Fixing a random breakage

This sucks... I really want to undo it later or otherwise make the
public stuff move back to the dmz :(

modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix

@@ -54,6 +54,9 @@ in {
     localAddress = "192.168.23.21/24";
     config = { config, pkgs, lib, ... }: {
       system.stateVersion = "23.11";
+
+      programs.traceroute.enable = true;
+
       services.nginx = {
         enable = true;
         recommendedGzipSettings = true;

modules/hosts/nixos/nixnuc/default.nix

@@ -1,9 +1,15 @@
-{ compose2nix, config, pkgs, username,  ... }: {
+{ compose2nix, config, pkgs, username,  ... }: let
+  http_port = 80;
+  https_port = 443;
+  home_domain = "home.technicalissues.us";
+  backend_ip = "127.0.0.1";
+  mini_watcher = "192.168.23.20";
+in {
   imports = [
     ./hardware-configuration.nix
     ./containers/audiobookshelf.nix
     ./containers/psitransfer.nix
-    ./containers/nginx-proxy.nix
+    ../../../system/common/linux/lets-encrypt.nix
     ../../../system/common/linux/restic.nix
   ];
 
@@ -52,6 +58,7 @@
     firewall.allowedTCPPorts = [
       22 # ssh
       80 # http to local Nginx
+      443 # https to local Nginx
       3000 # PsiTransfer in oci-container
       8080 # Tandoor in docker compose
       8090 # Wallabag in docker compose
@@ -64,20 +71,14 @@
     hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4
 
     useDHCP = false;
-    networkmanager.enable = true;
+    networkmanager.enable = false;
+    useNetworkd = true;
     vlans = {
       vlan23 = { id = 23; interface = "eno1"; };
     };
-    bridges = {
-      br1-23 = { interfaces = [ "vlan23" ]; };
-    };
     interfaces = {
       eno1.useDHCP = true;
-      br1-23 = {
-        useDHCP = false;
-        # This enables the container attached to the bridge to be reachable
-        ipv4.routes = [{ address = "192.168.23.21"; prefixLength = 32; }];
-      };
+      vlan23.ipv4.addresses = [{ address = "192.168.23.21"; prefixLength = 24; }];
     };
   };
 
@@ -107,6 +108,30 @@
 
   # List services that you want to enable:
   services = {
+    ##
+    ## Gandi (gandi.net)
+    ##
+    ## Single host update
+    # protocol=gandi
+    # zone=example.com
+    # password=my-gandi-access-token
+    # use-personal-access-token=yes
+    # ttl=10800 # optional
+    # myhost.example.com
+    ddclient = {
+      enable = true;
+      protocol = "gandi";
+      zone = "technicalissues.us";
+      domains = [ home_domain ];
+      username = "unused";
+      extraConfig = ''
+        usev4=webv4
+        #usev6=webv6
+        #use-personal-access-token=yes
+        ttl=300
+      '';
+      passwordFile = "${config.sops.secrets.gandi_api.path}";
+    };
     fwupd.enable = true;
     jellyfin = {
       enable = true;
@@ -115,33 +140,125 @@
     lldpd.enable = true;
     nginx = {
       enable = true;
-      virtualHosts."jellyfin" = {
-        default = true;
-        listen = [
-          {
-            addr = "0.0.0.0";
-            port = 80;
-          }
-        ];
-        locations = {
-          "= /" = {
-            return = "302 http://$host/web/";
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        map $scheme $hsts_header {
+            https   "max-age=31536000 always;";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+      '';
+      virtualHosts = {
+        "jellyfin" = {
+          listen = [
+            {
+              addr = "0.0.0.0";
+              port = 8099;
+            }
+          ];
+          locations = {
+            "= /" = {
+              return = "302 http://$host/web/";
+            };
+            "/" = {
+              proxyPass = "http://127.0.0.1:8096";
+              recommendedProxySettings = true;
+              extraConfig = "proxy_buffering off;";
+            };
+            "= /web/" = {
+              proxyPass = "http://127.0.0.1:8096/web/index.html";
+              recommendedProxySettings = true;
+            };
+            "/socket" = {
+              proxyPass = "http://127.0.0.1:8096";
+              recommendedProxySettings = true;
+              proxyWebsockets = true;
+            };
           };
-          "/" = {
-            proxyPass = "http://127.0.0.1:8096";
-            recommendedProxySettings = true;
-            extraConfig = "proxy_buffering off;";
-          };
-          "= /web/" = {
-            proxyPass = "http://127.0.0.1:8096/web/index.html";
-            recommendedProxySettings = true;
-          };
-          "/socket" = {
-            proxyPass = "http://127.0.0.1:8096";
-            recommendedProxySettings = true;
-            proxyWebsockets = true;
+        };
+
+        "${home_domain}" = {
+          default = true;
+          serverAliases = [ "nix-tester.${home_domain}" ];
+          listen = [
+            { port = http_port; addr = "0.0.0.0"; }
+            { port = https_port; addr = "0.0.0.0"; ssl = true; }
+          ];
+          enableACME = true;
+          acmeRoot = null;
+          addSSL = true;
+          forceSSL = false;
+          locations."/" = {
+            return = "200 '<h1>Hello world ;)</h1>'";
+            extraConfig = ''
+              add_header Content-Type text/html;
+            '';
           };
         };
+        "ab.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyWebsockets = true;
+          locations."/".proxyPass = "http://${backend_ip}:13378";
+          extraConfig = ''
+            client_max_body_size 0;
+          '';
+        };
+        "atuin.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${mini_watcher}:9999";
+        };
+        "nc.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          extraConfig = ''
+            client_max_body_size 0;
+            underscores_in_headers on;
+          '';
+          locations."/".proxyWebsockets = true;
+          locations."/".proxyPass = "http://${mini_watcher}:8081";
+          locations."/".extraConfig = ''
+            # these are added per https://www.nicemicro.com/tutorials/debian-snap-nextcloud.html
+            add_header Front-End-Https on;
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 64;
+            proxy_buffering off;
+            proxy_max_temp_file_size 0;
+          '';
+        };
+        "onlyoffice.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyWebsockets = true;
+          locations."/".proxyPass = "http://${mini_watcher}:8888";
+        };
+        "readit.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${backend_ip}:8090";
+        };
+        "tandoor.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${backend_ip}:8080";
+        };
       };
     };
     resolved.enable = true;
@@ -151,17 +268,6 @@
       "${config.users.users.${username}.home}/compose-files/tandoor"
       "${config.users.users.${username}.home}/compose-files/wallabag"
     ];
-    tailscale = {
-      enable = true;
-      authKeyFile = config.sops.secrets.tailscale_key.path;
-      extraUpFlags = [
-        "--advertise-exit-node"
-        "--operator=${username}"
-        "--ssh"
-        "--advertise-routes=192.168.20.0/22"
-      ];
-      useRoutingFeatures = "both";
-    };
     zfs.autoScrub.enable = true;
   };
 
@@ -177,9 +283,6 @@
         owner = "${username}";
         path = "/home/${username}/.private-env";
       };
-      tailscale_key = {
-        restartUnits = [ "tailscaled-autoconnect.service" ];
-      };
     };
   };