hd/cfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nginx

Browse source
This commit is contained in:
Henri Dohmen 2025-06-05 22:55:17 +02:00
parent c26cc20f57
commit d53e340966
8 changed files with 93 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

1
host/roam/default.nix
View file

@ -7,7 +7,6 @@
./networking.nix ./networking.nix
./security.nix ./security.nix
./services.nix ./services.nix
./wireguard.nix
]; ];
# ====== DON'T CHANGE ====== # ====== DON'T CHANGE ======

29
host/roam/networking.nix
View file

@ -1,4 +1,8 @@
{ ... }: { var, ... }:
let
wireguard-port = 51820;
in
{ {
networking = { networking = {
enableIPv6 = true; enableIPv6 = true;
@ -16,10 +20,25 @@
address = "fe80::1"; address = "fe80::1";
interface = "ens3"; interface = "ens3";
}; };
nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ wireguard-port ];
wireguard = {
enable = true;
interfaces."wg0" = {
ips = var.wg.wireguard-network."roam".ips;
listenPort = wireguard-port;
privateKeyFile = var.wg.keyFile;
peers = var.wg.peers-for "roam";
};
};
}; };
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
} }

20
host/roam/services.nix
View file

@ -1,4 +1,4 @@
{ config, ... }: { var, config, ... }:
let let
headscale-domain = "headscale.hdohmen.de"; headscale-domain = "headscale.hdohmen.de";
in in
@ -6,6 +6,24 @@ in
services = { services = {
nginx = { nginx = {
enable = true; enable = true;
defaultListen = [
{
addr = var.wg.ips.roam;
ssl = true;
}
];
virtualHosts."roam.lan" = {
locations."/" = { };
};
virtualHostsPub."roam.hdohmen.de" = {
enableACME = true;
locations."/" = { };
};
};
openssh = {
enable = true;
settings.PasswordAuthentication = false;
}; };
}; };

25
host/roam/wireguard.nix
View file

@ -1,25 +0,0 @@
{ var, lib, ... }:
let
wireguard-port = 51820;
in
{
networking = {
nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ wireguard-port ];
wireguard = {
enable = true;
interfaces."wg0" = {
ips = var.wg.wireguard-network."roam".ips;
listenPort = wireguard-port;
privateKeyFile = var.wg.keyFile;
peers = var.wg.peers-for "roam";
};
};
};
}

2
mod/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: { ... }:
{ {
imports = [ ]; imports = [ ./nginx.nix ];
} }

44
mod/nginx.nix Normal file
View file

@ -0,0 +1,44 @@
{
lib,
options,
config,
...
}:
with lib;
{
options.services.nginx.virtualHostsPub = mkOption {
type = options.services.nginx.virtualHosts.type;
default = { };
description = "Declarative vhost config listening to ::0 and 0.0.0.0";
};
config = {
services.nginx.virtualHosts = builtins.mapAttrs (
_: v:
v
// {
addSSL = true;
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::0]";
port = 443;
ssl = true;
}
{
addr = "[::0]";
port = 80;
}
];
}
) config.services.nginx.virtualHostsPub;
};
}

2
var/lan-dns.nix
View file

@ -8,7 +8,7 @@ let
}) var.wg.ips; }) var.wg.ips;
in in
rec { rec {
hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${v}\t${n}") hosts); hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v}\t${n}") hosts);
hosts = hosts =
lan-hosts lan-hosts
// lib.mapAttrs' (name: value: { // lib.mapAttrs' (name: value: {

6
var/wg.nix
View file

@ -15,13 +15,15 @@ rec {
}; };
"solo" = { "solo" = {
publicKey = publicKey."solo"; publicKey = publicKey."solo";
ips = [ "10.10.11.2/24" ]; ips = [ "10.10.11.2/32" ];
allowedIPs = [ "10.10.11.2/32" ]; allowedIPs = [ "10.10.11.2/32" ];
persistentKeepalive = 13;
}; };
"c2" = { "c2" = {
publicKey = publicKey."c2"; publicKey = publicKey."c2";
ips = [ "10.10.11.3/24" ]; ips = [ "10.10.11.3/32" ];
allowedIPs = [ "10.10.11.3/32" ]; allowedIPs = [ "10.10.11.3/32" ];
persistentKeepalive = 19;
}; };
}; };
keyFile = "/var/secrets/wg.key"; keyFile = "/var/secrets/wg.key";