nix-dotfiles/services/nginx.nix

{ config, pkgs, lib, ... }:
{  
  #declare secrets
  sops.secrets."acme/certs" = {  };
  sops.secrets."nginx/defaultpass" = {
    restartUnits = [ "nginx.service" ];
    owner = "nginx";
  };
  networking.domain = "addictedmaker.eu";
  #acme and certs helpful blog https://carjorvaz.com/posts/
  security.acme = {
    acceptTerms = true;
    defaults.email = "adrian+acme@lauterer.it";
    
    certs."${config.networking.domain}" = {
      domain = "${config.networking.domain}";
      extraDomainNames = [ 
        "*.${config.networking.domain}"
        #"${config.networking.domain}"
        #"lauterer.it"
        "*.lauterer.it"
        "*.256.no"
      ];
      dnsProvider = "domeneshop";   # from here according to provider https://go-acme.github.io/lego/dns/ 
      dnsPropagationCheck = true;
      #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
      #credentialsFile =  config.sops.secrets."acme/certs".path; 
      credentialsFile =  "/run/secrets/acme/certs"; 
    };
  };

  #add proxyserver to acme
  users.users.nginx.extraGroups = [ "acme" ];
  users.users.root.extraGroups = [ "acme" ];

  # services.oauth2_proxy = {
  #   enable = true;
  # }


    #proxy stuff
  services.nginx = {
    enable = true;
    statusPage = true;
    enableReload = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    logError = "syslog:server=unix:/dev/log";
    commonHttpConfig = ''
     access_log syslog:server=unix:/dev/log;
    '';


    virtualHosts."managment.funn-nas.lauterer.it" = {
      forceSSL = true;
      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "https://100.104.182.48";
      };
      basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
    };

    virtualHosts."funn-nas.lauterer.it" = {
      forceSSL = true;
      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "https://100.104.182.48:30044";
      };
      basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
    };
    
    virtualHosts."home.lauterer.it" = {
      forceSSL = true;
      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "http://10.0.0.32:8123";
      };
      # ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.
      #basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
    };

    virtualHosts."jellyfin.lauterer.it" = {
      forceSSL = true;
      useACMEHost = config.networking.domain;
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "http://100.84.215.84:8096";
      };
      #basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
    };

   # virtualHosts.${"vpn."+config.networking.domain} = {
   #   forceSSL = true;
   #   useACMEHost = "${config.networking.domain}";
   #   locations."/" = {
   #     proxyWebsockets = true;
   #     proxyPass = "http://localhost:${toString config.services.headscale.port}";
   #   };
   # };

   # virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
   #   forceSSL = true;
   #   useACMEHost = "${config.networking.domain}";
   #   locations."/" = {
   #     proxyWebsockets = true;
   #     proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";

   #   };
   # };

   # virtualHosts.${"jellyfin."+config.networking.domain} = {
   #   forceSSL = true;
   #   #enableACME = true;
   #   useACMEHost = "${config.networking.domain}";
   #   locations."/" = {
   #     proxyPass = "http://jellyfin.galadriel";
   #     proxyWebsockets = true;
   #     basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
   #   };
   # };
  };


}
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`{ config, pkgs, lib, ... }:`
update from celebrian 2023-12-06 22:21:44 +01:00			`{`
added endpoints 2023-12-27 22:56:53 +01:00			`#declare secrets`
			`sops.secrets."acme/certs" = { };`
			`sops.secrets."nginx/defaultpass" = {`
			`restartUnits = [ "nginx.service" ];`
			`owner = "nginx";`
			`};`
			`networking.domain = "addictedmaker.eu";`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`#acme and certs helpful blog https://carjorvaz.com/posts/`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "adrian+acme@lauterer.it";`

			`certs."${config.networking.domain}" = {`
			`domain = "${config.networking.domain}";`
added endpoints 2023-12-27 22:56:53 +01:00			`extraDomainNames = [`
			`"*.${config.networking.domain}"`
			`#"${config.networking.domain}"`
			`#"lauterer.it"`
			`"*.lauterer.it"`
			`"*.256.no"`
			`];`
			`dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`dnsPropagationCheck = true;`
added endpoints 2023-12-27 22:56:53 +01:00			`#need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml`
			`#credentialsFile = config.sops.secrets."acme/certs".path;`
			`credentialsFile = "/run/secrets/acme/certs";`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`};`
			`};`

