authorFranck Cuny <franck@fcuny.net>2025-11-22 09:02:43 -0800
committerFranck Cuny <franck@fcuny.net>2025-11-22 09:02:43 -0800
commit7d27388cd47c8cd849054547d2ad55ea5f41f67d (patch)
tree8f8663fb1f4c878d90a274271f2c277c36439399
parentwireguard configuration for argonath (diff)
configure the reverse proxy on argonath
-rw-r--r--machines/nixos/x86_64-linux/argonath.nix32
-rw-r--r--profiles/acme.nix5
-rw-r--r--secrets/acme-cloudflare-env.agebin0 -> 600 bytes
-rw-r--r--secrets/cloudflare-env.age11
-rw-r--r--secrets/secrets.nix2
5 files changed, 35 insertions, 15 deletions
diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix
index 14b698a..af70040 100644
--- a/machines/nixos/x86_64-linux/argonath.nix
+++ b/machines/nixos/x86_64-linux/argonath.nix
@@ -6,6 +6,7 @@
}:
{
imports = [
+ ../../../profiles/acme.nix
../../../profiles/cgroups.nix
../../../profiles/defaults.nix
../../../profiles/hardware/do-droplet.nix
@@ -41,6 +42,37 @@
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51871 ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60";
+ };
+ };
+ "fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60:8070";
+ };
+ };
+ };
+ };
+
system.stateVersion = "25.05"; # Did you read the comment?
home-manager = {
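Review bot: The new `services.nginx.virtualHosts` set has no catch-all entry, so once ports 80 and 443 are open, a request whose Host header or SNI matches neither name is presumably served by the first generated server block and proxied to `10.100.0.60` like any other. A default host that refuses such requests keeps unknown names away from the backends: `"_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`. `forceSSL` redirects to HTTPS but sends no HSTS header, so each vhost's `extraConfig` could also carry `add_header Strict-Transport-Security "max-age=31536000" always;`. The upstreams are plain `http://`, which is reasonable only if 10.100.0.60 is reached over the trusted `wg0` interface; this hunk does not show that, and the enclosing module body starts and ends outside it.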
diff --git a/profiles/acme.nix b/profiles/acme.nix
index 4bdadad..df04998 100644
--- a/profiles/acme.nix
+++ b/profiles/acme.nix
@@ -1,13 +1,12 @@
{ config, ... }:
{
-
- age.secrets.cloudflare-env.file = ../secrets/cloudflare-env.age;
+ age.secrets.acme-cloudflare-env.file = ../secrets/acme-cloudflare-env.age;
security.acme.acceptTerms = true;
security.acme.defaults = {
email = "franck@fcuny.net";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.cloudflare-env.path;
+ credentialsFile = config.age.secrets.acme-cloudflare-env.path;
};
}
diff --git a/secrets/acme-cloudflare-env.age b/secrets/acme-cloudflare-env.age
new file mode 100644
index 0000000..9892917
--- /dev/null
+++ b/secrets/acme-cloudflare-env.age
Binary files differ
diff --git a/secrets/cloudflare-env.age b/secrets/cloudflare-env.age
deleted file mode 100644
index 01b6a30..0000000
--- a/secrets/cloudflare-env.age
+++ /dev/null
@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 pFjJaA A35k0XBlhihLf5B4ESv0x+ZCXB+belJ98GIDp4znuxM
-mBYkR83UPwenM9RxtpYvHZAd5jagiYu/aan/3dUpZ4A
--> ssh-ed25519 Y5h84Q ODzj7yMjNHArBFRb1eFlIHlUMcs0zaqmj2saFLkGbUI
-WFLyGRjAoRCQkS0JYRnEUTuUvmUy9KWDUCkfAgqtO7g
--> ssh-ed25519 8Nmf6A sDeTOEMyfc4xtRLuRjCrhekI2O3byJsU0RY65mazYkE
-HzYGQcU79XtADztyXQnEN0sWyHPJ77nRkpDBdZmGIsw
--> ssh-ed25519 nr90TQ nVcEeojXY8u51pJ0xColbDxhcefthwYF1rJ0kXhtXjg
-MfLI0lh/GsRt5I3zfpfz5nX4vBV+GOmyF3F2b2/USUw
---- giG3+8ZIv8r/dR3wVje3UasMeHBc06nvH8ML3Y1E2NY
- MȽPJ\K"7e2VOL9t V$:Xf;VxYYP6۳mff o+Cojj5Bl"Dy%2[I \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e79be04..6e6b31c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,7 +11,7 @@ let
};
in
{
- "cloudflare-env.age".publicKeys = [
+ "acme-cloudflare-env.age".publicKeys = [
users.fcuny
hosts.rivendell
hosts.do