From d53e3409662415738ef38dcc75a2c4a82e1b0e61 Mon Sep 17 00:00:00 2001
From: Henri Dohmen
Date: Thu, 5 Jun 2025 22:55:17 +0200
Subject: [PATCH] nginx
---
 host/roam/default.nix | 1 -
 host/roam/networking.nix | 29 +++++++++++++++++++++-----
 host/roam/services.nix | 20 +++++++++++++++++-
 host/roam/wireguard.nix | 25 -----------------------
 mod/default.nix | 2 +-
 mod/nginx.nix | 44 ++++++++++++++++++++++++++++++++++++++++
 var/lan-dns.nix | 2 +-
 var/wg.nix | 6 ++++--
 8 files changed, 93 insertions(+), 36 deletions(-)
 delete mode 100644 host/roam/wireguard.nix
 create mode 100644 mod/nginx.nix
diff --git a/host/roam/default.nix b/host/roam/default.nix
index dc8b1b6..dd9a50e 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -7,7 +7,6 @@
 ./networking.nix
 ./security.nix
 ./services.nix
- ./wireguard.nix
 ];
 
 # ====== DON'T CHANGE ======
diff --git a/host/roam/networking.nix b/host/roam/networking.nix
index dc4603a..f437bf2 100644
--- a/host/roam/networking.nix
+++ b/host/roam/networking.nix
@@ -1,4 +1,8 @@
-{ ... }:
+{ var, ... }:
+let
+ wireguard-port = 51820;
+in
+
 {
 networking = {
 enableIPv6 = true;
@@ -16,10 +20,25 @@
 address = "fe80::1";
 interface = "ens3";
 };
+
+ nat = {
+ enable = true;
+ externalInterface = "ens3";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ firewall.allowedUDPPorts = [ wireguard-port ];
+
+ wireguard = {
+ enable = true;
+ interfaces."wg0" = {
+ ips = var.wg.wireguard-network."roam".ips;
+ listenPort = wireguard-port;
+ privateKeyFile = var.wg.keyFile;
+ peers = var.wg.peers-for "roam";
+ };
+ };
+
 };
 
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- };
 }
diff --git a/host/roam/services.nix b/host/roam/services.nix
index fc396e2..ea5ca67 100644
--- a/host/roam/services.nix
+++ b/host/roam/services.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ var, config, ... }:
 let
 headscale-domain = "headscale.hdohmen.de";
 in
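Review bot: Only the WireGuard UDP port is opened in `firewall.allowedUDPPorts`, while the commit's services.nix adds `virtualHostsPub."roam.hdohmen.de"` with `enableACME`, which mod/nginx.nix binds to 0.0.0.0 and [::0] on ports 80 and 443; unless the NixOS firewall is disabled or 80/443 are opened in a file outside this diff, the public vhost is unreachable and the HTTP-01 challenge cannot complete. Adding `firewall.allowedTCPPorts = [ 80 443 ];` next to the UDP line makes the exposure explicit and reviewable in the same place as the WireGuard port. The `networking = {` set these lines extend is opened above the hunk.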
@@ -6,6 +6,24 @@ in
 services = {
 nginx = {
 enable = true;
+ defaultListen = [
+ {
+ addr = var.wg.ips.roam;
+ ssl = true;
+ }
+ ];
+ virtualHosts."roam.lan" = {
+ locations."/" = { };
+ };
+ virtualHostsPub."roam.hdohmen.de" = {
+ enableACME = true;
+ locations."/" = { };
+ };
+ };
+
+ openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
 };
 };
 
diff --git a/host/roam/wireguard.nix b/host/roam/wireguard.nix
deleted file mode 100644
index bc743b3..0000000
--- a/host/roam/wireguard.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ var, lib, ... }:
-let
- wireguard-port = 51820;
-in
-{
- networking = {
- nat = {
- enable = true;
- externalInterface = "ens3";
- internalInterfaces = [ "wg0" ];
- };
-
- firewall.allowedUDPPorts = [ wireguard-port ];
-
- wireguard = {
- enable = true;
- interfaces."wg0" = {
- ips = var.wg.wireguard-network."roam".ips;
- listenPort = wireguard-port;
- privateKeyFile = var.wg.keyFile;
- peers = var.wg.peers-for "roam";
- };
- };
- };
-}
diff --git a/mod/default.nix b/mod/default.nix
index 7437af2..405bdc1 100644
--- a/mod/default.nix
+++ b/mod/default.nix
@@ -1,4 +1,4 @@
 { ... }:
 {
- imports = [ ];
+ imports = [ ./nginx.nix ];
 }
diff --git a/mod/nginx.nix b/mod/nginx.nix
new file mode 100644
index 0000000..5c0d66d
--- /dev/null
+++ b/mod/nginx.nix
@@ -0,0 +1,44 @@
+{
+ lib,
+ options,
+ config,
+ ...
+}:
+with lib;
+{
+ options.services.nginx.virtualHostsPub = mkOption {
+ type = options.services.nginx.virtualHosts.type;
+ default = { };
+ description = "Declarative vhost config listening to ::0 and 0.0.0.0";
+ };
+
+ config = {
+ services.nginx.virtualHosts = builtins.mapAttrs (
+ _: v:
+ v
+ // {
+ addSSL = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "[::0]";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::0]";
+ port = 80;
+ }
+ ];
+ }
+ ) config.services.nginx.virtualHostsPub;
+ };
+}
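Review bot: `virtualHosts."roam.lan"` sets neither `addSSL`/`forceSSL` nor a certificate, yet the only `defaultListen` entry it can inherit is `ssl = true`; depending on how the module treats SSL listen entries for a vhost without an SSL mode, this yields either a `listen ... ssl` with no certificate or a server block with no `listen` at all, and in the latter case nginx falls back to all addresses on port 80, which would expose the WireGuard-only vhost publicly. Adding a plain entry beside the SSL one, `{ addr = var.wg.ips.roam; }`, or giving roam.lan an explicit `listen`, pins it to the wg address either way; worth confirming against the generated nginx.conf. The attribute set these lines extend is opened before the hunk and only `services = {` is closed inside it.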
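Review bot: The `v // { addSSL = true; listen = [ ... ]; }` merge silently discards any `listen` a `virtualHostsPub` entry sets and unconditionally adds `addSSL`, so an entry that also sets `forceSSL` (or `onlySSL`) trips the module's mutually-exclusive SSL-mode assertion, and every public vhost keeps serving plaintext HTTP instead of redirecting. For an internet-facing host `forceSSL = true;` is the safer default; as far as I recall the module still serves the ACME HTTP-01 challenge location on port 80 before the redirect, so `enableACME` keeps working. The option description should state what is overridden: `description = "Like virtualHosts, but listen is replaced by 0.0.0.0 and [::] on ports 80 and 443 and the SSL mode is forced";`. Style: `with lib;` is pulled in for a single `mkOption`; `lib.mkOption` and `lib.mapAttrs` read cleaner than the bare name and `builtins.mapAttrs`.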
diff --git a/var/lan-dns.nix b/var/lan-dns.nix
index ce50ff1..24f2891 100644
--- a/var/lan-dns.nix
+++ b/var/lan-dns.nix
@@ -8,7 +8,7 @@ let
 }) var.wg.ips;
 in
 rec {
- hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${v}\t${n}") hosts);
+ hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v}\t${n}") hosts);
 hosts = lan-hosts // lib.mapAttrs' (name: value: {
diff --git a/var/wg.nix b/var/wg.nix
index d3ac12d..64253b1 100644
--- a/var/wg.nix
+++ b/var/wg.nix
@@ -15,13 +15,15 @@ rec {
 };
 "solo" = {
 publicKey = publicKey."solo";
- ips = [ "10.10.11.2/24" ];
+ ips = [ "10.10.11.2/32" ];
 allowedIPs = [ "10.10.11.2/32" ];
+ persistentKeepalive = 13;
 };
 "c2" = {
 publicKey = publicKey."c2";
- ips = [ "10.10.11.3/24" ];
+ ips = [ "10.10.11.3/32" ];
 allowedIPs = [ "10.10.11.3/32" ];
+ persistentKeepalive = 19;
 };
 };
 keyFile = "/var/secrets/wg.key";