diff --git a/hosts/mups/configuration.nix b/hosts/mups/configuration.nix index ffdd5b9..01984dc 100644 --- a/hosts/mups/configuration.nix +++ b/hosts/mups/configuration.nix @@ -1,12 +1,9 @@ { config, lib, pkgs, inputs, system, ... }: -let - cfg = config.mods; +let cfg = config.mods; in { # Hardware - imports = [ - ./hardware-configuration.nix - ]; + imports = [ ./hardware-configuration.nix ]; # System mods.user.name = "muon"; @@ -30,20 +27,24 @@ in { mods.server.sync.address = "100.85.27.29"; mods.server.sync.port = "8385"; - mods.server.media.enable = true; - mods.server.photoprism.enable = true; + mods.server.media.enable = false; + mods.server.photoprism.enable = false; mods.server.wireguard.enable = true; mods.server.headscale.enable = false; + mods.server.nginx.enable = true; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; boot.initrd.checkJournalingFS = false; - + users.users.muon = { - openssh.authorizedKeys.keys = - [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is'' ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILmAOd9VbhyJeibt6Vrb101MNTk5W8+rh94Djv/C+pyu muon@muho" + ]; }; # services.static-web-server = { @@ -59,8 +60,10 @@ in { # Enable the OpenSSH daemon. services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = - [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is'' ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is" + ]; networking.firewall = { enable = true; diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix index d3c88a1..73dd6eb 100644 --- a/modules/nixos/server/default.nix +++ b/modules/nixos/server/default.nix @@ -10,5 +10,6 @@ ./headscale.nix ./photoprism.nix ./search.nix + ./nginx.nix ]; } diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix new file mode 100644 index 0000000..fe792ae --- /dev/null +++ b/modules/nixos/server/nginx.nix @@ -0,0 +1,69 @@ +{ pkgs, lib, config, ... }: { + options.mods.server.nginx = { + enable = lib.mkEnableOption { + default = false; + description = "enables nginx reverse proxy"; + }; + }; + + config = lib.mkIf config.mods.server.nginx.enable { + # ACME won't be able to authenticate your domain + # if ports 80 & 443 aren't open in your firewall. + networking.firewall = { allowedTCPPorts = [ 443 80 ]; }; + security.acme.defaults.email = "acme@muon.host"; + security.acme.acceptTerms = true; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + # map $scheme $hsts_header { + # https "max-age=31536000; includeSubdomains; preload"; + # } + # add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + + # required when the server wants to use HTTP Authentication + proxy_pass_header Authorization; + ''; + + virtualHosts = let + base = locations: { + inherit locations; + + forceSSL = true; + enableACME = true; + }; + proxy = port: + base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; }; + in { + # Define example.com as reverse-proxied service on 127.0.0.1:3000 + "photos.muon.host" = proxy 2283 // { default = true; }; + }; + }; + }; +} diff --git a/modules/nixos/server/wireguard.nix b/modules/nixos/server/wireguard.nix index ca61000..f49d998 100644 --- a/modules/nixos/server/wireguard.nix +++ b/modules/nixos/server/wireguard.nix @@ -6,9 +6,8 @@ }; }; - config = lib.mkIf config.mods.server.wireguard.enable { - networking.nat = { + networking.nat = { enable = true; enableIPv6 = true; externalInterface = "ens3"; @@ -51,6 +50,11 @@ presharedKeyFile = "/home/muon/wireguard-keys/psk-muon"; allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ]; } + { # peer1 + publicKey = "ohf/tGV9bjDDh/i9U5+DNvFtn+Glm8Wy1ieHoPvXfCo="; + presharedKeyFile = "/home/muon/wireguard-keys/psk-muho"; + allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ]; + } # More peers can be added here. ]; }; @@ -58,9 +62,11 @@ services.dnsmasq = { enable = true; - extraConfig = '' - interface=wg0 - ''; + settings.bind-interfaces = true; + settings.interface = "wg0"; + # extraConfig = '' + # interface=wg0 + # ''; }; # networking.wireguard.interfaces = {