nix-dotfiles/services/nginx.nix

140 lines
4.0 KiB
Nix
Raw Normal View History

{ config, pkgs, lib, ... }:
2023-12-06 22:21:44 +01:00
{
2023-12-27 22:56:53 +01:00
#declare secrets
sops.secrets."acme/certs" = { };
sops.secrets."nginx/defaultpass" = {
restartUnits = [ "nginx.service" ];
owner = "nginx";
};
2024-03-29 19:24:52 +01:00
networking.enableIPv6 = false; # lol for some reason acme works without ipv6
networking.domain = "lauterer.it";
#acme and certs helpful blog https://carjorvaz.com/posts/
security.acme = {
acceptTerms = true;
defaults.email = "adrian+acme@lauterer.it";
certs."${config.networking.domain}" = {
2024-03-29 19:24:52 +01:00
domain = "*.${config.networking.domain}";
2023-12-27 22:56:53 +01:00
extraDomainNames = [
2024-03-29 19:24:52 +01:00
"${config.networking.domain}"
2023-12-27 22:56:53 +01:00
#"${config.networking.domain}"
#"lauterer.it"
2024-03-29 19:24:52 +01:00
#"*.lauterer.it"
#"*.256.no"
2023-12-27 22:56:53 +01:00
];
2024-03-29 19:24:52 +01:00
#server = "https://acme-staging-v02.api.letsencrypt.org/directory"; #for testing.
enableDebugLogs = true;
dnsResolver = "ns1.hyp.net:53";
2023-12-27 22:56:53 +01:00
dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
dnsPropagationCheck = true;
2023-12-27 22:56:53 +01:00
#need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
2024-03-29 19:24:52 +01:00
credentialsFile = config.sops.secrets."acme/certs".path;
};
};
#add proxyserver to acme
users.users.nginx.extraGroups = [ "acme" ];
users.users.root.extraGroups = [ "acme" ];
# services.oauth2_proxy = {
# enable = true;
# }
#proxy stuff
services.nginx = {
enable = true;
statusPage = true;
enableReload = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
logError = "syslog:server=unix:/dev/log";
commonHttpConfig = ''
access_log syslog:server=unix:/dev/log;
'';
virtualHosts."managment.funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://100.104.182.48";
2023-12-06 22:21:44 +01:00
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
2023-12-06 22:21:44 +01:00
proxyPass = "https://100.104.182.48:30044";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
2023-12-27 22:56:53 +01:00
};
virtualHosts."home.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://10.0.0.32:8123";
};
# ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."jellyfin.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.84.215.84:8096";
};
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
2023-12-06 22:21:44 +01:00
# virtualHosts.${"vpn."+config.networking.domain} = {
# forceSSL = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyWebsockets = true;
# proxyPass = "http://localhost:${toString config.services.headscale.port}";
# };
# };
# virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
# forceSSL = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyWebsockets = true;
# proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
# };
# };
# virtualHosts.${"jellyfin."+config.networking.domain} = {
# forceSSL = true;
# #enableACME = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyPass = "http://jellyfin.galadriel";
# proxyWebsockets = true;
# basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
2023-12-06 22:21:44 +01:00
# };
# };
};
}