feat(zackbiene): deploy self signed TLS certs

README.md

@@ -15,3 +15,13 @@ all commands using these extra parameters, or permanently add the following the
 	plugin-files = <copy path from $NIX_PLUGINS>/lib/nix/plugins
 	extra-builtins-file = /path/to/nix-config/nix/extra-builtins.nix
 	```
+
+# Misc
+
+Generate self-signed cert:
+
+```bash
+openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
+  -keyout zackbiene-selfcert.key -out zackbiene-selfcert.crt -subj \
+  "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
+```

hosts/zackbiene/esphome.nix

@@ -16,26 +16,33 @@
     ];
   };
 
-  systemd.services.nginx.serviceConfig.SupplementaryGroups = ["esphome"];
+  systemd.services.nginx = {
-  systemd.services.nginx.requires = ["esphome.service"];
+    serviceConfig.SupplementaryGroups = ["esphome"];
-  services.nginx.upstreams = {
+    requires = ["esphome.service"];
-    "esphome" = {
+  };
+
+  services.nginx = {
+    upstreams."esphome" = {
       servers = {"unix:/run/esphome/esphome.sock" = {};};
       extraConfig = ''
         zone esphome 64k;
         keepalive 2;
       '';
     };
-  };
+    virtualHosts."${nodeSecrets.esphome.domain}" = {
-  services.nginx.virtualHosts = {
+      forceSSL = true;
-    #"${nodeSecrets.esphome.domain}" = {
+      #enableACME = true;
-    #  forceSSL = true;
+      sslCertificate = config.rekey.secrets."selfcert.crt".path;
-    #  enableACME = true;
+      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
-    "192.168.1.22" = {
       locations."/" = {
         proxyPass = "http://esphome";
         proxyWebsockets = true;
       };
+      # TODO dynamic definitions for the "local" network, IPv6
+      extraConfig = ''
+        allow 192.168.0.0/22;
+        deny all;
+      '';
     };
   };
 }

hosts/zackbiene/home-assistant.nix

@@ -1,8 +1,11 @@
 {
   lib,
   config,
+  nodeSecrets,
   ...
-}: {
+}: let
+  haPort = 8123;
+in {
   services.home-assistant = {
     enable = true;
     extraComponents = [
@@ -15,8 +18,13 @@
       "zha"
       "mqtt"
     ];
-    openFirewall = true;
     config = {
+      http = {
+        server_host = ["127.0.0.1" "::1"];
+        server_port = haPort;
+        use_x_forwarded_for = true;
+        trusted_proxies = ["127.0.0.1" "::1"];
+      };
       homeassistant = {
         name = "!secret ha_name";
         latitude = "!secret ha_latitude";
@@ -60,4 +68,29 @@
   #   - auth for zigbee2mqtt frontend
   #   - auth for esphome dashboard
   #   - only allow connections from privileged LAN to HA or from vpn range
+
+  services.nginx = {
+    upstreams."homeassistant" = {
+      servers = {"localhost:${toString haPort}" = {};};
+      extraConfig = ''
+        zone homeassistant 64k;
+        keepalive 2;
+      '';
+    };
+    virtualHosts."${nodeSecrets.homeassistant.domain}" = {
+      forceSSL = true;
+      #enableACME = true;
+      sslCertificate = config.rekey.secrets."selfcert.crt".path;
+      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      locations."/" = {
+        proxyPass = "http://homeassistant";
+        proxyWebsockets = true;
+      };
+      # TODO dynamic definitions for the "local" network, IPv6
+      extraConfig = ''
+        allow 192.168.0.0/22;
+        deny all;
+      '';
+    };
+  };
 }

hosts/zackbiene/nginx.nix

@@ -4,41 +4,38 @@
   nodeSecrets,
   ...
 }: {
+  rekey.secrets."selfcert.crt" = {
+    file = ./secrets/selfcert.crt.age;
+    mode = "440";
+    group = "nginx";
+  };
+  rekey.secrets."selfcert.key" = {
+    file = ./secrets/selfcert.key.age;
+    mode = "440";
+    group = "nginx";
+  };
+  rekey.secrets."dhparams.pem" = {
+    file = ./secrets/dhparams.pem.age;
+    mode = "440";
+    group = "nginx";
+  };
+
   #security.acme.acceptTerms = true;
   #security.acme.defaults.email = "admin+acme@example.com";
   services.nginx = {
     enable = true;
 
-    # Use recommended settings
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
 
-    # Only allow PFS-enabled ciphers with AES256
+    # SSL config
-    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
-    ## SSL config
+    sslDhparam = config.rekey.secrets."dhparams.pem".path;
-    #ssl_protocols TLSv1.2 TLSv1.3;
+    commonHttpConfig = ''
-    #ssl_dhparam /etc/nginx/dhparam.pem;
+      ssl_ecdh_curve secp384r1;
-    #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    '';
-    #ssl_ecdh_curve secp384r1;
-    #ssl_session_timeout 10m;
-    #ssl_session_cache shared:SSL:10m;
-    #ssl_session_tickets off;
-    #
-    ## OCSP stapling
-    #ssl_stapling on;
-    #ssl_stapling_verify on;
-
-    virtualHosts = {
-      "${nodeSecrets.zigbee2mqtt.domain}" = {
-        #forceSSL = true;
-        #enableACME = true;
-        locations."/" = {
-          root = "/var/www";
-        };
-      };
-    };
   };
 
   networking.firewall.allowedTCPPorts = [80 443];

hosts/zackbiene/zigbee2mqtt.nix

@@ -1,6 +1,7 @@
 {
   lib,
   config,
+  nodeSecrets,
   ...
 }: {
   rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
@@ -10,7 +11,6 @@
     group = "mosquitto";
   };
 
-  networking.firewall.allowedTCPPorts = [8072];
   services.zigbee2mqtt = {
     enable = true;
     settings = {
@@ -25,7 +25,31 @@
         user = "zigbee2mqtt";
         password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
       };
+      # TODO once > 1.30.2 is out
+      # frontend.host = "/run/zigbee2mqtt/zigbee2mqtt.sock";
       frontend.port = 8072;
     };
   };
+
+  services.nginx = {
+    upstreams."zigbee2mqtt" = {
+      servers = {"localhost:8072" = {};};
+      extraConfig = ''
+        zone zigbee2mqtt 64k;
+        keepalive 2;
+      '';
+    };
+    virtualHosts."${nodeSecrets.zigbee2mqtt.domain}" = {
+      forceSSL = true;
+      #enableACME = true;
+      sslCertificate = config.rekey.secrets."selfcert.crt".path;
+      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      locations."/".proxyPass = "http://zigbee2mqtt";
+      # TODO dynamic definitions for the "local" network, IPv6
+      extraConfig = ''
+        allow 192.168.0.0/22;
+        deny all;
+      '';
+    };
+  };
 }