From 43915e51484c25804b3171f096a52e7329ba11c4 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Sat, 29 Jun 2024 20:04:38 -0400
Subject: [PATCH] Fixing a random breakage

This sucks... I really want to undo it later or otherwise make the public stuff move back to the dmz :(
---
 .../nixos/nixnuc/containers/nginx-proxy.nix | 3 +
 modules/hosts/nixos/nixnuc/default.nix | 201 +++++++++++++-----
 2 files changed, 155 insertions(+), 49 deletions(-)

diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index 227352a..d372685 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -54,6 +54,9 @@ in {
 localAddress = "192.168.23.21/24";
 config = { config, pkgs, lib, ... }: {
 system.stateVersion = "23.11";
+
+ programs.traceroute.enable = true;
+
 services.nginx = {
 enable = true;
 recommendedGzipSettings = true;
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index abd2d4d..508b67c 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -1,9 +1,15 @@
-{ compose2nix, config, pkgs, username, ... }: {
+{ compose2nix, config, pkgs, username, ... }: let
+ http_port = 80;
+ https_port = 443;
+ home_domain = "home.technicalissues.us";
+ backend_ip = "127.0.0.1";
+ mini_watcher = "192.168.23.20";
+in {
 imports = [
 ./hardware-configuration.nix
 ./containers/audiobookshelf.nix
 ./containers/psitransfer.nix
- ./containers/nginx-proxy.nix
+ ../../../system/common/linux/lets-encrypt.nix
 ../../../system/common/linux/restic.nix
 ];
@@ -52,6 +58,7 @@
 firewall.allowedTCPPorts = [
 22 # ssh
 80 # http to local Nginx
+ 443 # https to local Nginx
 3000 # PsiTransfer in oci-container
 8080 # Tandoor in docker compose
 8090 # Wallabag in docker compose
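Review bot: The new `443 # https to local Nginx` entry leaves `3000`, `8080` and `8090` open beside it, yet the nginx hunk later in this same patch fronts those backends over TLS (`tandoor.` → `${backend_ip}:8080`, `readit.` → `${backend_ip}:8090`, both `forceSSL = true`), so any LAN client can still hit them in plaintext and skip the TLS vhosts entirely. If nothing else depends on the direct ports, drop them from `allowedTCPPorts`; if the bypass is intended, say so on each entry, e.g. `8080 # Tandoor in docker compose (direct; also proxied as tandoor.${home_domain})`. The Jellyfin vhost also moves from port 80 to 8099 in this patch and 8099 is not among the visible entries; the list continues past the hunk, so confirm it is opened there or is meant to be host-only. The enclosing `networking` block starts outside the hunk.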
@@ -64,20 +71,14 @@
 hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4
 useDHCP = false;
- networkmanager.enable = true;
+ networkmanager.enable = false;
+ useNetworkd = true;
 vlans = {
 vlan23 = { id = 23; interface = "eno1"; };
 };
- bridges = {
- br1-23 = { interfaces = [ "vlan23" ]; };
- };
 interfaces = {
 eno1.useDHCP = true;
- br1-23 = {
- useDHCP = false;
- # This enables the container attached to the bridge to be reachable
- ipv4.routes = [{ address = "192.168.23.21"; prefixLength = 32; }];
- };
+ vlan23.ipv4.addresses = [{ address = "192.168.23.21"; prefixLength = 24; }];
 };
 };
@@ -107,6 +108,30 @@
 # List services that you want to enable:
 services = {
+ ##
+ ## Gandi (gandi.net)
+ ##
+ ## Single host update
+ # protocol=gandi
+ # zone=example.com
+ # password=my-gandi-access-token
+ # use-personal-access-token=yes
+ # ttl=10800 # optional
+ # myhost.example.com
+ ddclient = {
+ enable = true;
+ protocol = "gandi";
+ zone = "technicalissues.us";
+ domains = [ home_domain ];
+ username = "unused";
+ extraConfig = ''
+ usev4=webv4
+ #usev6=webv6
+ #use-personal-access-token=yes
+ ttl=300
+ '';
+ passwordFile = "${config.sops.secrets.gandi_api.path}";
+ };
 fwupd.enable = true;
 jellyfin = {
 enable = true;
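Review bot: `vlan23.ipv4.addresses` now gives the host 192.168.23.21/24, which is the exact `localAddress` the nginx-proxy container still declares in containers/nginx-proxy.nix — a file this patch edits but no longer imports. Re-importing it later, which the commit message says is the plan, would put the host and the container on the same address without any evaluation-time error. A comment on the new line would prevent that surprise, e.g. `# NOTE: .21 was nginx-proxy's container address; re-address one side before re-importing containers/nginx-proxy.nix`. The enclosing `networking` block continues outside the hunk.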
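Review bot: `#use-personal-access-token=yes` is commented out in `extraConfig` while the recipe quoted directly above lists `use-personal-access-token=yes` as part of the Gandi setup, so ddclient will, as far as its gandi protocol goes, send the `gandi_api` secret as a legacy API key rather than a bearer token; if the sops secret is a personal access token the update will fail, and if it is a legacy key the comment block is misleading. Either uncomment that line or adjust the recipe comment to state which credential type the secret holds. Reading the token via `passwordFile` from sops is the right approach; `username = "unused"` deserves a one-liner, `username = "unused"; # gandi authenticates with the token only`. The enclosing `services` block continues outside the hunk.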
@@ -115,33 +140,125 @@ lldpd.enable = true; nginx = { enable = true; - virtualHosts."jellyfin" = { - default = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - ]; - locations = { - "= /" = { - return = "302 http://$host/web/"; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000 always;"; + } + add_header Strict-Transport-Security $hsts_header; + ''; + virtualHosts = { + "jellyfin" = { + listen = [ + { + addr = "0.0.0.0"; + port = 8099; + } + ]; + locations = { + "= /" = { + return = "302 http://$host/web/"; + }; + "/" = { + proxyPass = "http://127.0.0.1:8096"; + recommendedProxySettings = true; + extraConfig = "proxy_buffering off;"; + }; + "= /web/" = { + proxyPass = "http://127.0.0.1:8096/web/index.html"; + recommendedProxySettings = true; + }; + "/socket" = { + proxyPass = "http://127.0.0.1:8096"; + recommendedProxySettings = true; + proxyWebsockets = true; + }; }; - "/" = { - proxyPass = "http://127.0.0.1:8096"; - recommendedProxySettings = true; - extraConfig = "proxy_buffering off;"; - }; - "= /web/" = { - proxyPass = "http://127.0.0.1:8096/web/index.html"; - recommendedProxySettings = true; - }; - "/socket" = { - proxyPass = "http://127.0.0.1:8096"; - recommendedProxySettings = true; - proxyWebsockets = true; + }; + + "${home_domain}" = { + default = true; + serverAliases = [ "nix-tester.${home_domain}" ]; + listen = [ + { port = http_port; addr = "0.0.0.0"; } + { port = https_port; addr = "0.0.0.0"; ssl = true; } + ]; + enableACME = true; + acmeRoot = null; + addSSL = true; + forceSSL = false; + locations."/" = { + return = "200 '

Hello world ;)

'"; + extraConfig = '' + add_header Content-Type text/html; + ''; }; }; + "ab.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyWebsockets = true; + locations."/".proxyPass = "http://${backend_ip}:13378"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + "atuin.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyPass = "http://${mini_watcher}:9999"; + }; + "nc.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + extraConfig = '' + client_max_body_size 0; + underscores_in_headers on; + ''; + locations."/".proxyWebsockets = true; + locations."/".proxyPass = "http://${mini_watcher}:8081"; + locations."/".extraConfig = '' + # these are added per https://www.nicemicro.com/tutorials/debian-snap-nextcloud.html + add_header Front-End-Https on; + proxy_headers_hash_max_size 512; + proxy_headers_hash_bucket_size 64; + proxy_buffering off; + proxy_max_temp_file_size 0; + ''; + }; + "onlyoffice.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyWebsockets = true; + locations."/".proxyPass = "http://${mini_watcher}:8888"; + }; + "readit.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyPass = "http://${backend_ip}:8090"; + }; + "tandoor.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyPass = "http://${backend_ip}:8080"; + }; }; }; resolved.enable = true; 
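Review bot: The HSTS header in `appendHttpConfig` does not do what its comment claims: `always;` sits inside the quoted map value, so the emitted header is `Strict-Transport-Security: max-age=31536000 always;`, which is not valid RFC 6797 syntax and browsers may discard, and there is no `preload` or `includeSubDomains` despite the "with preloading" comment. Separately, nginx's `add_header` is only inherited by blocks that declare none of their own, so the `${home_domain}` root location (`add_header Content-Type text/html;`) and the `nc.` location (`add_header Front-End-Https on;`) will send no HSTS header at all; that `Front-End-Https` line is also a response header, so it never reaches Nextcloud and presumably was meant to be `proxy_set_header Front-End-Https on;`. Move the flag onto the directive and repeat the header in the locations that override it, as below; the `nc.` vhost's other directives are left as they are. The enclosing `services` block continues outside the hunk.
```nix
appendHttpConfig = ''
  map $scheme $hsts_header {
    https "max-age=31536000; includeSubDomains";
  }
  add_header Strict-Transport-Security $hsts_header always;
'';
# … unchanged: jellyfin vhost …
# "${home_domain}" locations."/".extraConfig:
add_header Content-Type text/html;
add_header Strict-Transport-Security $hsts_header always;
# … unchanged: ab., atuin. vhosts …
# "nc.${home_domain}" locations."/".extraConfig:
proxy_set_header Front-End-Https on;
add_header Strict-Transport-Security $hsts_header always;
# … unchanged: proxy_headers_hash_*, proxy_buffering, onlyoffice./readit./tandoor. vhosts …
```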
@@ -151,17 +268,6 @@
 "${config.users.users.${username}.home}/compose-files/tandoor"
 "${config.users.users.${username}.home}/compose-files/wallabag"
 ];
- tailscale = {
- enable = true;
- authKeyFile = config.sops.secrets.tailscale_key.path;
- extraUpFlags = [
- "--advertise-exit-node"
- "--operator=${username}"
- "--ssh"
- "--advertise-routes=192.168.20.0/22"
- ];
- useRoutingFeatures = "both";
- };
 zfs.autoScrub.enable = true;
 };
@@ -177,9 +283,6 @@
 owner = "${username}";
 path = "/home/${username}/.private-env";
 };
- tailscale_key = {
- restartUnits = [ "tailscaled-autoconnect.service" ];
- };
 };
 };