			`#add proxyserver to acme`
			`users.users.nginx.extraGroups = [ "acme" ];`
			`users.users.root.extraGroups = [ "acme" ];`

			`# services.oauth2_proxy = {`
			`# enable = true;`
			`# }`


			`#proxy stuff`
			`services.nginx = {`
			`enable = true;`
			`statusPage = true;`
			`enableReload = true;`
			`recommendedTlsSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`

moved fail2ban to service file added webhost profile 2023-12-10 21:14:55 +01:00			`logError = "syslog:server=unix:/dev/log";`
			`commonHttpConfig = ''`
			`access_log syslog:server=unix:/dev/log;`
			`'';`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00
moved fail2ban to service file added webhost profile 2023-12-10 21:14:55 +01:00
			`virtualHosts."managment.funn-nas.lauterer.it" = {`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`forceSSL = true;`
moved fail2ban to service file added webhost profile 2023-12-10 21:14:55 +01:00			`useACMEHost = config.networking.domain;`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`locations."/" = {`
			`proxyWebsockets = true;`
moved fail2ban to service file added webhost profile 2023-12-10 21:14:55 +01:00			`proxyPass = "https://100.104.182.48";`
update from celebrian 2023-12-06 22:21:44 +01:00			`};`
moved nginx secret to sops and basicAuthFile 2023-12-10 01:20:18 +01:00			`basicAuthFile = config.sops.secrets."nginx/defaultpass".path;`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`};`

moved fail2ban to service file added webhost profile 2023-12-10 21:14:55 +01:00			`virtualHosts."funn-nas.lauterer.it" = {`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`forceSSL = true;`
moved fail2ban to service file added webhost profile 2023-12-10 21:14:55 +01:00			`useACMEHost = config.networking.domain;`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`locations."/" = {`
			`proxyWebsockets = true;`
update from celebrian 2023-12-06 22:21:44 +01:00			`proxyPass = "https://100.104.182.48:30044";`
			`};`
moved nginx secret to sops and basicAuthFile 2023-12-10 01:20:18 +01:00			`basicAuthFile = config.sops.secrets."nginx/defaultpass".path;`
added endpoints 2023-12-27 22:56:53 +01:00			`};`

			`virtualHosts."home.lauterer.it" = {`
			`forceSSL = true;`
			`useACMEHost = config.networking.domain;`
			`locations."/" = {`
			`proxyWebsockets = true;`
			`proxyPass = "http://10.0.0.32:8123";`
			`};`
			`# ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.`
			`#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;`
			`};`

			`virtualHosts."jellyfin.lauterer.it" = {`
			`forceSSL = true;`
			`useACMEHost = config.networking.domain;`
			`locations."/" = {`
			`proxyWebsockets = true;`
			`proxyPass = "http://100.84.215.84:8096";`
			`};`
			`#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`};`
update from celebrian 2023-12-06 22:21:44 +01:00
			`# virtualHosts.${"vpn."+config.networking.domain} = {`
			`# forceSSL = true;`
			`# useACMEHost = "${config.networking.domain}";`
			`# locations."/" = {`
			`# proxyWebsockets = true;`
			`# proxyPass = "http://localhost:${toString config.services.headscale.port}";`
			`# };`
			`# };`

			`# virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)`
			`# forceSSL = true;`
			`# useACMEHost = "${config.networking.domain}";`
			`# locations."/" = {`
			`# proxyWebsockets = true;`
			`# proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";`

			`# };`
			`# };`

			`# virtualHosts.${"jellyfin."+config.networking.domain} = {`
			`# forceSSL = true;`
			`# #enableACME = true;`
			`# useACMEHost = "${config.networking.domain}";`
			`# locations."/" = {`
			`# proxyPass = "http://jellyfin.galadriel";`
			`# proxyWebsockets = true;`
moved nginx secret to sops and basicAuthFile 2023-12-10 01:20:18 +01:00			`# basicAuthFile = config.sops.secrets."nginx/defaultpass".path;`
update from celebrian 2023-12-06 22:21:44 +01:00			`# };`
			`# };`
added old config files and started moving stuff to seperate modules. 2023-09-24 03:59:47 +02:00			`};`


			`}`