forked from pub-solar/infra
garage: init buckets.pub.solar, use nginx as reverse proxy
https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/
This commit is contained in:
parent
b0790876ec
commit
15b507904f
|
@ -100,6 +100,7 @@
|
|||
#self.nixosModules.promtail
|
||||
|
||||
self.nixosModules.garage
|
||||
self.nixosModules.nginx
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -116,6 +117,7 @@
|
|||
#self.nixosModules.promtail
|
||||
|
||||
self.nixosModules.garage
|
||||
self.nixosModules.nginx
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -132,6 +134,7 @@
|
|||
#self.nixosModules.promtail
|
||||
|
||||
self.nixosModules.garage
|
||||
self.nixosModules.nginx
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -16,12 +16,73 @@
|
|||
mode = "400";
|
||||
};
|
||||
|
||||
age.secrets."acme-namecheap-env" = {
|
||||
file = "${flake.self}/secrets/acme-namecheap-env.age";
|
||||
mode = "400";
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
3900
|
||||
3901
|
||||
3902
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
defaults = {
|
||||
environmentFile = config.age.secrets.acme-namecheap-env.path;
|
||||
};
|
||||
certs = {
|
||||
# Wildcard certificate gets created automatically
|
||||
"buckets.${config.pub-solar-os.networking.domain}" = {
|
||||
# disable http challenge
|
||||
webroot = null;
|
||||
# enable dns challenge
|
||||
dnsProvider = "namecheap";
|
||||
dnsPropagationCheck = false;
|
||||
};
|
||||
# Wildcard certificate gets created automatically
|
||||
"web.${config.pub-solar-os.networking.domain}" = {
|
||||
# disable http challenge
|
||||
webroot = null;
|
||||
# enable dns challenge
|
||||
dnsProvider = "namecheap";
|
||||
dnsPropagationCheck = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
upstreams.s3_backend.servers = {
|
||||
"[::1]:3900" = { };
|
||||
};
|
||||
upstreams.web_backend.servers = {
|
||||
"[::1]:3902" = { };
|
||||
};
|
||||
virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
|
||||
serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"];
|
||||
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://s3_backend";
|
||||
extraConfig = ''
|
||||
proxy_max_temp_file_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
|
||||
serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"];
|
||||
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://web_backend";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.garage = {
|
||||
enable = true;
|
||||
package = pkgs.garage_1_0_0;
|
||||
|
|
BIN
secrets/acme-namecheap-env.age
Normal file
BIN
secrets/acme-namecheap-env.age
Normal file
Binary file not shown.
|
@ -100,4 +100,6 @@ in
|
|||
# garage
|
||||
"garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys;
|
||||
"garage-admin-token.age".publicKeys = garageKeys ++ adminKeys;
|
||||
|
||||
"acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys;
|
||||
}
|
||||
|
|
|
@ -99,6 +99,51 @@ resource "namecheap_domain_records" "pub-solar" {
|
|||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
}
|
||||
record {
|
||||
hostname = "buckets"
|
||||
type = "A"
|
||||
address = "85.215.152.22"
|
||||
}
|
||||
record {
|
||||
hostname = "buckets"
|
||||
type = "A"
|
||||
address = "5.255.119.132"
|
||||
}
|
||||
record {
|
||||
hostname = "buckets"
|
||||
type = "A"
|
||||
address = "194.13.83.205"
|
||||
}
|
||||
record {
|
||||
hostname = "buckets"
|
||||
type = "AAAA"
|
||||
address = "2a01:239:35d:f500::1"
|
||||
}
|
||||
record {
|
||||
hostname = "buckets"
|
||||
type = "AAAA"
|
||||
address = "2a04:52c0:124:9d8c::2"
|
||||
}
|
||||
record {
|
||||
hostname = "buckets"
|
||||
type = "AAAA"
|
||||
address = "2a03:4000:43:24e::1"
|
||||
}
|
||||
record {
|
||||
hostname = "*.buckets"
|
||||
type = "CNAME"
|
||||
address = "buckets.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "web"
|
||||
type = "CNAME"
|
||||
address = "buckets.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "*.web"
|
||||
type = "CNAME"
|
||||
address = "buckets.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "tankstelle"
|
||||
type = "A"
|
||||
|
|
Loading…
Reference in a new issue