diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index 3b3486c..fbb8851 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -78,4 +78,7 @@ in {
 enable = true;
 nginx.enable = true;
 };
+
+ security.acme.email = "info+acme@hacc.space";
+ security.acme.acceptTerms = true;
 }
diff --git a/configuration/hosts/cdn/node-1/configuration.nix b/configuration/hosts/cdn/node-1/configuration.nix
new file mode 100644
index 0000000..ab56c19
--- /dev/null
+++ b/configuration/hosts/cdn/node-1/configuration.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-config.nix
+ ../../../common
+ ../../../server/cdn-node.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.devices = [ "/dev/sda" ];
+
+ networking.interfaces.ens3.useDHCP = true;
+ networking.hostName = "cdn-node-1";
+
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.03"; # Did you read the comment?
+}
diff --git a/configuration/hosts/cdn/node-1/hardware-config.nix b/configuration/hosts/cdn/node-1/hardware-config.nix
new file mode 100644
index 0000000..f5af44c
--- /dev/null
+++ b/configuration/hosts/cdn/node-1/hardware-config.nix
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/52dddb3d-9294-4105-9157-bf003dc7bdf9";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nix.maxJobs = lib.mkDefault 1;
+}
+
diff --git a/configuration/hosts/default.nix b/configuration/hosts/default.nix
index 0ecdbe5..c95bc6b 100644
--- a/configuration/hosts/default.nix
+++ b/configuration/hosts/default.nix
@@ -2,13 +2,15 @@ let
 hosts = {
 hainich = {
 ssh.host = "hainich.hacc.space";
- channel = "nixos-unstable";
 groups = [ "server" "hacc" ];
 };
 nixda = {
 ssh.host = "nixda.hacc.space";
- channel = "nixos-20.09";
- groups = [ "server" "hacc" "live" ];
+ groups = [ "server" "desktop" "hacc" "live" ];
+ };
+ "cdn/node-1" = {
+ ssh.host = "cdn-node-1.live.hacc.media";
+ groups = [ "server" "hacc" "live" "livecdn" "livecdn-node" ];
 };
 };
 pkgs = import {};
diff --git a/configuration/server/cdn-node.nix b/configuration/server/cdn-node.nix
new file mode 100644
index 0000000..2262c82
--- /dev/null
+++ b/configuration/server/cdn-node.nix
@@ -0,0 +1,79 @@
+{config, lib, pkgs, ...}:
+
+{
+ networking.firewall.allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPs
+ ];
+
+ services.netdata = {
+ enable = true;
+ };
+
+ # Enable nginx service
+ services.nginx = {
+ enable = true;
+ # Use recommended settings
+ # Don't use recommended Proxy settings because it does funky things with the setup
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."${config.networking.hostName}.live.hacc.media" = {
+ forceSSL = true;
+ enableACME = true;
+# basicAuth = basicAuthLogin;
+ locations = {
+ "~* \\.(m3u8)$" = {
+ proxyPass = "https://cdn-master.live.hacc.media$request_uri";
+ extraConfig = ''
+ #proxy_cache = off;
+ expires 3s;
+ auth_basic off;
+ '';
+ };
+ "/hls" = {
+ proxyPass = "https://cdn-master.live.hacc.media$request_uri";
+ extraConfig = ''
+ types {
+ application/vnd.apple.mpegurl m3u8;
+ video/mp2t ts;
+ }
+ proxy_cache hls;
+ proxy_ignore_headers Cache-Control;
+ proxy_cache_valid any 30m;
+ auth_basic off;
+ '';
+
+ };
+ "/stats" = {
+ return = "301 /stats/";
+ };
+ "~ /stats/(?.*)" = {
+ proxyPass = "http://127.0.0.1:19999/$ndpath$is_args$args";
+ extraConfig = ''
+ proxy_redirect off;
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_pass_request_headers on;
+ proxy_set_header Connection "keep-alive";
+ proxy_store off;
+
+ gzip on;
+ gzip_proxied any;
+ gzip_types *;
+ '';
+ };
+
+ };
+ };
+
+ appendHttpConfig = ''
+ proxy_cache_path /tmp keys_zone=hls:10m max_size=10g inactive=60m use_temp_path=on;
+ resolver 1.1.1.1;
+ '';
+ };
+}
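Review bot: The netdata dashboard proxied at the `"~ /stats/(?.*)"` location is reachable on the public vhost with no authentication, because the vhost's `basicAuth` line is commented out and nothing else restricts `/stats/`; netdata typically exposes detailed host and process metrics that should not be public. Either re-enable authentication on the vhost with `basicAuthFile = "<path-to-htpasswd>";` (the `auth_basic off;` lines on the HLS locations already anticipate that) or add `extraConfig = ''allow <admin-cidr>; deny all;''` to the stats location. Separately, the two `proxyPass = "https://cdn-master.live.hacc.media$request_uri"` upstreams are not certificate-verified by nginx by default (`proxy_ssl_verify` is off) and the name is resolved through the plain `resolver 1.1.1.1;`, so consider adding `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl_server_name on;` to those locations. The stats regex appears to have lost its capture name in this rendering while `$ndpath` is referenced below it, so confirm the committed file carries the full named group. Also `proxy_cache_path /tmp ...` writes the HLS cache into the shared `/tmp` root, which is often a size-limited tmpfs and subject to cleanup; a dedicated directory such as `/var/cache/nginx/hls` would be safer.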