commit 82c6413f971ec9ac6fe72e988b1b7a36d7552795
parent abe9541a92e63f3e408ac3a15481621a20002a99
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 28 Nov 2022 14:30:02 +0100
enable kTLS in nginx everywhere
26 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/configurations/linux/services/prometheus-node-exporter.nix b/configurations/linux/services/prometheus-node-exporter.nix
@@ -11,6 +11,7 @@
 virtualHosts."${config.networking.fqdn}" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/node-exporter".proxyPass = "http://127.0.0.1:9100/metrics";
 };
 };
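Review bot: `kTLS = true;` is set by hand on this vhost and repeated in each of the other 25 files of the commit, so a vhost added later will not get it unless someone remembers, and switching kernel TLS off again (for instance while a kernel fix is pending) means editing every file. A single default would be easier to audit: a small module that re-declares `services.nginx.virtualHosts` as `attrsOf (submodule { config.kTLS = lib.mkDefault true; })` sets it for every vhost and still allows a per-host `kTLS = false;`. The attribute set containing `virtualHosts` starts outside the hunk, so whether a shared module already exists cannot be seen from here.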
diff --git a/configurations/linux/services/restic-server.nix b/configurations/linux/services/restic-server.nix
@@ -25,6 +25,7 @@
 virtualHosts."restic.${config.networking.fqdn}" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:8000/";
 extraConfig = ''
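Review bot: This vhost only proxies to `127.0.0.1:8000`, and kTLS pays off mainly when nginx can pass file data to the kernel with sendfile, so the gain for proxied responses is probably small while the kernel `tls` code joins the TLS data path of the backup endpoint. The same holds for the other proxy-only vhosts in the commit (node-exporter, syncthing, radicale, influxdb2, grafana, prometheus). If the option stays for uniformity, a comment such as `# kTLS kept for consistency; little benefit for proxied traffic` above it would mark that as deliberate. The `locations."/"` block continues past the end of the hunk.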
diff --git a/configurations/linux/services/syncthing-nginx.nix b/configurations/linux/services/syncthing-nginx.nix
@@ -20,6 +20,7 @@
 virtualHosts."syncthing.${config.networking.fqdn}" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://127.0.0.1:8384/";
 };
 };
diff --git a/machines/lollo/gotosocial.nix b/machines/lollo/gotosocial.nix
@@ -44,6 +44,7 @@
 services.nginx.virtualHosts."fedi.home.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/.well-known/host-meta".extraConfig = ''return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="lrdd" template="https://fedi.home.ctu.cx/.well-known/webfinger?resource={uri}" type="application/xrd+xml" /></XRD>';'';
 "= /".return = "307 /@leah";
diff --git a/machines/lollo/radicale.nix b/machines/lollo/radicale.nix
@@ -39,6 +39,7 @@
 virtualHosts."dav.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://127.0.0.1:5232/";
 };
 };
diff --git a/machines/lollo/router/dnsmasq.nix b/machines/lollo/router/dnsmasq.nix
@@ -123,6 +123,7 @@ in {
 virtualHosts."dnsmasq.home.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 root = dnsmasq-lease-overview;
 locations = {
 "/".tryFiles = "$uri $uri/ /index.php?$query_string";
diff --git a/machines/lollo/smarthome/influxdb2.nix b/machines/lollo/smarthome/influxdb2.nix
@@ -14,6 +14,7 @@
 virtualHosts."influx.home.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://127.0.0.1:8086/";
 };
 };
diff --git a/machines/lollo/smarthome/smartied.nix b/machines/lollo/smarthome/smartied.nix
@@ -354,6 +354,7 @@ in {
 virtualHosts."smart.home.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/" = {
 root = pkgs.smartiePWA;
diff --git a/machines/lollo/websites/flauschehorn.sexy.nix b/machines/lollo/websites/flauschehorn.sexy.nix
@@ -74,6 +74,7 @@ in {
 virtualHosts."flauschehorn.sexy" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/".extraConfig = ''
 include "${pkgs.nginx}/conf/fastcgi_params";
diff --git a/machines/lollo/websites/music.home.ctu.cx.nix b/machines/lollo/websites/music.home.ctu.cx.nix @@ -19,6 +19,7 @@ in { virtualHosts."music.home.ctu.cx" = { enableACME = true; forceSSL = true; + kTLS = true; root = "/mnt/music_originals"; locations = {
diff --git a/machines/lollo/websites/oeffi.ctu.cx.nix b/machines/lollo/websites/oeffi.ctu.cx.nix
@@ -58,6 +58,7 @@
 virtualHosts."oeffi.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/".proxyPass = "http://127.0.0.1:8082";
 "/assets/".alias = "${pkgs.oeffi-web}/share/oeffi-web/assets/";
diff --git a/machines/lollo/websites/oeffisear.ch.nix b/machines/lollo/websites/oeffisear.ch.nix
@@ -66,6 +66,7 @@
 virtualHosts."oeffisear.ch" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "@api".proxyPass = "http://127.0.0.1:8081";
 "/" = {
diff --git a/machines/lollo/websites/photos.ctu.cx.nix b/machines/lollo/websites/photos.ctu.cx.nix
@@ -104,6 +104,7 @@ in {
 virtualHosts."photos.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 root = "/var/lib/ctucx-gallery";
 };
 };
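Review bot: Nothing in the commit records how to confirm that kTLS is really in use on this static-file vhost; as far as I know OpenSSL quietly stays in userspace when the kernel `tls` module, the OpenSSL build or the negotiated cipher does not support offload, so the setting can be a no-op without any error. A comment next to the option, e.g. `# verify after deploy: TlsTxSw in /proc/net/tls_stat should increase`, would give the next maintainer a check. Whether `sendfile` is enabled for nginx is not visible in this diff and is worth confirming, since the benefit depends on it.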
diff --git a/machines/lollo/websites/storage.home.ctu.cx/default.nix b/machines/lollo/websites/storage.home.ctu.cx/default.nix @@ -5,7 +5,8 @@ services.nginx.virtualHosts = { "storage.home.ctu.cx" = { enableACME = true; - forceSSL = true; + forceSSL = true; + kTLS = true; basicAuthFile = "/var/src/secrets/nginx/storage.htpasswd";
diff --git a/machines/lollo/websites/things.home.ctu.cx.nix b/machines/lollo/websites/things.home.ctu.cx.nix
@@ -32,6 +32,7 @@
 virtualHosts."things.home.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 root = pkgs.ctucx-things;
 locations = {
 "/".index = "index.php index.html";
diff --git a/machines/lollo/websites/wifionic.de.nix b/machines/lollo/websites/wifionic.de.nix @@ -46,6 +46,7 @@ in { virtualHosts."wifionic.de" = { enableACME = true; forceSSL = true; + kTLS = true; locations = { "/".root = pkgs.mobile-coverage-map;
diff --git a/machines/lollo/websites/wiki.home.ctu.cx.nix b/machines/lollo/websites/wiki.home.ctu.cx.nix
@@ -56,6 +56,7 @@
 virtualHosts."wiki.home.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 root = "/var/lib/hugo-wiki";
 };
 };
diff --git a/machines/trabbi/git/cgit.nix b/machines/trabbi/git/cgit.nix
@@ -64,6 +64,7 @@ in {
 virtualHosts."cgit.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/".tryFiles = "$uri @cgit";
 "/assets/".alias = "${cgitAssets}/";
diff --git a/machines/trabbi/git/stagit.nix b/machines/trabbi/git/stagit.nix
@@ -184,6 +184,7 @@ in {
 "cgit.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "~ '^/[a-zA-Z0-9._-]+/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$'".return = "307 https://git.ctu.cx$request_uri";
 "~ '^/([a-zA-Z0-9_.]+)/*$'".return = "307 https://git.ctu.cx/$1";
@@ -203,6 +204,7 @@ in {
 "git.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 root = "/var/lib/stagit";
 locations = {
 "~ '^/[a-zA-Z0-9._-]+/raw'".extraConfig = ''
diff --git a/machines/trabbi/grafana/default.nix b/machines/trabbi/grafana/default.nix
@@ -68,6 +68,7 @@
 virtualHosts."grafana.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://127.0.0.1:3001/";
 };
 };
diff --git a/machines/trabbi/matrix-synapse.nix b/machines/trabbi/matrix-synapse.nix
@@ -60,6 +60,7 @@
 "ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/.well-known/matrix/server".extraConfig = ''
 add_header Content-Type application/json;
 return 200 "{\"m.server\": \"matrix.ctu.cx:443\"}";
@@ -73,6 +74,7 @@
 "matrix.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/_matrix".proxyPass = "http://127.0.0.1:8008";
 "/".root = pkgs.cinny.override {
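Review bot: The `"ctu.cx"` vhost receives `kTLS = true;` here and again in pleroma/default.nix, bikemap.ctu.cx/default-gpx2tiles.nix and websites/ctu.cx.nix (and `"cgit.ctu.cx"` in both cgit.nix and stagit.nix). If these files are imported on the same machine the definitions merge into one vhost, so the repeats add nothing and a later `kTLS = false;` in only one of them would presumably fail evaluation with conflicting definitions. Setting the option in one place per host name, or via a shared default, avoids that. Both hunks of this file end before the vhost definitions are closed.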
diff --git a/machines/trabbi/pleroma/default.nix b/machines/trabbi/pleroma/default.nix
@@ -55,6 +55,7 @@
 "pleroma.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:4000/";
 proxyWebsockets = true;
@@ -63,6 +64,7 @@
 "ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/.well-known/host-meta".extraConfig = "return 301 https://pleroma.ctu.cx$request_uri;";
 };
 };
diff --git a/machines/trabbi/prometheus.nix b/machines/trabbi/prometheus.nix
@@ -53,6 +53,7 @@
 virtualHosts."prometheus.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://127.0.0.1:9090/";
 };
 };
diff --git a/machines/trabbi/websites/bikemap.ctu.cx/default-gpx2tiles.nix b/machines/trabbi/websites/bikemap.ctu.cx/default-gpx2tiles.nix
@@ -105,6 +105,7 @@ in {
 virtualHosts."ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/bikemap/".alias = "/var/lib/bikemap/";
 };
diff --git a/machines/trabbi/websites/bikemap.ctu.cx/default.nix b/machines/trabbi/websites/bikemap.ctu.cx/default.nix
@@ -130,6 +130,7 @@ in {
 virtualHosts."bikemap.ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 root = "/var/lib/bikemap/";
 };
 };
diff --git a/machines/trabbi/websites/ctu.cx.nix b/machines/trabbi/websites/ctu.cx.nix
@@ -9,6 +9,7 @@
 virtualHosts."ctu.cx" = {
 enableACME = true;
 forceSSL = true;
+ kTLS = true;
 locations = {
 "/".root = ./ctu.cx;
 "/netzabdeckung.html".return = "307 https://wifionic.de/";