From d189ffa38d03d9074a87e58c837129e919dd5397 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 24 Jan 2025 23:35:38 +0000
Subject: [PATCH] add reverse proxy and domain names to config
---
 .../optional/desktop/common/firefox.nix | 36 +++---
 .../nixos-containers/reverse-proxy.nix | 112 ++++++++++++++++++
 hosts/semita/default.nix | 1 +
 3 files changed, 135 insertions(+), 14 deletions(-)
 create mode 100644 hosts/common/optional/nixos-containers/reverse-proxy.nix
diff --git a/home/common/optional/desktop/common/firefox.nix b/home/common/optional/desktop/common/firefox.nix
index 3c17bd1..0b7a2df 100644
--- a/home/common/optional/desktop/common/firefox.nix
+++ b/home/common/optional/desktop/common/firefox.nix
@@ -5,7 +5,6 @@
 ...
 }: let
 user = config.home.username;
- bitcoinNodeIp = configVars.networking.addresses.bitcoin-node.ip;
 dockerContainerIp = configVars.networking.addresses.docker.ip;
 in {
 programs.firefox = {
@@ -22,14 +21,8 @@ in {
 {
 template = "https://search.nixos.org/packages";
 params = [
- {
- name = "type";
- value = "packages";
- }
- {
- name = "query";
- value = "{searchTerms}";
- }
+ { name = "type"; value = "packages"; }
+ { name = "query"; value = "{searchTerms}"; }
 ];
 }
 ];
@@ -43,7 +36,7 @@ in {
 definedAliases = ["@nw"];
 };
 "Searx" = {
- urls = [{template = "http://${dockerContainerIp}:8855/?q={searchTerms}";}];
+ urls = [{template = "http://searx.lan/?q={searchTerms}";}];
 iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg";
 updateInterval = 24 * 60 * 60 * 1000; # every day
 definedAliases = ["@searx"];
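Review bot: `dockerContainerIp` stays bound in the let block of the first hunk although, as far as the hunks of this file show, every use of it (the Searx engine URL here, the Jellyfin bookmark and the startup homepage later in the file) is replaced by a `.lan` hostname, so unless a use survives outside the hunks the line `dockerContainerIp = configVars.networking.addresses.docker.ip;` can go the same way as `bitcoinNodeIp`. The new engine URL also depends on `searx.lan` resolving to the reverse-proxy container's address, which nothing in this commit configures; a short comment next to the engine definition naming where those records live (presumably the Pi-hole local DNS) would save the next reader a search. The enclosing `programs.firefox` attribute set continues outside the hunk.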
@@ -60,11 +53,27 @@ in {
 bookmarks = [
 {
 name = "Jellyfin";
- url = "http://${dockerContainerIp}:8096";
+ url = "http://jellyfin.lan";
+ }
+ {
+ name = "Pihole";
+ url = "http://dns.lan";
+ }
+ {
+ name = "Searx";
+ url = "http://searx.lan";
 }
 {
 name = "Mempool";
- url = "http://${bitcoinNodeIp}:4080";
+ url = "http://mempool.lan";
+ }
+ {
+ name = "Grafana";
+ url = "http://grafana.lan";
+ }
+ {
+ name = "Prometheus";
+ url = "http://prometheus.lan";
 }
 {
 name = "Nixos Package Search";
@@ -80,7 +89,7 @@ in {
 "identity.fxaccounts.enabled" = false;
 "signon.rememberSignons" = false;
 "browser.compactmode.show" = true;
- "browser.startup.homepage" = "http://${dockerContainerIp}:8855";
+ "browser.startup.homepage" = "http://searx.lan";
 "browser.search.defaultenginename" = "Searx";
 "browser.search.order.1" = "Searx";
 };
@@ -91,7 +100,6 @@ in {
 bitwarden
 sponsorblock
 darkreader
- vimium
 privacy-badger
 zotero-connector
 ];
diff --git a/hosts/common/optional/nixos-containers/reverse-proxy.nix b/hosts/common/optional/nixos-containers/reverse-proxy.nix
new file mode 100644
index 0000000..b2abf5c
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/reverse-proxy.nix
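Review bot: The new `Prometheus` bookmark points at `http://prometheus.lan`, but the reverse proxy added in this same commit only defines a `metrics.lan` virtual host for the metrics server's port 9001, so the two names do not match; either the bookmark should read `url = "http://metrics.lan";` or the proxy needs a `"prometheus.lan"` host. If DNS nevertheless maps `prometheus.lan` to the proxy, nginx answers from whichever virtual host it treats as the default instead of failing, so the bookmark would quietly open a different service under that name. The `bookmarks` list continues outside the hunk.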
@@ -0,0 +1,112 @@
+{
+ pkgs,
+ lib,
+ configVars,
+ ...
+}: let
+ containerName = "reverse-proxy";
+ containerIp = configVars.networking.addresses.reverse-proxy.ip;
+
+ gatewayIp = configVars.networking.addresses.gateway.ip;
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+
+ dockerContainerIp = configVars.networking.addresses.docker.ip;
+ bdWorker = configVars.networking.addresses.bd-worker.ip;
+ pihole = configVars.networking.addresses.pihole.ip;
+ bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
+ metricsServer = configVars.networking.addresses.metrics-server.ip;
+in {
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ containers."${containerName}" = {
+ enableTun = true;
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+
+ config = {
+ pkgs,
+ lib,
+ config,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "${gatewayIp}";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${containerIp}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ imports = [
+ ];
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ pkgs.nginx
+ ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "jellyfin.lan" = {
+ locations."/".proxyPass = "http://${dockerContainerIp}:8096";
+ };
+ "mempool.lan" = {
+ locations."/".proxyPass = "http://${bitcoinNode}:4080";
+ };
+ "grafana.lan" = {
+ locations."/".proxyPass = "http://${metricsServer}:2342";
+ };
+ "metrics.lan" = {
+ locations."/".proxyPass = "http://${metricsServer}:9001";
+ };
+ "searx.lan" = {
+ locations."/".proxyPass = "http://${dockerContainerIp}:8855";
+ };
+ "dns.lan" = {
+ locations."/".proxyPass = "http://${pihole}:80";
+ };
+ "prefect.lan" = {
+ locations."/".proxyPass = "http://${bdWorker}:4200";
+ };
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/semita/default.nix b/hosts/semita/default.nix
index aaa4a37..afcb549 100644
--- a/hosts/semita/default.nix
+++ b/hosts/semita/default.nix
@@ -60,6 +60,7 @@ in {
 ../common/optional/fileserver/nfs-client/personal.nix
 ../common/optional/distributed-builds/local-machine.nix
+ ../common/optional/nixos-containers/reverse-proxy.nix
 outputs.nixosModules.nixosAutoUpgrade
 ];
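Review bot: The `services.nginx` block in this new file forwards every upstream with a bare `proxyPass` and no `recommendedProxySettings`, so Jellyfin, Grafana and Pi-hole see the container's address instead of the real client and receive no `Host`/`X-Forwarded-*` headers, which blinds their access logs and login throttling to which LAN host is actually talking to them. Jellyfin's and Grafana's web UIs also open WebSocket connections that a plain `proxyPass` does not upgrade, so those two hosts need `proxyWebsockets = true`. No virtual host is marked `default = true`, so a request for an unknown or mistyped name (the `prometheus.lan` bookmark added elsewhere in this commit has no matching host here) is answered by whichever server block nginx falls back to rather than rejected; a catch-all `"_"` host returning 444 makes that explicit. Two smaller least-privilege points: `enableTun = true` gives the container a TUN device that nothing in this file uses, and the listen side is plain HTTP on port 80, so any upstream that carries credentials (Grafana, the Pi-hole admin) has them crossing the bridge in clear unless TLS is terminated here.
```nix
      services.nginx = {
        enable = true;
        recommendedProxySettings = true;
        virtualHosts = {
          "_" = {
            default = true;
            locations."/".return = "444";
          };
          "jellyfin.lan" = {
            locations."/" = {
              proxyPass = "http://${dockerContainerIp}:8096";
              proxyWebsockets = true;
            };
          };
          # … unchanged: mempool.lan …
          "grafana.lan" = {
            locations."/" = {
              proxyPass = "http://${metricsServer}:2342";
              proxyWebsockets = true;
            };
          };
          # … unchanged: metrics.lan, searx.lan, dns.lan, prefect.lan …
        };
      };
```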