
mediaserver: add nginx

This commit is contained in:
Daniel Kempkens 2023-04-14 15:20:51 +02:00
parent 6b7829fef0
commit 02cac49d79
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
6 changed files with 57 additions and 14 deletions


@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -4,6 +4,12 @@
file = ./user/danielPassword.age; file = ./user/danielPassword.age;
}; };
acme-credentials = {
file = ./acme/credentials.age;
owner = "acme";
group = "acme";
};
tailscale-authkey = { tailscale-authkey = {
file = ./tailscale/authkey.age; file = ./tailscale/authkey.age;
}; };


@ -58,6 +58,8 @@ in
# mediaserver # mediaserver
"agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver; "agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver;
"agenix/hosts/mediaserver/acme/credentials.age".publicKeys = mediaserver;
"agenix/hosts/mediaserver/tailscale/authkey.age".publicKeys = mediaserver; "agenix/hosts/mediaserver/tailscale/authkey.age".publicKeys = mediaserver;
"agenix/hosts/mediaserver/wireguard/config.age".publicKeys = mediaserver; "agenix/hosts/mediaserver/wireguard/config.age".publicKeys = mediaserver;


@ -11,6 +11,9 @@ in
../nixos/git.nix ../nixos/git.nix
../nixos/acme-mediaserver.nix
../nixos/nginx.nix
../nixos/attic.nix ../nixos/attic.nix
../nixos/tailscale.nix ../nixos/tailscale.nix


@ -0,0 +1,24 @@
{ config, ... }:
{
security.acme = {
acceptTerms = true;
defaults = {
email = "acme@kempkens.io";
group = "nginx";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.acme-credentials.path;
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true;
reloadServices = [ "nginx.service" ];
};
certs = {
"internal.kempkens.network" = {
domain = "*.internal.kempkens.network";
extraDomainNames = [ "jellyfin.home.kempkens.io" ];
};
};
};
}
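Review bot: The wildcard on the `domain = "*.internal.kempkens.network";` line does not cover the bare name `internal.kempkens.network` itself, so if any nginx vhost is meant to serve the apex it needs `"internal.kempkens.network"` listed in `extraDomainNames` next to `jellyfin.home.kempkens.io`. The `credentialsFile` points at the agenix secret declared in this commit with `owner = "acme"`, which matches the user the ACME client runs under; since that file is readable by that service, it should hold a DNS-edit-scoped token (lego reads `CLOUDFLARE_DNS_API_TOKEN`) rather than a global API key, which cannot be confirmed from this page. `dnsPropagationCheck = true;` appears to restate the option's default and could be dropped or given a reason. A one-line comment above `group = "nginx";` saying the certificate files are group-owned by nginx so the web server can read the key without running as acme would help the next reader.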


@ -1,4 +1,4 @@
{ pkgs, ... }: { pkgs, lib, config, ... }:
{ {
services.nginx = { services.nginx = {
@ -26,17 +26,14 @@
''; '';
}; };
networking.firewall.interfaces = networking.firewall.interfaces = builtins.listToAttrs
let (builtins.map
nginxTCPPorts = [ 80 443 ]; (iface: {
nginxUDPPorts = [ 443 ]; name = iface;
in value = {
{ allowedTCPPorts = [ 80 443 ];
"enp1s0".allowedTCPPorts = nginxTCPPorts; allowedUDPPorts = [ 443 ];
"enp1s0".allowedUDPPorts = nginxUDPPorts;
"enp7s0".allowedTCPPorts = nginxTCPPorts;
"enp7s0".allowedUDPPorts = nginxUDPPorts;
"tailscale0".allowedTCPPorts = nginxTCPPorts;
"tailscale0".allowedUDPPorts = nginxUDPPorts;
}; };
})
(lib.mapAttrsToList (name: value: value.matchConfig.Name) config.systemd.network.networks ++ [ "tailscale0" ]));
} }
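Review bot: `value.matchConfig.Name` on the `lib.mapAttrsToList` line is read unconditionally, so any entry in `config.systemd.network.networks` that matches on something other than `Name` (MACAddress, Type) will fail evaluation, and a `Name` written as a systemd glob or space-separated list becomes a firewall interface key that matches no real interface. A guard such as `(lib.filter (n: n != null) (lib.mapAttrsToList (_: v: v.matchConfig.Name or null) config.systemd.network.networks) ++ [ "tailscale0" ])` keeps the build going, though glob names would still need filtering. The larger point is that 80/443 TCP and 443 UDP are now opened on every networkd-managed interface instead of the three named in the removed lines, so a network unit added later (a WireGuard link, for instance — the existing wireguard secret shown as context in the secrets hunk suggests one may be configured) silently exposes nginx on it. Either keep an explicit allowlist, or add a comment above `networking.firewall.interfaces` stating that every systemd-networkd interface is intended to carry nginx so the exposure is deliberate. The module attrset this assignment sits in opens in the earlier hunk of this file.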