From 02cac49d79c89fd4ed3f1112b96878e61cf43fb3 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens <daniel+git@kempkens.io>
Date: Fri, 14 Apr 2023 15:20:51 +0200
Subject: [PATCH] mediaserver: add nginx

---
 agenix/hosts/mediaserver/acme/credentials.age | 11 ++++++++
 agenix/hosts/mediaserver/config.nix           |  6 +++++
 secrets.nix                                   |  2 ++
 system/hosts/mediaserver.nix                  |  3 +++
 system/nixos/acme-mediaserver.nix             | 24 ++++++++++++++++++
 system/nixos/nginx.nix                        | 25 ++++++++-----------
 6 files changed, 57 insertions(+), 14 deletions(-)
 create mode 100644 agenix/hosts/mediaserver/acme/credentials.age
 create mode 100644 system/nixos/acme-mediaserver.nix

diff --git a/agenix/hosts/mediaserver/acme/credentials.age b/agenix/hosts/mediaserver/acme/credentials.age
new file mode 100644
index 0000000..3a8c5ee
--- /dev/null
+++ b/agenix/hosts/mediaserver/acme/credentials.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyA1TTFz
+TW9lU1N2VEhQa21mV250YUFFbk1LL2xYcmEzT09SRUMxY0IyK0JJCnlCNjkwR0Nr
+VEV5TVk0aHhjOUNodDZZaUpjVlRLa1ZsY0F1VDlqMTZCencKLT4gc3NoLWVkMjU1
+MTkgWTk0WWlnIGxMbVhCWEFuQ24zL0hoUkJSVzdycGNDRjlobHNma3hYM1JyZ2FX
+cGRIQXcKTkRWelc0dGJIb2Y3UStZZng3S21VNytQUWZQNGtRWGduY0VKNG9lVy91
+WQotPiBoby8xQyJHYy1ncmVhc2UgZW0jazMKWTYyaUwwdEhyUC8vb1EKLS0tIDJT
+SkRBK242YTA3WkNQU3N4bFJXWnlKcENZa0xjTU0xU0NJOWxNNzlKSFkK9F1rNSdf
+76qvHTa2JYv/7S/f1EbK5Y9DX6kgnCgI2p7O2Ywh+mtzon8cFl/UtxZ45fxezFX3
+COdO04nAScl/XCzD6RHI71Q9HxpEOwGg5qx8uqVFubePBsaFXmIXOPfmo/U=
+-----END AGE ENCRYPTED FILE-----
diff --git a/agenix/hosts/mediaserver/config.nix b/agenix/hosts/mediaserver/config.nix
index 2830661..39f2edb 100644
--- a/agenix/hosts/mediaserver/config.nix
+++ b/agenix/hosts/mediaserver/config.nix
@@ -4,6 +4,12 @@
       file = ./user/danielPassword.age;
     };
 
+    acme-credentials = {
+      file = ./acme/credentials.age;
+      owner = "acme";
+      group = "acme";
+    };
+
     tailscale-authkey = {
       file = ./tailscale/authkey.age;
     };
diff --git a/secrets.nix b/secrets.nix
index 321cc6b..bcd6a3d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -58,6 +58,8 @@ in
   # mediaserver
   "agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver;
 
+  "agenix/hosts/mediaserver/acme/credentials.age".publicKeys = mediaserver;
+
   "agenix/hosts/mediaserver/tailscale/authkey.age".publicKeys = mediaserver;
 
   "agenix/hosts/mediaserver/wireguard/config.age".publicKeys = mediaserver;
diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index ad596e9..701b99c 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -11,6 +11,9 @@ in
 
     ../nixos/git.nix
 
+    ../nixos/acme-mediaserver.nix
+    ../nixos/nginx.nix
+
     ../nixos/attic.nix
 
     ../nixos/tailscale.nix
diff --git a/system/nixos/acme-mediaserver.nix b/system/nixos/acme-mediaserver.nix
new file mode 100644
index 0000000..760b635
--- /dev/null
+++ b/system/nixos/acme-mediaserver.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      email = "acme@kempkens.io";
+      group = "nginx";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.acme-credentials.path;
+      dnsResolver = "1.1.1.1:53";
+      dnsPropagationCheck = true;
+      reloadServices = [ "nginx.service" ];
+    };
+
+    certs = {
+      "internal.kempkens.network" = {
+        domain = "*.internal.kempkens.network";
+        extraDomainNames = [ "jellyfin.home.kempkens.io" ];
+      };
+    };
+  };
+}
diff --git a/system/nixos/nginx.nix b/system/nixos/nginx.nix
index ccdc8fb..ab79d12 100644
--- a/system/nixos/nginx.nix
+++ b/system/nixos/nginx.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
 
 {
   services.nginx = {
@@ -26,17 +26,14 @@
     '';
   };
 
-  networking.firewall.interfaces =
-    let
-      nginxTCPPorts = [ 80 443 ];
-      nginxUDPPorts = [ 443 ];
-    in
-    {
-      "enp1s0".allowedTCPPorts = nginxTCPPorts;
-      "enp1s0".allowedUDPPorts = nginxUDPPorts;
-      "enp7s0".allowedTCPPorts = nginxTCPPorts;
-      "enp7s0".allowedUDPPorts = nginxUDPPorts;
-      "tailscale0".allowedTCPPorts = nginxTCPPorts;
-      "tailscale0".allowedUDPPorts = nginxUDPPorts;
-    };
+  networking.firewall.interfaces = builtins.listToAttrs
+    (builtins.map
+      (iface: {
+        name = iface;
+        value = {
+          allowedTCPPorts = [ 80 443 ];
+          allowedUDPPorts = [ 443 ];
+        };
+      })
+      (lib.mapAttrsToList (name: value: value.matchConfig.Name) config.systemd.network.networks ++ [ "tailscale0" ]));
 }