From 02cac49d79c89fd4ed3f1112b96878e61cf43fb3 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Fri, 14 Apr 2023 15:20:51 +0200
Subject: [PATCH] mediaserver: add nginx

---
 agenix/hosts/mediaserver/acme/credentials.age | 11 ++++++++
 agenix/hosts/mediaserver/config.nix | 6 +++++
 secrets.nix | 2 ++
 system/hosts/mediaserver.nix | 3 +++
 system/nixos/acme-mediaserver.nix | 24 ++++++++++++++++++
 system/nixos/nginx.nix | 25 ++++++++-----------
 6 files changed, 57 insertions(+), 14 deletions(-)
 create mode 100644 agenix/hosts/mediaserver/acme/credentials.age
 create mode 100644 system/nixos/acme-mediaserver.nix

diff --git a/agenix/hosts/mediaserver/acme/credentials.age b/agenix/hosts/mediaserver/acme/credentials.age
new file mode 100644
index 0000000..3a8c5ee
--- /dev/null
+++ b/agenix/hosts/mediaserver/acme/credentials.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyA1TTFz
+TW9lU1N2VEhQa21mV250YUFFbk1LL2xYcmEzT09SRUMxY0IyK0JJCnlCNjkwR0Nr
+VEV5TVk0aHhjOUNodDZZaUpjVlRLa1ZsY0F1VDlqMTZCencKLT4gc3NoLWVkMjU1
+MTkgWTk0WWlnIGxMbVhCWEFuQ24zL0hoUkJSVzdycGNDRjlobHNma3hYM1JyZ2FX
+cGRIQXcKTkRWelc0dGJIb2Y3UStZZng3S21VNytQUWZQNGtRWGduY0VKNG9lVy91
+WQotPiBoby8xQyJHYy1ncmVhc2UgZW0jazMKWTYyaUwwdEhyUC8vb1EKLS0tIDJT
+SkRBK242YTA3WkNQU3N4bFJXWnlKcENZa0xjTU0xU0NJOWxNNzlKSFkK9F1rNSdf
+76qvHTa2JYv/7S/f1EbK5Y9DX6kgnCgI2p7O2Ywh+mtzon8cFl/UtxZ45fxezFX3
+COdO04nAScl/XCzD6RHI71Q9HxpEOwGg5qx8uqVFubePBsaFXmIXOPfmo/U=
+-----END AGE ENCRYPTED FILE-----
diff --git a/agenix/hosts/mediaserver/config.nix b/agenix/hosts/mediaserver/config.nix
index 2830661..39f2edb 100644
--- a/agenix/hosts/mediaserver/config.nix
+++ b/agenix/hosts/mediaserver/config.nix
@@ -4,6 +4,12 @@
     file = ./user/danielPassword.age;
   };
 
+  acme-credentials = {
+    file = ./acme/credentials.age;
+    owner = "acme";
+    group = "acme";
+  };
+
   tailscale-authkey = {
     file = ./tailscale/authkey.age;
   };
diff --git a/secrets.nix b/secrets.nix
index 321cc6b..bcd6a3d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -58,6 +58,8 @@ in
   # mediaserver
   "agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver;
 
+  "agenix/hosts/mediaserver/acme/credentials.age".publicKeys = mediaserver;
+
   "agenix/hosts/mediaserver/tailscale/authkey.age".publicKeys = mediaserver;
 
   "agenix/hosts/mediaserver/wireguard/config.age".publicKeys = mediaserver;
diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index ad596e9..701b99c 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -11,6 +11,9 @@ in
 
     ../nixos/git.nix
 
+    ../nixos/acme-mediaserver.nix
+    ../nixos/nginx.nix
+
     ../nixos/attic.nix
 
     ../nixos/tailscale.nix
diff --git a/system/nixos/acme-mediaserver.nix b/system/nixos/acme-mediaserver.nix
new file mode 100644
index 0000000..760b635
--- /dev/null
+++ b/system/nixos/acme-mediaserver.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      email = "acme@kempkens.io";
+      group = "nginx";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.acme-credentials.path;
+      dnsResolver = "1.1.1.1:53";
+      dnsPropagationCheck = true;
+      reloadServices = [ "nginx.service" ];
+    };
+
+    certs = {
+      "internal.kempkens.network" = {
+        domain = "*.internal.kempkens.network";
+        extraDomainNames = [ "jellyfin.home.kempkens.io" ];
+      };
+    };
+  };
+}
diff --git a/system/nixos/nginx.nix b/system/nixos/nginx.nix
index ccdc8fb..ab79d12 100644
--- a/system/nixos/nginx.nix
+++ b/system/nixos/nginx.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
 
 {
   services.nginx = {
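Review bot: In acme-mediaserver.nix the `credentialsFile` line gives no indication of what the decrypted Cloudflare secret must contain or how narrowly the token is scoped, so a reader of this module cannot tell whether certificate renewal rests on a zone-limited DNS token or an account-wide key. I would add above `credentialsFile`: `# lego env file for the cloudflare provider (e.g. CLOUDFLARE_DNS_API_TOKEN=...); keep the token scoped to DNS edit on the zones named in certs below`. Separately, `extraDomainNames` places `jellyfin.home.kempkens.io` as a SAN on the `*.internal.kempkens.network` wildcard, so that hostname is published in Certificate Transparency logs alongside the wildcard; if the wildcard was chosen to keep internal names out of CT, a separate `certs` entry for the jellyfin name keeps the two apart. The `group = "nginx"` default is also what grants nginx read access to every private key lego writes, which deserves a one-line comment since `acme` remains the owner.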
@@ -26,17 +26,14 @@
     '';
   };
 
-  networking.firewall.interfaces =
-    let
-      nginxTCPPorts = [ 80 443 ];
-      nginxUDPPorts = [ 443 ];
-    in
-    {
-      "enp1s0".allowedTCPPorts = nginxTCPPorts;
-      "enp1s0".allowedUDPPorts = nginxUDPPorts;
-      "enp7s0".allowedTCPPorts = nginxTCPPorts;
-      "enp7s0".allowedUDPPorts = nginxUDPPorts;
-      "tailscale0".allowedTCPPorts = nginxTCPPorts;
-      "tailscale0".allowedUDPPorts = nginxUDPPorts;
-    };
+  networking.firewall.interfaces = builtins.listToAttrs
+    (builtins.map
+      (iface: {
+        name = iface;
+        value = {
+          allowedTCPPorts = [ 80 443 ];
+          allowedUDPPorts = [ 443 ];
+        };
+      })
+      (lib.mapAttrsToList (name: value: value.matchConfig.Name) config.systemd.network.networks ++ [ "tailscale0" ]));
 }
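Review bot: The rewritten `networking.firewall.interfaces` opens 80/443 on every entry of `config.systemd.network.networks` rather than the two named interfaces it replaces, and it reads `value.matchConfig.Name` unconditionally, so a network that matches on something other than `Name` has no such attribute and aborts evaluation, while one whose `Name` is a systemd glob such as `en*` yields a firewall interface name that is unlikely to be a real device. I cannot see `systemd.network.networks` from this hunk, so whether either case exists today is unverified, but the expression now silently inherits any future network definition into the set of interfaces nginx is reachable on. A one-line comment stating that intent would help the next reader, e.g. `# expose nginx on every networkd-managed interface plus tailscale0`, and the `listToAttrs`/`map` pair collapses to `lib.genAttrs (lib.mapAttrsToList (_: net: net.matchConfig.Name) config.systemd.network.networks ++ [ "tailscale0" ]) (_: { allowedTCPPorts = [ 80 443 ]; allowedUDPPorts = [ 443 ]; })`. The enclosing module attribute set starts before this hunk.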