mediaserver: add nginx
This commit is contained in:
parent
6b7829fef0
commit
02cac49d79
6 changed files with 57 additions and 14 deletions
11
agenix/hosts/mediaserver/acme/credentials.age
Normal file
11
agenix/hosts/mediaserver/acme/credentials.age
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyA1TTFz
|
||||||
|
TW9lU1N2VEhQa21mV250YUFFbk1LL2xYcmEzT09SRUMxY0IyK0JJCnlCNjkwR0Nr
|
||||||
|
VEV5TVk0aHhjOUNodDZZaUpjVlRLa1ZsY0F1VDlqMTZCencKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgWTk0WWlnIGxMbVhCWEFuQ24zL0hoUkJSVzdycGNDRjlobHNma3hYM1JyZ2FX
|
||||||
|
cGRIQXcKTkRWelc0dGJIb2Y3UStZZng3S21VNytQUWZQNGtRWGduY0VKNG9lVy91
|
||||||
|
WQotPiBoby8xQyJHYy1ncmVhc2UgZW0jazMKWTYyaUwwdEhyUC8vb1EKLS0tIDJT
|
||||||
|
SkRBK242YTA3WkNQU3N4bFJXWnlKcENZa0xjTU0xU0NJOWxNNzlKSFkK9F1rNSdf
|
||||||
|
76qvHTa2JYv/7S/f1EbK5Y9DX6kgnCgI2p7O2Ywh+mtzon8cFl/UtxZ45fxezFX3
|
||||||
|
COdO04nAScl/XCzD6RHI71Q9HxpEOwGg5qx8uqVFubePBsaFXmIXOPfmo/U=
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
|
@ -4,6 +4,12 @@
|
||||||
file = ./user/danielPassword.age;
|
file = ./user/danielPassword.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
acme-credentials = {
|
||||||
|
file = ./acme/credentials.age;
|
||||||
|
owner = "acme";
|
||||||
|
group = "acme";
|
||||||
|
};
|
||||||
|
|
||||||
tailscale-authkey = {
|
tailscale-authkey = {
|
||||||
file = ./tailscale/authkey.age;
|
file = ./tailscale/authkey.age;
|
||||||
};
|
};
|
||||||
|
|
|
@ -58,6 +58,8 @@ in
|
||||||
# mediaserver
|
# mediaserver
|
||||||
"agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver;
|
"agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver;
|
||||||
|
|
||||||
|
"agenix/hosts/mediaserver/acme/credentials.age".publicKeys = mediaserver;
|
||||||
|
|
||||||
"agenix/hosts/mediaserver/tailscale/authkey.age".publicKeys = mediaserver;
|
"agenix/hosts/mediaserver/tailscale/authkey.age".publicKeys = mediaserver;
|
||||||
|
|
||||||
"agenix/hosts/mediaserver/wireguard/config.age".publicKeys = mediaserver;
|
"agenix/hosts/mediaserver/wireguard/config.age".publicKeys = mediaserver;
|
||||||
|
|
|
@ -11,6 +11,9 @@ in
|
||||||
|
|
||||||
../nixos/git.nix
|
../nixos/git.nix
|
||||||
|
|
||||||
|
../nixos/acme-mediaserver.nix
|
||||||
|
../nixos/nginx.nix
|
||||||
|
|
||||||
../nixos/attic.nix
|
../nixos/attic.nix
|
||||||
|
|
||||||
../nixos/tailscale.nix
|
../nixos/tailscale.nix
|
||||||
|
|
24
system/nixos/acme-mediaserver.nix
Normal file
24
system/nixos/acme-mediaserver.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{ config, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
|
||||||
|
defaults = {
|
||||||
|
email = "acme@kempkens.io";
|
||||||
|
group = "nginx";
|
||||||
|
dnsProvider = "cloudflare";
|
||||||
|
credentialsFile = config.age.secrets.acme-credentials.path;
|
||||||
|
dnsResolver = "1.1.1.1:53";
|
||||||
|
dnsPropagationCheck = true;
|
||||||
|
reloadServices = [ "nginx.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
certs = {
|
||||||
|
"internal.kempkens.network" = {
|
||||||
|
domain = "*.internal.kempkens.network";
|
||||||
|
extraDomainNames = [ "jellyfin.home.kempkens.io" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
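Review bot: The certificate declared with `domain = "*.internal.kempkens.network"` and `extraDomainNames = [ "jellyfin.home.kempkens.io" ]` spans two DNS zones, so the Cloudflare token in `credentials.age` presumably needs DNS-edit rights on both `kempkens.network` and `kempkens.io`; it is worth confirming that token is scoped to exactly those two zones rather than the whole account, since it sits on the mediaserver. With `group = "nginx"` in `defaults`, the private key for the entire internal wildcard is readable by the nginx workers, so a compromise of any one vhost yields a key valid for every `*.internal.kempkens.network` name — a reasonable trade-off for a homelab, but it deserves to be recorded. The file carries no comments; a header such as `# Wildcard cert for the internal zone via DNS-01 (Cloudflare). The key is group-readable by nginx, which fronts every internal vhost, so one cert covers them all.` would explain both choices to the next reader.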
@ -1,4 +1,4 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, lib, config, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
|
@ -26,17 +26,14 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.interfaces =
|
networking.firewall.interfaces = builtins.listToAttrs
|
||||||
let
|
(builtins.map
|
||||||
nginxTCPPorts = [ 80 443 ];
|
(iface: {
|
||||||
nginxUDPPorts = [ 443 ];
|
name = iface;
|
||||||
in
|
value = {
|
||||||
{
|
allowedTCPPorts = [ 80 443 ];
|
||||||
"enp1s0".allowedTCPPorts = nginxTCPPorts;
|
allowedUDPPorts = [ 443 ];
|
||||||
"enp1s0".allowedUDPPorts = nginxUDPPorts;
|
};
|
||||||
"enp7s0".allowedTCPPorts = nginxTCPPorts;
|
})
|
||||||
"enp7s0".allowedUDPPorts = nginxUDPPorts;
|
(lib.mapAttrsToList (name: value: value.matchConfig.Name) config.systemd.network.networks ++ [ "tailscale0" ]));
|
||||||
"tailscale0".allowedTCPPorts = nginxTCPPorts;
|
|
||||||
"tailscale0".allowedUDPPorts = nginxUDPPorts;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
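Review bot: The interface list built by `lib.mapAttrsToList (name: value: value.matchConfig.Name) config.systemd.network.networks` now opens 80/443 (TCP and UDP) on every networkd-managed interface, so any unit added later — a WAN uplink, a bridge, a second VPN — exposes nginx without a change to this file, whereas the removed form named `enp1s0`, `enp7s0` and `tailscale0` explicitly. It also presumably fails to evaluate for a network unit that matches on something other than `Name` (MAC, Type), since `matchConfig.Name` would then be a missing attribute. If the automatic widening is intended, say so in a comment beside the expression; otherwise an explicit allowlist is the safer shape. The sketch below keeps the derived list but tolerates units without `Name` and documents the exposure; the `services.nginx` block this file configures begins above the hunk.
```nix
  networking.firewall.interfaces =
    let
      # Interfaces that expose nginx. Derived from the networkd units so new
      # physical interfaces are covered automatically -- note that any unit
      # added to systemd.network.networks will open 80/443 here as well.
      managedIfaces = lib.filter (n: n != null)
        (lib.mapAttrsToList (_: net: net.matchConfig.Name or null) config.systemd.network.networks);
      nginxIfaces = managedIfaces ++ [ "tailscale0" ];
    in
    lib.genAttrs nginxIfaces (_: {
      allowedTCPPorts = [ 80 443 ];
      allowedUDPPorts = [ 443 ];
    });
```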