made web_services dir

2026-04-17 04:58:19 -04:00 · 2026-04-13 18:53:27 -04:00
parent 5ddf1c4cab
commit d6eec926e7
5 changed files with 39 additions and 30 deletions
--- a/systems/jeeves/services/acme.nix
+++ b/systems/jeeves/services/acme.nix
@@ -1,63 +0,0 @@
-{
-  users.users.haproxy.extraGroups = [ "acme" ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "Richie@tmmworkshop.com";
-
-    certs."gitea.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."audiobookshelf.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."cache.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."jellyfin.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."share.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-  };
-
-  # Minimal nginx to serve ACME HTTP-01 challenge files for HAProxy
-  services.nginx = {
-    enable = true;
-    virtualHosts."acme-challenge" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 8402;
-        }
-      ];
-      locations."/.well-known/acme-challenge/" = {
-        root = "/var/lib/acme/.challenges";
-      };
-    };
-  };
-
-  # Ensure the challenge directory exists with correct permissions
-  systemd.tmpfiles.rules = [
-    "d /var/lib/acme/.challenges 0750 acme acme - -"
-    "d /var/lib/acme/.challenges/.well-known 0750 acme acme - -"
-    "d /var/lib/acme/.challenges/.well-known/acme-challenge 0750 acme acme - -"
-  ];
-
-  users.users.nginx.extraGroups = [ "acme" ];
-}
--- a/systems/jeeves/services/haproxy.cfg
+++ b/systems/jeeves/services/haproxy.cfg
@@ -1,78 +0,0 @@
-global
-  log stdout format raw local0
-  # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
-  stats timeout 30s
-
-defaults
-  log global
-  mode http
-  option httplog
-  retries 3
-  maxconn 2000
-  timeout connect 5s
-  timeout client 50s
-  timeout server 50s
-  timeout http-request 10s
-  timeout http-keep-alive 2s
-  timeout queue 5s
-  timeout tunnel 2m
-  timeout client-fin 1s
-  timeout server-fin 1s
-
-
-#Application Setup
-frontend ContentSwitching
-  bind *:80 v4v6
-  bind *:443 v4v6 ssl crt /var/lib/acme/audiobookshelf.tmmworkshop.com/full.pem crt /var/lib/acme/cache.tmmworkshop.com/full.pem crt /var/lib/acme/jellyfin.tmmworkshop.com/full.pem crt /var/lib/acme/share.tmmworkshop.com/full.pem crt /var/lib/acme/gitea.tmmworkshop.com/full.pem
-  mode  http
-
-  # ACME challenge routing (must be first)
-  acl is_acme path_beg /.well-known/acme-challenge/
-  use_backend acme_challenge if is_acme
-
-  # tmmworkshop.com
-  acl host_audiobookshelf  hdr(host) -i audiobookshelf.tmmworkshop.com
-  acl host_cache  hdr(host) -i cache.tmmworkshop.com
-  acl host_jellyfin  hdr(host) -i jellyfin.tmmworkshop.com
-  acl host_share  hdr(host) -i share.tmmworkshop.com
-  acl host_gitea  hdr(host) -i gitea.tmmworkshop.com
-
-  # Hosts allowed to serve plain HTTP (add entries to skip the HTTPS redirect)
-  acl allow_http hdr(host) -i __none__
-  # acl allow_http hdr(host) -i example.tmmworkshop.com
-
-  # Redirect all HTTP to HTTPS unless on the allow list or ACME challenge
-  http-request redirect scheme https code 301 if !{ ssl_fc } !allow_http !is_acme
-
-  use_backend audiobookshelf_nodes if host_audiobookshelf
-  use_backend cache_nodes  if host_cache
-  use_backend jellyfin if host_jellyfin
-  use_backend share_nodes  if host_share
-  use_backend gitea  if host_gitea
-
-backend acme_challenge
-  mode http
-  server acme 127.0.0.1:8402
-
-backend audiobookshelf_nodes
-  mode http
-  server server 127.0.0.1:8000
-
-backend cache_nodes
-  mode http
-  server server 127.0.0.1:5000
-
-backend jellyfin
-    option httpchk
-    option forwardfor
-    http-check send meth GET uri /health
-    http-check expect string Healthy
-    server jellyfin 127.0.0.1:8096
-
-backend share_nodes
-  mode http
-  server server 127.0.0.1:8091
-
-backend gitea
-  mode http
-  server server 127.0.0.1:6443
--- a/systems/jeeves/services/haproxy.nix
+++ b/systems/jeeves/services/haproxy.nix
@@ -1,11 +0,0 @@
-{
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
-  services.haproxy = {
-    enable = true;
-    config = builtins.readFile ./haproxy.cfg;
-  };
-}