sam/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add ssl certs to reverse proxy

Browse source
This commit is contained in:
Sam 2025-01-26 23:59:29 +00:00
parent b145fadcb3
commit 3c0baaed18
1 changed files with 56 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
hosts/common/optional/nixos-containers/reverse-proxy.nix
View file

@ -2,6 +2,7 @@
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "reverse-proxy";
@ -10,6 +11,7 @@
gatewayIp = configVars.networking.addresses.gateway.ip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
sops-nix = inputs.sops-nix;
dockerContainerIp = configVars.networking.addresses.docker.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
@ -33,13 +35,40 @@ in {
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
config,
...
}: {
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
sops.secrets = {
"ssl_keys/lan-selfsigned.crt" = {
mode = "0644";
};
"ssl_keys/lan-selfsigned.key" = {
mode = "0644";
};
};
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
@ -52,6 +81,7 @@ in {
enable = true;
allowedTCPPorts = [
80
443
];
};
useHostResolvConf = lib.mkForce false;
@ -60,6 +90,7 @@ in {
services.resolved.enable = true;
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
@ -72,27 +103,51 @@ in {
enable = true;
virtualHosts = {
"jellyfin.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${dockerContainerIp}:8096";
};
"mempool.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${bitcoinNode}:4080";
extraConfig = ''
proxy_set_header Host mempool.lan;
'';
};
"grafana.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${metricsServer}:2342";
extraConfig = ''
proxy_set_header Host grafana.lan;
'';
};
"metrics.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${metricsServer}:9001";
};
"searx.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${dockerContainerIp}:8855";
};
"dns.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${pihole}:80";
};
"prefect.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${bdWorker}:4200";
};
};