Nickiel/nicks-nix-config
1
0
Fork 0
mirror of https://github.com/Nickiel12/nicks-nix-config.git synced 2024-11-22 12:49:32 -08:00
Code Issues Projects Releases Packages Wiki Activity

Got acme certs working, but broken port forward

Browse source
This commit is contained in:
Nickiel12 2023-04-07 16:50:38 -07:00
parent 39e25fd6c3
commit c1d9023ce8
4 changed files with 74 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
hosts/Alaska/containers/nextcloud.nix
View file

@ -6,12 +6,17 @@
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
# The host address is the address of the parent machine from inside the container
hostAddress = "192.168.100.10";
# The local address field is the "inside the container" address of this machine
# Or what it says when you run 'ip a' inside the container
localAddress = "192.168.100.11";
# These are the same as above, but for ipv6
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
# allowed filepaths and container-internal mount points
# I believe "hostPath" is the system-wide, non-conatainer path
bindMounts = {
"/Aurora/nextcloud" = {
hostPath = "/Aurora/nextcloud";
@ -30,8 +35,7 @@
package = pkgs.nextcloud25;
enableBrokenCiphersForSSE = false;
#nginx.enable = true;
#https = true;
https = true;
hostName = "192.168.100.10";
home = "/Aurora/nextcloud";
@ -41,9 +45,10 @@
};
config = {
#overwriteProtocal = "https";
overwriteProtocol = "https";
extraTrustedDomains = [
"10.0.0.206"
"10.0.0.184"
"files.nickiel.net"
];
dbtype = "pgsql";

17
hosts/Alaska/default.nix
View file

@ -11,6 +11,7 @@
environment.systemPackages = [
pkgs.mdadm
pkgs.cloudflared
];
networking = {
@ -19,15 +20,17 @@
internalInterfaces = ["ve-+"];
externalInterface = "enp2s0"; # Make sure this is actually set to your internet adapter
# You can find a list with `ip a` and look for the first identifier after the number (e.g.: 1: enp2s0)
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
forwardPorts = [
{
sourcePort = 80;
proto = "tcp";
destination = "192.168.100.11:80";
}
];
#forwardPorts = [
#{
# sourcePort = 80;
# proto = "tcp";
# destination = "192.168.100.11:80";
#}
#];
};
firewall = {
enable = true;

22
hosts/Alaska/modules/acme.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
{
security.acme.acceptTerms = true;
security.acme.defaults.email = "nicholasyoungsumner@gmail.com";
# Use one configuration to to make the cert for all the sub domains
security.acme.certs."acmechallenge.nickiel.net" = {
webroot = "/var/lib/acme/.challenges";
email = "nicholasyoungsumner@gmail.com";
# Ensure that the web server you use can read the generated certs
# Take a look at the group option for the web server you choose.
group = "nginx";
# Since we have a wildcard vhost to handle port 80,
# we can generate certs for anything!
# Just make sure your DNS resolves them.
extraDomainNames = [ "files.nickiel.net" ];
};
users.users.nginx.extraGroups = [ "acme" ];
}

43
hosts/Alaska/modules/nginx.nix
View file

@ -1,23 +1,46 @@
{ config, lib, pkgs, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "nicholasyoungsumner@gmail.com";
};
imports = [
(import ./acme.nix)
];
services.nginx = {
enable = false;
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."10.0.0.206" = {
addSSL = true;
forceSSL = true;
enableACME = true;
virtualHosts = {
"nickiel.net" = {
locations."/" = {
root = "/var/lib/acme/nickiel.net";
};
};
"files.nickiel.net" = {
#forceSSL = true;
#enableACME = true;
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
proxyPass = "http://192.168.100.11:80";
proxyWebsockets = true;
};
};
"acmechallenge.nickiel.net" = {
# Catchall vhost, will redirect users to HTTPS for all vhosts
serverAliases = [ "*.nickiel.net" ];
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = "301 https://$host$request_uri";
};
};
};
};
}