diff --git a/hosts/common/optional/nixos-containers/reverse-proxy.nix b/hosts/common/optional/nixos-containers/reverse-proxy.nix
index bbb57d2..ea82408 100644
--- a/hosts/common/optional/nixos-containers/reverse-proxy.nix
+++ b/hosts/common/optional/nixos-containers/reverse-proxy.nix
@@ -2,6 +2,7 @@
   pkgs,
   lib,
   configVars,
+  inputs,
   ...
 }: let
   containerName = "reverse-proxy";
@@ -10,6 +11,7 @@
   gatewayIp = configVars.networking.addresses.gateway.ip;
   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+  sops-nix = inputs.sops-nix;
   dockerContainerIp = configVars.networking.addresses.docker.ip;
   bdWorker = configVars.networking.addresses.bd-worker.ip;
   pihole = configVars.networking.addresses.pihole.ip;
@@ -33,13 +35,40 @@ in {
     privateNetwork = true;
     hostBridge = "br0";
     nixpkgs = pkgs.path;
+    bindMounts = {
+      "/etc/ssh/ssh_host_ed25519_key" = {
+        hostPath = "/etc/ssh/ssh_host_ed25519_key";
+        isReadOnly = true;
+      };
+    };
     config = {
       pkgs,
       lib,
       config,
       ...
-    }: {
+    }: let
+      secretsDirectory = builtins.toString inputs.nix-secrets;
+      secretsFile = "${secretsDirectory}/secrets.yaml";
+    in {
+      sops = {
+        defaultSopsFile = "${secretsFile}";
+        validateSopsFiles = false;
+
+        age = {
+          sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+        };
+      };
+
+      sops.secrets = {
+        "ssl_keys/lan-selfsigned.crt" = {
+          mode = "0644";
+        };
+        "ssl_keys/lan-selfsigned.key" = {
+          mode = "0644";
+        };
+      };
+
       networking = {
         defaultGateway = "${gatewayIp}";
         interfaces.eth0.ipv4.addresses = [
@@ -52,6 +81,7 @@ in {
         enable = true;
         allowedTCPPorts = [
           80
+          443
         ];
       };
       useHostResolvConf = lib.mkForce false;
@@ -60,6 +90,7 @@ in {
       services.resolved.enable = true;
       imports = [
+        sops-nix.nixosModules.sops
       ];
       environment.systemPackages = [
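Review bot: In the `sops.secrets` block of the `@@ -33,13 +35,40 @@` hunk, the TLS private key `ssl_keys/lan-selfsigned.key` is provisioned with `mode = "0644"`, which makes it readable by every user inside the container although only the nginx worker needs it. Give the key to the nginx user instead, e.g. `"ssl_keys/lan-selfsigned.key" = { owner = "nginx"; mode = "0400"; };`, and keep `0644` only for the `.crt`, which is public material. The same hunk bind-mounts the host's `/etc/ssh/ssh_host_ed25519_key` read-only into the container so sops-nix can derive its age key from it; that hands the host's SSH identity to the container that terminates inbound connections, so a compromise of the proxy would also expose the host key, and a dedicated age key for the container would bound that blast radius. `validateSopsFiles = false` additionally drops the evaluation-time check that the secrets file exists, so a one-line comment stating why it is needed here (presumably because `secretsFile` is a string rather than a path literal) would help the next reader. The container `config` attrset these options live in continues past the hunk.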
@@ -72,27 +103,51 @@ in {
       enable = true;
       virtualHosts = {
         "jellyfin.lan" = {
+          forceSSL = true;
+          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
+          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
           locations."/".proxyPass = "http://${dockerContainerIp}:8096";
         };
         "mempool.lan" = {
+          forceSSL = true;
+          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
+          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
           locations."/".proxyPass = "http://${bitcoinNode}:4080";
+          extraConfig = ''
+            proxy_set_header Host mempool.lan;
+          '';
         };
         "grafana.lan" = {
+          forceSSL = true;
+          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
+          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
           locations."/".proxyPass = "http://${metricsServer}:2342";
           extraConfig = ''
             proxy_set_header Host grafana.lan;
           '';
         };
         "metrics.lan" = {
+          forceSSL = true;
+          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
+          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
           locations."/".proxyPass = "http://${metricsServer}:9001";
         };
         "searx.lan" = {
+          forceSSL = true;
+          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
+          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
           locations."/".proxyPass = "http://${dockerContainerIp}:8855";
         };
         "dns.lan" = {
+          forceSSL = true;
+          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
+          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
           locations."/".proxyPass = "http://${pihole}:80";
         };
         "prefect.lan" = {
+          forceSSL = true;
+          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
+          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
           locations."/".proxyPass = "http://${bdWorker}:4200";
         };
       };
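Review bot: The three lines `forceSSL = true;`, `sslCertificate = …` and `sslCertificateKey = …` are repeated verbatim in all seven virtual hosts of this hunk, so any later change to the certificate path or to the redirect policy has to be made in seven places and the copies will drift. Pull them into one local attrset and merge it into each host with `//`, which also lets the `"${…}"` wrappers around the two `.path` values become plain attribute references. The `services.nginx` attrset this hunk edits begins outside the hunk. Whether the five hosts that (unlike mempool and grafana) do not set `proxy_set_header Host` rely on nginx's default upstream Host cannot be told from the hunk; a short comment at the first vhost naming which backends need a rewritten Host would make that intent explicit.
```nix
      virtualHosts = let
        # TLS settings shared by every LAN vhost; cert and key are provisioned by sops-nix.
        lanSSL = {
          forceSSL = true;
          sslCertificate = config.sops.secrets."ssl_keys/lan-selfsigned.crt".path;
          sslCertificateKey = config.sops.secrets."ssl_keys/lan-selfsigned.key".path;
        };
      in {
        "jellyfin.lan" = lanSSL // {
          locations."/".proxyPass = "http://${dockerContainerIp}:8096";
        };
        # … unchanged: mempool, grafana, metrics, searx, dns and prefect, each written as `lanSSL // { … }` …
      };
```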