Add ngixn with ssl in front of minio

2021-10-06 10:59:39 +02:00
parent e92f1a6bff
commit 7226e50139
5 changed files with 125 additions and 4 deletions
--- a/clusters/fs1/default.nix
+++ b/clusters/fs1/default.nix
@@ -5,7 +5,6 @@ let
  #   sha256 = "1ckzhh24mgz6jd1xhfgx0i9mijk6xjqxwsshnvq789xsavrmsc36";
  # }) {};
  pkgs = import <nixpkgs> {};
-
  name = "fs1-0";
  address = "10.1.30.10";
 in {
@@ -20,7 +19,7 @@ in {
      loader.grub = {
        enable = true;
        version = 2;
-        device = "/dev/sda1";
+        device = "/dev/sda";
      };
    };

@@ -57,6 +56,36 @@ in {
        '';
        initca = ./ca;
      };
+
+      certs = {
+        enable = true;
+        caBundle = ./ca;
+        certs = [
+          {
+            name = "fs1-0";
+            SANs = [ "fs1-0.itpartner.intern" "10.1.30.10" ];
+            owner = "nginx";
+            group = "nginx";
+          }
+        ];
+      };
+    };
+
+    services.prometheus.exporters = {
+      node = {
+        enable = true;
+        openFirewall = true;
+      };
+    };
+
+    services.minio = {
+      enable = true;
+      region = "fs1";
+      browser = true;
+      accessKey = "admin";
+      secretKey = "en to tre fire";
+      listenAddress = "0.0.0.0:9000";
+      dataDir = [ "/vol/s3" ];
    };

    networking = {
@@ -73,8 +102,39 @@ in {
          prefixLength = 24;
        } ];
      };
+      firewall = {
+        allowedTCPPorts = [ 443 9000 9001 ];
+        allowedUDPPorts = [];
+      };
    };

+    services.nginx = {
+      enable = true;
+      statusPage = true;
+      virtualHosts = {
+        "fs1-0.itpartner.intern" = {
+          forceSSL = true;
+          enableACME = false;
+          sslTrustedCertificate = "/var/lib/secrets/ca.pem";
+          sslCertificate = "/var/lib/secrets/fs1-0.pem";
+          sslCertificateKey = "/var/lib/secrets/fs1-0-key.pem";
+          serverAliases = [];
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:9001";
+            extraConfig = ''
+              allow all;
+            '';
+          };
+        };
+
+      };
+    };
+
+    # nixos 21.11 will fix this properly
+    nixpkgs.overlays = [ (import ../../modules/overlays/minio.nix) ];
+    systemd.services.minio.serviceConfig.ExecStart = lib.mkForce
+      "${pkgs.minio}/bin/minio server --json --address :9000 --console-address :9001 --config-dir=/var/lib/minio/config /vol/s3";
+
    imports = [ ../../nixos ../../modules ./fs1-0.nix ];
  };
 }