Got acme certs working, but broken port forward

This commit is contained in:
Nickiel12 2023-04-07 16:50:38 -07:00
parent 39e25fd6c3
commit c1d9023ce8
4 changed files with 74 additions and 21 deletions


@ -6,12 +6,17 @@
containers.nextcloud = { containers.nextcloud = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
# The host address is the address of the parent machine from inside the container
hostAddress = "192.168.100.10"; hostAddress = "192.168.100.10";
# The local address field is the "inside the container" address of this machine
# Or what it says when you run 'ip a' inside the container
localAddress = "192.168.100.11"; localAddress = "192.168.100.11";
# These are the same as above, but for ipv6
hostAddress6 = "fc00::1"; hostAddress6 = "fc00::1";
localAddress6 = "fc00::2"; localAddress6 = "fc00::2";
# allowed filepaths and container-internal mount points # allowed filepaths and container-internal mount points
# I believe "hostPath" is the system-wide, non-conatainer path
bindMounts = { bindMounts = {
"/Aurora/nextcloud" = { "/Aurora/nextcloud" = {
hostPath = "/Aurora/nextcloud"; hostPath = "/Aurora/nextcloud";
@ -30,8 +35,7 @@
package = pkgs.nextcloud25; package = pkgs.nextcloud25;
enableBrokenCiphersForSSE = false; enableBrokenCiphersForSSE = false;
#nginx.enable = true; https = true;
#https = true;
hostName = "192.168.100.10"; hostName = "192.168.100.10";
home = "/Aurora/nextcloud"; home = "/Aurora/nextcloud";
@ -41,9 +45,10 @@
}; };
config = { config = {
#overwriteProtocal = "https"; overwriteProtocol = "https";
extraTrustedDomains = [ extraTrustedDomains = [
"10.0.0.206" "10.0.0.184"
"files.nickiel.net"
]; ];
dbtype = "pgsql"; dbtype = "pgsql";
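Review bot: With the host nginx now terminating client connections and proxying to `192.168.100.11:80`, Nextcloud inside the container will see every request as coming from the host address `192.168.100.10` unless that proxy is declared trusted, which blinds its brute-force throttling and audit log to the real client; add `trustedProxies = [ "192.168.100.10" ];` beside `extraTrustedDomains` in the `config` block so `X-Forwarded-For` is honored (the option is `services.nextcloud.config.trustedProxies`, if I recall the module correctly). `overwriteProtocol = "https"` also looks redundant with `https = true`, which already sets the generated-link protocol in the NixOS module, so one of them can go. The `config` attrset continues past the end of this hunk.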


@ -11,6 +11,7 @@
environment.systemPackages = [ environment.systemPackages = [
pkgs.mdadm pkgs.mdadm
pkgs.cloudflared
]; ];
networking = { networking = {
@ -19,15 +20,17 @@
internalInterfaces = ["ve-+"]; internalInterfaces = ["ve-+"];
externalInterface = "enp2s0"; # Make sure this is actually set to your internet adapter externalInterface = "enp2s0"; # Make sure this is actually set to your internet adapter
# You can find a list with `ip a` and look for the first identifier after the number (e.g.: 1: enp2s0) # You can find a list with `ip a` and look for the first identifier after the number (e.g.: 1: enp2s0)
# Lazy IPv6 connectivity for the container # Lazy IPv6 connectivity for the container
enableIPv6 = true; enableIPv6 = true;
forwardPorts = [
{ #forwardPorts = [
sourcePort = 80; #{
proto = "tcp"; # sourcePort = 80;
destination = "192.168.100.11:80"; # proto = "tcp";
} # destination = "192.168.100.11:80";
]; #}
#];
}; };
firewall = { firewall = {
enable = true; enable = true;
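Review bot: The DNAT rule is left as commented-out config rather than removed; if it is ever uncommented, WAN port 80 goes straight to `192.168.100.11:80`, bypassing the host nginx that now serves the ACME challenge and the HTTPS redirect, so Nextcloud would be exposed in plaintext. Delete the block (git history keeps it) or replace it with `# Ports 80/443 are now owned by the host nginx, which proxies to the container; do not DNAT them to the container.` With the forward gone, nginx on the host needs 80 and 443 open in `networking.firewall.allowedTCPPorts`; the `firewall` attrset starts on the last line of this hunk and continues outside it, so I cannot see whether that is set.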


@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
{
security.acme.acceptTerms = true;
security.acme.defaults.email = "nicholasyoungsumner@gmail.com";
# Use one configuration to to make the cert for all the sub domains
security.acme.certs."acmechallenge.nickiel.net" = {
webroot = "/var/lib/acme/.challenges";
email = "nicholasyoungsumner@gmail.com";
# Ensure that the web server you use can read the generated certs
# Take a look at the group option for the web server you choose.
group = "nginx";
# Since we have a wildcard vhost to handle port 80,
# we can generate certs for anything!
# Just make sure your DNS resolves them.
extraDomainNames = [ "files.nickiel.net" ];
};
users.users.nginx.extraGroups = [ "acme" ];
}
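Review bot: nginx is granted the certificate twice: `group = "nginx"` already makes this cert's directory readable by nginx, and `users.users.nginx.extraGroups = [ "acme" ]` additionally lets nginx read every cert under `/var/lib/acme`, including any added later for other services. Keep the per-cert `group = "nginx"` and drop the `extraGroups` line to stay least-privilege. The comment `we can generate certs for anything!` overstates the setup: HTTP-01 via `webroot` only validates names whose port-80 traffic reaches this host, and a `*.nickiel.net` wildcard cert would need DNS-01; suggest `# HTTP-01 can only validate names that resolve to this host on port 80 (no wildcards)`. The per-cert `email` also just repeats `defaults.email` and can be removed.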


@ -1,23 +1,46 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = [
security.acme = { (import ./acme.nix)
acceptTerms = true; ];
defaults.email = "nicholasyoungsumner@gmail.com";
};
services.nginx = { services.nginx = {
enable = false; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."10.0.0.206" = { virtualHosts = {
addSSL = true; "nickiel.net" = {
forceSSL = true; locations."/" = {
enableACME = true; root = "/var/lib/acme/nickiel.net";
};
};
"files.nickiel.net" = {
#forceSSL = true;
#enableACME = true;
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
proxyPass = "http://192.168.100.11:80";
proxyWebsockets = true;
};
};
"acmechallenge.nickiel.net" = {
# Catchall vhost, will redirect users to HTTPS for all vhosts
serverAliases = [ "*.nickiel.net" ];
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = "301 https://$host$request_uri";
};
};
}; };
}; };
} }
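Review bot: The `files.nickiel.net` vhost proxies Nextcloud over plain HTTP with `forceSSL`/`enableACME` left commented out, so logins and session cookies cross the network unencrypted, and the `*.nickiel.net` catch-all never redirects it because the exact `server_name` wins. The shared cert in this commit already lists `files.nickiel.net`, so the vhost can consume it: replace the two commented lines with `forceSSL = true; useACMEHost = "acmechallenge.nickiel.net"; acmeRoot = "/var/lib/acme/.challenges";` (the last line keeps the module-generated challenge location on the same webroot the cert uses, replacing the hand-written one). Separately, `virtualHosts."nickiel.net".locations."/".root = "/var/lib/acme/nickiel.net"` points into the ACME state tree: no cert by that name is declared today, so it should just 404, but the moment a `nickiel.net` cert is issued its `key.pem` becomes downloadable over the web — use a dedicated root such as `/var/www/nickiel.net` instead.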