oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add ngixn with ssl in front of minio

Browse Source
This commit is contained in:
Jonas Juselius
2021-10-06 10:59:39 +02:00
parent e92f1a6bff
commit 7226e50139
5 changed files with 125 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
clusters/fs1/default.nix
View File

@@ -5,7 +5,6 @@ let
# sha256 = "1ckzhh24mgz6jd1xhfgx0i9mijk6xjqxwsshnvq789xsavrmsc36";
# }) {};
pkgs = import <nixpkgs> {};
name = "fs1-0";
address = "10.1.30.10";
in {
@@ -20,7 +19,7 @@ in {
loader.grub = {
enable = true;
version = 2;
device = "/dev/sda1";
device = "/dev/sda";
};
};
@@ -57,6 +56,36 @@ in {
'';
initca = ./ca;
};
certs = {
enable = true;
caBundle = ./ca;
certs = [
{
name = "fs1-0";
SANs = [ "fs1-0.itpartner.intern" "10.1.30.10" ];
owner = "nginx";
group = "nginx";
}
];
};
};
services.prometheus.exporters = {
node = {
enable = true;
openFirewall = true;
};
};
services.minio = {
enable = true;
region = "fs1";
browser = true;
accessKey = "admin";
secretKey = "en to tre fire";
listenAddress = "0.0.0.0:9000";
dataDir = [ "/vol/s3" ];
};
networking = {
@@ -73,7 +102,38 @@ in {
prefixLength = 24;
} ];
};
firewall = {
allowedTCPPorts = [ 443 9000 9001 ];
allowedUDPPorts = [];
};
};
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"fs1-0.itpartner.intern" = {
forceSSL = true;
enableACME = false;
sslTrustedCertificate = "/var/lib/secrets/ca.pem";
sslCertificate = "/var/lib/secrets/fs1-0.pem";
sslCertificateKey = "/var/lib/secrets/fs1-0-key.pem";
serverAliases = [];
locations."/" = {
proxyPass = "http://127.0.0.1:9001";
extraConfig = ''
allow all;
'';
};
};
};
};
# nixos 21.11 will fix this properly
nixpkgs.overlays = [ (import ../../modules/overlays/minio.nix) ];
systemd.services.minio.serviceConfig.ExecStart = lib.mkForce
"${pkgs.minio}/bin/minio server --json --address :9000 --console-address :9001 --config-dir=/var/lib/minio/config /vol/s3";
imports = [ ../../nixos ../../modules ./fs1-0.nix ];
};

1
clusters/fs1/fs1-0.nix
View File

@@ -25,5 +25,4 @@
swapDevices = [ ];
virtualisation.vmware.guest.enable = true;
}

62
clusters/fs2/default.nix
View File

@@ -42,6 +42,7 @@ in {
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== ski027@uit.no"
];
};
fs = {
enable = true;
nfs.enable = true;
@@ -50,6 +51,36 @@ in {
'';
initca = ./ca;
};
certs = {
enable = true;
caBundle = ./ca;
certs = [
{
name = "fs2-0";
SANs = [ "fs2-0.itpartner.intern" "10.1.8.10" ];
owner = "nginx";
group = "nginx";
}
];
};
};
services.minio = {
enable = true;
region = "fs2";
browser = true;
accessKey = "admin";
secretKey = "en to tre fire";
listenAddress = "0.0.0.0:9000";
dataDir = [ "/vol/s3" ];
};
services.prometheus.exporters = {
node = {
enable = true;
openFirewall = true;
};
};
networking = {
@@ -66,7 +97,38 @@ in {
prefixLength = 24;
} ];
};
firewall = {
allowedTCPPorts = [ 443 9000 9001 ];
allowedUDPPorts = [];
};
};
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"fs2-0.itpartner.intern" = {
forceSSL = true;
enableACME = false;
sslTrustedCertificate = "/var/lib/secrets/ca.pem";
sslCertificate = "/var/lib/secrets/fs2-0.pem";
sslCertificateKey = "/var/lib/secrets/fs2-0-key.pem";
serverAliases = [];
locations."/" = {
proxyPass = "http://127.0.0.1:9001";
extraConfig = ''
allow all;
'';
};
};
};
};
# nixos 21.11 will fix this properly
nixpkgs.overlays = [ (import ../../modules/overlays/minio.nix) ];
systemd.services.minio.serviceConfig.ExecStart = lib.mkForce
"${pkgs.minio}/bin/minio server --json --address :9000 --console-address :9001 --config-dir=/var/lib/minio/config /vol/s3";
imports = [ ../../nixos ../../modules ./fs2-0.nix ];
};

0
clusters/stokes/stokes.nix → clusters/stokes/morph.nix
View File

2
modules

Submodule modules updated: 6880bb839e...328fe7a33a