Add dots.ports module: fleet-wide service port registry (nixnuc + hetznix01)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Gene Liverman 2026-05-28 22:42:49 -04:00
parent 84a5c695b0
commit 94fdc678e4
No known key found for this signature in database
15 changed files with 353 additions and 135 deletions


@ -1,8 +1,6 @@
{ config, ... }:
let
domain = "technicalissues.us";
http_port = 80;
https_port = 443;
private_btc = "umbrel.${config.private-flake.tailnetDomain}";
in
{
@ -25,13 +23,13 @@ in
streamConfig = ''
server {
# https://docs.emqx.com/en/emqx/latest/deploy/cluster/lb-nginx.html
listen 8883 ssl;
listen ${toString config.dots.ports.mqtt-tls.port} ssl;
ssl_session_timeout 10m;
ssl_certificate ${config.security.acme.certs."mqtt.${domain}".directory}/fullchain.pem;
ssl_certificate_key ${config.security.acme.certs."mqtt.${domain}".directory}/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
proxy_pass 127.0.0.0:1883;
proxy_pass 127.0.0.0:${toString config.dots.ports.mqtt.port};
proxy_protocol on;
proxy_connect_timeout 10s;
# Default keep-alive time is 10 minutes
@ -41,17 +39,17 @@ in
}
server {
listen 0.0.0.0:8333;
listen 0.0.0.0:9333;
listen [::]:8333;
listen [::]:9333;
proxy_pass ${private_btc}:8333;
listen 0.0.0.0:${toString config.dots.ports.bitcoin-core.port};
listen 0.0.0.0:${toString config.dots.ports.bitcoin-knots.port};
listen [::]:${toString config.dots.ports.bitcoin-core.port};
listen [::]:${toString config.dots.ports.bitcoin-knots.port};
proxy_pass ${private_btc}:${toString config.dots.ports.bitcoin-core.port};
}
server {
listen 0.0.0.0:9735;
listen [::]:9735;
proxy_pass ${private_btc}:9735;
listen 0.0.0.0:${toString config.dots.ports.lnd.port};
listen [::]:${toString config.dots.ports.lnd.port};
proxy_pass ${private_btc}:${toString config.dots.ports.lnd.port};
}
'';
virtualHosts = {
@ -137,32 +135,32 @@ in
"matrix.${domain}" = {
listen = [
{
port = http_port;
inherit (config.dots.ports.http) port;
addr = "0.0.0.0";
}
{
port = http_port;
inherit (config.dots.ports.http) port;
addr = "[::]";
}
{
port = https_port;
inherit (config.dots.ports.https) port;
addr = "0.0.0.0";
ssl = true;
}
{
port = https_port;
inherit (config.dots.ports.https) port;
addr = "[::]";
ssl = true;
}
{
port = 8448;
inherit (config.dots.ports.matrix-federation) port;
addr = "0.0.0.0";
ssl = true;
}
{
port = 8448;
inherit (config.dots.ports.matrix-federation) port;
addr = "[::]";
ssl = true;
}
@ -182,9 +180,9 @@ in
};
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
"/_matrix".proxyPass = "http://[::1]:8008";
"/_matrix".proxyPass = "http://[::1]:${toString config.dots.ports.matrix-synapse.port}";
# Forward requests for e.g. SSO and password-resets.
"/_synapse/client".proxyPass = "http://[::1]:8008";
"/_synapse/client".proxyPass = "http://[::1]:${toString config.dots.ports.matrix-synapse.port}";
};
};
"mqtt.${domain}" = {
@ -199,7 +197,7 @@ in
forceSSL = true;
basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
# OwnTracks Frontend container
locations."/".proxyPass = "http://127.0.0.1:8082";
locations."/".proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-frontend.port}";
};
"pack1828.org" = {
enableACME = true;
@ -217,26 +215,26 @@ in
locations = {
# OwnTracks Recorder
"/" = {
proxyPass = "http://127.0.0.1:8083";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}";
};
"/pub" = {
# Client apps need to point to this path
extraConfig = "proxy_set_header X-Limit-U $remote_user;";
proxyPass = "http://127.0.0.1:8083/pub";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/pub";
};
"/static/" = {
proxyPass = "http://127.0.0.1:8083/static/";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/static/";
};
"/utils/" = {
proxyPass = "http://127.0.0.1:8083/utils/";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/utils/";
};
"/view/" = {
extraConfig = "proxy_buffering off;";
proxyPass = "http://127.0.0.1:8083/view/";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/view/";
};
"/ws" = {
extraConfig = "rewrite ^/(.*) /$1 break;";
proxyPass = "http://127.0.0.1:8083";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}";
};
};
};
@ -244,7 +242,7 @@ in
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:8001";
locations."/".proxyPass = "http://127.0.0.1:${toString config.dots.ports.plausible.port}";
locations."/".proxyWebsockets = true;
extraConfig = ''
access_log /var/log/nginx/stats.${domain}.log;
@ -259,7 +257,7 @@ in
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
locations."/".proxyPass = "http://127.0.0.1:${toString config.dots.ports.uptime-kuma.port}";
};
}; # end virtualHosts
}; # end nginx
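Review bot: The stream listeners on 0.0.0.0 and [::] (mqtt-tls, bitcoin-core, bitcoin-knots, lnd in the second and third hunks) now take their port from config.dots.ports, so whatever firewall rule opens those ports — not in this section — must read the same attributes or a later registry edit will expose a different port than the firewall allows; if the firewall still has literal 8883/8333/9333/9735, change it to something like `networking.firewall.allowedTCPPorts = map (n: config.dots.ports.${n}.port) [ "mqtt-tls" "bitcoin-core" "bitcoin-knots" "lnd" ];` so the registry is the single source of truth. The same applies to the matrix-federation listener in the fourth hunk. Separately, the rewritten `proxy_pass 127.0.0.0:${toString config.dots.ports.mqtt.port};` keeps the pre-existing 127.0.0.0 (the network address of the loopback block); it works only if the MQTT broker binds all loopback addresses, so `127.0.0.1` is the safer explicit form. The enclosing module attribute set starts before the first hunk and continues past this one.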