From 43ecaf6f35ee3e522a0f311bb4e5c91b4a7718b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 10:32:38 +0200
Subject: [PATCH 1/9] feat: add reverse proxy
---
 machines/moritz-server/configuration.nix | 40 ++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/machines/moritz-server/configuration.nix b/machines/moritz-server/configuration.nix
index b4b3136..40b4535 100644
--- a/machines/moritz-server/configuration.nix
+++ b/machines/moritz-server/configuration.nix
@@ -39,4 +39,44 @@
 ssh-rsa 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 cardno:15_584_308
 ''
 ];
+
+ networking.firewall.allowedTCPPorts = [80 443];
+ services.nginx.enable = true;
+ services.nginx.recommendedProxySettings = true;
+ services.nginx.virtualHosts = {
+ "moritzboeh.me" = {
+ serverAliases = ["*.moritzboeh.me"];
+ locations."/" = {
+ proxyPass = "http://192.168.0.6";
+ };
+ };
+ "moritz.foo" = {
+ locations."/" = {
+ return = "200 'Hello World!'";
+ };
+ };
+ };
+ services.nginx.streamConfig = ''
+ upstream diskstation {
+ server 192.168.0.6:443;
+ }
+
+ upstream self {
+ server 127.0.0.1:443;
+ }
+
+ map $ssl_preread_server_name $name {
+ *.moritz.foo self;
+ moritz.foo self;
+ *.moritzboeh.me diskstation;
+ moritzboeh.me diskstation;
+ default diskstation;
+ }
+
+ server {
+ listen 443;
+ ssl_preread on;
+ proxy_pass $name;
+ }
+ '';
 }
From f3a10ee9bd8cddf4fabd5d4606d073d417d30cc9 Mon Sep 17 00:00:00 2001
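Review bot: The port-80 `moritzboeh.me` vhost (and its `*.moritzboeh.me` aliases) proxies cleartext to `http://192.168.0.6` with no redirect to HTTPS, while TLS for the same names is passed straight through to the diskstation by the stream block, so this host answers the public names in the clear on 80 and forwards whatever arrives unencrypted onto the LAN. Unless plain HTTP is wanted there, replace the `proxyPass` with a redirect, `locations."/".return = "301 https://$host$request_uri";`, and keep the TLS path on the stream side only. The same block is moved verbatim into `reverse-proxy.nix` in patch 5 of this series and that vhost is left unchanged by patch 9, so the point applies there as well.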
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 11:32:57 +0200
Subject: [PATCH 2/9] Update vars via generator ddns-updater-conf for machine moritz-server
---
 .../config.json/machines/moritz-server | 1 +
 .../ddns-updater-conf/config.json/secret | 19 +++++++++++++++++++
 .../config.json/users/moritz | 1 +
 3 files changed, 21 insertions(+)
 create mode 120000 vars/per-machine/moritz-server/ddns-updater-conf/config.json/machines/moritz-server
 create mode 100644 vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
 create mode 120000 vars/per-machine/moritz-server/ddns-updater-conf/config.json/users/moritz
diff --git a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/machines/moritz-server b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/machines/moritz-server
new file mode 120000
index 0000000..f18ca49
--- /dev/null
+++ b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/machines/moritz-server
@@ -0,0 +1 @@
+../../../../../../sops/machines/moritz-server
\ No newline at end of file
diff --git a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
new file mode 100644
index 0000000..366fc7a
--- /dev/null
+++ b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:lDF4thph/NRRI+JlBiFKy+jNZviS4mzwgGCFlvK/boceLQQhXOB1C3/7OmtNjuz1k4qvLK/7/l/ljBRAZuBQla7o3irnzaXEc+rY1aOHsU3iGdfztoj1951aa9LIuIFrEV1PyxQoESh7hpJVChbx4u9pZgW1/IF3JZ459nl3PrsY7lmvWG9f8zq0UQQidi+KPXqjJ0fKTV4=,iv:oFTWPDfIQYVa+sRG0cErM/dE22Z/6pfhvFbi33e21Bc=,tag:cDRIYq48VSqc3WA8a9907g==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY1hlZlN4OEdGaXl2Tmdw\nd3Z0SmpPai9ab09hb2JPQ2VRYWZCeTducG53CnRpaHpPNlRHckJuNWVidDVvSE9Z\nV1dYZlZuQnNsNUQxZDJjdXB5bXhXUFEKLS0tIGt3L1BaYWZUYTJ1Z3VVdDJhdHN2\nMFpPNGpDRW5oS21yVXV2Y3h6MGRqcTgK2DMKGnxwNr4TT7xWx+R2keghdVJF3rUv\ndP6+Dzr7gJ+H+YWukrNb6LGv1pZ7vUJ0GSes72BE4ibZEu2j92sSLw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS0VPUHBmdU5mUjk4NjBK\nM1kvdm41VFJIM1lFeVlLUzR0WEZoQU5YM1JBClFxU0hBekZkdC9zb3dmZnNzNTZD\nSWRBU3V0R0FFZUdVd2pkcE96b0ZrcXMKLS0tIHYzQWNpRFJGRThEMFRNUEdUZHFr\nVEQxMmg0YjVBOVBINUdwek5YQ0V5aDAKLnTq6/8pz2jdRBxDg1t1twvAO+3JbKxK\nzevTxkYEi1lGI8sviPyRhE9MKvw7ZfBLrnhKRKv9c+0zabh8nSv8VQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-14T09:32:57Z", + "mac": "ENC[AES256_GCM,data:To4PC3Z5ggK+G8K0dlB/iVPpbIr9OoGmaQswUSilokTjn17PYWZLxt3rqvomyQzI0FWoD+GUDokls94EscsZ5ufmQhDKLTEE8x12bsQSb+hOHO7WfAV3vAfiWkEhH0+oP4SNzZv6pyun+YnxvDnh9s0UcD1S7Ng/K7lISZsUlok=,iv:OlGLFeLWklt64bp86CzanBk9DHoB8dBTn7cxe6XH3wU=,tag://VL+T3ZaNnJ/k4YQghw+A==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.1" + } +} diff --git a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/users/moritz b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/users/moritz new file mode 120000 index 0000000..1b45802 --- /dev/null 
+++ b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/users/moritz
@@ -0,0 +1 @@
+../../../../../../sops/users/moritz
\ No newline at end of file
From 4b79edf158a9ddcb5cf96996aa22db8fe3c6bd8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 12:26:42 +0200
Subject: [PATCH 3/9] Update var ddns-updater-conf/config.json for machine moritz-server
---
 .../moritz-server/ddns-updater-conf/config.json/secret | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
index 366fc7a..21b5088 100644
--- a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
+++ b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
@@ -1,18 +1,18 @@ { - "data": "ENC[AES256_GCM,data:lDF4thph/NRRI+JlBiFKy+jNZviS4mzwgGCFlvK/boceLQQhXOB1C3/7OmtNjuz1k4qvLK/7/l/ljBRAZuBQla7o3irnzaXEc+rY1aOHsU3iGdfztoj1951aa9LIuIFrEV1PyxQoESh7hpJVChbx4u9pZgW1/IF3JZ459nl3PrsY7lmvWG9f8zq0UQQidi+KPXqjJ0fKTV4=,iv:oFTWPDfIQYVa+sRG0cErM/dE22Z/6pfhvFbi33e21Bc=,tag:cDRIYq48VSqc3WA8a9907g==,type:str]", + "data": "ENC[AES256_GCM,data:Dw==,iv:NA2QCVFVNs2orxTUdSZ9aD4KWUyw29WQpZ2/P3jj4Yo=,tag:VVVXb82Y1SSatli4YnkoXA==,type:str]", "sops": { "age": [ { "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY1hlZlN4OEdGaXl2Tmdw\nd3Z0SmpPai9ab09hb2JPQ2VRYWZCeTducG53CnRpaHpPNlRHckJuNWVidDVvSE9Z\nV1dYZlZuQnNsNUQxZDJjdXB5bXhXUFEKLS0tIGt3L1BaYWZUYTJ1Z3VVdDJhdHN2\nMFpPNGpDRW5oS21yVXV2Y3h6MGRqcTgK2DMKGnxwNr4TT7xWx+R2keghdVJF3rUv\ndP6+Dzr7gJ+H+YWukrNb6LGv1pZ7vUJ0GSes72BE4ibZEu2j92sSLw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRFpVZjVaSVBQNGtQTE9I\nd0h3NTBqdU1vOTZJU1BZb3lPNWZtc0hPVWpZCnlpcE9DbVNOV29CNEhkL0JGUVlN\nRmE5aGR4TnZRaFE4ampzSUFLZFJINzAKLS0tIHF0c1N5RlR2RVVhelF2bk9GaWsx\nbDlXUFFadmNpOHFXbmFxSzFYc1hzQ1EK1sfLvU44ebgVgEnC5ryKGIS7vYf1vj8R\nCm3zgJJrZQuDgYflOAPpc/LJNlNbu0kewLTFj6Ud/vjLCGYKzBlWFA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS0VPUHBmdU5mUjk4NjBK\nM1kvdm41VFJIM1lFeVlLUzR0WEZoQU5YM1JBClFxU0hBekZkdC9zb3dmZnNzNTZD\nSWRBU3V0R0FFZUdVd2pkcE96b0ZrcXMKLS0tIHYzQWNpRFJGRThEMFRNUEdUZHFr\nVEQxMmg0YjVBOVBINUdwek5YQ0V5aDAKLnTq6/8pz2jdRBxDg1t1twvAO+3JbKxK\nzevTxkYEi1lGI8sviPyRhE9MKvw7ZfBLrnhKRKv9c+0zabh8nSv8VQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYVEzVzlid29YZnRzbmdH\nNkxqV3JnUHVSckMwWjl2aWsxSy9kM3ZSZERNCklUUTYweldUUGEybkF5UUwzTkFW\naEtUL1YwdndhLzRmV1FHNm1KT0dTd0UKLS0tIE41U0FPRFF0WTN2cmk5VXhPQTJ6\nQkt3VHpIWXdNeWFlaGczcnNLUngwaEEK4OrQHBdKnZmQukHZW/77SahvpnoglifM\ndRedAOCH/dpIRh818cnW4D31K0ceate6W9SuHVe5kywFJG4gboRemg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-14T09:32:57Z", - "mac": "ENC[AES256_GCM,data:To4PC3Z5ggK+G8K0dlB/iVPpbIr9OoGmaQswUSilokTjn17PYWZLxt3rqvomyQzI0FWoD+GUDokls94EscsZ5ufmQhDKLTEE8x12bsQSb+hOHO7WfAV3vAfiWkEhH0+oP4SNzZv6pyun+YnxvDnh9s0UcD1S7Ng/K7lISZsUlok=,iv:OlGLFeLWklt64bp86CzanBk9DHoB8dBTn7cxe6XH3wU=,tag://VL+T3ZaNnJ/k4YQghw+A==,type:str]", + "lastmodified": "2025-05-14T10:26:42Z", + "mac": "ENC[AES256_GCM,data:oIezWA/o72NCBngWLpi4DNaT3AoWba5ckA0IsLRCnIT8cEw171cuiEQBXwtEROLqiJm4tL1a34w7h4fpgkO3YkWLVyWHlZcMp1dsp6fVYyZur7Gh/R6iuHsngBEtWYlKGzpR1BwMDOv+shuZPe5x0I0IKMStKp+RIIwBhY3LHXc=,iv:Gom7twR5GAp/RRxqvfiMLoCBY9cEH6XDl15NLQK/5CE=,tag:dHaY7GneddTfbkn1+PUuJA==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.1" } From 8cccf6a2b313e6ee5170f4e2580360b7a25ed17e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Wed, 14 May 2025 12:28:17 +0200 Subject: [PATCH 4/9] Update vars via generator ddns-updater-conf for machine moritz-server --- .../moritz-server/ddns-updater-conf/config.json/secret | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret index 21b5088..b1f9652 100644 --- a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret +++ b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret 
@@ -1,18 +1,18 @@ { - "data": "ENC[AES256_GCM,data:Dw==,iv:NA2QCVFVNs2orxTUdSZ9aD4KWUyw29WQpZ2/P3jj4Yo=,tag:VVVXb82Y1SSatli4YnkoXA==,type:str]", + "data": "ENC[AES256_GCM,data:Jh+HcaQyfQbE++gZUbZR7nLlbrzEcIJBaZfa2DoRYvXxogkIpyhusr2JdE6EQa2rFP/V+5vEkdHzF3sfRBStIHkO3hO4NskNkyanlCISnSP5Voz/YdcivCy4sZMuYBf7Ji0wzELw5lY/poS9cHCQyAlaFaWNsLZdBXmI6PSnfs69gJKnW/js4SbQe4turjFMetYLGD8f,iv:cpO12WpcgpkcH9a2s3ti8Pj2c34tF3cj5pA8stHUPtA=,tag:j+sTW87NVujYOvrpGsEmrg==,type:str]", "sops": { "age": [ { "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRFpVZjVaSVBQNGtQTE9I\nd0h3NTBqdU1vOTZJU1BZb3lPNWZtc0hPVWpZCnlpcE9DbVNOV29CNEhkL0JGUVlN\nRmE5aGR4TnZRaFE4ampzSUFLZFJINzAKLS0tIHF0c1N5RlR2RVVhelF2bk9GaWsx\nbDlXUFFadmNpOHFXbmFxSzFYc1hzQ1EK1sfLvU44ebgVgEnC5ryKGIS7vYf1vj8R\nCm3zgJJrZQuDgYflOAPpc/LJNlNbu0kewLTFj6Ud/vjLCGYKzBlWFA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UjI4MFVwcHZvVHB3dFM3\nOXJod3ZXS2JId0swckpkMjNVUWZxVndwNGdvClVObTh0Y3VrRjlwS3pQUWI3WHpP\nVUZFUGRycjZTN1FPaXpZTnlPWXJzRTAKLS0tIEc0WHZMS0hISWFWS3BRVUVLTXBy\nQk95T0lGNm81RXA4UHJnSTB2UzFORjQKaukIM2ohI10fuFjG4pmuCgkDyypG1FmA\nJ9tDTRiHSBhwHdtk2tHMddW/FssB01Z28+8A8W04mZdGc8Pi0aZmtw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYVEzVzlid29YZnRzbmdH\nNkxqV3JnUHVSckMwWjl2aWsxSy9kM3ZSZERNCklUUTYweldUUGEybkF5UUwzTkFW\naEtUL1YwdndhLzRmV1FHNm1KT0dTd0UKLS0tIE41U0FPRFF0WTN2cmk5VXhPQTJ6\nQkt3VHpIWXdNeWFlaGczcnNLUngwaEEK4OrQHBdKnZmQukHZW/77SahvpnoglifM\ndRedAOCH/dpIRh818cnW4D31K0ceate6W9SuHVe5kywFJG4gboRemg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNFh2SWhvWk56M1JMY0VE\nWHlpc09CNC94Q3lLbHBQSVNUMHJXOXd2REZBCmFoQkZvQVBCYi9MUTZGTjN4YmQ2\ncXZQd1dvcm1wRUo4cTdSdnZFcUEyVmcKLS0tIHd2NEhuK0FjWU1iemxFUVNhb3RM\nVzdRN3lpclU1a3l1dVoxdjY2ZXBxYjQKRwYtZ5cDnaAzDhbWN7MRMVmWoxndrxuy\n5il5OGVhI0wmWmhKXX8Q1yN5y8ltG9VTINf2aM/X+JjIOg4y50Nz0Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-14T10:26:42Z", - "mac": "ENC[AES256_GCM,data:oIezWA/o72NCBngWLpi4DNaT3AoWba5ckA0IsLRCnIT8cEw171cuiEQBXwtEROLqiJm4tL1a34w7h4fpgkO3YkWLVyWHlZcMp1dsp6fVYyZur7Gh/R6iuHsngBEtWYlKGzpR1BwMDOv+shuZPe5x0I0IKMStKp+RIIwBhY3LHXc=,iv:Gom7twR5GAp/RRxqvfiMLoCBY9cEH6XDl15NLQK/5CE=,tag:dHaY7GneddTfbkn1+PUuJA==,type:str]", + "lastmodified": "2025-05-14T10:28:17Z", + "mac": "ENC[AES256_GCM,data:AcW3G9YORP7dE541ggs6hqnK1I5JoZK7e5pMQDAtCh90ANorfKEB6IYfE18udAF6L2w7yTht3jAnLzqy9aLsRp9QEyv6Wx635EidQga5L+0XjnWzB8UTxxkQjnYNgOulWxutb0Bu6KLd6rrUlI1qO635dl1uiDNBZiZ9ztmNj2E=,iv:OkF66OlXfNaB1uFT+BdDfBSuE9DbOarFyDL9tW8+idI=,tag:Bj52Za63itj3UDfhczPD2g==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.1" } From 75256cef4fd3ec0146444bdeaeabc2a02ed6f29f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Wed, 14 May 2025 12:33:46 +0200 Subject: [PATCH 5/9] feat: add ddns --- machines/moritz-server/configuration.nix | 42 +---------- machines/moritz-server/ddns.nix | 32 ++++++++ machines/moritz-server/reverse-proxy.nix | 93 ++++++++++++++++++++++++ 3 files changed, 127 insertions(+), 40 deletions(-) create mode 100644 machines/moritz-server/ddns.nix create mode 100644 machines/moritz-server/reverse-proxy.nix diff --git a/machines/moritz-server/configuration.nix b/machines/moritz-server/configuration.nix index 40b4535..a2e4b52 100644 --- a/machines/moritz-server/configuration.nix +++ b/machines/moritz-server/configuration.nix 
@@ -3,6 +3,8 @@
 ../../modules/zfs_unencrypted.nix
 ../../modules/shared.nix
 ../../modules/moritz/shared.nix
+ ./reverse-proxy.nix
+ ./ddns.nix
 ];
 
 time.timeZone = "Europe/Berlin";
@@ -39,44 +41,4 @@
 ssh-rsa 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 cardno:15_584_308
 ''
 ];
-
- networking.firewall.allowedTCPPorts = [80 443];
- services.nginx.enable = true;
- services.nginx.recommendedProxySettings = true;
- services.nginx.virtualHosts = {
- "moritzboeh.me" = {
- serverAliases = ["*.moritzboeh.me"];
- locations."/" = {
- proxyPass = "http://192.168.0.6";
- };
- };
- "moritz.foo" = {
- locations."/" = {
- return = "200 'Hello World!'";
- };
- };
- };
- services.nginx.streamConfig = ''
- upstream diskstation {
- server 192.168.0.6:443;
- }
-
- upstream self {
- server 127.0.0.1:443;
- }
-
- map $ssl_preread_server_name $name {
- *.moritz.foo self;
- moritz.foo self;
- *.moritzboeh.me diskstation;
- moritzboeh.me diskstation;
- default diskstation;
- }
-
- server {
- listen 443;
- ssl_preread on;
- proxy_pass $name;
- }
- '';
 }
diff --git a/machines/moritz-server/ddns.nix b/machines/moritz-server/ddns.nix
new file mode 100644
index 0000000..c1ef44a
--- /dev/null
+++ b/machines/moritz-server/ddns.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ pkgs,
+ inputs,
+ ...
+}: {
+ services.ddns-updater = {
+ enable = true;
+ package = inputs.stable.legacyPackages.${pkgs.system}.ddns-updater;
+ environment = {
+ # LOG_LEVEL = "debug";
+ CONFIG_FILEPATH = config.clan.core.vars.generators.ddns-updater-conf.files."config.json".path;
+ };
+ };
+ systemd.services.ddns-updater = {
+ serviceConfig = {
+ User = "ddns-updater";
+ Group = "ddns-updater";
+ };
+ };
+ users.users.ddns-updater = {
+ name = "ddns-updater";
+ group = "ddns-updater";
+ isSystemUser = true;
+ };
+ users.groups.ddns-updater = {};
+ clan.core.vars.generators.ddns-updater-conf.prompts."config.json" = {
+ persist = true;
+ type = "multiline";
+ };
+ clan.core.vars.generators.ddns-updater-conf.files."config.json".owner = "ddns-updater";
+}
diff --git a/machines/moritz-server/reverse-proxy.nix b/machines/moritz-server/reverse-proxy.nix
new file mode 100644
index 0000000..8635ebe
--- /dev/null
+++ b/machines/moritz-server/reverse-proxy.nix
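Review bot: The purpose of the static `ddns-updater` account and the `User`/`Group` override on `systemd.services.ddns-updater` is not stated; from `files."config.json".owner = "ddns-updater"` it looks like the static user exists so the clan vars secret can be owned by the service user, which a transient unit user could not be. Add a comment above `systemd.services.ddns-updater` such as `# static account so the generated config.json secret can be owned by the service user`, and check whether the upstream NixOS unit already sets a dynamic user, which is not visible here. `config.json` holds the DNS provider credentials and nothing in this hunk sets its mode, so confirm the generator default keeps it readable by the owner only. The `# LOG_LEVEL = "debug";` line is dead configuration and could go.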
@@ -0,0 +1,93 @@
+{
+ services.fail2ban = {
+ enable = true;
+ bantime-increment.enable = true;
+ jails = let
+ nginx_error_log = "/var/log/nginx/access.log";
+ in {
+ nginx-botsearch.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-botsearch";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ nginx-forbidden.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-forbidden";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ nginx-http-auth.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-http-auth";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ nginx-4xx.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-4xx";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ };
+ ignoreIP = [
+ "192.168.0.0/24"
+ ];
+ };
+ environment.etc = {
+ "fail2ban/filter.d/nginx-4xx.conf".text = ''
+ [Definition]
+ failregex = ^.*"(GET|POST).*" (404|444|403|400) .*$
+
+ ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
+
+ journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "moritzboeh.me" = {
+ serverAliases = ["*.moritzboeh.me"];
+ locations."/" = {
+ proxyPass = "http://192.168.0.6";
+ };
+ };
+ "moritz.foo" = {
+ locations."/" = {
+ return = "200 'Hello World!'";
+ };
+ };
+ };
+ streamConfig = ''
+ upstream diskstation {
+ server 192.168.0.6:443;
+ }
+
+ upstream self {
+ server 127.0.0.1:443;
+ }
+
+ map $ssl_preread_server_name $name {
+ *.moritz.foo self;
+ moritz.foo self;
+ *.moritzboeh.me diskstation;
+ moritzboeh.me diskstation;
+ default diskstation;
+ }
+
+ server {
+ listen 443;
+ ssl_preread on;
+ proxy_pass $name;
+ }
+ '';
+ };
+}
From a05310119a4e92c22d06590eb944c47bd88dd2be Mon Sep 17 00:00:00 2001
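Review bot: The custom `nginx-4xx` filter's `failregex` has no `<HOST>` group, so fail2ban cannot extract a source address from a match and refuses to load the filter, leaving that jail inactive. Assuming nginx's default combined log format (client address first), use `failregex = ^<HOST> .*"(GET|POST).*" (404|444|403|400) .*$`. The `nginx-http-auth` jail is also pointed at the access log through the let binding (named `nginx_error_log` but set to `/var/log/nginx/access.log`), whereas that stock filter matches nginx error-log lines, so it will never fire; give it the error log, or — since patch 9 sends the error log to stderr with `logError = "stderr info"` — switch it to `backend = "systemd"`, which would also make the `journalmatch` line meaningful (under `backend = "auto"` with a file `logpath` it is currently unused). Renaming the binding to `nginx_access_log` would make the mismatch obvious at a glance.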
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 12:49:41 +0200
Subject: [PATCH 6/9] Update vars via generator acme for machine moritz-server
---
 .../acme/vars/machines/moritz-server | 1 +
 .../moritz-server/acme/vars/secret | 19 +++++++++++++++++++
 .../moritz-server/acme/vars/users/moritz | 1 +
 3 files changed, 21 insertions(+)
 create mode 120000 vars/per-machine/moritz-server/acme/vars/machines/moritz-server
 create mode 100644 vars/per-machine/moritz-server/acme/vars/secret
 create mode 120000 vars/per-machine/moritz-server/acme/vars/users/moritz
diff --git a/vars/per-machine/moritz-server/acme/vars/machines/moritz-server b/vars/per-machine/moritz-server/acme/vars/machines/moritz-server
new file mode 120000
index 0000000..f18ca49
--- /dev/null
+++ b/vars/per-machine/moritz-server/acme/vars/machines/moritz-server
@@ -0,0 +1 @@
+../../../../../../sops/machines/moritz-server
\ No newline at end of file
diff --git a/vars/per-machine/moritz-server/acme/vars/secret b/vars/per-machine/moritz-server/acme/vars/secret
new file mode 100644
index 0000000..e9a18c8
--- /dev/null
+++ b/vars/per-machine/moritz-server/acme/vars/secret
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:EX6Z5HsNB61krzSoQymtNG5QDELVCWPw6rceI3oBWMLwIf2Pn6jj59hlDSrDtwbcDnk8fWs/WPkHkuhR5JSQS+yJdiUiokbiRtP9X1P+pvOQHS8=,iv:vNBKu+lRstr2QGeU1DeOn8mSpPUHZeY0OxkepOYPrvI=,tag:O4sIlpU5fuDhpqsaDOZ5Bg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WWFLYVcvcUZ2UnUxemF1\nQWRUdjFRZDU0NUZRZ2t0R1BMeFkwUFhTMWpjCkJHU05oRVpqTzI0bURndjJjWFdC\nZXRkeVJkbCtKZlE4c2Z4TlkzQXdFN2cKLS0tIEJNRmhvZzl0R2ExQ3BTcFloNVZD\nZzZBTFpMMUhkSUF0RzFZUVBTMzM1aU0Ktcfs+r6uZ5DEGUSUshhqMsLohbbjy4Bj\nnnsNLgjemmYS+7wSXpqdLFBn2EltnPzRGEVF6uq06WPW54idVOHWYA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVFRuSEUwZXNXUTB3ekkr\nV3dYeURxNkJEUVBiOWQrN3ZHZ2pob1oyWWxNCjBIOGVlOGNUTlNEenBBam9PUUM4\nNlNDdVBJUU5NeFNJQmFwZGhIcVpXcmsKLS0tIG9ZaldlY2haZXZnT29jRmxvQ25x\ncUNKZUNlcVpBNElDNlJac2ZmSjBrVlkKcp3PAzfB/fqz1pFJB1IyrvAgjVi0sr64\n1i84TqEZheXyeGYhH1xheKKzV13cPX375A129Bg9X0ohOp+IHBiGzA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-14T10:49:41Z", + "mac": "ENC[AES256_GCM,data:uMRaQ75O7hESoszSUxIeh9dkTnBEIdvLMytNWF/KSzPOSBQwv3fl0nqe88V7RrWl3gbZMUfcSmZ1+ClpeWlh69+clkVc/ix5kpypqABm1WQzDtjJs2HsCB/o8vVU2JuN0M0DctCyoZgf8duwQsdkqzXA9TE20pABNDOw17l3dks=,iv:CVhdXvKPiQQGAZh1N5x+cD3aebdqkxHBuO/B98D+4SI=,tag:oEoQBxEPDkYxL/Sybq/Wog==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.1" + } +} diff --git a/vars/per-machine/moritz-server/acme/vars/users/moritz b/vars/per-machine/moritz-server/acme/vars/users/moritz new file mode 120000 index 0000000..1b45802 --- /dev/null +++ b/vars/per-machine/moritz-server/acme/vars/users/moritz @@ -0,0 +1 @@ +../../../../../../sops/users/moritz \ No newline at end of file 
From 08e5c21dc3b1466a6707de2169b1df4a1a201fc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 13:49:53 +0200
Subject: [PATCH 7/9] Update vars via generator acme for machine moritz-server
---
 vars/per-machine/moritz-server/acme/vars/secret | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/vars/per-machine/moritz-server/acme/vars/secret b/vars/per-machine/moritz-server/acme/vars/secret
index e9a18c8..5484887 100644
--- a/vars/per-machine/moritz-server/acme/vars/secret
+++ b/vars/per-machine/moritz-server/acme/vars/secret
@@ -1,18 +1,18 @@ { - "data": "ENC[AES256_GCM,data:EX6Z5HsNB61krzSoQymtNG5QDELVCWPw6rceI3oBWMLwIf2Pn6jj59hlDSrDtwbcDnk8fWs/WPkHkuhR5JSQS+yJdiUiokbiRtP9X1P+pvOQHS8=,iv:vNBKu+lRstr2QGeU1DeOn8mSpPUHZeY0OxkepOYPrvI=,tag:O4sIlpU5fuDhpqsaDOZ5Bg==,type:str]", + "data": "ENC[AES256_GCM,data:nXGv5y5uiqtGFTEz2m0J0uY61xC+rHV+rygJi7IEM9IYjBSdl1BBuvStNMhBJQ+6pKzJrj+H4eplEA==,iv:kz93P9IDxwRlF7eJAoJ/f90H7+FWYW9KeCsUYvwpB/w=,tag:zZphQDNof82LRTWUgJPDlw==,type:str]", "sops": { "age": [ { "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WWFLYVcvcUZ2UnUxemF1\nQWRUdjFRZDU0NUZRZ2t0R1BMeFkwUFhTMWpjCkJHU05oRVpqTzI0bURndjJjWFdC\nZXRkeVJkbCtKZlE4c2Z4TlkzQXdFN2cKLS0tIEJNRmhvZzl0R2ExQ3BTcFloNVZD\nZzZBTFpMMUhkSUF0RzFZUVBTMzM1aU0Ktcfs+r6uZ5DEGUSUshhqMsLohbbjy4Bj\nnnsNLgjemmYS+7wSXpqdLFBn2EltnPzRGEVF6uq06WPW54idVOHWYA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cUxHVUY3N2NBNUFhTjVQ\nL2Q0YjVBNlY0WnovUUpzZmp2Q1h4WGFaMUI0Cm5nZlJocGs2VkNoZzVMc245bXVD\nQ1l1QzNHZHFKMjQ2UzlzYjhLbkNVQWsKLS0tIEVya3dpOTlRNDRIRVdOSTN0V3dS\nVWVMN0JBdmh0d25NNHBDVEQyeFpTMEkKY2BE6JZ+4IAfUl1FamH3W9EfXwfCFi+U\nbg1UJpMqw6pii+XbnLb3WUYZck6JRtyDLvdEPdoI+wTFD08463p83g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVFRuSEUwZXNXUTB3ekkr\nV3dYeURxNkJEUVBiOWQrN3ZHZ2pob1oyWWxNCjBIOGVlOGNUTlNEenBBam9PUUM4\nNlNDdVBJUU5NeFNJQmFwZGhIcVpXcmsKLS0tIG9ZaldlY2haZXZnT29jRmxvQ25x\ncUNKZUNlcVpBNElDNlJac2ZmSjBrVlkKcp3PAzfB/fqz1pFJB1IyrvAgjVi0sr64\n1i84TqEZheXyeGYhH1xheKKzV13cPX375A129Bg9X0ohOp+IHBiGzA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbGxvK2lFSnFLM2RoSG9K\nekZ5VjdmYmwyUWtFK241WVF6YjhWZEZJdGxZCnpXMnp6YndvdlF2RzJManVXbjZV\nR3g3KytUUU9kdmIxRU5LSVZPaHYwMlkKLS0tIDhmejhEcit2YmVrNFp5eFgrbDls\nV2pNZUg3U293Z0hMRytyRExQRmE0aUkKNqaT6R5IDw6I9IXGsKcUsem04XQSTmCU\nW8iAehs524XzGE4+6SERDM1qrfKno1vJpmS2qG8/s1HicycjmMfQRw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-14T10:49:41Z", - "mac": "ENC[AES256_GCM,data:uMRaQ75O7hESoszSUxIeh9dkTnBEIdvLMytNWF/KSzPOSBQwv3fl0nqe88V7RrWl3gbZMUfcSmZ1+ClpeWlh69+clkVc/ix5kpypqABm1WQzDtjJs2HsCB/o8vVU2JuN0M0DctCyoZgf8duwQsdkqzXA9TE20pABNDOw17l3dks=,iv:CVhdXvKPiQQGAZh1N5x+cD3aebdqkxHBuO/B98D+4SI=,tag:oEoQBxEPDkYxL/Sybq/Wog==,type:str]", + "lastmodified": "2025-05-14T11:49:53Z", + "mac": "ENC[AES256_GCM,data:9faPbY2mUIp/A1oDqan4cpadJah30PpGZ2feFPohCn9Gy/xYYjqhqEwIpjvwf+MRCvqdC6n4jvOT8AVUHiwrtr19/In2CWpPMrFsw08nCzO9L9TJAfDnqYLdqtdHF3DgEFIzy0wi5iSRe5/lo79GW8uMdS7ULf4T26WKfGzsk6o=,iv:w2OXdQH1mB+NvAJedYmtkDU2m0HywnCEP1MMhHh8lW8=,tag:XYitYG0iDpPbWjShOW+icg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.1" } From dad5fb17ec7659d93e85d033d719d00cbca7e1e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Wed, 14 May 2025 13:53:23 +0200 Subject: [PATCH 8/9] Update vars via generator ddns-updater-conf for machine moritz-server --- .../moritz-server/ddns-updater-conf/config.json/secret | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret index b1f9652..1245742 100644 --- a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret +++ b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret 
@@ -1,18 +1,18 @@ { - "data": "ENC[AES256_GCM,data:Jh+HcaQyfQbE++gZUbZR7nLlbrzEcIJBaZfa2DoRYvXxogkIpyhusr2JdE6EQa2rFP/V+5vEkdHzF3sfRBStIHkO3hO4NskNkyanlCISnSP5Voz/YdcivCy4sZMuYBf7Ji0wzELw5lY/poS9cHCQyAlaFaWNsLZdBXmI6PSnfs69gJKnW/js4SbQe4turjFMetYLGD8f,iv:cpO12WpcgpkcH9a2s3ti8Pj2c34tF3cj5pA8stHUPtA=,tag:j+sTW87NVujYOvrpGsEmrg==,type:str]", + "data": "ENC[AES256_GCM,data:xAfwazWdkDc86yIcFWuuBoyrGA/lFHzT6AKAGy691zM5Um6QAREZo7gCyuGLmRs5zu5mDkg4M5xAYwja0PYOfWvBiOLcYdFwzeeYqfFv7B9FSwGCn45EIRhFZOJH4VXaZDUDTsNN5RgwJbjl9d4exveJr8a0XBVZzIn/OK6tT2VnBcTRFw3Wd7LoVwXl/gXaHD9G8DTgJLmH16zRnvFw2o33ykRItHo5mfpkRJiX1Wv432ir9WOmUN5DOVYAXQrBdk9llId3hURqhWfPcysJzpESJBK8EdnkSq0PBJRTmRo+kMxXhVKCph0r9Pzg1zJxzChr28ZNWD2aumF0O59uNc7+XE7o4dd3eMK1sQ21VkRScgeJTTGtYxbMXEMplO2+yPw=,iv:x0ALrHu5i9UAn2nA2WcckOqBVBcOmLzIgvwS5ZADXSA=,tag:Y5agVeJwMFrikJrXZ3UtiQ==,type:str]", "sops": { "age": [ { "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UjI4MFVwcHZvVHB3dFM3\nOXJod3ZXS2JId0swckpkMjNVUWZxVndwNGdvClVObTh0Y3VrRjlwS3pQUWI3WHpP\nVUZFUGRycjZTN1FPaXpZTnlPWXJzRTAKLS0tIEc0WHZMS0hISWFWS3BRVUVLTXBy\nQk95T0lGNm81RXA4UHJnSTB2UzFORjQKaukIM2ohI10fuFjG4pmuCgkDyypG1FmA\nJ9tDTRiHSBhwHdtk2tHMddW/FssB01Z28+8A8W04mZdGc8Pi0aZmtw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbTBrRzFxeDBLaWFHcWpa\nRUl2d1l3OTVhVkZvKzd2NW9lb0c5UjI1ZkJRCm5oSVV2TXdya0NhOG5qUm04NXdH\nek9nYjdtTVhHTHhuTjJGZk9jOWhUQlkKLS0tIEV2NFNCdEFuWCtONmMyYnYxdE5n\nTDJlSnlUY3g2WkxWWXBBZXZudWJnd1UKKYHj7q6Vto5+fSfZyi4Gw4kTBcP+aMzX\nmGbYPi5Gik9EU8AIrB0tD5H3D/ZSD2N0I3AfIgLlC69wcYxlf8XtnA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNFh2SWhvWk56M1JMY0VE\nWHlpc09CNC94Q3lLbHBQSVNUMHJXOXd2REZBCmFoQkZvQVBCYi9MUTZGTjN4YmQ2\ncXZQd1dvcm1wRUo4cTdSdnZFcUEyVmcKLS0tIHd2NEhuK0FjWU1iemxFUVNhb3RM\nVzdRN3lpclU1a3l1dVoxdjY2ZXBxYjQKRwYtZ5cDnaAzDhbWN7MRMVmWoxndrxuy\n5il5OGVhI0wmWmhKXX8Q1yN5y8ltG9VTINf2aM/X+JjIOg4y50Nz0Q==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWZHdKb0MzdHA1MzNJVFhs\nNU44a0tGYTlCbXI4bU5wTDAwcEF6RThXb1ZBCk9iWnFQRFpqK3J1ZEMxd1Z2Ymdt\nNGVidjE3OWl6Nm4rL01SVi90NjlyVHMKLS0tIG9RUURLSVd6bUhNbE1kNFVRanFV\nQzZMUmNkNTlHNmtwR2xzL2laZzZVMFEKYTj14fT03nW+RGKlCdKtffA31tRBMnuo\nY/6SAAWGm0pqUP0mGT4hKr/5bSmFcMoTEy64LVBkWU0dd2dIn5urCA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-14T10:28:17Z", - "mac": "ENC[AES256_GCM,data:AcW3G9YORP7dE541ggs6hqnK1I5JoZK7e5pMQDAtCh90ANorfKEB6IYfE18udAF6L2w7yTht3jAnLzqy9aLsRp9QEyv6Wx635EidQga5L+0XjnWzB8UTxxkQjnYNgOulWxutb0Bu6KLd6rrUlI1qO635dl1uiDNBZiZ9ztmNj2E=,iv:OkF66OlXfNaB1uFT+BdDfBSuE9DbOarFyDL9tW8+idI=,tag:Bj52Za63itj3UDfhczPD2g==,type:str]", + "lastmodified": "2025-05-14T11:53:23Z", + "mac": "ENC[AES256_GCM,data:Eq8h9tW+T8Fcl4/jYKC52xGZAGs5DR9vsYBYdCAfTmoz4HfowA/zfn7QY8Yqn3Mf3ifh7uUZD2GyEq3E3v18VZe6yTRlTsVsC1pm1Jl6lN1OXOOV/kowcsLE8o7mRMrGqSozjRYVZUwzaR49B1vPYwX44rpNLQmie+BCZBCNI8M=,iv:Y8BMtJzQryO3tepaAPgWI7ngdKKGLF0rrlyQWLF3n4E=,tag:r9nmFgzDmaxJaF8gOuZhKA==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.1" } From d2ace8d73a7747fdb11a4b183b28c83f97a04da0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Wed, 14 May 2025 15:25:46 +0200 Subject: [PATCH 9/9] fix: nginx and acme config --- machines/moritz-server/reverse-proxy.nix | 50 +++++++++++++++++++----- 1 file changed, 41 insertions(+), 9 deletions(-) diff --git a/machines/moritz-server/reverse-proxy.nix b/machines/moritz-server/reverse-proxy.nix index 8635ebe..a265d2c 100644 --- a/machines/moritz-server/reverse-proxy.nix 
+++ b/machines/moritz-server/reverse-proxy.nix
@@ -1,4 +1,4 @@
-{
+{config, ...}: {
 services.fail2ban = {
 enable = true;
 bantime-increment.enable = true;
@@ -49,9 +49,10 @@
 '';
 };
 
- networking.firewall.allowedTCPPorts = [80 443];
+ networking.firewall.allowedTCPPorts = [80 1443 443];
 services.nginx = {
 enable = true;
+ logError = "stderr info";
 recommendedProxySettings = true;
 virtualHosts = {
 "moritzboeh.me" = {
@@ -61,8 +62,20 @@
 };
 };
 "moritz.foo" = {
+ forceSSL = true;
+ useACMEHost = "moritz.foo";
 locations."/" = {
- return = "200 'Hello World!'";
+ return = "301 https://www.moritz.foo";
+ };
+ };
+ "www.moritz.foo" = {
+ forceSSL = true;
+ useACMEHost = "any.moritz.foo";
+ locations."/" = {
+ extraConfig = ''
+ add_header Content-Type text/html;
+ '';
+ return = "200 'Hello World'";
 };
 };
 };
@@ -76,18 +89,37 @@
 }
 
 map $ssl_preread_server_name $name {
- *.moritz.foo self;
- moritz.foo self;
- *.moritzboeh.me diskstation;
- moritzboeh.me diskstation;
- default diskstation;
+ hostnames;
+ .moritz.foo self;
+ .moritzboeh.me diskstation;
 }
 
 server {
- listen 443;
+ listen 1443;
 ssl_preread on;
 proxy_pass $name;
 }
 '';
 };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@moritzboeh.me";
+ defaults.dnsResolver = "1.1.1.1:53";
+ certs."moritz.foo" = {
+ dnsProvider = "cloudflare";
+ group = "nginx";
+ environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
+ };
+ certs."any.moritz.foo" = {
+ domain = "*.moritz.foo";
+ dnsProvider = "cloudflare";
+ group = "nginx";
+ environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
+ };
+ };
+ clan.core.vars.generators.acme.prompts.vars = {
+ persist = true;
+ type = "multiline";
+ };
 }
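Review bot: In the new `www.moritz.foo` location, `add_header Content-Type text/html;` next to `return 200 '...'` most likely yields two Content-Type headers, because `return` already emits one derived from `default_type` (NixOS's generated config sets that to `application/octet-stream`, as far as I recall); the usual form is `default_type text/html;` in the `extraConfig` instead of `add_header`. The `moritz.foo` redirect `return = "301 https://www.moritz.foo"` also discards the request path and query string; if that is intended a short comment would help, otherwise `301 https://www.moritz.foo$request_uri` keeps them. The enclosing `virtualHosts` attribute set starts outside this hunk.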
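Review bot: With the SNI dispatcher now on 1443 handing `.moritz.foo` connections to `127.0.0.1:443` (presumably external 443 is forwarded to 1443 upstream of this host), every client that arrives that way reaches the http vhosts with `$remote_addr` = 127.0.0.1, so the access log records the loopback address and the fail2ban jails at the top of this file can never ban the real source, since fail2ban ignores the host's own addresses by default. The fix is PROXY protocol between the two nginx layers: `proxy_protocol on;` in the stream `server`, a loopback-only listener for `self` that accepts it (recent NixOS exposes a `proxyProtocol` flag on the vhost `listen` entries; it must stay separate from the plain 443 that the firewall also opens, or direct connections break), and `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;` in the http config. Dropping the `default diskstation;` entry also means a connection with no or an unmatched SNI now gets an empty `$name` and is closed by nginx — acceptable, but worth a one-line comment in the map so it reads as intended. For the ACME `environmentFile`, the token itself is not visible here; confirm it is a zone-scoped Cloudflare DNS-edit token rather than a global API key, given it is readable by whatever runs the renewal.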