Merge remote-tracking branch 'refs/remotes/origin/main'

hosts/mups/configuration.nix

@@ -1,12 +1,9 @@
 { config, lib, pkgs, inputs, system, ... }:
-let
+let cfg = config.mods;
-  cfg = config.mods;
 
 in {
   # Hardware
-  imports = [
+  imports = [ ./hardware-configuration.nix ];
-    ./hardware-configuration.nix
-  ];
 
   # System
   mods.user.name = "muon";
@@ -30,11 +27,12 @@ in {
   mods.server.sync.address = "100.85.27.29";
   mods.server.sync.port = "8385";
 
-  mods.server.media.enable = true;
+  mods.server.media.enable = false;
-  mods.server.photoprism.enable = true;
+  mods.server.photoprism.enable = false;
 
   mods.server.wireguard.enable = true;
   mods.server.headscale.enable = false;
+  mods.server.nginx.enable = true;
 
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
@@ -42,8 +40,11 @@ in {
   boot.initrd.checkJournalingFS = false;
 
   users.users.muon = {
-    openssh.authorizedKeys.keys =
+    openssh.authorizedKeys.keys = [
-      [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is'' ];
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILmAOd9VbhyJeibt6Vrb101MNTk5W8+rh94Djv/C+pyu muon@muho"
+    ];
   };
 
   # services.static-web-server = {
@@ -59,8 +60,10 @@ in {
 
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
-  users.users.root.openssh.authorizedKeys.keys =
+  users.users.root.openssh.authorizedKeys.keys = [
-    [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is'' ];
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is"
+  ];
 
   networking.firewall = {
     enable = true;

modules/nixos/server/default.nix

@@ -10,5 +10,6 @@
     ./headscale.nix
     ./photoprism.nix
     ./search.nix
+    ./nginx.nix
   ];
 }

modules/nixos/server/nginx.nix

@@ -0,0 +1,69 @@
+{ pkgs, lib, config, ... }: {
+  options.mods.server.nginx = {
+    enable = lib.mkEnableOption {
+      default = false;
+      description = "enables nginx reverse proxy";
+    };
+  };
+
+  config = lib.mkIf config.mods.server.nginx.enable {
+    # ACME won't be able to authenticate your domain
+    # if ports 80 & 443 aren't open in your firewall.
+    networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
+    security.acme.defaults.email = "acme@muon.host";
+    security.acme.acceptTerms = true;
+
+    services.nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # Only allow PFS-enabled ciphers with AES256
+      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        # map $scheme $hsts_header {
+            # https   "max-age=31536000; includeSubdomains; preload";
+        # }
+        # add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+
+        # required when the server wants to use HTTP Authentication
+        proxy_pass_header Authorization;
+      '';
+
+      virtualHosts = let
+        base = locations: {
+          inherit locations;
+
+          forceSSL = true;
+          enableACME = true;
+        };
+        proxy = port:
+          base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; };
+      in {
+        # Define example.com as reverse-proxied service on 127.0.0.1:3000
+        "photos.muon.host" = proxy 2283 // { default = true; };
+      };
+    };
+  };
+}

modules/nixos/server/wireguard.nix

@@ -6,9 +6,8 @@
     };
   };
 
-
   config = lib.mkIf config.mods.server.wireguard.enable {
-     networking.nat = {
+    networking.nat = {
       enable = true;
       enableIPv6 = true;
       externalInterface = "ens3";
@@ -51,6 +50,11 @@
             presharedKeyFile = "/home/muon/wireguard-keys/psk-muon";
             allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
           }
+          { # peer1
+            publicKey = "ohf/tGV9bjDDh/i9U5+DNvFtn+Glm8Wy1ieHoPvXfCo=";
+            presharedKeyFile = "/home/muon/wireguard-keys/psk-muho";
+            allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
+          }
           # More peers can be added here.
         ];
       };
@@ -58,9 +62,11 @@
 
     services.dnsmasq = {
       enable = true;
-      extraConfig = ''
+      settings.bind-interfaces = true;
-        interface=wg0
+      settings.interface = "wg0";
-      '';
+      # extraConfig = ''
+      #   interface=wg0
+      # '';
     };
 
     # networking.wireguard.interfaces = {