Added nginx

2024-04-08 17:14:03 +02:00 · 2024-04-08 17:14:03 +02:00 · 222fad61ea
commit 222fad61ea
parent 23dceaa5ba
8 changed files with 217 additions and 91 deletions
--- a/.lego/certificates/wastring.com.crt
+++ b/.lego/certificates/wastring.com.crt
@ -0,0 +1,56 @@
+-----BEGIN CERTIFICATE-----
+MIIELTCCAxWgAwIBAgISBG3/TJ99rk/zB9SGDddGcNarMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yNDA0MDgxMzM1MjFaFw0yNDA3MDcxMzM1MjBaMBcxFTATBgNVBAMT
+DHdhc3RyaW5nLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNGYDgoBG6UM
+gtNlAGxE66nSAHpBb/hLQgtRlSzB/hh+C+euZQ7I/c50o2Lg/PznW/hPyVrgUaAe
+SN94AN3/OTijggIhMIICHTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGKNQQ1nLOqq
+FfBHpfXc7RH4+xWFMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUG
+CCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3Jn
+MCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMCkGA1UdEQQiMCCC
+EGdpdC53YXN0cmluZy5jb22CDHdhc3RyaW5nLmNvbTATBgNVHSAEDDAKMAgGBmeB
+DAECATCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ADtTd3U+LbmAToswWwb+QDtn
+2E/D9Me9AA0tcm/h+tQXAAABjr4ilgMAAAQDAEcwRQIgSp5OYJdF2myf7mG8G6gw
+ZYEZ0D7oXBQBQIItCnprOCYCIQCcrcX1kiyv+annLcJgiHiCOw2vxx75UDx4kRS7
+08Ki6gB3AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABjr4ilrYA
+AAQDAEgwRgIhAK9A3CVJDnyPZ/VdXKU7ES6Xq6FrhijCS2Qji+7XOIF+AiEA82fk
+pXem/CCKJ6BtaYKBHyBeBlnVSDImEOH74DURIlAwDQYJKoZIhvcNAQELBQADggEB
+AFTIiTbgKDlmFA1BAbULqVdhR9GNAVH2jNofbhSd+4Zk+B5XE4KP8HOTop7yzQ+u
+fnWhakGHPwqH3i5IuF4vokShy4L1TfCihZUf4w45rNt6jpMqLoO0ytmAlDwIAn3e
+Ioru3hqm3HXetP3YwISHY31tWkAWOsib375LnIFnvAlsfMuMMg4UQnNrNcmCH1/5
+9l3b+fKxN25KlX72Uwi66bsBOpX0utavEtkGS+go1wZ28KLUF2wIKkPGjYGzDbZE
+lEXdaQn2ajvf5KAUK8kN41duQziHS9FmQjwHohjYcLHNfaJecFaAlsaesjhxVmeU
+JPBVKnmo4F4HSxTnzL1yyhg=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
--- a/.lego/certificates/wastring.com.issuer.crt
+++ b/.lego/certificates/wastring.com.issuer.crt
@ -0,0 +1,31 @@
+
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
--- a/.lego/certificates/wastring.com.key
+++ b/.lego/certificates/wastring.com.key
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEII8qtQxul4py8fERm1RRqfg+v0Q5Ew9DBmhUa3hi+OFuoAoGCCqGSM49
+AwEHoUQDQgAE0ZgOCgEbpQyC02UAbETrqdIAekFv+EtCC1GVLMH+GH4L565lDsj9
+znSjYuD8/Odb+E/JWuBRoB5I33gA3f85OA==
+-----END EC PRIVATE KEY-----
--- a/config/server.nix
+++ b/config/server.nix
@ -1,5 +1,5 @@
 # This is your home-manager configuration fileserver
-# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
+# Use this to configure your home environment (it replaces ~/.config/nixnix)
 {
  inputs,
  lib,
@ -28,66 +28,65 @@
    };
  };

-  home.packages =  [
+  home.packages = with pkgs; [
 	# System
-	pkgs.arion
-    pkgs.wget
-    pkgs.killall
-    pkgs.gcc
-    pkgs.gnumake
-    pkgs.htop
-    pkgs.openssh
-    pkgs.xsel
-    pkgs.unzip
-    pkgs.nixops_unstable
-	pkgs.cmake
-    pkgs.networkmanager
-	pkgs.fd
-	pkgs.bat
-	unstable.lego
+	arion
+    wget
+    killall
+    gcc
+    gnumake
+    htop
+    openssh
+    xsel
+    unzip
+    nixops_unstable
+	cmake
+    networkmanager
+	fd
+	bat

 	#Terminal	
-    pkgs.git
-    pkgs.yt-dlp
-	pkgs.fzf
-	pkgs.ripgrep
+    git
+    yt-dlp
+	fzf
+	ripgrep

 	#Desktop
-    pkgs.neovim
-    pkgs.lazygit
+    neovim
+    lazygit

 	#Dev
-    pkgs.python3
-    pkgs.python311Packages.pip
-	pkgs.ranger
-	pkgs.python311Packages.pynvim
-	pkgs.ueberzugpp
+    python3
+    python311Packages.pip
+	ranger
+	python311Packages.pynvim
+	ueberzugpp

