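{
  inputs,
  lib,
  pkgs,
  config,
  adminUser,
  ...
}:
# do-rproxy: DigitalOcean droplet that terminates TLS for the public fcuny.net
# hosts and reverse-proxies them to backends reached over a WireGuard tunnel.
let
  # Public hosts served by nginx below; each one gets its own ACME certificate.
  publicHosts = [
    "code.fcuny.net"
    "go.fcuny.net"
    "id.fcuny.net"
    "fcuny.net"
  ];

  # ACME settings shared by every public host: DNS-01 validation through
  # Cloudflare (the API token is read from the agenix secret on the host, so it
  # never lands in the Nix store), resolved against 1.1.1.1, and an nginx
  # reload after each renewal.
  cloudflareCert = _host: {
    dnsProvider = "cloudflare";
    dnsResolver = "1.1.1.1";
    reloadServices = [ "nginx.service" ];
    credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
  };
in
{
  imports = [
    ../../../profiles/cgroups.nix
    ../../../profiles/defaults.nix
    ../../../profiles/disk/basic-vm.nix
    ../../../profiles/hardware/do-droplet.nix
    ../../../profiles/home-manager.nix
    ../../../profiles/server.nix
  ];

  # Secrets decrypted on the host by agenix: the Cloudflare DNS API token used
  # for ACME, and this node's WireGuard private key.
  age.secrets = {
    cloudflare-nginx.file = ../../../secrets/cloudflare-nginx.age;
    wireguard.file = ../../../secrets/do/wireguard.age;
  };

  disko.devices.disk.disk1.device = "/dev/vda";

  networking.hostName = "do-rproxy";

  # Private overlay to the backends. Only the two listed peers may speak to
  # wg0, and each is pinned to a single /32, so one peer cannot source traffic
  # as the other backend's address.
  networking.wireguard = {
    enable = true;
    interfaces.wg0 = {
      ips = [ "10.100.0.50/32" ];
      listenPort = 51871;
      privateKeyFile = config.age.secrets.wireguard.path;
      peers = [
        {
          # vm-synology
          publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
          allowedIPs = [ "10.100.0.40/32" ];
          persistentKeepalive = 25;
        }
        {
          # rivendell
          publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
          allowedIPs = [ "10.100.0.60/32" ];
          persistentKeepalive = 25;
        }
      ];
    };
  };

  networking.firewall = {
    # Traffic arriving over the tunnel is accepted without port filtering, so
    # the two WireGuard peers above can reach any service listening here.
    trustedInterfaces = [ "wg0" ];
    # WireGuard endpoint.
    allowedUDPPorts = [ 51871 ];
    # HTTP (redirected to HTTPS by forceSSL) and HTTPS. ACME validation is
    # DNS-01, so port 80 is not needed for certificate issuance.
    allowedTCPPorts = [
      80
      443
    ];
  };

  system.stateVersion = "25.05"; # Did you read the comment?

  security.acme = {
    acceptTerms = true;
    defaults.email = "franck@fcuny.net";
    # One identical Cloudflare DNS-01 entry per public host.
    certs = lib.genAttrs publicHosts cloudflareCert;
  };

  services.nginx =
    let
      # Identities published through WebFinger (RFC 7033); each one points at
      # an OpenID Connect issuer under id.fcuny.net.
      accounts = [
        {
          user = "franck@fcuny.net";
          realm = "fcuny.net";
        }
      ];

      # WebFinger served from static files. The well-known URL redirects to an
      # internal path that carries the requested resource; the regex location
      # only answers for `acct:` resources whose captured name contains no
      # path separator, so `$1` stays a single file name inside the link farm
      # when try_files resolves it.
      webfingerConfig = {
        "= /.well-known/webfinger" = {
          extraConfig = ''
            return 307 /__webfinger/$arg_resource;
          '';
        };

        "~ ^/__webfinger/(acct:[^/]+@[^/]+)" = {
          root = pkgs.linkFarm "webfinger-entries" (
            lib.listToAttrs (
              map (acct: {
                name = "acct:${acct.user}";
                value = pkgs.writeText "webfinger-${acct.user}" ''
                  {
                    "subject": "acct:${acct.user}",
                    "links": [
                      {
                        "rel": "http://openid.net/specs/connect/1.0/issuer",
                        "href": "https://id.fcuny.net/realms/${acct.realm}"
                      }
                    ]
                  }
                '';
              }) accounts
            )
          );

          tryFiles = "/$1 =404";

          # The static file handler derives Content-Type from the file
          # extension, and `add_header Content-Type` would only append a
          # second Content-Type header next to it. Clearing the type map and
          # setting the default makes JSON the single Content-Type.
          extraConfig = ''
            types { }
            default_type application/json;
          '';
        };
      };
    in
    {
      enable = true;
      recommendedProxySettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        "code.fcuny.net" = {
          enableACME = true;
          acmeRoot = null; # DNS-01: no webroot challenge directory
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://10.100.0.60:3000";
          };
          # Keep the backend's metrics endpoint off the public edge: nginx
          # answers 403 before anything is proxied. `access_log off` also
          # hides those 403s, so probes of this path leave no access-log
          # trace; remove it if those should be visible.
          locations."/metrics" = {
            proxyPass = "http://10.100.0.60:3000/metrics";
            extraConfig = ''
              deny all;
              access_log off;
            '';
          };
        };
        "go.fcuny.net" = {
          enableACME = true;
          acmeRoot = null;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://10.100.0.40:8070";
          };
        };
        "id.fcuny.net" = {
          enableACME = true;
          acmeRoot = null;
          forceSSL = true;
          # Identity provider behind the tunnel, plus WebFinger so clients can
          # discover the issuer for the accounts above.
          locations = (
            {
              "/" = {
                proxyPass = "http://10.100.0.60:8080";
              };
            }
            // webfingerConfig
          );
        };
        "fcuny.net" = {
          enableACME = true;
          acmeRoot = null;
          forceSSL = true;

          # Static site built by the my-site flake input.
          root = "${inputs.my-site.packages.x86_64-linux.default}/";

          locations = {
            "/".tryFiles = "$uri $uri/ $uri/index.html =404";
          }
          // webfingerConfig;

          extraConfig = ''
            error_page 404 /404;
          '';
        };
      };
    };

  home-manager = {
    users.${adminUser.name} = {
      imports = [
        ../../../home/profiles/minimal.nix
      ];
    };
  };
}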