diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index 6b419b5..87bc74a 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -1,21 +1,30 @@ -{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: { +{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: let + http_port = 80; + https_port = 443; +in { imports = [ ./hardware-configuration.nix ./disk-config.nix + ../../../system/common/linux/lets-encrypt.nix ]; + system.stateVersion = "23.11"; + boot.loader.grub = { - # no need to set devices, disko will add all devices that have a EF02 partition to the list already + # no need to set devices, disko will add all devices that have a + # EF02 partition to the list already # devices = [ ]; efiSupport = true; efiInstallAsRemovable = true; }; - system.stateVersion = "23.11"; - networking = { # Open ports in the firewall. - firewall.allowedTCPPorts = [ 22 ]; + firewall.allowedTCPPorts = [ + 22 # ssh + 80 # http to local Nginx + 443 # https to local Nginx + ]; # firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # firewall.enable = false; @@ -29,6 +38,49 @@ services = { fail2ban.enable = true; + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000 always;"; + } + add_header Strict-Transport-Security $hsts_header; + ''; + virtualHosts = { + "nue.technicalissues.us" = { + default = true; + serverAliases = [ "hetznix01.technicalissues.us" ]; + listen = [ + { port = http_port; addr = "0.0.0.0"; } + { port = https_port; addr = "0.0.0.0"; ssl = true; } + ]; + enableACME = true; + acmeRoot = null; + addSSL = true; + forceSSL = false; + locations."/" = { + return = "200 '

Hello world ;)

'"; + extraConfig = '' + add_header Content-Type text/html; + ''; + }; + }; + "utk-eu.technicalissues.us" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyWebsockets = true; + locations."/".proxyPass = "http://127.0.0.1:3001"; + }; + }; # end virtualHosts + }; # end nginx tailscale = { enable = true; authKeyFile = config.sops.secrets.tailscale_key.path; @@ -40,6 +92,13 @@ ]; useRoutingFeatures = "both"; }; + uptime-kuma = { + enable = true; + settings = { + UPTIME_KUMA_HOST = "127.0.0.1"; + #UPTIME_KUMA_PORT = "3001"; + }; + }; }; sops = { diff --git a/modules/system/common/linux/lets-encrypt.nix b/modules/system/common/linux/lets-encrypt.nix new file mode 100644 index 0000000..0105a8d --- /dev/null +++ b/modules/system/common/linux/lets-encrypt.nix @@ -0,0 +1,26 @@ +{ config, username, ... }: { + + ########################################################################## + # # + # This module sets up Let's Encrypt certs via a DNS challenge to Gandi # + # # + ########################################################################## + + security.acme = { + acceptTerms = true; + defaults = { + email = "lets-encrypt@technicalissues.us"; + credentialFiles = { "GANDIV5_API_KEY_FILE" = "${config.sops.secrets.gandi_api.path}"; }; + #credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; }; + dnsProvider = "gandiv5"; + dnsResolver = "ns1.gandi.net"; + # uncomment below for testing + #server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + }; + + sops = { + age.keyFile = /home/${username}/.config/sops/age/keys.txt; + secrets.gandi_api.sopsFile = ../secrets.yaml; + }; +}