sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(zackbiene): deploy self signed TLS certs

Browse source
This commit is contained in:
oddlama 2023-03-24 17:38:28 +01:00
parent 81fb519e88
commit cbb6f906ec
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
9 changed files with 109 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

10
README.md
View file

@ -15,3 +15,13 @@ all commands using these extra parameters, or permanently add the following the
plugin-files = <copy path from $NIX_PLUGINS>/lib/nix/plugins
extra-builtins-file = /path/to/nix-config/nix/extra-builtins.nix
```
# Misc
Generate self-signed cert:
```bash
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout zackbiene-selfcert.key -out zackbiene-selfcert.crt -subj \
"/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
```

27
hosts/zackbiene/esphome.nix
View file

@ -16,26 +16,33 @@
];
};
systemd.services.nginx.serviceConfig.SupplementaryGroups = ["esphome"];
systemd.services.nginx.requires = ["esphome.service"];
services.nginx.upstreams = {
"esphome" = {
systemd.services.nginx = {
serviceConfig.SupplementaryGroups = ["esphome"];
requires = ["esphome.service"];
};
services.nginx = {
upstreams."esphome" = {
servers = {"unix:/run/esphome/esphome.sock" = {};};
extraConfig = ''
zone esphome 64k;
keepalive 2;
'';
};
};
services.nginx.virtualHosts = {
#"${nodeSecrets.esphome.domain}" = {
# forceSSL = true;
# enableACME = true;
"192.168.1.22" = {
virtualHosts."${nodeSecrets.esphome.domain}" = {
forceSSL = true;
#enableACME = true;
sslCertificate = config.rekey.secrets."selfcert.crt".path;
sslCertificateKey = config.rekey.secrets."selfcert.key".path;
locations."/" = {
proxyPass = "http://esphome";
proxyWebsockets = true;
};
# TODO dynamic definitions for the "local" network, IPv6
extraConfig = ''
allow 192.168.0.0/22;
deny all;
'';
};
};
}

37
hosts/zackbiene/home-assistant.nix
View file

@ -1,8 +1,11 @@
{
lib,
config,
nodeSecrets,
...
}: {
}: let
haPort = 8123;
in {
services.home-assistant = {
enable = true;
extraComponents = [
@ -15,8 +18,13 @@
"zha"
"mqtt"
];
openFirewall = true;
config = {
http = {
server_host = ["127.0.0.1" "::1"];
server_port = haPort;
use_x_forwarded_for = true;
trusted_proxies = ["127.0.0.1" "::1"];
};
homeassistant = {
name = "!secret ha_name";
latitude = "!secret ha_latitude";
@ -60,4 +68,29 @@
# - auth for zigbee2mqtt frontend
# - auth for esphome dashboard
# - only allow connections from privileged LAN to HA or from vpn range
services.nginx = {
upstreams."homeassistant" = {
servers = {"localhost:${toString haPort}" = {};};
extraConfig = ''
zone homeassistant 64k;
keepalive 2;
'';
};
virtualHosts."${nodeSecrets.homeassistant.domain}" = {
forceSSL = true;
#enableACME = true;
sslCertificate = config.rekey.secrets."selfcert.crt".path;
sslCertificateKey = config.rekey.secrets."selfcert.key".path;
locations."/" = {
proxyPass = "http://homeassistant";
proxyWebsockets = true;
};
# TODO dynamic definitions for the "local" network, IPv6
extraConfig = ''
allow 192.168.0.0/22;
deny all;
'';
};
};
}

47
hosts/zackbiene/nginx.nix
View file

@ -4,41 +4,38 @@
nodeSecrets,
...
}: {
rekey.secrets."selfcert.crt" = {
file = ./secrets/selfcert.crt.age;
mode = "440";
group = "nginx";
};
rekey.secrets."selfcert.key" = {
file = ./secrets/selfcert.key.age;
mode = "440";
group = "nginx";
};
rekey.secrets."dhparams.pem" = {
file = ./secrets/dhparams.pem.age;
mode = "440";
group = "nginx";
};
#security.acme.acceptTerms = true;
#security.acme.defaults.email = "admin+acme@example.com";
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
## SSL config
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_dhparam /etc/nginx/dhparam.pem;
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
#ssl_ecdh_curve secp384r1;
#ssl_session_timeout 10m;
#ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
#
## OCSP stapling
#ssl_stapling on;
#ssl_stapling_verify on;
virtualHosts = {
"${nodeSecrets.zigbee2mqtt.domain}" = {
#forceSSL = true;
#enableACME = true;
locations."/" = {
root = "/var/www";
};
};
};
# SSL config
sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
sslDhparam = config.rekey.secrets."dhparams.pem".path;
commonHttpConfig = ''
ssl_ecdh_curve secp384r1;
'';
};
networking.firewall.allowedTCPPorts = [80 443];

BIN
hosts/zackbiene/secrets/dhparams.pem.age Normal file
View file

Binary file not shown.

BIN
hosts/zackbiene/secrets/secrets.nix.age
View file

Binary file not shown.

BIN
hosts/zackbiene/secrets/selfcert.crt.age Normal file
View file

Binary file not shown.

BIN
hosts/zackbiene/secrets/selfcert.key.age Normal file
View file

Binary file not shown.

26
hosts/zackbiene/zigbee2mqtt.nix
View file

@ -1,6 +1,7 @@
{
lib,
config,
nodeSecrets,
...
}: {
rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
@ -10,7 +11,6 @@
group = "mosquitto";
};
networking.firewall.allowedTCPPorts = [8072];
services.zigbee2mqtt = {
enable = true;
settings = {
@ -25,7 +25,31 @@
user = "zigbee2mqtt";
password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
};
# TODO once > 1.30.2 is out
# frontend.host = "/run/zigbee2mqtt/zigbee2mqtt.sock";
frontend.port = 8072;
};
};
services.nginx = {
upstreams."zigbee2mqtt" = {
servers = {"localhost:8072" = {};};
extraConfig = ''
zone zigbee2mqtt 64k;
keepalive 2;
'';
};
virtualHosts."${nodeSecrets.zigbee2mqtt.domain}" = {
forceSSL = true;
#enableACME = true;
sslCertificate = config.rekey.secrets."selfcert.crt".path;
sslCertificateKey = config.rekey.secrets."selfcert.key".path;
locations."/".proxyPass = "http://zigbee2mqtt";
# TODO dynamic definitions for the "local" network, IPv6
extraConfig = ''
allow 192.168.0.0/22;
deny all;
'';
};
};
}