diff --git a/hosts/thegeneralist-central/archive/archivebox.nix b/hosts/thegeneralist-central/archive/archivebox.nix index 85859ff..bd5edb1 100644 --- a/hosts/thegeneralist-central/archive/archivebox.nix +++ b/hosts/thegeneralist-central/archive/archivebox.nix @@ -20,14 +20,14 @@ }; }; - pywb = { - image = "docker.io/webrecorder/pywb"; - ports = [ "127.0.0.1:8001:8001" ]; - volumes = [ - "/mnt/usb/services/browsertrix/webrecorder/:/" - "/mnt/usb/services/browsertrix/webrecorder/webarchive:/webarchive" - ]; - }; + # pywb = { + # image = "docker.io/webrecorder/pywb"; + # ports = [ "127.0.0.1:8001:8001" ]; + # volumes = [ + # "/mnt/usb/services/browsertrix/webrecorder/:/" + # "/mnt/usb/services/browsertrix/webrecorder/webarchive:/webarchive" + # ]; + # }; }; environment.systemPackages = [ pkgs.docker ]; diff --git a/hosts/thegeneralist-central/cert.pem.age b/hosts/thegeneralist-central/cert.pem.age index ee2225e..29686e8 100644 Binary files a/hosts/thegeneralist-central/cert.pem.age and b/hosts/thegeneralist-central/cert.pem.age differ diff --git a/hosts/thegeneralist-central/credentials_personal.age b/hosts/thegeneralist-central/credentials_personal.age new file mode 100644 index 0000000..aaa7573 --- /dev/null +++ b/hosts/thegeneralist-central/credentials_personal.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 pp9qdQ Dd/XjOu+4aSiGxiCRcFOD+Hv25SqRqoqb0fk+tHSfSo +wihtf9gMmLhRfr8Lx5NISOn9Y96Au1DWg6xMLx3XAtA +--- HS8dzuvW6BKH9tASzN6Mc90lU3i13aidVzJYcpTTfrU +¶‚k$ú-¹r×jm×›ÛÕÈèÕóR'§íœˆ8ý_¶ÿÑû?/ã9z"q^¯2>)•ÍyCÍ*ÅN¡V…äeìä¥îhiùÌ<L¬ùûûùÈF|1–%ÄœÚ:ÀOGÀ„[ëß×OX “¦†³FÌ4—Ãa›Hõléô63jB}6É b”ºÍkÛPT“ÎmÛ¼ù[Y|Ä™ØÍ7fwǽœ™Ÿ¿T¼ê÷*½‘yz¬Ãøx½ƒŠT?þÝYÞÄe_È% \ No newline at end of file diff --git a/hosts/thegeneralist-central/site.nix b/hosts/thegeneralist-central/site.nix index 2f2690b..b16bd1a 100644 --- a/hosts/thegeneralist-central/site.nix +++ b/hosts/thegeneralist-central/site.nix 
@@ -1,31 +1,38 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
 domain = "thegeneralist01.com";
+ family_domain = builtins.getEnv "FAMILY_DOMAIN";
 ssl = {
- quic = true;
+ quic = true;
 useACMEHost = domain;
 };
-in {
- imports = [ ./acme ./dns.nix ./jellyfin ];
+in
+{
+ imports = [
+ ./acme
+ ./dns.nix
+ ./jellyfin
+ ];
 # Nginx
 services.nginx = {
- enable = true;
- package = pkgs.nginxQuic;
- enableQuicBPF = true;
+ enable = true;
+ package = pkgs.nginxQuic;
+ enableQuicBPF = true;
- experimentalZstdSettings = true;
- recommendedUwsgiSettings = true;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedBrotliSettings = true;
+ experimentalZstdSettings = true;
+ recommendedUwsgiSettings = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
- statusPage = true;
- validateConfigFile = true;
+ statusPage = true;
+ validateConfigFile = true;
- virtualHosts."${domain}" = ssl // {
+ virtualHosts."${domain}" = ssl // {
 root = "/var/www/${domain}";
 locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
@@ -43,13 +50,35 @@ in {
 '';
 };
- virtualHosts."www.${domain}" = ssl // {
+ virtualHosts."www.${domain}" = ssl // {
 locations."/".return = "306 https://${domain}$request_uri";
 };
- virtualHosts._ = ssl // {
- locations."/".return = "307 https://${domain}/404";
+ virtualHosts."${family_domain}" = {
+ root = "/var/www/${family_domain}";
+ locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
+
+ extraConfig = ''
+ if ($http_x_forwarded_proto = "http") {
+ return 301 https://${family_domain}$request_uri;
+ }
+
+ location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ {
+ expires 1d;
+ add_header Cache-Control "public";
+ }
+
+ error_page 404 /404.html;
+ '';
 };
+
+ virtualHosts."www.${family_domain}" = {
+ locations."/".return = "306 https://${family_domain}$request_uri";
+ };
+
+ # virtualHosts._ = ssl // {
+ # locations."/".return = "307 https://${domain}/404";
+ # };
 };
 # Cloudflare
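Review bot: The two `${family_domain}` virtual hosts are declared without the `ssl` attrset that every other host in this file merges in, so whatever TLS the main domain gets does not apply to them and the only HTTPS enforcement is `if ($http_x_forwarded_proto = "http")` — a client-supplied header that is only trustworthy when the request actually arrived through the Cloudflare tunnel. If nginx's port-80 listener is reachable other than over loopback (not visible here), a direct request can omit that header and be served in the clear; pinning the family hosts to the tunnel path with `listenAddresses = [ "127.0.0.1" ];` in both vhosts, or an equivalent firewall rule, makes that assumption explicit. The `www.${family_domain}` host also copies `return 306 ...`, and in nginx's `return` directive only 301/302/303/307/308 take a URL — any other code sends the argument as the response body, so this is not a redirect; use `locations."/".return = "301 https://${family_domain}$request_uri";`. Commenting out `virtualHosts._` additionally removes the catch-all, so an unrecognised Host header now falls through to nginx's default server instead of the 307 to /404 — worth confirming that is intended.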
@@ -57,21 +86,34 @@ in {
 age.secrets.cftcert.file = ./cert.pem.age;
 age.secrets.cftcredentials.file = ./credentials.age;
+ age.secrets.cftcredentials_personal.file = ./credentials_personal.age;
 services.cloudflared = {
 enable = true;
 certificateFile = config.age.secrets.cftcert.path;
- tunnels."site" = {
- ingress = {
- "thegeneralist01.com" = "http://localhost:80";
- "www.thegeneralist01.com" = "http://localhost:80";
- "cache.thegeneralist01.com" = "http://localhost:80";
- };
- default = "http_status:404";
+ tunnels = {
+ "site" = {
+ ingress = {
+ "thegeneralist01.com" = "http://localhost:80";
+ "www.thegeneralist01.com" = "http://localhost:80";
+ "cache.thegeneralist01.com" = "http://localhost:80";
+ };
+ default = "http_status:404";
- credentialsFile = config.age.secrets.cftcredentials.path;
- certificateFile = config.age.secrets.cftcert.path;
+ credentialsFile = config.age.secrets.cftcredentials.path;
+ certificateFile = config.age.secrets.cftcert.path;
+ };
+ "personal" = {
+ ingress = {
+ "${family_domain}" = "http://localhost:80";
+ "www.${family_domain}" = "http://localhost:80";
+ };
+ default = "http_status:404";
+
+ credentialsFile = config.age.secrets.cftcredentials_personal.path;
+ certificateFile = config.age.secrets.cftcert.path;
+ };
 };
 };
 }
diff --git a/secrets.nix b/secrets.nix
index ad9a0d8..8ea2f3f 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -7,6 +7,7 @@ in {
 "hosts/thegeneralist-central/acme/acmeEnvironment.age".publicKeys = [ thegeneralist ];
 "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ];
 "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ];
+ "hosts/thegeneralist-central/credentials_personal.age".publicKeys = [ thegeneralist ];
 "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ];
 "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ];
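Review bot: The `personal` tunnel's ingress hostnames are built from `family_domain`, which the top of this file reads with `builtins.getEnv "FAMILY_DOMAIN"`; that returns `""` whenever the variable is not exported at evaluation time (and always under pure/flake evaluation), so the tunnel would silently be generated with hostnames `""` and `"www."` — and, as far as I can tell from cloudflared's ingress rules, a rule with no hostname is a catch-all, so the config is at best rejected as mis-ordered and at worst routes every name on that tunnel to nginx ahead of `default = "http_status:404"`. Failing evaluation is safer than deploying that: bind it as `family_domain = let v = builtins.getEnv "FAMILY_DOMAIN"; in if v == "" then throw "FAMILY_DOMAIN must be set" else v;`, or carry the domain in an age secret like the credentials instead of an environment variable. Minor: the per-tunnel `certificateFile = config.age.secrets.cftcert.path;` appears to repeat the `services.cloudflared.certificateFile` set a few lines above, so one of the two can go.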