Configure nginx to play nice with cloudflare

Oystein Kristoffer Tveit 2022-09-22 00:48:21 +02:00
parent 22419caadd
commit 531bd4bab3
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 62 additions and 73 deletions


@ -4,22 +4,26 @@
lib = pkgs.lib; lib = pkgs.lib;
inherit (secrets) ips ports; inherit (secrets) ips ports;
s = toString;
in in
{ {
security.acme = { # All of these nginx endpoints are hosted through a cloudflare proxy.
defaults.email = "h7x4abk3g@protonmail.com"; # This has several implications for the configuration:
acceptTerms = true; # - The sites I want to protect using a client side certificate needs to
}; # use a client side certificate given by cloudflare, since the client cert set here
# only works to secure communication between nginx and cloudflare
# - I don't need to redirect http traffic to https manually, as cloudflare does it for me
# - I don't need to request ACME certificates manually, as cloudflare does it for me.
services.nginx = let services.nginx = let
generateServerAliases = generateServerAliases =
domains: subdomains: domains: subdomains:
lib.lists.flatten (map (s: map (d: "${s}.${d}") domains) subdomains); lib.lists.flatten (map (s: map (d: "${s}.${d}") domains) subdomains);
s = toString;
in { in {
enable = true; enable = true;
enableReload = true;
statusPage = true; statusPage = true;
@ -33,54 +37,32 @@
inherit (lib.lists) head drop; inherit (lib.lists) head drop;
inherit (secrets) domains keys; inherit (secrets) domains keys;
makeHost = cloudflare-origin-pull-ca = builtins.fetchurl {
subdomains: extraSettings: url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate { sha256 = "0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
serverAliases = drop 1 (generateServerAliases domains subdomains); };
forceSSL = true;
sslCertificate = keys.certificates.server.crt;
sslCertificateKey = keys.certificates.server.key;
} extraSettings);
makeACMEHost = host =
subdomains: extraSettings: subdomains: extraSettings: let
nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate { settings = with keys.certificates; {
serverAliases = drop 1 (generateServerAliases domains subdomains); serverAliases = drop 1 (generateServerAliases domains subdomains);
enableACME = true; onlySSL = true;
forceSSL = true; sslCertificate = server.crt;
} extraSettings); sslCertificateKey = server.key;
makeClientCertHost =
subdomains: extraSettings:
nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate {
serverAliases = drop 1 (generateServerAliases domains subdomains);
enableACME = true;
forceSSL = true;
extraConfig = ''
ssl_client_certificate ${secrets.keys.certificates.CA.crt};
ssl_verify_client optional;
'';
locations."/".extraConfig = ''
if ($ssl_client_verify != SUCCESS) {
return 403;
}
'';
} extraSettings);
makeProxy = extraConfig = ''
ssl_client_certificate ${cloudflare-origin-pull-ca};
ssl_verify_client on;
'';
};
in
nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate settings extraSettings);
proxy =
subdomains: url: extraSettings: subdomains: url: extraSettings:
makeHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings); host subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
makeACMEProxy =
subdomains: url: extraSettings:
makeACMEHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
makeClientCertProxy =
subdomains: url: extraSettings:
makeClientCertHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
in (listToAttrs [ in (listToAttrs [
# (makeACMEProxy ["gitlab"] "http://unix:/run/gitlab/gitlab-workhorse.socket" {})
{ {
name = "nani.wtf"; name = "nani.wtf";
value = { value = {
@ -90,40 +72,47 @@
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
enableACME = true; onlySSL = true;
forceSSL = true;
sslCertificate = keys.certificates.server.crt;
sslCertificateKey = keys.certificates.server.key;
extraConfig = ''
ssl_client_certificate ${cloudflare-origin-pull-ca};
ssl_verify_client on;
'';
}; };
} }
(makeACMEProxy ["plex"] "http://localhost:${s ports.plex}" {}) (proxy ["plex"] "http://localhost:${s ports.plex}" {})
(makeACMEHost ["www"] { root = "${inputs.website.defaultPackage.${pkgs.system}}/"; }) (host ["www"] { root = "${inputs.website.defaultPackage.${pkgs.system}}/"; })
(makeACMEProxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {}) (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
(makeACMEHost ["madmin"] { root = "${pkgs.synapse-admin}/"; }) (host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
(makeACMEProxy ["git"] "http://localhost:${s ports.gitea}" {}) (host ["cache"] { root = "/var/lib/nix-cache"; })
(makeClientCertHost ["cache"] { root = "/var/lib/nix-cache"; }) (proxy ["git"] "http://localhost:${s ports.gitea}" {})
(makeClientCertProxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" { (proxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" {
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
}) })
(makeClientCertProxy ["idrac"] "https://${ips.idrac}" {}) (proxy ["idrac"] "https://${ips.idrac}" {})
(makeClientCertProxy ["searx"] "http://localhost:${s ports.searx}" {}) (proxy ["searx"] "http://localhost:${s ports.searx}" {})
(makeACMEProxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" { (proxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" {
# basicAuthFile = keys.htpasswds.default; # basicAuthFile = keys.htpasswds.default;
}) })
(makeClientCertProxy ["log"] "http://localhost:${s ports.grafana}" { (proxy ["log"] "http://localhost:${s ports.grafana}" {
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
}) })
(makeClientCertProxy ["pg"] "http://localhost:${s ports.pgadmin}" {}) (proxy ["pg"] "http://localhost:${s ports.pgadmin}" {})
# (makeProxy ["wiki"] "" {}) # (host ["vpn"] "" {})
# (makeHost ["vpn"] "" {}) (proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
(makeACMEProxy ["hydra"] "http://localhost:${s ports.hydra}" {}) (proxy ["air"] "https://${ips.kansei}:${s ports.kansei}" {})
(makeClientCertProxy ["air"] "https://${ips.kansei}:${s ports.kansei}" {})
# (makePassProxy ["sync" "drive"] "" {}) # (proxy ["sync" "drive"] "" {})
# (makePassProxy ["music" "mpd"] "" {}) # (proxy ["music" "mpd"] "" {})
]) // { ]) // {
${config.services.jitsi-meet.hostName} = { # Disabled for time being
enableACME = true; # ${config.services.jitsi-meet.hostName} = {
forceSSL = true; # enableACME = true;
}; # forceSSL = true;
# };
}; };
upstreams = {}; upstreams = {};