rewrite frumar.nix, pennyworth.nix, remove some vpn proxies

nixos/machines/frumar/default.nix

@@ -18,71 +18,81 @@
 
   security.y-selfsigned.enable = true;
 
-  services.nginx = {
-    enable = true;
-    virtualHosts."unifi.yori.cc" = {
+  services.nginx = let
+    sslForward = proxyPass: extra: lib.mkMerge [ {
       onlySSL = true;
       useACMEHost = "wildcard.yori.cc";
       locations."/" = {
-        proxyPass = "https://[::1]:8443";
+        inherit proxyPass;
         proxyWebsockets = true;
-        extraConfig = ''
+      };
+    } extra ];
+  in {
+    enable = true;
+    virtualHosts = {
+      "unifi.yori.cc" = sslForward "https://[::1]:8443" {
+        locations."/".extraConfig = ''
           proxy_ssl_verify off;
           proxy_ssl_session_reuse on;
         '';
       };
-    };
-    virtualHosts."priv.yori.cc" = let
-      oauth2Block = ''
-        auth_request /oauth2/auth;
-        error_page 401 = /oauth2/sign_in;
-
-        # pass information via X-User and X-Email headers to backend,
-        # requires running with --set-xauthrequest flag
-        auth_request_set $user   $upstream_http_x_auth_request_user;
-        auth_request_set $email  $upstream_http_x_auth_request_email;
-        proxy_set_header X-User  $user;
-        proxy_set_header X-Email $email;
-
-        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-        auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
-      '';
-    in {
-      onlySSL = true;
-      useACMEHost = "wildcard.yori.cc";
-      locations."/".proxyPass = "http://127.0.0.1:4000";
-      locations."/sonarr" = {
-        proxyPass = "http://127.0.0.1:8989";
-        extraConfig = oauth2Block;
+      "grafana.yori.cc" = sslForward "http://127.0.0.1:3000" {};
+      "prometheus.yori.cc" = sslForward "http://127.0.0.1:9090" {
+        # only over VPN
+        listen = [ { addr = "10.209.0.3"; port = 443; ssl = true; } ];
       };
-      locations."/radarr" = {
-        proxyPass = "http://127.0.0.1:7878";
-        extraConfig = oauth2Block;
+      "plex.yori.cc" = sslForward "http://127.0.0.1:32400" {
+        extraConfig = ''
+          gzip on;
+          gzip_vary on;
+          gzip_min_length 1000;
+	        gzip_proxied any;
+	        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
+          proxy_http_version 1.1;
+          proxy_buffering off;
+        '';
       };
-      locations."/marvin-tracker/" = {
-        proxyPass = "http://[::1]:4001/";
-        # handles auth using arg
+      "fooocus.yori.cc" = sslForward "http://192.168.2.135:7860" {}; 
+      "priv.yori.cc" = let
+        oauth2Block = ''
+          auth_request /oauth2/auth;
+          error_page 401 = /oauth2/sign_in;
+  
+          # pass information via X-User and X-Email headers to backend,
+          # requires running with --set-xauthrequest flag
+          auth_request_set $user   $upstream_http_x_auth_request_user;
+          auth_request_set $email  $upstream_http_x_auth_request_email;
+          proxy_set_header X-User  $user;
+          proxy_set_header X-Email $email;
+  
+          # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+          auth_request_set $auth_cookie $upstream_http_set_cookie;
+          add_header Set-Cookie $auth_cookie;
+        '';
+        proxyOauth2 = proxyPass: {
+          inherit proxyPass;
+          extraConfig = oauth2Block;
+        };
+      in {
+        onlySSL = true;
+        useACMEHost = "wildcard.yori.cc";
+        # TODO remove dashy
+        locations."/".proxyPass = "http://127.0.0.1:4000";
+        locations."/sonarr" = proxyOauth2 "http://127.0.0.1:8989";
+        locations."/radarr" = proxyOauth2 "http://127.0.0.1:7878";
+        locations."/marvin-tracker/" = {
+          proxyPass = "http://[::1]:4001/";
+          # handles auth using arg
+        };
+        locations."/paperless/" = proxyOauth2 "http://127.0.0.1:${toString config.services.paperless.port}/";
+        locations."/media/" = {
+          root = "/var/mediashare";
+        };
       };
-      locations."/paperless/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
-        extraConfig = oauth2Block;
+      "frumar.yori.cc" = {
+        enableACME = lib.mkForce false;
+        inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
       };
-      locations."/media/" = {
-        root = "/var/mediashare";
-      };
-    };
-    virtualHosts."fooocus.yori.cc" = {
-      onlySSL = true;
-      useACMEHost = "wildcard.yori.cc";
-      locations."/" = {
-        proxyPass = "http://192.168.2.135:7860";
-        proxyWebsockets = true;
-      };
-    };
-    virtualHosts."frumar.yori.cc" = {
-      enableACME = lib.mkForce false;
-      inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
     };
   };
   systemd.services.nginx.serviceConfig.BindReadOnlyPaths = [ "/data/plexmedia/ca" "/var/mediashare" ];

nixos/machines/pennyworth/default.nix

@@ -2,30 +2,17 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, lib, ... }:
-let
-  sslforward = proxyPass: {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      inherit proxyPass;
-      proxyWebsockets = true;
-    };
-  };
-  vpn = import ../../vpn.nix;
-in {
+{ config, pkgs, lib, ... }: {
   imports = [
     ./hetznercloud.nix
     ../../roles/server.nix
     ../../roles/datakami.nix
     ../../services/backup.nix
     ../../services/email.nix
-    ../../services/calibre-web.nix
   ];
 
   system.stateVersion = "19.03";
 
