From 24e4ce6c41fe3c9537bc40ad0e230fe947dc4167 Mon Sep 17 00:00:00 2001
From: Adrian G L
Date: Wed, 6 Dec 2023 22:21:44 +0100
Subject: [PATCH] update from celebrian

---
 machines/celebrian/configuration.nix | 53 ++++++++++++-----------
 profiles/base.nix | 2 +-
 profiles/sops.nix | 5 ++-
 services/nginx.nix | 65 +++++++++++++++++++---------
 services/ssh.nix | 14 +++---
 5 files changed, 83 insertions(+), 56 deletions(-)

diff --git a/machines/celebrian/configuration.nix b/machines/celebrian/configuration.nix
index 1f29b7a..3148eff 100644
--- a/machines/celebrian/configuration.nix
+++ b/machines/celebrian/configuration.nix
@@ -8,6 +8,7 @@
 [ # Include the results of the hardware scan.
 ../../profiles/base.nix
 ../../services/ssh.nix
+ ../../services/nginx.nix
 ];
@@ -100,31 +101,31 @@
 #vpn stuff
- #need to run at fresh install to create namespace: headscale namespaces create
- services.headscale = {
- enable = true;
- user = "headscale";
- address = "127.0.0.1";
- port = 8080;
- settings = {
- logtail.enabled = false;
- metrics_listen_addr = "127.0.0.1:9090";
- server_url = "https://${"vpn."+config.networking.domain}";
- dns_config = {
- base_domain = "${config.networking.domain}";
- magic_dns = true;
- nameservers = [
- "1.1.1.1"
- ];
- };
-
- ##should really implement with fex github and kanidm
- #oidc = {
- # issuer = "{config.services.kanidm.serverSettings.origin}";
- # allowed_domains = Domains;
- #};
- };
- };
+# #need to run at fresh install to create namespace: headscale namespaces create
+# services.headscale = {
+# enable = true;
+# user = "headscale";
+# address = "127.0.0.1";
+# port = 8080;
+# settings = {
+# logtail.enabled = false;
+# metrics_listen_addr = "127.0.0.1:9090";
+# server_url = "https://${"vpn."+config.networking.domain}";
+# dns_config = {
+# base_domain = "${config.networking.domain}";
+# magic_dns = true;
+# nameservers = [
+# "1.1.1.1"
+# ];
+# };
+#
+# ##should really implement with fex github and kanidm
+# #oidc = {
+# # issuer = "{config.services.kanidm.serverSettings.origin}";
+# # allowed_domains = Domains;
+# #};
+# };
+# };
 #tailscale
 services.tailscale.enable = true;
@@ -157,9 +158,9 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
 checkReversePath = "loose";
 trustedInterfaces = [ "tailscale0" ];
 allowedUDPPorts = [
- 8096
 80
 443
+ 6969
 #config.services.openssh.ports
 config.services.tailscale.port
 config.services.headscale.port
diff --git a/profiles/base.nix b/profiles/base.nix
index d66c8c6..4daa019 100644
--- a/profiles/base.nix
+++ b/profiles/base.nix
@@ -3,7 +3,7 @@
 imports = [
 ../packages/vim.nix
- #./sops.nix
+ ./sops.nix
 ];
 #nix stuff
diff --git a/profiles/sops.nix b/profiles/sops.nix
index 258856c..0ddbf93 100644
--- a/profiles/sops.nix
+++ b/profiles/sops.nix
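Review bot: The new `6969` entry in `allowedUDPPorts` opens a UDP port that nothing in this patch listens on: 6969 is the SSH port (`ports = [ 6969 ];` in services/ssh.nix), SSH speaks TCP only, and `openFirewall = true;` in that same file already opens TCP 6969, so the line can be dropped. The list also keeps `config.services.headscale.port` although the headscale block in the previous hunk is now commented out; if that option still evaluates to its default, the rule admits UDP traffic to a port with no listener, so remove the reference together with the service or leave a comment on why it stays. The pre-existing `80` and `443` entries raise the same question, because the nginx hosts this commit wires in serve TCP; check that `allowedTCPPorts` (not visible here) opens them, otherwise the new virtual hosts are unreachable from outside. The enclosing `networking.firewall` attrset starts outside the hunk.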
@@ -10,7 +10,8 @@
 # This will add secrets.yml to the nix store
 # You can avoid this by adding a string to the full path instead, i.e.
 # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
- sops.defaultSopsFile = ../secrets/secrets.yaml;
+ sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml";
+ sops.validateSopsFiles = false;
 # This will automatically import SSH keys as age keys
 sops.age.sshKeyPaths = [
 "/etc/ssh/nixos"
@@ -24,6 +25,6 @@
 # This is the actual specification of the secrets.
 #sops.secrets."myservice/my_subdir/my_secret" = {};
- sops.secrets."acme/certs/domeneshop" = { };
+ sops.secrets."acme/certs" = { };
 }
diff --git a/services/nginx.nix b/services/nginx.nix
index 754066f..543f207 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 let
 basicAuthUser = "guest";
- basicAuthPass = "12345678";
+ basicAuthPass = "";
 in
-{
+{
 #acme and certs helpful blog https://carjorvaz.com/posts/
 security.acme = {
@@ -15,7 +15,7 @@ in
 extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
 dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/
 dnsPropagationCheck = true;
- credentialsFile = config.sops.secrets."acme/certs/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
+ credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
 };
 };
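Review bot: `sops.validateSopsFiles = false;` is added without a comment, and the reason is not obvious from the line itself; sops-nix validates secrets files at evaluation time, which requires them to be in the nix store, so validation has to be off once `defaultSopsFile` becomes a string path outside the store. With validation off, a missing or mis-encrypted secrets file is only discovered at activation on the target host, which is worth stating next to the option: `# string path keeps secrets.yaml out of the store; eval-time validation is impossible for a path outside it, so errors surface at activation`. The absolute path also ties every host importing this profile to a checkout at `/etc/nixos/nix-dotfiles`, which deserves a note as well.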
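Review bot: `basicAuthPass = "";` turns the `basicAuth = { guest = basicAuthPass; }` blocks added in the virtualHosts hunk of this file into no authentication at all: the user name is fixed and the password is empty, so the NAS management interface those hosts proxy is reachable from the internet by anyone who types `guest`. If the password was meant to be removed temporarily, disable the `basicAuth` attribute on the hosts instead of blanking the value. Independently of the value, `virtualHosts.<name>.basicAuth` renders the credentials into the world-readable nix store; since sops is now enabled in profiles/base.nix, put an htpasswd file in a sops secret and reference it with `basicAuthFile = config.sops.secrets."<htpasswd-secret-name>".path;` (placeholder name), which keeps the password out of the store and out of the repository. `basicAuthUser` is still defined in this `let` but the hosts hardcode `guest`, so either use it or drop it.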
@@ -39,37 +39,62 @@ in
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
- virtualHosts.${"vpn."+config.networking.domain} = {
+
+ virtualHosts.${"managment.funn-nas.lauterer.it"} = {
 forceSSL = true;
 useACMEHost = "${config.networking.domain}";
 locations."/" = {
 proxyWebsockets = true;
- proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyPass = "http://100.104.182.48";
+ };
+ basicAuth = {
+ guest = basicAuthPass;
 };
 };
- virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
+ virtualHosts.${"funn-nas.lauterer.it"} = {
 forceSSL = true;
 useACMEHost = "${config.networking.domain}";
 locations."/" = {
 proxyWebsockets = true;
- proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
-
+ proxyPass = "https://100.104.182.48:30044";
+ };
+ basicAuth = {
+ guest = basicAuthPass;
 };
 };
- virtualHosts.${"jellyfin."+config.networking.domain} = {
- forceSSL = true;
- #enableACME = true;
- useACMEHost = "${config.networking.domain}";
- locations."/" = {
- proxyPass = "http://jellyfin.galadriel";
- proxyWebsockets = true;
- basicAuth = {
- guest = basicAuthPass;
- };
- };
- };
+ # virtualHosts.${"vpn."+config.networking.domain} = {
+ # forceSSL = true;
+ # useACMEHost = "${config.networking.domain}";
+ # locations."/" = {
+ # proxyWebsockets = true;
+ # proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ # };
+ # };
+
+ # virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
+ # forceSSL = true;
+ # useACMEHost = "${config.networking.domain}";
+ # locations."/" = {
+ # proxyWebsockets = true;
+ # proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
+
+ # };
+ # };
+
+ # virtualHosts.${"jellyfin."+config.networking.domain} = {
+ # forceSSL = true;
+ # #enableACME = true;
+ # useACMEHost = "${config.networking.domain}";
+ # locations."/" = {
+ # proxyPass = "http://jellyfin.galadriel";
+ # proxyWebsockets = true;
+ # basicAuth = {
+ # guest = basicAuthPass;
+ # };
+ # };
+ # };
 };
diff --git a/services/ssh.nix b/services/ssh.nix
index 328b77b..37e5514 100644
--- a/services/ssh.nix
+++ b/services/ssh.nix
@@ -13,13 +13,13 @@
 startWhenNeeded = true;
 ports = [ 6969 ];
 openFirewall = true;
- settings.Ciphers = [
- "chacha20-poly1305@openssh.com"
- "aes256-gcm@openssh.com"
- "aes128-gcm@openssh.com"
- "aes256-ctr"
- # remove some weaker ciphers
- ];
+ #settings.Ciphers = [
+ # "chacha20-poly1305@openssh.com"
+ # "aes256-gcm@openssh.com"
+ # "aes128-gcm@openssh.com"
+ # "aes256-ctr"
+ # # remove some weaker ciphers
+ #];
 };
 services.endlessh = {
 enable = true;
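Review bot: `virtualHosts.${"managment.funn-nas.lauterer.it"}` is served with `useACMEHost = "${config.networking.domain}"`, but that certificate's `extraDomainNames` (visible in the earlier hunk of this file) cover `lauterer.it` and `*.lauterer.it` only; a wildcard matches a single label, so `managment.funn-nas.lauterer.it` is not covered and browsers will report a name mismatch, while `funn-nas.lauterer.it` is fine. Add the host (or `*.funn-nas.lauterer.it`) to `extraDomainNames`, or give this vhost its own certificate. The name also reads as a misspelling of "management"; if it is the real DNS record, a comment saying so will stop the next editor from "fixing" it. With `basicAuthPass = ""` at the top of the file, the `basicAuth` block on each new host admits anyone who sends the user name `guest`, so the management UI at `100.104.182.48` is effectively unauthenticated from the public side. The enclosing `services.nginx` attrset starts outside the hunk.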
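Review bot: Commenting out `settings.Ciphers` reverts sshd to the NixOS module's default cipher list without recording why; if a client could not negotiate with the stricter list, say which one, e.g. `# Ciphers left at module default: explicit list broke <client> on <date> — placeholder`. If the change is meant to be permanent, delete the block rather than keeping a commented copy that will drift from whatever the module default becomes. The module default is, to my knowledge, itself a restricted list rather than OpenSSH's full set, so this is probably not a large regression, but confirm the effective list on the host with `sshd -T | grep -i ciphers` after the switch.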