added endpoints

This commit is contained in:
Adrian Gunnar Lauterer 2023-12-27 22:56:53 +01:00
parent a5d8410635
commit 0436f93900
3 changed files with 42 additions and 17 deletions

View File

@ -1,6 +1,12 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
#declare secrets
sops.secrets."acme/certs" = { };
sops.secrets."nginx/defaultpass" = {
restartUnits = [ "nginx.service" ];
owner = "nginx";
};
networking.domain = "addictedmaker.eu";
#acme and certs helpful blog https://carjorvaz.com/posts/ #acme and certs helpful blog https://carjorvaz.com/posts/
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
@ -8,10 +14,18 @@
certs."${config.networking.domain}" = { certs."${config.networking.domain}" = {
domain = "${config.networking.domain}"; domain = "${config.networking.domain}";
extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"]; extraDomainNames = [
dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/ "*.${config.networking.domain}"
#"${config.networking.domain}"
#"lauterer.it"
"*.lauterer.it"
"*.256.no"
];
dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
dnsPropagationCheck = true; dnsPropagationCheck = true;
credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
#credentialsFile = config.sops.secrets."acme/certs".path;
credentialsFile = "/run/secrets/acme/certs";
}; };
}; };
@ -19,14 +33,6 @@
users.users.nginx.extraGroups = [ "acme" ]; users.users.nginx.extraGroups = [ "acme" ];
users.users.root.extraGroups = [ "acme" ]; users.users.root.extraGroups = [ "acme" ];
#declare secrets
sops.secrets."acme/certs" = { };
sops.secrets."nginx/defaultpass" = {
restartUnits = [ "nginx.service" ];
owner = "nginx";
};
#TODO add oauth2 proxy to auth
# services.oauth2_proxy = { # services.oauth2_proxy = {
# enable = true; # enable = true;
# } # }
@ -68,6 +74,27 @@
basicAuthFile = config.sops.secrets."nginx/defaultpass".path; basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
}; };
virtualHosts."home.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://10.0.0.32:8123";
};
# ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."jellyfin.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.84.215.84:8096";
};
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
# virtualHosts.${"vpn."+config.networking.domain} = { # virtualHosts.${"vpn."+config.networking.domain} = {
# forceSSL = true; # forceSSL = true;
# useACMEHost = "${config.networking.domain}"; # useACMEHost = "${config.networking.domain}";

View File

@ -2,7 +2,7 @@
{ {
environment.systemPackages = [ environment.systemPackages = [
pkgs.openssh pkgs.openssh
pkgs.endlessh pkgs.endlessh-go
pkgs.sshguard pkgs.sshguard
]; ];
@ -21,12 +21,10 @@
# # remove some weaker ciphers # # remove some weaker ciphers
#]; #];
}; };
services.endlessh = { services.endlessh-go = {
enable = true; enable = true;
port = 22; port = 22;
openFirewall = true; openFirewall = true;
}; };
services.sshguard.enable = true; #protection against brute force attacks like fail2ban services.sshguard.enable = true; #protection against brute force attacks like fail2ban
} }