nginx

host/roam/default.nix

@@ -7,7 +7,6 @@
     ./networking.nix
     ./security.nix
     ./services.nix
-    ./wireguard.nix
   ];
 
   # ====== DON'T CHANGE ======

host/roam/networking.nix

@@ -1,4 +1,8 @@
-{ ... }:
+{ var, ... }:
+let
+  wireguard-port = 51820;
+in
+
 {
   networking = {
     enableIPv6 = true;
@@ -16,10 +20,25 @@
       address = "fe80::1";
       interface = "ens3";
     };
+
+    nat = {
+      enable = true;
+      externalInterface = "ens3";
+      internalInterfaces = [ "wg0" ];
+    };
+
+    firewall.allowedUDPPorts = [ wireguard-port ];
+
+    wireguard = {
+      enable = true;
+      interfaces."wg0" = {
+        ips = var.wg.wireguard-network."roam".ips;
+        listenPort = wireguard-port;
+        privateKeyFile = var.wg.keyFile;
+        peers = var.wg.peers-for "roam";
+      };
+    };
+
   };
 
-  services.openssh = {
-    enable = true;
-    settings.PasswordAuthentication = false;
-  };
 }

host/roam/services.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ var, config, ... }:
 let
   headscale-domain = "headscale.hdohmen.de";
 in
@@ -6,6 +6,24 @@ in
   services = {
     nginx = {
       enable = true;
+      defaultListen = [
+        {
+          addr = var.wg.ips.roam;
+          ssl = true;
+        }
+      ];
+      virtualHosts."roam.lan" = {
+        locations."/" = { };
+      };
+      virtualHostsPub."roam.hdohmen.de" = {
+        enableACME = true;
+        locations."/" = { };
+      };
+    };
+
+    openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
     };
   };
 

host/roam/wireguard.nix

@@ -1,25 +0,0 @@
-{ var, lib, ... }:
-let
-  wireguard-port = 51820;
-in
-{
-  networking = {
-    nat = {
-      enable = true;
-      externalInterface = "ens3";
-      internalInterfaces = [ "wg0" ];
-    };
-
-    firewall.allowedUDPPorts = [ wireguard-port ];
-
-    wireguard = {
-      enable = true;
-      interfaces."wg0" = {
-        ips = var.wg.wireguard-network."roam".ips;
-        listenPort = wireguard-port;
-        privateKeyFile = var.wg.keyFile;
-        peers = var.wg.peers-for "roam";
-      };
-    };
-  };
-}

mod/default.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  imports = [ ];
+  imports = [ ./nginx.nix ];
 }

mod/nginx.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  options,
+  config,
+  ...
+}:
+with lib;
+{
+  options.services.nginx.virtualHostsPub = mkOption {
+    type = options.services.nginx.virtualHosts.type;
+    default = { };
+    description = "Declarative vhost config listening to ::0 and 0.0.0.0";
+  };
+
+  config = {
+    services.nginx.virtualHosts = builtins.mapAttrs (
+      _: v:
+      v
+      // {
+        addSSL = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "[::0]";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::0]";
+            port = 80;
+          }
+        ];
+      }
+    ) config.services.nginx.virtualHostsPub;
+  };
+}

var/lan-dns.nix

@@ -8,7 +8,7 @@ let
   }) var.wg.ips;
 in
 rec {
-  hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${v}\t${n}") hosts);
+  hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v}\t${n}") hosts);
   hosts =
     lan-hosts
     // lib.mapAttrs' (name: value: {

var/wg.nix

@@ -15,13 +15,15 @@ rec {
     };
     "solo" = {
       publicKey = publicKey."solo";
-      ips = [ "10.10.11.2/24" ];
+      ips = [ "10.10.11.2/32" ];
       allowedIPs = [ "10.10.11.2/32" ];
+      persistentKeepalive = 13;
     };
     "c2" = {
       publicKey = publicKey."c2";
-      ips = [ "10.10.11.3/24" ];
+      ips = [ "10.10.11.3/32" ];
       allowedIPs = [ "10.10.11.3/32" ];
+      persistentKeepalive = 19;
     };
   };
   keyFile = "/var/secrets/wg.key";