 	#LSP
-    pkgs.nil
-	pkgs.python311Packages.python-lsp-server
-	pkgs.marksman
-    pkgs.clojure-lsp
-    pkgs.omnisharp-roslyn
-    pkgs.haskell-language-server
-	pkgs.java-language-server
-	pkgs.nodePackages_latest.bash-language-server
-	pkgs.dockerfile-language-server-nodejs
-	pkgs.yaml-language-server
-	pkgs.ansible-language-server
-	pkgs.lua-language-server
-	pkgs.tree-sitter
-	pkgs.nodejs_21
-	pkgs.nodePackages_latest.vls
-	pkgs.nodePackages_latest.volar
-	pkgs.vscode-langservers-extracted
+    nil
+	python311Packages.python-lsp-server
+	marksman
+    clojure-lsp
+    omnisharp-roslyn
+    haskell-language-server
+	java-language-server
+	nodePackages_latest.bash-language-server
+	dockerfile-language-server-nodejs
+	yaml-language-server
+	ansible-language-server
+	lua-language-server
+	tree-sitter
+	nodejs_21
+	nodePackages_latest.vls
+	nodePackages_latest.volar
+	vscode-langservers-extracted

    #VPN
-    pkgs.openvpn
-    pkgs.networkmanagerapplet
-    pkgs.networkmanager-l2tp
-    pkgs.strongswan
-    pkgs.ansible
+    openvpn
+    networkmanagerapplet
+    networkmanager-l2tp
+    strongswan
+    ansible
  ];
  programs.home-manager.enable = true;

--- a/flake.lock
+++ b/flake.lock
@ -92,17 +92,33 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1711668574,
-        "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
-        "owner": "nixos",
+        "lastModified": 1712439257,
+        "narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=",
+        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
+        "rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1712437997,
+        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
@ -113,23 +129,7 @@
        "home-manager": "home-manager",
        "nix-gaming": "nix-gaming",
        "nixpkgs": "nixpkgs_2",
-        "unstable": "unstable"
-      }
-    },
-    "unstable": {
-      "locked": {
-        "lastModified": 1712439257,
-        "narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "nixpkgs-unstable": "nixpkgs-unstable"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -3,8 +3,8 @@

  inputs = {
    # Nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
-    unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+	nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";

    # Home manager
    home-manager.url = "github:nix-community/home-manager/release-23.11";
@ -18,11 +18,18 @@
  outputs = {
    self,
    nixpkgs,
-    unstable,
    home-manager,
+	nixpkgs-unstable,
    ...
  } @ inputs: let
    inherit (self) outputs;
+	system = "x86_64-linux";
+	overlay-unstable = final: prev: {
+        unstable = import nixpkgs-unstable {
+			inherit system;
+          config.allowUnfree = true;
+        };
+      };
  in {
    # NixOS configuration entrypoint
    # Available through 'nixos-rebuild --flake .#your-hostname'
@ -41,7 +48,11 @@
      };
      server = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs outputs;};
-        modules = [./maskiner/server/configuration.nix];
+		inherit system;
+        modules = [
+			({nixpkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+			./maskiner/server/configuration.nix
+		];
      };
    };

--- a/maskiner/server/configuration.nix
+++ b/maskiner/server/configuration.nix
@ -25,6 +25,7 @@

 	environment.systemPackages = with pkgs; [
 	  mergerfs
+		unstable.lego
 	];
 	fileSystems."/data" = {
 	  fsType = "fuse.mergerfs";
--- a/moduler/common/nginx.nix
+++ b/moduler/common/nginx.nix
@ -1,26 +1,49 @@

 { pkgs, lib, ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    email = "fredrik@wastring.com";
+networking.firewall = {
+    allowedTCPPorts = [ 80 443 ];
+  };
+virtualisation.oci-containers = {
+    containers = {
+      "gitea" = {
+        image = "gitea/gitea:1.15.6-rootless";
+        ports = [ "3030:3000" ];
+      };
+    };
  };
-   
  services.nginx = {
    enable = true;
+
+    # Use recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
-	virtualHosts."wastring.com" = { default = true; useACMEHost = "wastring.com"; addSSL = true; locations."/".proxyPass = "http://172.17.0.1:3030/";  };
+
+    # Only allow PFS-enabled ciphers with AES256
+    # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    # Add any further config to match your needs, e.g.:
+    virtualHosts = let
+      base = locations: {
+        inherit locations;
+
+        addSSL = true;
+		sslCertificateKey = "/home/fw/nix-config/.lego/certificates/wastring.com.key";
+		sslCertificate = "/home/fw/nix-config/.lego/certificates/wastring.com.crt";
+		# sslTrustedCertificate = "/home/fw/nix-config/.lego/certificates/wastring.com.issuer.crt";
+      };
+      proxy = port: base {
+        "/" = {
+			proxyPass = "http://172.17.0.1:" + toString(port) + "/";
+			proxyWebsockets = true;
+		};
+      };
+    in {
+      # Define example.com as reverse-proxied service on 127.0.0.1:3000
+      "git.wastring.com" = proxy 3030 // { default = true; };
+    };
 };
  
-  # security.acme.certs."wastring.com" = {
-  # 		group = "nginx";
-		# domain = "wastring.com";
-		# dnsProvider = "gandiv5";
-		# dnsResolver = "1.1.1.1:53";
-		# dnsPropagationCheck = true;
-		# credentialsFile = "/home/fw/credentials";
-  #   };
 }