we servering

This commit is contained in:
alisceon 2025-09-24 18:23:45 +02:00
parent 7688f7e215
commit 594981ca52
4 changed files with 103 additions and 141 deletions


@ -1,5 +1,7 @@
{ config, pkgs, ... }:
let
hugoDir = "/home/alisceon/blog";
in
{
imports =
[ ./hardware-configuration.nix ];
@ -15,151 +17,99 @@
allowedTCPPorts = [ 22 80 443 ];
allowedUDPPorts = [ 443 ];
};
environment = {
systemPackages = with pkgs; [
hugo
caddy
ddclient
]; # end systemPackages
}; # end environment
systemd = {
services = {
"pull-blog" = {
wantedBy = [ "multi-user.target" ];
script = ''
git pull origin main
hugo
'';
serviceConfig = {
type = "oneshot";
user = "root"
};
};
};
user = "alisceon";
workingDirectory = hugoDir;
}; # end serviceConfig
}; # end pull-blog
"ddclient" = {
description = "Dynamic DNS client";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.ddclient}/bin/ddclient -foreground -file /etc/blogbox/ddclient.conf";
Restart = "on-failure";
User = "root";
EnvironmentFile = "/etc/blogbox/.env";
}; # end serviceConfig
}; # end ddclient
}; # end services
timers = {
"pull-blog" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/5";
OnBootSec = "5min";
OnUnitActiveSec = "5min";
Persistent = true;
};
};
};
};
}; # end timerConfig
}; # end pull-blog
"ddclient" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5min";
OnUnitActiveSec = "5min";
Persistent = true;
}; # end timerConfig
}; # end ddclient
}; # end timers
}; # end systemd
services= {
caddy = {
enable = true;
environmentFile = "/etc/blogbox/.env";
virtualHosts = {
"blog" = {
hostName = "${DOMAIN}";
forceSSL = true;
root = "${hugoDir}/public";
index = "index.html";
log = [ "stdout" "stderr" ];
fileServer = { };
tls = {
email = ""
}; # end tls
}; # end {$DOMAIN}
}; # end virtualHosts
}; # end caddy
}; # end services.caddy
environment = {
etc = {
"blogbox/blogbox.env" = {
text = "";
mode = "644";
};
"blogbox/acme.json" = {
text = "";
"blogbox/ddclient.conf" = {
text = ''
use=web, web=dynamicdns.park-your-domain.com/getip
protocol=namecheap
server=dynamicdns.park-your-domain.com
login_env=DOMAIN
password_env=DDNS_PASSWORD
@
'';
mode = "600";
};
};
"blogbox/.env.example" = {
text = ''
HUGO_DIR=${hugoDir}
HUGO_ENV=production
DOMAIN=example.com
DDNS_PASSWORD=yourpassword
NAMECHEAP_API_KEY=yourapikey
'';
mode = "600";
};
}; # end etc
};
virtualisation = {
podman.dockerSocket.enable = true;
oci-containers = {
backend = "podman";
containers = {
traefik = {
image = "docker.io/library/traefik:beaufort";
autoStart = true;
autoRemoveOnStop = true;
privileged = true;
networks = [ "Containet" ];
ports = [ "80:80" "443:443" "443:443/udp" ];
volumes = [
"${pkgs.podman}/run/podman/podman.sock:/var/run/docker.sock:ro"
"/etc/traefik/acme.json:/acme.json"
];
environmentFiles = [ "/etc/traefik/blogbox.env" ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.http-catchall.rule" = "hostregexp(`{host:.+}`)";
"traefik.http.routers.http-catchall.entrypoints" = "web";
};
cmd = ''
--accesslog \
--accesslog.format=json \
--accesslog.fields.headers.names.User-Agent=keep \
--log.level=INFO \
--providers.docker=true \
--providers.docker.network=Containet \
--providers.docker.exposedbydefault=false \
--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
--entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
--entryPoints.web.forwardedHeaders.insecure=false \
--entryPoints.web.proxyProtocol.insecure=false \
--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
--entryPoints.websecure.forwardedHeaders.insecure=false \
--entryPoints.websecure.proxyProtocol.insecure=false \
--entrypoints.web.address=:80 \
--entrypoints.websecure.address=:443 \
--entryPoints.metrics.address=:8082 \
--entrypoints.web.http.redirections.entryPoint.to=websecure \
--entrypoints.web.http.redirections.entryPoint.scheme=https \
--entrypoints.web.http.redirections.entrypoint.permanent=true \
--entrypoints.websecure.http3 \
--entrypoints.name.http3.advertisedport=443 \
--entrypoints.websecure.http.tls.certResolver=leresolver \
--entrypoints.websecure.http.tls.domains[0].main=$DOMAIN \
--entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN \
--certificatesresolvers.leresolver.acme.dnschallenge=true \
--certificatesresolvers.leresolver.acme.dnschallenge.provider=namecheap \
--certificatesresolvers.leresolver.acme.storage=./acme.json \
--certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1.registrar-servers.com:53,dns2.registrar-servers.com:53 \
--metrics.prometheus=true \
--metrics.prometheus.addrouterslabels=true \
--metrics.prometheus.entryPoint=metrics
''
}; # end traefik
hugo = {
labels = {
"traefik.enable" = true;
"traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
"traefik.http.routers.hugo-router.entrypoints" = "websecure";
"traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
"traefik.http.routers.hugo-router.service" = "hugo-router";
"traefik.http.middlewares.compression.compress" = "true";
"traefik.http.middlewares.retry.retry.attempts" = "8";
"traefik.http.middlewares.retry.retry.initialInterval" = "2";
"traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
"traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
"traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
"traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
"traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
"traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
"traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
"traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
"traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
"traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
"traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
};
}; # end hugo
cats = {
labels = {
"traefik.http.routers.cats-router.priority"="1";
"traefik.http.middlewares.cats.errors.status"="400-599";
"traefik.http.middlewares.cats.errors.service"="cats-router";
"traefik.http.middlewares.cats.errors.query"="/{status}.html";
"traefik.enable" = true;
"traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
"traefik.http.routers.hugo-router.entrypoints" = "websecure";
"traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
"traefik.http.routers.hugo-router.service" = "hugo-router";
"traefik.http.middlewares.compression.compress" = "true";
"traefik.http.middlewares.retry.retry.attempts" = "8";
"traefik.http.middlewares.retry.retry.initialInterval" = "2";
"traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
"traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
"traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
"traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
"traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
"traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
"traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
"traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
"traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
"traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
"traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
};
}; # end cats
}; # end containers
}; # end oci-containers
}; # end virtualisation
} # end file
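Review bot: The `pull-blog` unit's `serviceConfig` uses lowercase keys (`type = "oneshot"`, `user = "alisceon"`, `workingDirectory = hugoDir`) while the `ddclient` unit in the same hunk uses the capitalized `Type`/`User`; systemd [Service] keys are case-sensitive, so if these lines are on the new side systemd would ignore them and run `git pull origin main` and `hugo` as root in `/home/alisceon/blog` (the stray braces around `user = "root"` suggest old and new text are interleaved here, so please confirm which survives). Use `Type = "oneshot";`, `User = "alisceon";`, `WorkingDirectory = hugoDir;`. The caddy block also looks unevaluable as written: `email = ""` lacks a semicolon, and `hostName = "${DOMAIN}";` is Nix interpolation of an unbound name rather than the Caddy `{$DOMAIN}` environment placeholder the `# end {$DOMAIN}` comment seems to intend; `forceSSL`, `root`, `index`, `log`, `fileServer` and `tls` do not look like `services.caddy.virtualHosts` options either, so that site configuration probably belongs in `extraConfig`. Since caddy runs as its own user, it will additionally need read access to `${hugoDir}/public` while that path lives under a home directory, and both caddy and ddclient reference `/etc/blogbox/.env` which this commit only provides as `.env.example`.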