts."git.uninsane.org" = publog { - forceSSL = true; # gitea complains if served over a different protocol than its config file says - enableACME = true; - inherit kTLS; - - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - }; - }; - - # Jellyfin multimedia server - # this is mostly taken from the official jellfin.org docs - services.nginx.virtualHosts."jelly.uninsane.org" = { - addSSL = true; - enableACME = true; - inherit kTLS; - - locations."/" = { - proxyPass = "http://127.0.0.1:8096"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Protocol $scheme; - proxy_set_header X-Forwarded-Host $http_host; - - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; - ''; - }; - # locations."/web/" = { - # proxyPass = "http://127.0.0.1:8096/web/index.html"; - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header X-Forwarded-Protocol $scheme; - # proxy_set_header X-Forwarded-Host $http_host; - # ''; - # }; - 
locations."/socket" = { - proxyPass = "http://127.0.0.1:8096"; - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Protocol $scheme; - proxy_set_header X-Forwarded-Host $http_host; - ''; - }; - }; - - services.nginx.virtualHosts."music.uninsane.org" = { - forceSSL = true; - enableACME = true; - inherit kTLS; - locations."/".proxyPass = "http://127.0.0.1:4533"; - }; - - services.nginx.virtualHosts."w.uninsane.org" = { - forceSSL = true; - enableACME = true; - inherit kTLS; - locations."/".proxyPass = "http://127.0.0.1:8013"; - }; - - services.nginx.virtualHosts."rss.uninsane.org" = { - addSSL = true; - enableACME = true; - inherit kTLS; - # the routing is handled by freshrss.nix - }; - - services.nginx.virtualHosts."ipfs.uninsane.org" = { - # don't default to ssl upgrades, since this may be dnslink'd from a different domain. - # ideally we'd disable ssl entirely, but some places assume it? 
- addSSL = true; - enableACME = true; - inherit kTLS; - - locations."/" = { - proxyPass = "http://127.0.0.1:8080"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Ipfs-Gateway-Prefix ""; - ''; - }; - }; - - # exists only to manage certs for dovecot - services.nginx.virtualHosts."imap.uninsane.org" = { - enableACME = true; - }; - # exists only to manage certs for Postfix - services.nginx.virtualHosts."mx.uninsane.org" = { - enableACME = true; - }; - - # exists so the XMPP server's cert can obtain altNames for all its resources - services.nginx.virtualHosts."pubsub.xmpp.uninsane.org" = { - useACMEHost = "uninsane.org"; - }; - services.nginx.virtualHosts."upload.xmpp.uninsane.org" = { - useACMEHost = "uninsane.org"; - }; - services.nginx.virtualHosts."vjid.xmpp.uninsane.org" = { - useACMEHost = "uninsane.org"; - }; - - services.nginx.virtualHosts."nixcache.uninsane.org" = { - addSSL = true; - enableACME = true; - inherit kTLS; - # serverAliases = [ "nixcache" ]; - locations."/".extraConfig = '' - proxy_pass http://localhost:${toString config.services.nix-serve.port}; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; - }; # serve any site not listed above, if it's static. # because we define it dynamically, SSL isn't trivial. support only http diff --git a/hosts/servo/services/nixserve.nix b/hosts/servo/services/nixserve.nix new file mode 100644 index 000000000..3c05937a1 --- /dev/null +++ b/hosts/servo/services/nixserve.nix 
@@ -0,0 +1,18 @@
+{ config, ... }:
+
+{
+ services.nginx.virtualHosts."nixcache.uninsane.org" = {
+ addSSL = true;
+ enableACME = true;
+ # inherit kTLS;
+ # serverAliases = [ "nixcache" ];
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ sane.services.nixserve.enable = true;
+ sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
+}
diff --git a/hosts/servo/services/pleroma.nix b/hosts/servo/services/pleroma.nix
index 55e903cb4..482fe60a7 100644
--- a/hosts/servo/services/pleroma.nix
+++ b/hosts/servo/services/pleroma.nix
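Review bot: The new `nixcache.uninsane.org` vhost uses `proxy_pass http://localhost:...` inside `extraConfig`, whereas every other vhost in this series uses `proxyPass = "http://127.0.0.1:<port>"`. With a hostname nginx resolves `localhost` at startup and may obtain both `::1` and `127.0.0.1`; if nix-serve listens on only one of them the result is intermittent 502s, which is why the literal address is the safer form. Switching to `locations."/".proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}";` and keeping the three `proxy_set_header` lines in `extraConfig` would match the rest of the tree. As this is a new file, a one-line header comment stating that it provides the binary-cache endpoint for nix-serve would also help.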
@@ -137,6 +137,48 @@ # CapabilityBoundingSet = lib.mkForce "~"; # }; + # Pleroma server and web interface + # TODO: enable publog? + services.nginx.virtualHosts."fed.uninsane.org" = { + forceSSL = true; # pleroma redirects to https anyway + enableACME = true; + # inherit kTLS; + locations."/" = { + proxyPass = "http://127.0.0.1:4000"; + # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx + extraConfig = '' + # XXX colin: this block is in the nixos examples: i don't understand all of it + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + if ($request_method = OPTIONS) { + return 204; + } + + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + # proxy_set_header Host $http_host; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # colin: added this due to Pleroma complaining in its logs + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-Proto $scheme; + + client_max_body_size 16m; + ''; + }; + }; + sops.secrets.pleroma_secrets = { sopsFile = ../../../secrets/servo.yaml; owner = config.users.users.pleroma.name; diff --git a/hosts/servo/services/postfix.nix b/hosts/servo/services/postfix.nix index 67dcd3676..4140ad2ed 100644 --- a/hosts/servo/services/postfix.nix +++ b/hosts/servo/services/postfix.nix 
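Review bot: The comment `# colin: added this due to Pleroma complaining in its logs` sits above two lines that are themselves commented out (`# proxy_set_header X-Real-IP $remote_addr;` and `# proxy_set_header X-Forwarded-Proto $scheme;`), so it describes a change that is not in effect and a reader cannot tell whether the complaint went away or the lines were disabled for another reason. Suggest either enabling them or rewording to `# X-Real-IP / X-Forwarded-Proto were tried for a Pleroma log warning and disabled again because <reason>`. The `add_header` block keeps its `XXX ... i don't understand all of it` note next to the upstream `pleroma.nginx` link, which is adequate provenance; note only that `X-XSS-Protection` there is a legacy header that current browsers ignore, so it is carried for parity with upstream rather than for effect.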
@@ -34,6 +34,15 @@ in 993 # IMAPS ]; + # exists only to manage certs for dovecot + services.nginx.virtualHosts."imap.uninsane.org" = { + enableACME = true; + }; + # exists only to manage certs for Postfix + services.nginx.virtualHosts."mx.uninsane.org" = { + enableACME = true; + }; + services.postfix.enable = true; services.postfix.hostname = "mx.uninsane.org"; services.postfix.origin = "uninsane.org"; diff --git a/hosts/servo/services/transmission.nix b/hosts/servo/services/transmission.nix index 1bc879653..49845eab4 100644 --- a/hosts/servo/services/transmission.nix +++ b/hosts/servo/services/transmission.nix @@ -62,5 +62,17 @@ OnUnitActiveSec = "240min"; }; }; + + # transmission web client + services.nginx.virtualHosts."bt.uninsane.org" = { + # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL + forceSSL = true; + enableACME = true; + # inherit kTLS; + locations."/" = { + # proxyPass = "http://ovpns.uninsane.org:9091"; + proxyPass = "http://10.0.1.6:9091"; + }; + }; }
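Review bot: The comment `# basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL` on `bt.uninsane.org` refers to HTTP basic auth, but the vhost sets no `basicAuth`/`basicAuthFile`, so the credentials in question must be Transmission's own RPC login behind 10.0.1.6 (the nginx.nix block this was moved from did not set one either). Spelling that out avoids a reader assuming nginx is enforcing authentication here, e.g. `# transmission's RPC login is plain basic auth, so FORCE the client leg over SSL`. It also makes clear that the claim covers only the client-to-nginx leg, since the proxied hop to `http://10.0.1.6:9091` is plain http.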