{ config, pkgs, lib, ... }: { #declare secrets sops.secrets."acme/certs" = { }; sops.secrets."nginx/defaultpass" = { restartUnits = [ "nginx.service" ]; owner = "nginx"; }; networking.enableIPv6 = false; # lol for some reason acme works without ipv6 networking.domain = "lauterer.it"; #acme and certs helpful blog https://carjorvaz.com/posts/ security.acme = { acceptTerms = true; defaults.email = "adrian+acme@lauterer.it"; certs."${config.networking.domain}" = { domain = "*.${config.networking.domain}"; extraDomainNames = [ "${config.networking.domain}" #"${config.networking.domain}" #"lauterer.it" #"*.lauterer.it" #"*.256.no" ]; #server = "https://acme-staging-v02.api.letsencrypt.org/directory"; #for testing. enableDebugLogs = true; dnsResolver = "ns1.hyp.net:53"; dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/ dnsPropagationCheck = true; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml credentialsFile = config.sops.secrets."acme/certs".path; }; }; #add proxyserver to acme users.users.nginx.extraGroups = [ "acme" ]; users.users.root.extraGroups = [ "acme" ]; # services.oauth2_proxy = { # enable = true; # } #proxy stuff services.nginx = { enable = true; statusPage = true; enableReload = true; recommendedTlsSettings = true; recommendedProxySettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; logError = "syslog:server=unix:/dev/log"; commonHttpConfig = '' access_log syslog:server=unix:/dev/log; ''; virtualHosts."managment.funn-nas.lauterer.it" = { forceSSL = true; useACMEHost = config.networking.domain; locations."/" = { proxyWebsockets = true; proxyPass = "https://100.104.182.48"; }; basicAuthFile = config.sops.secrets."nginx/defaultpass".path; }; virtualHosts."funn-nas.lauterer.it" = { forceSSL = true; useACMEHost = config.networking.domain; locations."/" = { proxyWebsockets = true; proxyPass = "https://100.104.182.48:30044"; }; basicAuthFile = config.sops.secrets."nginx/defaultpass".path; }; virtualHosts."home.lauterer.it" = { forceSSL = true; useACMEHost = config.networking.domain; locations."/" = { proxyWebsockets = true; proxyPass = "http://10.0.0.32:8123"; }; # ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet. #basicAuthFile = config.sops.secrets."nginx/defaultpass".path; }; virtualHosts."jellyfin.lauterer.it" = { forceSSL = true; useACMEHost = config.networking.domain; locations."/" = { proxyWebsockets = true; proxyPass = "http://100.84.215.84:8096"; }; #basicAuthFile = config.sops.secrets."nginx/defaultpass".path; }; # virtualHosts.${"vpn."+config.networking.domain} = { # forceSSL = true; # useACMEHost = "${config.networking.domain}"; # locations."/" = { # proxyWebsockets = true; # proxyPass = "http://localhost:${toString config.services.headscale.port}"; # }; # }; # virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.) # forceSSL = true; # useACMEHost = "${config.networking.domain}"; # locations."/" = { # proxyWebsockets = true; # proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}"; # }; # }; # virtualHosts.${"jellyfin."+config.networking.domain} = { # forceSSL = true; # #enableACME = true; # useACMEHost = "${config.networking.domain}"; # locations."/" = { # proxyPass = "http://jellyfin.galadriel"; # proxyWebsockets = true; # basicAuthFile = config.sops.secrets."nginx/defaultpass".path; # }; # }; }; }