added endpoints
This commit is contained in:
parent
a5d8410635
commit
0436f93900
|
@ -16,7 +16,7 @@
|
||||||
sops.age.sshKeyPaths = [
|
sops.age.sshKeyPaths = [
|
||||||
"/etc/ssh/nixos"
|
"/etc/ssh/nixos"
|
||||||
#"/$HOME/.ssh/nixos"
|
#"/$HOME/.ssh/nixos"
|
||||||
#"/home/gunalx/.ssh/nixos"
|
#"/home/gunalx/.ssh/nixos"
|
||||||
];
|
];
|
||||||
# This is using an age key that is expected to already be in the filesystem
|
# This is using an age key that is expected to already be in the filesystem
|
||||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
|
|
@ -1,6 +1,12 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
{
|
{
|
||||||
|
#declare secrets
|
||||||
|
sops.secrets."acme/certs" = { };
|
||||||
|
sops.secrets."nginx/defaultpass" = {
|
||||||
|
restartUnits = [ "nginx.service" ];
|
||||||
|
owner = "nginx";
|
||||||
|
};
|
||||||
|
networking.domain = "addictedmaker.eu";
|
||||||
#acme and certs helpful blog https://carjorvaz.com/posts/
|
#acme and certs helpful blog https://carjorvaz.com/posts/
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
|
@ -8,10 +14,18 @@
|
||||||
|
|
||||||
certs."${config.networking.domain}" = {
|
certs."${config.networking.domain}" = {
|
||||||
domain = "${config.networking.domain}";
|
domain = "${config.networking.domain}";
|
||||||
extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
|
extraDomainNames = [
|
||||||
dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/
|
"*.${config.networking.domain}"
|
||||||
|
#"${config.networking.domain}"
|
||||||
|
#"lauterer.it"
|
||||||
|
"*.lauterer.it"
|
||||||
|
"*.256.no"
|
||||||
|
];
|
||||||
|
dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
|
||||||
dnsPropagationCheck = true;
|
dnsPropagationCheck = true;
|
||||||
credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
#need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
||||||
|
#credentialsFile = config.sops.secrets."acme/certs".path;
|
||||||
|
credentialsFile = "/run/secrets/acme/certs";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -19,14 +33,6 @@
|
||||||
users.users.nginx.extraGroups = [ "acme" ];
|
users.users.nginx.extraGroups = [ "acme" ];
|
||||||
users.users.root.extraGroups = [ "acme" ];
|
users.users.root.extraGroups = [ "acme" ];
|
||||||
|
|
||||||
#declare secrets
|
|
||||||
sops.secrets."acme/certs" = { };
|
|
||||||
sops.secrets."nginx/defaultpass" = {
|
|
||||||
restartUnits = [ "nginx.service" ];
|
|
||||||
owner = "nginx";
|
|
||||||
};
|
|
||||||
|
|
||||||
#TODO add oauth2 proxy to auth
|
|
||||||
# services.oauth2_proxy = {
|
# services.oauth2_proxy = {
|
||||||
# enable = true;
|
# enable = true;
|
||||||
# }
|
# }
|
||||||
|
@ -68,6 +74,27 @@
|
||||||
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
|
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
virtualHosts."home.lauterer.it" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = config.networking.domain;
|
||||||
|
locations."/" = {
|
||||||
|
proxyWebsockets = true;
|
||||||
|
proxyPass = "http://10.0.0.32:8123";
|
||||||
|
};
|
||||||
|
# ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.
|
||||||
|
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualHosts."jellyfin.lauterer.it" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = config.networking.domain;
|
||||||
|
locations."/" = {
|
||||||
|
proxyWebsockets = true;
|
||||||
|
proxyPass = "http://100.84.215.84:8096";
|
||||||
|
};
|
||||||
|
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
|
||||||
|
};
|
||||||
|
|
||||||
# virtualHosts.${"vpn."+config.networking.domain} = {
|
# virtualHosts.${"vpn."+config.networking.domain} = {
|
||||||
# forceSSL = true;
|
# forceSSL = true;
|
||||||
# useACMEHost = "${config.networking.domain}";
|
# useACMEHost = "${config.networking.domain}";
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
{
|
{
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
pkgs.openssh
|
pkgs.openssh
|
||||||
pkgs.endlessh
|
pkgs.endlessh-go
|
||||||
pkgs.sshguard
|
pkgs.sshguard
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -21,12 +21,10 @@
|
||||||
# # remove some weaker ciphers
|
# # remove some weaker ciphers
|
||||||
#];
|
#];
|
||||||
};
|
};
|
||||||
services.endlessh = {
|
services.endlessh-go = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 22;
|
port = 22;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
};
|
};
|
||||||
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
|
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue