2023-09-24 03:59:47 +02:00
{ config , pkgs , lib , . . . }:
2023-12-06 22:21:44 +01:00
{
2023-09-24 03:59:47 +02:00
#acme and certs helpful blog https://carjorvaz.com/posts/
security . acme = {
acceptTerms = true ;
defaults . email = " a d r i a n + a c m e @ l a u t e r e r . i t " ;
certs . " ${ config . networking . domain } " = {
domain = " ${ config . networking . domain } " ;
extraDomainNames = [ " * . ${ config . networking . domain } " " l a u t e r e r . i t " " * . l a u t e r e r . i t " " * . 2 5 6 . n o " " * . 2 5 6 . n o " ] ;
dnsProvider = " d o m e n e s h o p " ; # from here according to privider https://go-acme.github.io/lego/dns/
dnsPropagationCheck = true ;
2023-12-06 22:21:44 +01:00
credentialsFile = config . sops . secrets . " a c m e / c e r t s " . path ; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
2023-09-24 03:59:47 +02:00
} ;
} ;
#add proxyserver to acme
users . users . nginx . extraGroups = [ " a c m e " ] ;
users . users . root . extraGroups = [ " a c m e " ] ;
2023-12-10 18:34:28 +01:00
#declare secrets
sops . secrets . " a c m e / c e r t s " = { } ;
sops . secrets . " n g i n x / d e f a u l t p a s s " = {
restartUnits = [ " n g i n x . s e r v i c e " ] ;
owner = " n g i n x " ;
} ;
2023-09-24 03:59:47 +02:00
#TODO add oauth2 proxy to auth
# services.oauth2_proxy = {
# enable = true;
# }
#proxy stuff
services . nginx = {
enable = true ;
statusPage = true ;
enableReload = true ;
recommendedTlsSettings = true ;
recommendedProxySettings = true ;
recommendedGzipSettings = true ;
recommendedOptimisation = true ;
2023-12-06 22:21:44 +01:00
virtualHosts . ${ " m a n a g m e n t . f u n n - n a s . l a u t e r e r . i t " } = {
2023-09-24 03:59:47 +02:00
forceSSL = true ;
useACMEHost = " ${ config . networking . domain } " ;
locations . " / " = {
proxyWebsockets = true ;
2023-12-06 22:21:44 +01:00
proxyPass = " h t t p : / / 1 0 0 . 1 0 4 . 1 8 2 . 4 8 " ;
} ;
2023-12-10 01:20:18 +01:00
basicAuthFile = config . sops . secrets . " n g i n x / d e f a u l t p a s s " . path ;
2023-09-24 03:59:47 +02:00
} ;
2023-12-06 22:21:44 +01:00
virtualHosts . ${ " f u n n - n a s . l a u t e r e r . i t " } = {
2023-09-24 03:59:47 +02:00
forceSSL = true ;
useACMEHost = " ${ config . networking . domain } " ;
locations . " / " = {
proxyWebsockets = true ;
2023-12-06 22:21:44 +01:00
proxyPass = " h t t p s : / / 1 0 0 . 1 0 4 . 1 8 2 . 4 8 : 3 0 0 4 4 " ;
} ;
2023-12-10 01:20:18 +01:00
basicAuthFile = config . sops . secrets . " n g i n x / d e f a u l t p a s s " . path ;
2023-09-24 03:59:47 +02:00
} ;
2023-12-06 22:21:44 +01:00
# virtualHosts.${"vpn."+config.networking.domain} = {
# forceSSL = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyWebsockets = true;
# proxyPass = "http://localhost:${toString config.services.headscale.port}";
# };
# };
# virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
# forceSSL = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyWebsockets = true;
# proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
# };
# };
# virtualHosts.${"jellyfin."+config.networking.domain} = {
# forceSSL = true;
# #enableACME = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyPass = "http://jellyfin.galadriel";
# proxyWebsockets = true;
2023-12-10 01:20:18 +01:00
# basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
2023-12-06 22:21:44 +01:00
# };
# };
2023-09-24 03:59:47 +02:00
} ;
}