Merge remote-tracking branch 'refs/remotes/origin/main'

2025-12-06 08:07:45 +00:00 · 2024-11-29 16:33:35 +00:00 · 2024-11-29 16:33:35 +00:00 · 51fc35cc23
commit 51fc35cc23
parent 8bbe4f9a6c 62833663ad
4 changed files with 96 additions and 17 deletions
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@ -10,5 +10,6 @@
    ./headscale.nix
    ./photoprism.nix
    ./search.nix
+    ./nginx.nix
  ];
 }
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@ -0,0 +1,69 @@
+{ pkgs, lib, config, ... }: {
+  options.mods.server.nginx = {
+    enable = lib.mkEnableOption {
+      default = false;
+      description = "enables nginx reverse proxy";
+    };
+  };
+
+  config = lib.mkIf config.mods.server.nginx.enable {
+    # ACME won't be able to authenticate your domain
+    # if ports 80 & 443 aren't open in your firewall.
+    networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
+    security.acme.defaults.email = "acme@muon.host";
+    security.acme.acceptTerms = true;
+
+    services.nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # Only allow PFS-enabled ciphers with AES256
+      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        # map $scheme $hsts_header {
+            # https   "max-age=31536000; includeSubdomains; preload";
+        # }
+        # add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+
+        # required when the server wants to use HTTP Authentication
+        proxy_pass_header Authorization;
+      '';
+
+      virtualHosts = let
+        base = locations: {
+          inherit locations;
+
+          forceSSL = true;
+          enableACME = true;
+        };
+        proxy = port:
+          base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; };
+      in {
+        # Define example.com as reverse-proxied service on 127.0.0.1:3000
+        "photos.muon.host" = proxy 2283 // { default = true; };
+      };
+    };
+  };
+}
--- a/modules/nixos/server/wireguard.nix
+++ b/modules/nixos/server/wireguard.nix
@ -6,9 +6,8 @@
    };
  };

-
  config = lib.mkIf config.mods.server.wireguard.enable {
-     networking.nat = {
+    networking.nat = {
      enable = true;
      enableIPv6 = true;
      externalInterface = "ens3";
@ -51,6 +50,11 @@
            presharedKeyFile = "/home/muon/wireguard-keys/psk-muon";
            allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
          }
+          { # peer1
+            publicKey = "ohf/tGV9bjDDh/i9U5+DNvFtn+Glm8Wy1ieHoPvXfCo=";
+            presharedKeyFile = "/home/muon/wireguard-keys/psk-muho";
+            allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
+          }
          # More peers can be added here.
        ];
      };
@ -58,9 +62,11 @@

    services.dnsmasq = {
      enable = true;
-      extraConfig = ''
-        interface=wg0
-      '';
+      settings.bind-interfaces = true;
+      settings.interface = "wg0";
+      # extraConfig = ''
+      #   interface=wg0
+      # '';
    };

    # networking.wireguard.interfaces = {