feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu>
Co-Authored-by: Ryan Lahfa <raito@lix.systems>
Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519
Florian Klink 2025-01-06 01:06:47 +01:00
parent 067eff3427
commit a52ea3675c
124 changed files with 27723 additions and 1631 deletions


@ -0,0 +1,52 @@
{ config, ... }:
let
host = "auth.snix.dev";
realm = "snix-project";
in
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."${host}" = {
serverName = host;
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
proxy_pass_header Authorization;
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
# Allow clients with Auth hardcoded to use our base path.
#
# XXX: ok so this is horrible. For some reason gerrit explodes if
# it receives a redirect when doing auth. But we need to redirect
# the browser to reuse sessions. Thus, user agent scanning.
if ($http_user_agent ~* "^Java.*$") {
rewrite ^/auth/(.*)$ /$1 last;
}
rewrite ^/auth/(.*)$ /$1 redirect;
# Hacks to make us compatible with authenticators that expect GitLab's format.
rewrite ^/realms/${realm}/protocol/openid-connect/api/v4/user$ /realms/${realm}/protocol/openid-connect/userinfo;
rewrite ^/realms/${realm}/protocol/openid-connect/oauth/authorize$ /realms/${realm}/protocol/openid-connect/auth?scope=openid%20email%20profile;
rewrite ^/realms/${realm}/protocol/openid-connect/oauth/token$ /realms/${realm}/protocol/openid-connect/token;
'';
};
# Forward our admin address to our default realm.
locations."= /admin".extraConfig = "return 302 https://${host}/admin/snix-project/console/;";
locations."= /superadmin".extraConfig = "return 302 https://${host}/admin/master/console/;";
# Forward our root address to the account management portal.
locations."= /".extraConfig = "return 302 https://${host}/realms/${realm}/account;";
};
};
}
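Review bot: The catch-all `locations."/"` proxies the Keycloak admin console (inferred from the `/realms/…/protocol/openid-connect` and `/admin/master/console/` paths) to the internet, and the `/admin` and `/superadmin` redirects advertise both the realm console and the master-realm console. Keycloak's reverse-proxy guidance is to expose only `/realms/`, `/resources/` and `/js/` publicly and to restrict `/admin/` to an allowlist, e.g. `locations."/admin/" = { proxyPass = "http://127.0.0.1:9091"; extraConfig = "allow <admin-range>; deny all;"; };`; if internet-reachable admin access is deliberate, record that decision in a comment beside the redirects. `proxy_pass_header Authorization;` is a no-op here — that directive controls which upstream *response* headers reach the client, and nginx already forwards the request `Authorization` header — so it should be dropped rather than left to read as a security measure. `recommendedProxySettings = true` sends `X-Forwarded-*` headers, which Keycloak only honors when started with `proxy-headers=xforwarded`; that setting is not visible in this file, so it is worth a pointer comment.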


@ -2,9 +2,11 @@
{
config = {
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "letsencrypt@tvl.su";
defaults.email = "acme@snix.dev";
};
services.nginx = {


@ -8,12 +8,11 @@
config = {
services.nginx.virtualHosts."cl-shortlink" = {
serverName = "cl";
extraConfig = "return 302 https://cl.tvl.fyi$request_uri;";
extraConfig = "return 302 https://cl.snix.dev$request_uri;";
};
services.nginx.virtualHosts.gerrit = {
serverName = "cl.tvl.fyi";
serverAliases = [ "cl.tvl.su" ];
serverName = "cl.snix.dev";
enableACME = true;
forceSSL = true;
@ -21,7 +20,7 @@
location / {
proxy_pass http://localhost:4778;
proxy_set_header X-Forwarded-For $remote_addr;
# The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
# The :443 suffix is a workaround for https://b.snix.dev/issues/88.
proxy_set_header Host $host:443;
}


@ -1,82 +0,0 @@
{ depot, pkgs, config, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts.cgit = {
serverName = "code.tvl.fyi";
serverAliases = [ "code.tvl.su" ];
enableACME = true;
forceSSL = true;
extraConfig = ''
if ($http_user_agent ~ (ClaudeBot|GPTBot|Amazonbot)) {
return 403;
}
location = /go-get/tvix/build-go {
alias ${pkgs.writeText "go-import-metadata.html" ''<html><meta name="go-import" content="code.tvl.fyi/tvix/build-go git https://code.tvl.fyi/depot.git:/tvix/build-go.git"></html>''};
}
location = /go-get/tvix/castore-go {
alias ${pkgs.writeText "go-import-metadata.html" ''<html><meta name="go-import" content="code.tvl.fyi/tvix/castore-go git https://code.tvl.fyi/depot.git:/tvix/castore-go.git"></html>''};
}
location = /go-get/tvix/store-go {
alias ${pkgs.writeText "go-import-metadata.html" ''<html><meta name="go-import" content="code.tvl.fyi/tvix/store-go git https://code.tvl.fyi/depot.git:/tvix/store-go.git"></html>''};
}
location = /go-get/tvix/nar-bridge {
alias ${pkgs.writeText "go-import-metadata.html" ''<html><meta name="go-import" content="code.tvl.fyi/tvix/nar-bridge git https://code.tvl.fyi/depot.git:/tvix/nar-bridge.git"></html>''};
}
location = /tvix/build-go {
if ($args ~* "/?go-get=1") {
return 302 /go-get/tvix/build-go;
}
}
location = /tvix/castore-go {
if ($args ~* "/?go-get=1") {
return 302 /go-get/tvix/castore-go;
}
}
location = /tvix/store-go {
if ($args ~* "/?go-get=1") {
return 302 /go-get/tvix/store-go;
}
}
location = /tvix/nar-bridge {
if ($args ~* "/?go-get=1") {
return 302 /go-get/tvix/nar-bridge;
}
}
# Git operations on depot.git hit josh
location /depot.git {
proxy_pass http://127.0.0.1:${toString config.services.depot.josh.port};
}
# Git clone operations on '/' should be redirected to josh now.
location = /info/refs {
return 302 https://code.tvl.fyi/depot.git/info/refs$is_args$args;
}
# Static assets must always hit the root.
location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
proxy_pass http://localhost:2448;
}
# Everything else is forwarded to cgit for the web view
location / {
proxy_pass http://localhost:2448/cgit.cgi/depot/;
}
'';
};
};
}


@ -0,0 +1,26 @@
{ ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts.forgejo = {
serverName = "git.snix.dev";
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
# This has to be sufficiently large for uploading layers of
# non-broken docker images.
client_max_body_size 1G;
'';
};
};
};
}
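Review bot: `proxy_ssl_server_name on;` has no effect because `proxyPass` targets plain `http://127.0.0.1:3000`; the directive only applies to TLS upstreams and should be removed so nobody assumes the hop is encrypted, and `proxy_pass_header Authorization;` is likewise a no-op (it governs upstream response headers). Unlike the auth vhost, this location does not set `recommendedProxySettings = true`, so unless base.nix enables it globally Forgejo (inferred from the vhost name) receives no `Host`/`X-Forwarded-For`/`X-Forwarded-Proto` headers, logs every client as 127.0.0.1 (blinding any fail2ban rules) and may generate `http://` URLs; add `recommendedProxySettings = true;` next to `proxyPass` and set Forgejo's reverse-proxy trust to match. The 1G `client_max_body_size` is accepted by nginx before any authentication, which is only acceptable because the upstream authenticates pushes itself; a comment such as `# Unauthenticated at the nginx layer; Forgejo rejects unauthenticated writes before the body matters.` would record that reasoning.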


@ -0,0 +1,22 @@
{ config, ... }:
{
imports = [
./base.nix
];
services.nginx = {
upstreams.loki = {
servers."127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = { };
extraConfig = "keepalive 16;";
};
virtualHosts."loki.snix.dev" = {
enableACME = true;
forceSSL = true;
locations."/loki/api/v1/push" = {
proxyPass = "http://loki";
basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
};
};
};
}
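Review bot: `basicAuthFile` points at an agenix secret whose ownership is not set here; nginx worker processes read the htpasswd at request time as the `nginx` user, so unless `age.secrets.metrics-push-htpasswd` declares a matching `owner`/`group` elsewhere in the commit, every push will fail with a 500 rather than authenticate — a comment `# Secret must be readable by the nginx user; see age.secrets.metrics-push-htpasswd` next to the line would make the coupling explicit. Scoping the vhost to `/loki/api/v1/push` only is the right least-exposure choice. The upstream `keepalive 16;` only takes effect when the location speaks HTTP/1.1 with an empty `Connection` header, which NixOS's `recommendedProxySettings` provides; if base.nix does not enable it globally, add `recommendedProxySettings = true;` beside `proxyPass`. If Loki runs with `auth_enabled`, consider pinning the tenant with `extraConfig = "proxy_set_header X-Scope-OrgID <tenant>;";` so the shared push credential cannot write into arbitrary tenants.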


@ -0,0 +1,25 @@
{ config, ... }:
{
imports = [
./base.nix
];
config = {
# Listen on a special IPv4 & IPv6 specialized for mail.
# This NGINX has only one role: obtain TLS/SSL certificates for the mailserver.
# All the TLS, IMAP, SMTP stuff is handled directly by the mailserver runtime.
# This is why you will not see any `stream { }` block here.
services.nginx.virtualHosts.stalwart = {
serverName = "mail.snix.dev";
enableACME = true;
forceSSL = true;
listenAddresses = [
"127.0.0.2"
"49.12.112.149"
"[2a01:4f8:c013:3e62::2]"
];
};
};
}
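Review bot: The header comment says this vhost exists only to obtain the certificate for the mailserver, but nothing here lets the mail daemon read the resulting key or reload on renewal; the NixOS ACME module places the material under `/var/lib/acme/mail.snix.dev/` with the module's default group, so `security.acme.certs."mail.snix.dev"` needs a `group` (or the mailserver's user in that group) plus `reloadServices`. If that wiring lives elsewhere in the commit, a pointer comment such as `# Key is consumed by stalwart via security.acme.certs."mail.snix.dev".group/reloadServices` avoids a reader assuming the cert is unused. Hard-coding the public IPv4/IPv6 in `listenAddresses` means a host move or readdressing silently breaks http-01 validation and renewal; deriving them from the interface configuration, or at least commenting which interface they belong to, would help. The `config` argument in the function header is unused.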


@ -0,0 +1,24 @@
{ config, ... }:
let
mimirPort = config.services.mimir.configuration.server.http_listen_port;
in
{
imports = [
./base.nix
];
services.nginx = {
upstreams.mimir = {
servers."127.0.0.1:${toString mimirPort}" = { };
extraConfig = "keepalive 16;";
};
virtualHosts."mimir.snix.dev" = {
enableACME = true;
forceSSL = true;
locations."/api/v1/push" = {
proxyPass = "http://mimir";
basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
};
};
};
}
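Review bot: The `/api/v1/push` location forwards the client-supplied `X-Scope-OrgID` header unchanged, so if Mimir runs with multi-tenancy enabled, anyone holding the shared `metrics-push-htpasswd` credential can write into any tenant; pinning it at the proxy with `extraConfig = "proxy_set_header X-Scope-OrgID <tenant>;";` keeps tenant choice out of the client's hands (whether multi-tenancy is on is not visible here). The same htpasswd file is reused by the loki and tempo vhosts, so one leaked credential grants write access to logs, metrics and traces at once; that is a defensible trade-off for a single collector but deserves a comment, e.g. `# Shared with loki/tempo; one credential covers all telemetry push endpoints.`. As in the loki vhost, `keepalive 16;` on the upstream only works if the location uses HTTP/1.1 with an empty `Connection` header, which `recommendedProxySettings = true;` would provide if base.nix does not already.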


@ -0,0 +1,25 @@
{ config, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx =
let
scfg = config.services.grafana.settings.server;
in
{
enable = true;
virtualHosts."${scfg.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${scfg.http_addr}:${toString scfg.http_port}";
proxyWebsockets = true;
};
};
};
};
}
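Review bot: The upstream URL is assembled as `http://${scfg.http_addr}:${toString scfg.http_port}`; if `http_addr` is ever an IPv6 literal such as `::1` this yields `http://::1:3000`, which nginx rejects, so either bracket it or pin `127.0.0.1` like the other vhosts in this commit. As with the forgejo vhost, no `recommendedProxySettings` is set on the location, so unless base.nix enables it globally Grafana receives no `X-Forwarded-For`/`X-Forwarded-Proto` and records 127.0.0.1 as the client in its login and audit logs; `proxyWebsockets = true` only adds the HTTP/1.1 `Upgrade`/`Connection` headers. Adding `recommendedProxySettings = true;` beside `proxyWebsockets` fixes that.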


@ -1,25 +0,0 @@
{ config, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."status-fyi" = {
serverName = "status.tvl.fyi";
enableACME = true;
extraConfig = "return 302 https://status.tvl.su$request_uri;";
};
services.nginx.virtualHosts.grafana = {
serverName = "status.tvl.su";
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
};
};
};
}


@ -0,0 +1,22 @@
{ config, ... }:
{
imports = [
./base.nix
];
services.nginx = {
upstreams.tempo = {
servers."${config.services.tempo.settings.distributor.receivers.otlp.protocols.http.endpoint}" = { };
extraConfig = "keepalive 16;";
};
virtualHosts."tempo.snix.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://tempo";
basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
};
};
};
}
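Review bot: Unlike the loki and mimir vhosts, which scope the basic-auth location to the single push path, this one proxies `/` — the entire OTLP HTTP receiver rather than just `/v1/traces` — so for consistency and least exposure use `locations."/v1/traces"` (adding `/v1/metrics`/`/v1/logs` only if they are actually consumed). The upstream address is `config.services.tempo.settings.distributor.receivers.otlp.protocols.http.endpoint` verbatim; if that value is `0.0.0.0:4318` the proxy still works, but Tempo is then listening on every interface and only the 80/443 firewall rule in base.nix keeps it private, which is worth recording as `# NOTE: relies on the firewall to keep the raw OTLP port off the network.` next to `upstreams.tempo`. The `X-Scope-OrgID` tenant-pinning consideration raised for mimir applies here as well if Tempo multi-tenancy is enabled.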