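# NixOS container "reverse-proxy": an nginx TLS terminator for LAN services.
#
# The container sits on the host bridge (br0) with its own address and serves
# a set of *.lan virtual hosts, each forwarding to one backend address taken
# from configVars.networking.addresses. TLS uses a self-signed LAN certificate
# delivered through sops-nix; the container decrypts it with the host's SSH
# host key, which is bind-mounted read-only into the container.
{ pkgs, lib, configVars, inputs, ... }:
let
  containerName = "reverse-proxy";
  containerIp = configVars.networking.addresses.reverse-proxy.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;

  # Every file under users/keys is read and installed as an SSH public key
  # for root inside the container.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  sops-nix = inputs.sops-nix;

  # Backend addresses the virtual hosts below forward to.
  dockerContainerIp = configVars.networking.addresses.docker.ip;
  bdWorker = configVars.networking.addresses.bd-worker.ip;
  pihole = configVars.networking.addresses.pihole.ip;
  bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
  metricsServer = configVars.networking.addresses.metrics-server.ip;
in
{
  # Host side: NAT the container veth interfaces out through the bridge.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "br0";

  # Keep the container's state across reboots of an impermanent host.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  containers."${containerName}" = {
    enableTun = true;
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;

    # The host's SSH host key is the age identity sops-nix uses inside the
    # container. NOTE(review): this gives the container the same decryption
    # capability as the host for every secret encrypted to that key, not only
    # the two it reads; a container-specific age key would narrow that.
    bindMounts = {
      "/etc/ssh/ssh_host_ed25519_key" = {
        hostPath = "/etc/ssh/ssh_host_ed25519_key";
        isReadOnly = true;
      };
    };

    config = { pkgs, lib, config, ... }:
      let
        secretsDirectory = builtins.toString inputs.nix-secrets;
        secretsFile = "${secretsDirectory}/secrets.yaml";

        # TLS settings shared by every *.lan virtual host: redirect plain HTTP
        # and present the self-signed LAN certificate delivered by sops-nix.
        lanTls = {
          forceSSL = true;
          sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
          sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
        };
      in
      {
        imports = [ sops-nix.nixosModules.sops ];

        sops = {
          defaultSopsFile = "${secretsFile}";
          validateSopsFiles = false;
          age = {
            sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          };
        };

        sops.secrets = {
          # The certificate is public; world-readable is fine.
          "ssl_keys/lan-selfsigned.crt" = { mode = "0644"; };
          # The private key is only read by nginx (NixOS runs the nginx master
          # as services.nginx.user), so it is owned by that user and not
          # world-readable instead of the previous 0644.
          "ssl_keys/lan-selfsigned.key" = {
            mode = "0440";
            owner = config.services.nginx.user;
            group = config.services.nginx.group;
          };
        };

        networking = {
          defaultGateway = "${gatewayIp}";
          interfaces.eth0.ipv4.addresses = [
            { "address" = "${containerIp}"; "prefixLength" = 24; }
          ];
          # Proxy ports only; services.openssh.openFirewall defaults to true,
          # so 22 is opened by the openssh module as well.
          firewall = {
            enable = true;
            allowedTCPPorts = [ 80 443 ];
          };
          # Containers inherit the host's resolv.conf by default; use
          # systemd-resolved inside the container instead.
          useHostResolvConf = lib.mkForce false;
        };
        services.resolved.enable = true;

        environment.systemPackages = [ pkgs.vim pkgs.git pkgs.nginx ];

        services.nginx = {
          enable = true;
          # Use the NixOS module's modern TLS protocol/cipher defaults rather
          # than nginx's built-in ones.
          recommendedTlsSettings = true;
          virtualHosts = {
            "jellyfin.lan" = lanTls // {
              locations."/".proxyPass = "http://${dockerContainerIp}:8096";
            };
            "mempool.lan" = lanTls // {
              locations."/".proxyPass = "http://${bitcoinNode}:4080";
              # Backend expects its own name in Host, not the proxy address.
              extraConfig = ''
                proxy_set_header Host mempool.lan;
              '';
            };
            "grafana.lan" = lanTls // {
              locations."/".proxyPass = "http://${metricsServer}:2342";
              extraConfig = ''
                proxy_set_header Host grafana.lan;
              '';
            };
            "metrics.lan" = lanTls // {
              locations."/".proxyPass = "http://${metricsServer}:9001";
            };
            "searx.lan" = lanTls // {
              locations."/".proxyPass = "http://${dockerContainerIp}:8855";
            };
            "dns.lan" = lanTls // {
              locations."/".proxyPass = "http://${pihole}:80";
            };
            "prefect.lan" = lanTls // {
              locations."/".proxyPass = "http://${bdWorker}:4200";
            };
          };
        };

        services.openssh = {
          enable = true;
          settings.PasswordAuthentication = false;
          # Also close the keyboard-interactive path so only keys are accepted.
          settings.KbdInteractiveAuthentication = false;
        };

        users.users = {
          root = {
            openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
          };
        };

        system.stateVersion = "24.05";
      };
  };
}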