From 3f717f4b2842791ac215283d124631fe027b8bd3 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens <daniel+git@kempkens.io>
Date: Sun, 9 Apr 2023 00:37:43 +0200
Subject: [PATCH] wip: home proxy

---
 secret/hosts/attic.nix      | Bin 200 -> 304 bytes
 system/hosts/attic.nix      |   2 ++
 system/nixos/home-proxy.nix |  17 +++++++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 system/nixos/home-proxy.nix

diff --git a/secret/hosts/attic.nix b/secret/hosts/attic.nix
index 4c114d917be854b428f28436b8fa065d807336ab..a793b5b5bf290868daa73a7af843886e193e4a79 100644
GIT binary patch
literal 304
zcmV-00nh#bM@dveQdv+`0Ha$$uZ293Q<6muWRcIVqjHu3DJp~s)%<Kzx%^4~cF|vv
zU<s~(@$pGp=_GQzq9!=JKh;i4n1&GYQECiQpGV?L998;OB$6dI^NlLcvY5*DFiF(S
zp56(cPXzYjLpBP(RyPNa)?VBY>15_<V47LE4?C3a(P|UZt5L^`%eC(ep`zq$-+hWa
zAFl9{9(&H_u6)@w8-K-fSR*D%WeTO~Xt(vQwbG{_7wai{&AwDuVqic?%CEQ~iHOBr
z1e}?t@Knk3v!$KBbc6*3@4+JDL2WLAYoH=}HLU>^DstMJ%bf_g(HD@0XS5>$FmG$T
zkkS#Xg5i!vwMpY^<kyz0ofm=tx@j@}{@4PL;4l54e=1(hcVZcY(M;@0dw?_8{<N-6
CHJ2Lz

literal 200
zcmV;(05|^tM@dveQdv+`0F5$*WMB-=D^^uSt57d=<{7CgI$sQ|0Ha9d+#OVe#6LB4
zkn#X;3Xzp0jHw44^?po%;bIIC@V}zX5O>5st&YgClv*2z%^8vHI|o$W_OafY1xK<%
zW^<<OXi<{mDBIm5Xyh7OzDLlp5oj=|n<f^;SZ4JAG+rEMyQO0%yh^M46x%oE7*_7C
zlzT}$km~rt=nj-Yxrt5l`L<<QR$$7oyK96+f8y>0KSR)iU283l&2XS;z+~{kEMst@
CgkFyT

diff --git a/system/hosts/attic.nix b/system/hosts/attic.nix
index 25a2537..632d73a 100644
--- a/system/hosts/attic.nix
+++ b/system/hosts/attic.nix
@@ -17,6 +17,8 @@ in
 
     (import ../nixos/atticd.nix (args // { inherit secret; }))
 
+    (import ../nixos/home-proxy.nix (args // { inherit secret; }))
+
     ../nixos/tailscale.nix
   ];
 
diff --git a/system/nixos/home-proxy.nix b/system/nixos/home-proxy.nix
new file mode 100644
index 0000000..8ffb7c2
--- /dev/null
+++ b/system/nixos/home-proxy.nix
@@ -0,0 +1,17 @@
+{ pkgs, config, secret, ... }:
+
+{
+  services.nginx.streamConfig = ''
+    upstream home {
+      resolver 1.1.1.1 ipv6=off;
+      server ${secret.nginx.upstream.home.hostname}:${secret.nginx.upstream.home.port};
+    }
+
+    server {
+      listen ${secret.nginx.upstream.home.port};
+      proxy_pass home;
+    }
+  '';
+
+  networking.firewall.interfaces."enp1s0".allowedTCPPorts = [ secret.nginx.upstream.home.port ];
+}