-  services.nginx.enable = true;
   services.yorick = {
     public = {
       enable = true;
@@ -47,6 +34,7 @@ in {
       enable = true;
       vhost = "calibre.yori.cc";
     };
+    vpn-host.enable = true;
   };
 
   age.secrets.muflax.file = ../../../secrets/http.muflax.age;
@@ -58,62 +46,29 @@ in {
       private_key = config.age.secrets.muflax.path;
     };
   };
-  services.nginx.commonHttpConfig = ''
-    access_log off; 
-  '';
-  services.nginx.virtualHosts = {
-    "yori.cc" = {
-      enableACME = true;
-      forceSSL = true;
-      globalRedirect = "yorickvanpelt.nl";
-    };
-    "yorickvanpelt.nl".locations."/p1".return =
-      "301 https://git.yori.cc/yorick/meterkast";
-    "grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000";
-    #"ubiquiti.yori.cc" = sslforward "https://${vpn.ips.frumar}:8443";
-    "prometheus.yori.cc" = {
-      # only over vpn
-      listen = [{
-        addr = "10.209.0.1";
-        port = 80;
-      }];
-      locations."/".proxyPass = "http://10.209.0.3:9090";
-    };
-    "pub.yori.cc".locations."/muflax/".extraConfig = ''
-      rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
-    '';
-    "plex.yori.cc" = (sslforward "http://${vpn.ips.frumar}:32400") // {
-      extraConfig = ''
-        gzip on;
-        gzip_vary on;
-        gzip_min_length 1000;
-	      gzip_proxied any;
-	      gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
-        proxy_http_version 1.1;
-        proxy_buffering off;
+  services.nginx = {
+    enable = true;
+    commonHttpConfig = "access_log off;";
+    virtualHosts = {
+      "yori.cc" = {
+        enableACME = true;
+        forceSSL = true;
+        globalRedirect = "yorickvanpelt.nl";
+      };
+      "yorickvanpelt.nl".locations."/p1".return =
+        "301 https://git.yori.cc/yorick/meterkast";
+      "pub.yori.cc".locations."/muflax/".extraConfig = ''
+        rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
       '';
     };
   };
-  networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
-  networking.firewall.allowedTCPPorts = [ 60307 ]; # weechat relay
+
+  # TODO: reload cert in weechat
   security.acme.certs."pennyworth.yori.cc".postRun = ''
     cat fullchain.pem key.pem > /home/yorick/.weechat/ssl/relay.pem
     chown yorick:users /home/yorick/.weechat/ssl/relay.pem
     chmod 0600 $_
   '';
-  networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
-    (machine: publicKey: {
-      inherit publicKey;
-      allowedIPs = [ "${vpn.ips.${machine}}/32" ];
-    }) vpn.keys);
-  services.prometheus.exporters.wireguard = { enable = true; };
-  networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9586 ];
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  users.users.yorick.packages = with pkgs; [
-    sshfs-fuse
-    weechat
-    ripgrep
-  ];
-  nix.settings.allowed-users = [ "@wheel" ];
 
+  users.users.yorick.packages = with pkgs; [ sshfs-fuse weechat ripgrep ];
 }

nixos/roles/server.nix

@@ -7,6 +7,7 @@
   networking.firewall.logRefusedConnections =
     false; # Silence logging of scanners and knockers
 
+  nix.settings.allowed-users = [ "@wheel" ];
   # TODO: upstream with noXlibs
   nixpkgs.overlays = [
     (self: super: {

nixos/services/default.nix

@@ -1,4 +1,11 @@
 {
-  imports =
-    [ ./git.nix ./muflax-church.nix ./pub.nix ./website.nix ./torrent-wg.nix ];
+  imports = [
+    ./calibre-web.nix
+    ./git.nix
+    ./muflax-church.nix
+    ./pub.nix
+    ./vpn-host.nix
+    ./website.nix
+    ./torrent-wg.nix
+  ];
 }

nixos/services/vpn-host.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.services.yorick.vpn-host;
+in {
+  options.services.yorick.vpn-host = with lib; {
+    enable = mkEnableOption "vpn-host";
+  };
+  config = lib.mkIf cfg.enable {
+
+    services.prometheus.exporters.wireguard.enable = true;
+
+    networking = {
+      firewall = {
+        allowedUDPPorts = [ 31790 ]; # wg
+        interfaces.wg-y.allowedTCPPorts = [ 9586 ]; # wireguard exporter
+      };
+      wireguard.interfaces.wg-y.peers = let vpn = import ../vpn.nix;
+      in lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
+        inherit publicKey;
+        allowedIPs = [ "${vpn.ips.${machine}}/32" ];
+      }) vpn.keys);
+    };
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  };
+}