diff --git a/README.md b/README.md index 69e1e44..68f6a26 100644 --- a/README.md +++ b/README.md @@ -15,3 +15,13 @@ all commands using these extra parameters, or permanently add the following the plugin-files = /lib/nix/plugins extra-builtins-file = /path/to/nix-config/nix/extra-builtins.nix ``` + +# Misc + +Generate self-signed cert: + +```bash +openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ + -keyout zackbiene-selfcert.key -out zackbiene-selfcert.crt -subj \ + "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1" +``` diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix index 73a5a0f..6d1df01 100644 --- a/hosts/zackbiene/esphome.nix +++ b/hosts/zackbiene/esphome.nix @@ -16,26 +16,33 @@ ]; }; - systemd.services.nginx.serviceConfig.SupplementaryGroups = ["esphome"]; - systemd.services.nginx.requires = ["esphome.service"]; - services.nginx.upstreams = { - "esphome" = { + systemd.services.nginx = { + serviceConfig.SupplementaryGroups = ["esphome"]; + requires = ["esphome.service"]; + }; + + services.nginx = { + upstreams."esphome" = { servers = {"unix:/run/esphome/esphome.sock" = {};}; extraConfig = '' zone esphome 64k; keepalive 2; ''; }; - }; - services.nginx.virtualHosts = { - #"${nodeSecrets.esphome.domain}" = { - # forceSSL = true; - # enableACME = true; - "192.168.1.22" = { + virtualHosts."${nodeSecrets.esphome.domain}" = { + forceSSL = true; + #enableACME = true; + sslCertificate = config.rekey.secrets."selfcert.crt".path; + sslCertificateKey = config.rekey.secrets."selfcert.key".path; locations."/" = { proxyPass = "http://esphome"; proxyWebsockets = true; }; + # TODO dynamic definitions for the "local" network, IPv6 + extraConfig = '' + allow 192.168.0.0/22; + deny all; + ''; }; }; } diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 88a5529..6f42e53 100644 --- a/hosts/zackbiene/home-assistant.nix 
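Review bot: The `allow 192.168.0.0/22; deny all;` in the esphome virtualHost is the only access control in front of the dashboard, and the TODO list in home-assistant.nix in this same commit still lists "auth for esphome dashboard" as open, so anyone on that /22 can reach it. Until proper auth is wired up, adding `basicAuthFile = <htpasswd file, provisioned through rekey.secrets like selfcert.key>;` to this virtualHost gives a second check that does not depend on network position. Also note that, as far as I recall, the port-80 redirect server that `forceSSL` generates does not carry this `extraConfig`; harmless here because it only returns a 301, but worth knowing before anything is added to the plain-HTTP side.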
+++ b/hosts/zackbiene/home-assistant.nix @@ -1,8 +1,11 @@ { lib, config, + nodeSecrets, ... -}: { +}: let + haPort = 8123; +in { services.home-assistant = { enable = true; extraComponents = [ @@ -15,8 +18,13 @@ "zha" "mqtt" ]; - openFirewall = true; config = { + http = { + server_host = ["127.0.0.1" "::1"]; + server_port = haPort; + use_x_forwarded_for = true; + trusted_proxies = ["127.0.0.1" "::1"]; + }; homeassistant = { name = "!secret ha_name"; latitude = "!secret ha_latitude"; @@ -60,4 +68,29 @@ # - auth for zigbee2mqtt frontend # - auth for esphome dashboard # - only allow connections from privileged LAN to HA or from vpn range + + services.nginx = { + upstreams."homeassistant" = { + servers = {"localhost:${toString haPort}" = {};}; + extraConfig = '' + zone homeassistant 64k; + keepalive 2; + ''; + }; + virtualHosts."${nodeSecrets.homeassistant.domain}" = { + forceSSL = true; + #enableACME = true; + sslCertificate = config.rekey.secrets."selfcert.crt".path; + sslCertificateKey = config.rekey.secrets."selfcert.key".path; + locations."/" = { + proxyPass = "http://homeassistant"; + proxyWebsockets = true; + }; + # TODO dynamic definitions for the "local" network, IPv6 + extraConfig = '' + allow 192.168.0.0/22; + deny all; + ''; + }; + }; } diff --git a/hosts/zackbiene/nginx.nix b/hosts/zackbiene/nginx.nix index b41df56..069529b 100644 --- a/hosts/zackbiene/nginx.nix +++ b/hosts/zackbiene/nginx.nix 
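Review bot: With Home Assistant bound to loopback and fronted by nginx, the login page is now reachable from the whole 192.168.0.0/22 without any brute-force throttling; the same `http` block is the place to enable HA's own lockout, `ip_ban_enabled = true; login_attempts_threshold = 5;`, which only works as intended because `use_x_forwarded_for` and `trusted_proxies` are set here (and, if I read HA's forwarded handling correctly, `$proxy_add_x_forwarded_for` from recommendedProxySettings puts the real client last, which is what it expects). Separately, the `allow 192.168.0.0/22; deny all;` snippet added to `services.nginx.virtualHosts` here is byte-identical to the ones added in esphome.nix and zigbee2mqtt.nix; the TODO already hints at it — a single shared definition (a let-bound string or a module option) would stop the three lists drifting apart. The `# - only allow connections from privileged LAN to HA` item in the TODO list just above is partly addressed by this change and could be updated.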
@@ -4,41 +4,38 @@ nodeSecrets, ... }: { + rekey.secrets."selfcert.crt" = { + file = ./secrets/selfcert.crt.age; + mode = "440"; + group = "nginx"; + }; + rekey.secrets."selfcert.key" = { + file = ./secrets/selfcert.key.age; + mode = "440"; + group = "nginx"; + }; + rekey.secrets."dhparams.pem" = { + file = ./secrets/dhparams.pem.age; + mode = "440"; + group = "nginx"; + }; + #security.acme.acceptTerms = true; #security.acme.defaults.email = "admin+acme@example.com"; services.nginx = { enable = true; - # Use recommended settings recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - ## SSL config - #ssl_protocols TLSv1.2 TLSv1.3; - #ssl_dhparam /etc/nginx/dhparam.pem; - #ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - #ssl_ecdh_curve secp384r1; - #ssl_session_timeout 10m; - #ssl_session_cache shared:SSL:10m; - #ssl_session_tickets off; - # - ## OCSP stapling - #ssl_stapling on; - #ssl_stapling_verify on; - - virtualHosts = { - "${nodeSecrets.zigbee2mqtt.domain}" = { - #forceSSL = true; - #enableACME = true; - locations."/" = { - root = "/var/www"; - }; - }; - }; + # SSL config + sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL"; + sslDhparam = config.rekey.secrets."dhparams.pem".path; + commonHttpConfig = '' + ssl_ecdh_curve secp384r1; + ''; }; networking.firewall.allowedTCPPorts = [80 443]; diff --git a/hosts/zackbiene/secrets/dhparams.pem.age b/hosts/zackbiene/secrets/dhparams.pem.age new file mode 100644 index 0000000..e49ceb2 Binary files /dev/null and b/hosts/zackbiene/secrets/dhparams.pem.age differ diff --git a/hosts/zackbiene/secrets/secrets.nix.age b/hosts/zackbiene/secrets/secrets.nix.age index f1cb24b..01af9ce 100644 Binary files a/hosts/zackbiene/secrets/secrets.nix.age and b/hosts/zackbiene/secrets/secrets.nix.age differ 
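Review bot: `ssl_ecdh_curve secp384r1;` in `commonHttpConfig` pins key exchange to a single curve and drops P-256 (mandatory for TLS 1.3 clients) and X25519 (recommended), while P-384 is optional for them; this adds nothing over the `recommendedTlsSettings` defaults and can shut out clients. Either drop the line or list several, `ssl_ecdh_curve X25519:secp384r1:prime256v1;`. The `EDH+AESGCM` half of `sslCiphers` is what keeps DHE suites, and hence the `sslDhparam` file, in play; DH parameters are not secret, so encrypting `dhparams.pem` with age and giving it mode 440 is fine but not required. With a self-signed certificate the `ssl_stapling on` that `recommendedTlsSettings` enables will only log a warning, since there is no OCSP responder to query.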
diff --git a/hosts/zackbiene/secrets/selfcert.crt.age b/hosts/zackbiene/secrets/selfcert.crt.age new file mode 100644 index 0000000..8b8e1d9 Binary files /dev/null and b/hosts/zackbiene/secrets/selfcert.crt.age differ diff --git a/hosts/zackbiene/secrets/selfcert.key.age b/hosts/zackbiene/secrets/selfcert.key.age new file mode 100644 index 0000000..4d54ae4 Binary files /dev/null and b/hosts/zackbiene/secrets/selfcert.key.age differ diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix index 93e6e3b..df5e07e 100644 --- a/hosts/zackbiene/zigbee2mqtt.nix +++ b/hosts/zackbiene/zigbee2mqtt.nix @@ -1,6 +1,7 @@ { lib, config, + nodeSecrets, ... }: { rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = { @@ -10,7 +11,6 @@ group = "mosquitto"; }; - networking.firewall.allowedTCPPorts = [8072]; services.zigbee2mqtt = { enable = true; settings = { @@ -25,7 +25,31 @@ user = "zigbee2mqtt"; password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password"; }; + # TODO once > 1.30.2 is out + # frontend.host = "/run/zigbee2mqtt/zigbee2mqtt.sock"; frontend.port = 8072; }; }; + + services.nginx = { + upstreams."zigbee2mqtt" = { + servers = {"localhost:8072" = {};}; + extraConfig = '' + zone zigbee2mqtt 64k; + keepalive 2; + ''; + }; + virtualHosts."${nodeSecrets.zigbee2mqtt.domain}" = { + forceSSL = true; + #enableACME = true; + sslCertificate = config.rekey.secrets."selfcert.crt".path; + sslCertificateKey = config.rekey.secrets."selfcert.key".path; + locations."/".proxyPass = "http://zigbee2mqtt"; + # TODO dynamic definitions for the "local" network, IPv6 + extraConfig = '' + allow 192.168.0.0/22; + deny all; + ''; + }; + }; }
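Review bot: Removing 8072 from `allowedTCPPorts` closes the frontend to the outside only as long as the NixOS firewall stays on; zigbee2mqtt's `frontend` still listens on its default bind address (0.0.0.0 in the versions I know), so until the socket option from the TODO lands, add `frontend.host = "127.0.0.1";` next to `frontend.port = 8072;` so the process itself only accepts connections from nginx. The new virtualHost also lacks `proxyWebsockets = true`, which the esphome and home-assistant vhosts in this commit both set; as far as I know the zigbee2mqtt frontend talks to the backend over a WebSocket, so without it the UI loads but gets no live updates — `locations."/" = { proxyPass = "http://zigbee2mqtt"; proxyWebsockets = true; };`. The `# - auth for zigbee2mqtt frontend` TODO in home-assistant.nix still stands; zigbee2mqtt's `frontend.auth_token` setting would fit in this `settings` block once the secret exists.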