update from celebrian
This commit is contained in:
parent
5b8b8ae3ec
commit
24e4ce6c41
|
|
@ -8,6 +8,7 @@
|
|||
[ # Include the results of the hardware scan.
|
||||
../../profiles/base.nix
|
||||
../../services/ssh.nix
|
||||
../../services/nginx.nix
|
||||
];
|
||||
|
||||
|
||||
|
|
@ -100,31 +101,31 @@
|
|||
|
||||
|
||||
#vpn stuff
|
||||
#need to run at fresh install to create namespace: headscale namespaces create <namespace_name>
|
||||
services.headscale = {
|
||||
enable = true;
|
||||
user = "headscale";
|
||||
address = "127.0.0.1";
|
||||
port = 8080;
|
||||
settings = {
|
||||
logtail.enabled = false;
|
||||
metrics_listen_addr = "127.0.0.1:9090";
|
||||
server_url = "https://${"vpn."+config.networking.domain}";
|
||||
dns_config = {
|
||||
base_domain = "${config.networking.domain}";
|
||||
magic_dns = true;
|
||||
nameservers = [
|
||||
"1.1.1.1"
|
||||
];
|
||||
};
|
||||
|
||||
##should really implement with fex github and kanidm
|
||||
#oidc = {
|
||||
# issuer = "{config.services.kanidm.serverSettings.origin}";
|
||||
# allowed_domains = Domains;
|
||||
#};
|
||||
};
|
||||
};
|
||||
# #need to run at fresh install to create namespace: headscale namespaces create <namespace_name>
|
||||
# services.headscale = {
|
||||
# enable = true;
|
||||
# user = "headscale";
|
||||
# address = "127.0.0.1";
|
||||
# port = 8080;
|
||||
# settings = {
|
||||
# logtail.enabled = false;
|
||||
# metrics_listen_addr = "127.0.0.1:9090";
|
||||
# server_url = "https://${"vpn."+config.networking.domain}";
|
||||
# dns_config = {
|
||||
# base_domain = "${config.networking.domain}";
|
||||
# magic_dns = true;
|
||||
# nameservers = [
|
||||
# "1.1.1.1"
|
||||
# ];
|
||||
# };
|
||||
#
|
||||
# ##should really implement with fex github and kanidm
|
||||
# #oidc = {
|
||||
# # issuer = "{config.services.kanidm.serverSettings.origin}";
|
||||
# # allowed_domains = Domains;
|
||||
# #};
|
||||
# };
|
||||
# };
|
||||
|
||||
#tailscale
|
||||
services.tailscale.enable = true;
|
||||
|
|
@ -157,9 +158,9 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
|
|||
checkReversePath = "loose";
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedUDPPorts = [
|
||||
8096
|
||||
80
|
||||
443
|
||||
6969
|
||||
#config.services.openssh.ports
|
||||
config.services.tailscale.port
|
||||
config.services.headscale.port
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
imports =
|
||||
[
|
||||
../packages/vim.nix
|
||||
#./sops.nix
|
||||
./sops.nix
|
||||
];
|
||||
|
||||
#nix stuff
|
||||
|
|
|
|||
|
|
@ -10,7 +10,8 @@
|
|||
# This will add secrets.yml to the nix store
|
||||
# You can avoid this by adding a string to the full path instead, i.e.
|
||||
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
||||
sops.defaultSopsFile = ../secrets/secrets.yaml;
|
||||
sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml";
|
||||
sops.validateSopsFiles = false;
|
||||
# This will automatically import SSH keys as age keys
|
||||
sops.age.sshKeyPaths = [
|
||||
"/etc/ssh/nixos"
