From 7d27388cd47c8cd849054547d2ad55ea5f41f67d Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 22 Nov 2025 09:02:43 -0800
Subject: configure the reverse proxy on argonath

---
 machines/nixos/x86_64-linux/argonath.nix | 32 +++++++++++++++++++++++++++++++
 profiles/acme.nix | 5 ++---
 secrets/acme-cloudflare-env.age | Bin 0 -> 600 bytes
 secrets/cloudflare-env.age | 11 -----------
 secrets/secrets.nix | 2 +-
 5 files changed, 35 insertions(+), 15 deletions(-)
 create mode 100644 secrets/acme-cloudflare-env.age
 delete mode 100644 secrets/cloudflare-env.age

diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix
index 14b698a..af70040 100644
--- a/machines/nixos/x86_64-linux/argonath.nix
+++ b/machines/nixos/x86_64-linux/argonath.nix
@@ -6,6 +6,7 @@
 }:
 {
 imports = [
+ ../../../profiles/acme.nix
 ../../../profiles/cgroups.nix
 ../../../profiles/defaults.nix
 ../../../profiles/hardware/do-droplet.nix
@@ -41,6 +42,37 @@
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.firewall.allowedUDPPorts = [ 51871 ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60";
+ };
+ };
+ "fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60:8070";
+ };
+ };
+ };
+ };
+
 system.stateVersion = "25.05"; # Did you read the comment?
 home-manager = {
diff --git a/profiles/acme.nix b/profiles/acme.nix
index 4bdadad..df04998 100644
--- a/profiles/acme.nix
+++ b/profiles/acme.nix
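Review bot: The new `services.nginx.virtualHosts` block in the second argonath.nix hunk defines only the two named hosts, so a request on the newly opened ports 80/443 whose Host or SNI matches neither is answered by whichever server block nginx treats as the default (most likely the first one generated, `code.fcuny.net`), which exposes the code host to direct-IP and arbitrary-Host traffic rather than only to its intended name. An explicit catch-all that refuses such requests keeps the proxy limited to the two names, e.g. `"_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`. Both `proxyPass` targets are plain HTTP to `10.100.0.60`; that address looks like it sits behind the `wg0` interface trusted in the context lines, but a comment should say so, because `recommendedProxySettings` forwards client-supplied headers that the backend must only trust when they come from this proxy. `acmeRoot = null` alongside `enableACME = true` reads as a mistake unless one knows the imported profiles/acme.nix configures a DNS-01 challenge, so a one-line comment such as `# DNS-01 via profiles/acme.nix; no HTTP-01 webroot needed` would help the next reader.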
@@ -1,13 +1,12 @@ { config, ... }: { - - age.secrets.cloudflare-env.file = ../secrets/cloudflare-env.age; + age.secrets.acme-cloudflare-env.file = ../secrets/acme-cloudflare-env.age; security.acme.acceptTerms = true; security.acme.defaults = { email = "franck@fcuny.net"; dnsResolver = "1.1.1.1:53"; dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets.cloudflare-env.path; + credentialsFile = config.age.secrets.acme-cloudflare-env.path; }; } diff --git a/secrets/acme-cloudflare-env.age b/secrets/acme-cloudflare-env.age new file mode 100644 index 0000000..9892917 Binary files /dev/null and b/secrets/acme-cloudflare-env.age differ diff --git a/secrets/cloudflare-env.age b/secrets/cloudflare-env.age deleted file mode 100644 index 01b6a30..0000000 --- a/secrets/cloudflare-env.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 pFjJaA A35k0XBlhihLf5B4ESv0x+ZCXB+belJ98GIDp4znuxM -mBYkR83UPwenM9RxtpYvHZAd5jagiYu/aan/3dUpZ4A --> ssh-ed25519 Y5h84Q ODzj7yMjNHArBFRb1eFlIHlUMcs0zaqmj2saFLkGbUI -WFLyGRjAoRCQkS0JYRnEUTuUvmUy9KWDUCkfAgqtO7g --> ssh-ed25519 8Nmf6A sDeTOEMyfc4xtRLuRjCrhekI2O3byJsU0RY65mazYkE -HzYGQcU79XtADztyXQnEN0sWyHPJ77nRkpDBdZmGIsw --> ssh-ed25519 nr90TQ nVcEeojXY8u51pJ0xColbDxhcefthwYF1rJ0kXhtXjg -MfLI0lh/GsRt5I3zfpfz5nX4vBV+GOmyF3F2b2/USUw ---- giG3+8ZIv8r/dR3wVje3UasMeHBc06nvH8ML3Y1E2NY - MȽPJ\K"7e2VOL9t V$:Xf;VxYYP6۳mff o+Cojj5Bl"Dy%2[I \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e79be04..6e6b31c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,7 +11,7 @@ let }; in { - "cloudflare-env.age".publicKeys = [ + "acme-cloudflare-env.age".publicKeys = [ users.fcuny hosts.rivendell hosts.do -- cgit v1.2.3
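Review bot: The secret rename in profiles/acme.nix leaves the credentials file undocumented: nothing in the hunk says what the age file must contain or how narrowly the Cloudflare token should be scoped, and since the profile is now imported by argonath as well, every host able to decrypt `acme-cloudflare-env.age` holds a token that can modify DNS for the zone. I would add above `age.secrets.acme-cloudflare-env.file` a comment like `# lego env file for the DNS-01 challenge (e.g. CLOUDFLARE_DNS_API_TOKEN); use a token restricted to DNS edit on this zone only.` Whether the token itself was rotated when cloudflare-env.age was replaced by the new file is not visible from the diff; if the same value was simply re-encrypted under the new name, that is worth stating in the commit message or rotating, since the old ciphertext remains in history. The secrets/secrets.nix hunk only renames the entry, so the recipient list is unchanged.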