genebean/dots
1
0
Fork 0
mirror of https://github.com/genebean/dots.git synced 2026-03-27 01:17:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Uptime Kuma

Browse source
This commit is contained in:
Gene Liverman 2024-06-13 21:08:09 -04:00
parent ab733daa16
commit 3023a652b1
2 changed files with 90 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

69
modules/hosts/nixos/hetznix01/default.nix
View file

@ -1,21 +1,30 @@
{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: {
{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: let
http_port = 80;
https_port = 443;
in {
imports = [
./hardware-configuration.nix
./disk-config.nix
../../../system/common/linux/lets-encrypt.nix
];
system.stateVersion = "23.11";
boot.loader.grub = {
# no need to set devices, disko will add all devices that have a EF02 partition to the list already
# no need to set devices, disko will add all devices that have a
# EF02 partition to the list already
# devices = [ ];
efiSupport = true;
efiInstallAsRemovable = true;
};
system.stateVersion = "23.11";
networking = {
# Open ports in the firewall.
firewall.allowedTCPPorts = [ 22 ];
firewall.allowedTCPPorts = [
22 # ssh
80 # http to local Nginx
443 # https to local Nginx
];
# firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# firewall.enable = false;
@ -29,6 +38,49 @@
services = {
fail2ban.enable = true;
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000 always;";
}
add_header Strict-Transport-Security $hsts_header;
'';
virtualHosts = {
"nue.technicalissues.us" = {
default = true;
serverAliases = [ "hetznix01.technicalissues.us" ];
listen = [
{ port = http_port; addr = "0.0.0.0"; }
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
];
enableACME = true;
acmeRoot = null;
addSSL = true;
forceSSL = false;
locations."/" = {
return = "200 '<h1>Hello world ;)</h1>'";
extraConfig = ''
add_header Content-Type text/html;
'';
};
};
"utk-eu.technicalissues.us" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
}; # end virtualHosts
}; # end nginx
tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tailscale_key.path;
@ -40,6 +92,13 @@
];
useRoutingFeatures = "both";
};
uptime-kuma = {
enable = true;
settings = {
UPTIME_KUMA_HOST = "127.0.0.1";
#UPTIME_KUMA_PORT = "3001";
};
};
};
sops = {

26
modules/system/common/linux/lets-encrypt.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, username, ... }: {
##########################################################################
# #
# This module sets up Let's Encrypt certs via a DNS challenge to Gandi #
# #
##########################################################################
security.acme = {
acceptTerms = true;
defaults = {
email = "lets-encrypt@technicalissues.us";
credentialFiles = { "GANDIV5_API_KEY_FILE" = "${config.sops.secrets.gandi_api.path}"; };
#credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };
dnsProvider = "gandiv5";
dnsResolver = "ns1.gandi.net";
# uncomment below for testing
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
};
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
secrets.gandi_api.sopsFile = ../secrets.yaml;
};
}