From 3023a652b1205c546811776984e4c8409c01107d Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Thu, 13 Jun 2024 21:08:09 -0400
Subject: [PATCH] Uptime Kuma

---
 modules/hosts/nixos/hetznix01/default.nix | 69 ++++++++++++++++++--
 modules/system/common/linux/lets-encrypt.nix | 26 ++++++++
 2 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100644 modules/system/common/linux/lets-encrypt.nix

diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix
index 6b419b5..87bc74a 100644
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@@ -1,21 +1,30 @@
-{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: {
+{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: let
+  http_port = 80;
+  https_port = 443;
+in {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
+    ../../../system/common/linux/lets-encrypt.nix
   ];
 
+  system.stateVersion = "23.11";
+
   boot.loader.grub = {
-    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
+    # no need to set devices, disko will add all devices that have a
+    # EF02 partition to the list already
     # devices = [ ];
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
 
-  system.stateVersion = "23.11";
-
   networking = {
     # Open ports in the firewall.
-    firewall.allowedTCPPorts = [ 22 ];
+    firewall.allowedTCPPorts = [
+      22 # ssh
+      80 # http to local Nginx
+      443 # https to local Nginx
+    ];
     # firewall.allowedUDPPorts = [ ... ];
     # Or disable the firewall altogether.
     # firewall.enable = false;
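Review bot: The new `networking.firewall.allowedTCPPorts` list hard-codes `80` and `443` while the same hunk introduces `http_port` and `https_port` in the `let` block for exactly those values; using the bindings here (`http_port # http to local Nginx` and `https_port # https to local Nginx`) keeps the firewall and the nginx `listen` entries from drifting apart. Both ports are opened on every interface, which is presumably intended for the public vhosts, but a short comment at the list saying so would make the exposure deliberate rather than incidental. The `networking` block continues past the end of the hunk.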
@@ -29,6 +38,49 @@
 
   services = {
     fail2ban.enable = true;
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        map $scheme $hsts_header {
+          https "max-age=31536000 always;";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+      '';
+      virtualHosts = {
+        "nue.technicalissues.us" = {
+          default = true;
+          serverAliases = [ "hetznix01.technicalissues.us" ];
+          listen = [
+            { port = http_port; addr = "0.0.0.0"; }
+            { port = https_port; addr = "0.0.0.0"; ssl = true; }
+          ];
+          enableACME = true;
+          acmeRoot = null;
+          addSSL = true;
+          forceSSL = false;
+          locations."/" = {
+            return = "200 '

Hello world ;)

'";
+            extraConfig = ''
+              add_header Content-Type text/html;
+            '';
+          };
+        };
+        "utk-eu.technicalissues.us" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyWebsockets = true;
+          locations."/".proxyPass = "http://127.0.0.1:3001";
+        };
+      }; # end virtualHosts
+    }; # end nginx
     tailscale = {
       enable = true;
       authKeyFile = config.sops.secrets.tailscale_key.path;
@@ -40,6 +92,13 @@
       ];
       useRoutingFeatures = "both";
     };
+    uptime-kuma = {
+      enable = true;
+      settings = {
+        UPTIME_KUMA_HOST = "127.0.0.1";
+        #UPTIME_KUMA_PORT = "3001";
+      };
+    };
   };
 
   sops = {
diff --git a/modules/system/common/linux/lets-encrypt.nix b/modules/system/common/linux/lets-encrypt.nix
new file mode 100644
index 0000000..0105a8d
--- /dev/null
+++ b/modules/system/common/linux/lets-encrypt.nix
@@ -0,0 +1,26 @@
+{ config, username, ... }: {
+
+  ##########################################################################
+  #                                                                        #
+  # This module sets up Let's Encrypt certs via a DNS challenge to Gandi   #
+  #                                                                        #
+  ##########################################################################
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "lets-encrypt@technicalissues.us";
+      credentialFiles = { "GANDIV5_API_KEY_FILE" = "${config.sops.secrets.gandi_api.path}"; };
+      #credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };
+      dnsProvider = "gandiv5";
+      dnsResolver = "ns1.gandi.net";
+      # uncomment below for testing
+      #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+  };
+
+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    secrets.gandi_api.sopsFile = ../secrets.yaml;
+  };
+}
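Review bot: The `extraConfig = '' add_header Content-Type text/html; ''` under `locations."/"` of `nue.technicalissues.us` declares an `add_header` at location level, and nginx then stops inheriting the `add_header Strict-Transport-Security $hsts_header;` from `appendHttpConfig`, so that location is served without HSTS despite the comment above promising it. Setting the type with `default_type text/html;` instead of `add_header` keeps the inherited header and avoids a second Content-Type beside the one nginx already emits for `return`. Separately, the map value `https "max-age=31536000 always;";` puts the literal text `always;` inside the header value instead of passing nginx's `always` flag, and no `preload` or `includeSubDomains` directive is present although the comment says "with preloading"; either drop "with preloading" from the comment or add those directives deliberately (`preload` is hard to reverse) and move `always` onto the `add_header` line. The `return = "200 '…'"` line is broken across several physical lines in this rendering, so its exact body cannot be checked here.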
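Review bot: The commented `#UPTIME_KUMA_PORT = "3001";` in the new `uptime-kuma` block and `locations."/".proxyPass = "http://127.0.0.1:3001"` in the nginx hunk encode the same port in two places and rely on Uptime Kuma's default for it to line up. Adding `kuma_port = 3001;` to the file's top-level `let`, setting `UPTIME_KUMA_PORT = toString kuma_port;` explicitly and proxying to `"http://127.0.0.1:${toString kuma_port}"` ties the two together so a change to the upstream default cannot silently break the proxy. Binding `UPTIME_KUMA_HOST` to `127.0.0.1` correctly keeps the service reachable only through nginx. The enclosing `services` block starts before this hunk.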
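Review bot: `sops.age.keyFile = /home/${username}/.config/sops/age/keys.txt;` sets a host-wide sops-nix option from inside a module whose header says it only configures Let's Encrypt certificates, so any other module that also sets `sops.age.keyFile` will collide with it, and the host's decryption key lives under a login user's home, where any process running with that user's privileges can presumably read it. Keeping only `secrets.gandi_api.sopsFile = ../secrets.yaml;` in this module, moving the `age.keyFile` line to the host configuration, and considering a root-only location for the key would separate the concerns. The commented `#credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };` refers to `gandi_dns_pat`, which is defined nowhere in this file; either delete the stale alternative or add a comment stating which sops secret it would need.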