|
||||
|
|
@ -24,6 +25,6 @@
|
|||
|
||||
# This is the actual specification of the secrets.
|
||||
#sops.secrets."myservice/my_subdir/my_secret" = {};
|
||||
sops.secrets."acme/certs/domeneshop" = { };
|
||||
sops.secrets."acme/certs" = { };
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
basicAuthUser = "guest";
|
||||
basicAuthPass = "12345678";
|
||||
basicAuthPass = "";
|
||||
in
|
||||
{
|
||||
|
||||
|
|
@ -15,7 +15,7 @@ in
|
|||
extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
|
||||
dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/
|
||||
dnsPropagationCheck = true;
|
||||
credentialsFile = config.sops.secrets."acme/certs/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
||||
credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -39,37 +39,62 @@ in
|
|||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
||||
virtualHosts.${"vpn."+config.networking.domain} = {
|
||||
|
||||
virtualHosts.${"managment.funn-nas.lauterer.it"} = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "${config.networking.domain}";
|
||||
locations."/" = {
|
||||
proxyWebsockets = true;
|
||||
proxyPass = "http://localhost:${toString config.services.headscale.port}";
|
||||
proxyPass = "http://100.104.182.48";
|
||||
};
|
||||
};
|
||||
|
||||
virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
|
||||
forceSSL = true;
|
||||
useACMEHost = "${config.networking.domain}";
|
||||
locations."/" = {
|
||||
proxyWebsockets = true;
|
||||
proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
virtualHosts.${"jellyfin."+config.networking.domain} = {
|
||||
forceSSL = true;
|
||||
#enableACME = true;
|
||||
useACMEHost = "${config.networking.domain}";
|
||||
locations."/" = {
|
||||
proxyPass = "http://jellyfin.galadriel";
|
||||
proxyWebsockets = true;
|
||||
basicAuth = {
|
||||
guest = basicAuthPass;
|
||||
};
|
||||
};
|
||||
|
||||
virtualHosts.${"funn-nas.lauterer.it"} = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "${config.networking.domain}";
|
||||
locations."/" = {
|
||||
proxyWebsockets = true;
|
||||
proxyPass = "https://100.104.182.48:30044";
|
||||
};
|
||||
basicAuth = {
|
||||
guest = basicAuthPass;
|
||||
};
|
||||
};
|
||||
|
||||
# virtualHosts.${"vpn."+config.networking.domain} = {
|
||||
# forceSSL = true;
|
||||
# useACMEHost = "${config.networking.domain}";
|
||||
# locations."/" = {
|
||||
# proxyWebsockets = true;
|
||||
# proxyPass = "http://localhost:${toString config.services.headscale.port}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
|
||||
# forceSSL = true;
|
||||
# useACMEHost = "${config.networking.domain}";
|
||||
# locations."/" = {
|
||||
# proxyWebsockets = true;
|
||||
# proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
|
||||
|
||||
# };
|
||||
# };
|
||||
|
||||
# virtualHosts.${"jellyfin."+config.networking.domain} = {
|
||||
# forceSSL = true;
|
||||
# #enableACME = true;
|
||||
# useACMEHost = "${config.networking.domain}";
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://jellyfin.galadriel";
|
||||
# proxyWebsockets = true;
|
||||
# basicAuth = {
|
||||
# guest = basicAuthPass;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -13,13 +13,13 @@
|
|||
startWhenNeeded = true;
|
||||
ports = [ 6969 ];
|
||||
openFirewall = true;
|
||||
settings.Ciphers = [
|
||||
"chacha20-poly1305@openssh.com"
|
||||
"aes256-gcm@openssh.com"
|
||||
"aes128-gcm@openssh.com"
|
||||
"aes256-ctr"
|
||||
# remove some weaker ciphers
|
||||
];
|
||||
#settings.Ciphers = [
|
||||
# "chacha20-poly1305@openssh.com"
|
||||
# "aes256-gcm@openssh.com"
|
||||
# "aes128-gcm@openssh.com"
|
||||
# "aes256-ctr"
|
||||
# # remove some weaker ciphers
|
||||
#];
|
||||
};
|
||||
services.endlessh = {
|
||||
enable = true;
|
||||
|
|
|
|||
Loading…
Reference in New Issue