Merge remote-tracking branch 'refs/remotes/origin/main'

2025-12-06 08:07:45 +00:00 · 2024-11-29 16:33:35 +00:00 · 2024-11-29 16:33:35 +00:00 · 51fc35cc23
commit 51fc35cc23
parent 8bbe4f9a6c 62833663ad
4 changed files with 96 additions and 17 deletions
--- a/hosts/mups/configuration.nix
+++ b/hosts/mups/configuration.nix
@ -1,12 +1,9 @@
 { config, lib, pkgs, inputs, system, ... }:
-let
-  cfg = config.mods;
+let cfg = config.mods;

 in {
  # Hardware
-  imports = [
-    ./hardware-configuration.nix
-  ];
+  imports = [ ./hardware-configuration.nix ];

  # System
  mods.user.name = "muon";
@ -30,11 +27,12 @@ in {
  mods.server.sync.address = "100.85.27.29";
  mods.server.sync.port = "8385";

-  mods.server.media.enable = true;
-  mods.server.photoprism.enable = true;
+  mods.server.media.enable = false;
+  mods.server.photoprism.enable = false;

  mods.server.wireguard.enable = true;
  mods.server.headscale.enable = false;
+  mods.server.nginx.enable = true;

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
@ -42,8 +40,11 @@ in {
  boot.initrd.checkJournalingFS = false;

  users.users.muon = {
-    openssh.authorizedKeys.keys =
-      [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is'' ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILmAOd9VbhyJeibt6Vrb101MNTk5W8+rh94Djv/C+pyu muon@muho"
+    ];
  };

  # services.static-web-server = {
@ -59,8 +60,10 @@ in {

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
-  users.users.root.openssh.authorizedKeys.keys =
-    [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is'' ];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is"
+  ];

  networking.firewall = {
    enable = true;
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@ -10,5 +10,6 @@
    ./headscale.nix
    ./photoprism.nix
    ./search.nix
+    ./nginx.nix
  ];
 }
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@ -0,0 +1,69 @@
+{ pkgs, lib, config, ... }: {
+  options.mods.server.nginx = {
+    enable = lib.mkEnableOption {
+      default = false;
+      description = "enables nginx reverse proxy";
+    };
+  };
+
+  config = lib.mkIf config.mods.server.nginx.enable {
+    # ACME won't be able to authenticate your domain
+    # if ports 80 & 443 aren't open in your firewall.
+    networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
+    security.acme.defaults.email = "acme@muon.host";
+    security.acme.acceptTerms = true;
+
+    services.nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # Only allow PFS-enabled ciphers with AES256
+      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        # map $scheme $hsts_header {
+            # https   "max-age=31536000; includeSubdomains; preload";
+        # }
+        # add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+
+        # required when the server wants to use HTTP Authentication
+        proxy_pass_header Authorization;
+      '';
+
+      virtualHosts = let
+        base = locations: {
+          inherit locations;
+
+          forceSSL = true;
+          enableACME = true;
+        };
+        proxy = port:
+          base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; };
+      in {
+        # Define example.com as reverse-proxied service on 127.0.0.1:3000
+        "photos.muon.host" = proxy 2283 // { default = true; };
+      };
+    };
+  };
+}
--- a/modules/nixos/server/wireguard.nix
+++ b/modules/nixos/server/wireguard.nix
@ -6,7 +6,6 @@
    };
  };

-
  config = lib.mkIf config.mods.server.wireguard.enable {
    networking.nat = {
      enable = true;
@ -51,6 +50,11 @@
            presharedKeyFile = "/home/muon/wireguard-keys/psk-muon";
            allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
          }
+          { # peer1
+            publicKey = "ohf/tGV9bjDDh/i9U5+DNvFtn+Glm8Wy1ieHoPvXfCo=";
+            presharedKeyFile = "/home/muon/wireguard-keys/psk-muho";
+            allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
+          }
          # More peers can be added here.
        ];
      };
@ -58,9 +62,11 @@

    services.dnsmasq = {
      enable = true;
-      extraConfig = ''
-        interface=wg0
-      '';
+      settings.bind-interfaces = true;
+      settings.interface = "wg0";
+      # extraConfig = ''
+      #   interface=wg0
+      # '';
    };

    # networking.wireguard.interfaces = {