mediaserver: add nginx

2023-04-14 15:20:51 +02:00 · 2023-04-14 15:20:51 +02:00 · 02cac49d79
commit 02cac49d79
parent 6b7829fef0
6 changed files with 57 additions and 14 deletions
--- a/agenix/hosts/mediaserver/acme/credentials.age
+++ b/agenix/hosts/mediaserver/acme/credentials.age
@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyA1TTFz
+TW9lU1N2VEhQa21mV250YUFFbk1LL2xYcmEzT09SRUMxY0IyK0JJCnlCNjkwR0Nr
+VEV5TVk0aHhjOUNodDZZaUpjVlRLa1ZsY0F1VDlqMTZCencKLT4gc3NoLWVkMjU1
+MTkgWTk0WWlnIGxMbVhCWEFuQ24zL0hoUkJSVzdycGNDRjlobHNma3hYM1JyZ2FX
+cGRIQXcKTkRWelc0dGJIb2Y3UStZZng3S21VNytQUWZQNGtRWGduY0VKNG9lVy91
+WQotPiBoby8xQyJHYy1ncmVhc2UgZW0jazMKWTYyaUwwdEhyUC8vb1EKLS0tIDJT
+SkRBK242YTA3WkNQU3N4bFJXWnlKcENZa0xjTU0xU0NJOWxNNzlKSFkK9F1rNSdf
+76qvHTa2JYv/7S/f1EbK5Y9DX6kgnCgI2p7O2Ywh+mtzon8cFl/UtxZ45fxezFX3
+COdO04nAScl/XCzD6RHI71Q9HxpEOwGg5qx8uqVFubePBsaFXmIXOPfmo/U=
+-----END AGE ENCRYPTED FILE-----
--- a/agenix/hosts/mediaserver/config.nix
+++ b/agenix/hosts/mediaserver/config.nix
@ -4,6 +4,12 @@
      file = ./user/danielPassword.age;
    };

+    acme-credentials = {
+      file = ./acme/credentials.age;
+      owner = "acme";
+      group = "acme";
+    };
+
    tailscale-authkey = {
      file = ./tailscale/authkey.age;
    };
--- a/secrets.nix
+++ b/secrets.nix
@ -58,6 +58,8 @@ in
  # mediaserver
  "agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver;

+  "agenix/hosts/mediaserver/acme/credentials.age".publicKeys = mediaserver;
+
  "agenix/hosts/mediaserver/tailscale/authkey.age".publicKeys = mediaserver;

  "agenix/hosts/mediaserver/wireguard/config.age".publicKeys = mediaserver;
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@ -11,6 +11,9 @@ in

    ../nixos/git.nix

+    ../nixos/acme-mediaserver.nix
+    ../nixos/nginx.nix
+
    ../nixos/attic.nix

    ../nixos/tailscale.nix
--- a/system/nixos/acme-mediaserver.nix
+++ b/system/nixos/acme-mediaserver.nix
@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      email = "acme@kempkens.io";
+      group = "nginx";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.acme-credentials.path;
+      dnsResolver = "1.1.1.1:53";
+      dnsPropagationCheck = true;
+      reloadServices = [ "nginx.service" ];
+    };
+
+    certs = {
+      "internal.kempkens.network" = {
+        domain = "*.internal.kempkens.network";
+        extraDomainNames = [ "jellyfin.home.kempkens.io" ];
+      };
+    };
+  };
+}
--- a/system/nixos/nginx.nix
+++ b/system/nixos/nginx.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:

 {
  services.nginx = {
@ -26,17 +26,14 @@
    '';
  };

-  networking.firewall.interfaces =
-    let
-      nginxTCPPorts = [ 80 443 ];
-      nginxUDPPorts = [ 443 ];
-    in
-    {
-      "enp1s0".allowedTCPPorts = nginxTCPPorts;
-      "enp1s0".allowedUDPPorts = nginxUDPPorts;
-      "enp7s0".allowedTCPPorts = nginxTCPPorts;
-      "enp7s0".allowedUDPPorts = nginxUDPPorts;
-      "tailscale0".allowedTCPPorts = nginxTCPPorts;
-      "tailscale0".allowedUDPPorts = nginxUDPPorts;
+  networking.firewall.interfaces = builtins.listToAttrs
+    (builtins.map
+      (iface: {
+        name = iface;
+        value = {
+          allowedTCPPorts = [ 80 443 ];
+          allowedUDPPorts = [ 443 ];
        };
+      })
+      (lib.mapAttrsToList (name: value: value.matchConfig.Name) config.systemd.network.networks ++ [ "tailscale0" ]));
 }