mirror of
https://github.com/genebean/dots.git
synced 2026-03-27 09:27:44 -04:00
102 lines
2.8 KiB
Nix
102 lines
2.8 KiB
Nix
{ config, ... }: let
|
|
http_port = 8080;
|
|
https_port = 8444;
|
|
gandi_api = "${config.sops.secrets.gandi_api.path}";
|
|
#gandi_dns_pat = "${config.sops.secrets.gandi_dns_pat.path}";
|
|
home_domain = "home.technicalissues.us";
|
|
in {
|
|
sops.secrets.gandi_api = {
|
|
sopsFile = ../../../../system/common/secrets.yaml;
|
|
restartUnits = [
|
|
"container@nginx-proxy.service"
|
|
];
|
|
};
|
|
#sops.secrets.gandi_dns_pat = {
|
|
# sopsFile = ../../../../system/common/secrets.yaml;
|
|
# restartUnits = [
|
|
# "container@nginx-proxy.service"
|
|
# ];
|
|
#};
|
|
|
|
##
|
|
## Gandi (gandi.net)
|
|
##
|
|
## Single host update
|
|
# protocol=gandi
|
|
# zone=example.com
|
|
# password=my-gandi-access-token
|
|
# use-personal-access-token=yes
|
|
# ttl=10800 # optional
|
|
# myhost.example.com
|
|
services.ddclient = {
|
|
enable = true;
|
|
protocol = "gandi";
|
|
zone = "technicalissues.us";
|
|
domains = [ home_domain ];
|
|
username = "unused";
|
|
extraConfig = ''
|
|
usev4=webv4
|
|
#usev6=webv6
|
|
#use-personal-access-token=yes
|
|
ttl=300
|
|
'';
|
|
passwordFile = gandi_api; };
|
|
|
|
containers.nginx-proxy = {
|
|
bindMounts."${gandi_api}".isReadOnly = true;
|
|
#bindMounts."${gandi_dns_pat}".isReadOnly = true;
|
|
autoStart = true;
|
|
privateNetwork = true;
|
|
hostBridge = "br1-23";
|
|
localAddress = "192.168.23.21/24";
|
|
config = { config, pkgs, lib, ... }: {
|
|
system.stateVersion = "23.11";
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
|
|
virtualHosts = {
|
|
"nix-tester.${home_domain}" = {
|
|
default = true;
|
|
listen = [
|
|
{ port = http_port; addr = "0.0.0.0"; }
|
|
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
|
|
];
|
|
enableACME = true;
|
|
acmeRoot = null;
|
|
addSSL = true;
|
|
forceSSL = false;
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "lets-encrypt@technicalissues.us";
|
|
credentialFiles = { "GANDIV5_API_KEY_FILE" = gandi_api; };
|
|
#credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };
|
|
dnsProvider = "gandiv5";
|
|
# uncomment below for testing
|
|
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
};
|
|
};
|
|
|
|
networking = {
|
|
firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ http_port https_port ];
|
|
};
|
|
defaultGateway = "192.168.23.1";
|
|
# Use systemd-resolved inside the container
|
|
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
|
|
useHostResolvConf = lib.mkForce false;
|
|
};
|
|
|
|
services.resolved.enable = true;
|
|
};
|
|
};
|
|
}
|