sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
mynixos-config/hosts/ward/guests/web-proxy.nix

87 lines
2.3 KiB
Nix
Raw Permalink Blame History

{
config,
globals,
...
}:
let
inherit (config.repo.secrets.local) acme;
fritzboxDomain = "fritzbox.${globals.domains.personal}";
in
{
microvm.mem = 1024 * 4; # Need more /tmp space so nginx can store intermediary files
globals.wireguard.proxy-home.hosts.${config.node.name} = {
firewallRuleForAll.allowedTCPPorts = [
80
443
];
firewallRuleForAll.allowedUDPPorts = [
443
];
};
# This node shall monitor the infrastructure
meta.telegraf.availableMonitoringNetworks = [
"internet"
"home-wan"
"home-lan.vlans.services"
];
age.secrets.acme-cloudflare-dns-token = {
rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
mode = "440";
group = "acme";
};
age.secrets.acme-cloudflare-zone-token = {
rekeyFile = config.node.secretsDir + "/acme-cloudflare-zone-token.age";
mode = "440";
group = "acme";
};
security.acme = {
acceptTerms = true;
defaults = {
credentialFiles = {
CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
};
dnsProvider = "cloudflare";
dnsPropagationCheck = true;
reloadServices = [ "nginx" ];
};
inherit (acme) certs wildcardDomains;
};
services.nginx = {
upstreams.fritzbox = {
servers.${globals.net.home-wan.hosts.fritzbox.ipv4} = { };
extraConfig = ''
zone grafana 64k;
keepalive 2;
'';
};
virtualHosts.${fritzboxDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/" = {
proxyPass = "http://fritzbox";
proxyWebsockets = true;
};
# Allow using self-signed certs. We just want to make sure the connection
# is over TLS.
extraConfig = ''
proxy_ssl_verify off;
allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv6};
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
deny all;
'';
};
};
users.groups.acme.members = [ "nginx" ];
services.nginx.enable = true;
services.nginx.recommendedSetup = true;
}
Reference in a new issue View git blame Copy permalink