From 0436f939004ac5efa138511ffabf77486fd7a8eb Mon Sep 17 00:00:00 2001 From: Adrian G L Date: Wed, 27 Dec 2023 22:56:53 +0100 Subject: [PATCH] added endpoints --- profiles/sops.nix | 2 +- services/nginx.nix | 51 +++++++++++++++++++++++++++++++++++----------- services/ssh.nix | 6 ++---- 3 files changed, 42 insertions(+), 17 deletions(-) diff --git a/profiles/sops.nix b/profiles/sops.nix index da0aad5..2f63232 100644 --- a/profiles/sops.nix +++ b/profiles/sops.nix @@ -16,7 +16,7 @@ sops.age.sshKeyPaths = [ "/etc/ssh/nixos" #"/$HOME/.ssh/nixos" - #"/home/gunalx/.ssh/nixos" + #"/home/gunalx/.ssh/nixos" ]; # This is using an age key that is expected to already be in the filesystem sops.age.keyFile = "/var/lib/sops-nix/key.txt"; diff --git a/services/nginx.nix b/services/nginx.nix index ccb793c..394eca1 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -1,6 +1,12 @@ { config, pkgs, lib, ... }: { - + #declare secrets + sops.secrets."acme/certs" = { }; + sops.secrets."nginx/defaultpass" = { + restartUnits = [ "nginx.service" ]; + owner = "nginx"; + }; + networking.domain = "addictedmaker.eu"; #acme and certs helpful blog https://carjorvaz.com/posts/ security.acme = { acceptTerms = true; @@ -8,10 +14,18 @@ certs."${config.networking.domain}" = { domain = "${config.networking.domain}"; - extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"]; - dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/ + extraDomainNames = [ + "*.${config.networking.domain}" + #"${config.networking.domain}" + #"lauterer.it" + "*.lauterer.it" + "*.256.no" + ]; + dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/ dnsPropagationCheck = true; - credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml + #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml + #credentialsFile = config.sops.secrets."acme/certs".path; + credentialsFile = "/run/secrets/acme/certs"; }; }; @@ -19,14 +33,6 @@ users.users.nginx.extraGroups = [ "acme" ]; users.users.root.extraGroups = [ "acme" ]; - #declare secrets - sops.secrets."acme/certs" = { }; - sops.secrets."nginx/defaultpass" = { - restartUnits = [ "nginx.service" ]; - owner = "nginx"; - }; - - #TODO add oauth2 proxy to auth # services.oauth2_proxy = { # enable = true; # } @@ -67,6 +73,27 @@ }; basicAuthFile = config.sops.secrets."nginx/defaultpass".path; }; + + virtualHosts."home.lauterer.it" = { + forceSSL = true; + useACMEHost = config.networking.domain; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://10.0.0.32:8123"; + }; + # ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet. + #basicAuthFile = config.sops.secrets."nginx/defaultpass".path; + }; + + virtualHosts."jellyfin.lauterer.it" = { + forceSSL = true; + useACMEHost = config.networking.domain; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://100.84.215.84:8096"; + }; + #basicAuthFile = config.sops.secrets."nginx/defaultpass".path; + }; # virtualHosts.${"vpn."+config.networking.domain} = { # forceSSL = true; diff --git a/services/ssh.nix b/services/ssh.nix index 37e5514..a530b3f 100644 --- a/services/ssh.nix +++ b/services/ssh.nix @@ -2,7 +2,7 @@ { environment.systemPackages = [ pkgs.openssh - pkgs.endlessh + pkgs.endlessh-go pkgs.sshguard ]; @@ -21,12 +21,10 @@ # # remove some weaker ciphers #]; }; - services.endlessh = { + services.endlessh-go = { enable = true; port = 22; openFirewall = true; }; services.sshguard.enable = true; #protection against brute force attacks like fail2ban - - }