diff --git a/configuration.nix b/configuration.nix
index e926e50..04c1dfb 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 let
 kubeMasterIP = "192.168.11.2";
@@ -25,6 +25,7 @@ in
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./containers.nix
+ ./nginx.nix
 ];
 
 nix.settings.trusted-users = [ "root" "liu" ];
@@ -125,7 +126,7 @@ in
 extraGroups = [ "networkmanager" "wheel" "docker" ];
 };
 users.extraGroups.docker.members = [ "liu" ];
-
+ users.users.nginx.extraGroups = [ "acme" ];
 fonts = {
 fontDir.enable = true;
 enableDefaultPackages = true;
@@ -165,7 +166,7 @@ in
 serviceConfig = {
 Type = "simple";
 User = "root";
- ExecStart = "${pkgs.easytier}/bin/easytier-core --file-log-level debug -i 10.144.144.1 --network-name 5b601a6b-fbc0-4c26-b8fb-0b6be0edfbf9 --network-secret d112e133-c80d-4b48-86bc-a2ec83a5e652 -e tcp://oracle-amd-ubuntu-1.ly-dodo.win:11010";
+ ExecStart = "${pkgs.easytier}/bin/easytier-core --file-log-level debug -i 10.144.144.1 --network-name 5b601a6b-fbc0-4c26-b8fb-0b6be0edfbf9 --network-secret d112e133-c80d-4b48-86bc-a2ec83a5e652 -n 192.168.11.0/24 -e tcp://oracle-amd-ubuntu-1.ly-dodo.win:11010";
 # ...
 };
 path = with pkgs; [iptables-legacy iproute2 bash];
@@ -177,7 +178,7 @@ in
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
 # services.netclient.enable = true;
-# services.netbird.enable = true;
+ # services.netbird.enable = true;
 # List packages installed in system profile. To search, run:
 # $ nix search wget
 environment.systemPackages = with pkgs; [
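Review bot: In the `@@ -165,7 +166,7 @@` hunk the easytier `--network-secret` value is still passed on the ExecStart command line, so the rendered unit file carries it into the world-readable `/nix/store` and this repository's history; the commit only appends `-n 192.168.11.0/24`, but that flag deserves a second look too, because it advertises the whole 192.168.11.0/24 LAN (the `kubeMasterIP` subnet) to every peer of the mesh rather than just this host. Move the secret out of the store into a root-only file referenced through `EnvironmentFile` or `LoadCredential`, the same pattern this commit applies to the caddy unit, and rotate the value that is now committed. The enclosing `systemd.services` definition starts and ends outside the hunk.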
@@ -243,6 +244,22 @@ in
 openFirewall = true;
 host = "0.0.0.0";
 };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "leon.liuyang.d@gmail.com";
+
+ certs."home.ly-dodo.win" = {
+ domain = "*.home.ly-dodo.win";
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ environmentFile = "${pkgs.writeText "cloudflare-creds" ''
+ CLOUDFLARE_DNS_API_TOKEN=2HvBOy8LzwnvssuL4jZxOVlMtHoLP981FJRY2cQF
+ ''}";
+ };
+ };
+
+ systemd.services.caddy.serviceConfig.EnvironmentFile = ["/opt/caddy/env"];
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/nginx.nix b/nginx.nix
new file mode 100644
index 0000000..e64f78a
--- /dev/null
+++ b/nginx.nix
@@ -0,0 +1,35 @@
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts =
+ let
+ proxy = port: {
+ forceSSL = true;
+ useACMEHost = "home.ly-dodo.win";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ # required when the target is also TLS server with multiple hosts
+ # "proxy_ssl_server_name on;"
+
+ # required when the server wants to use HTTP Authentication
+ "proxy_pass_header Authorization;"
+ ;
+ };
+
+ };
+ in {
+ "open-webui.home.ly-dodo.win" = proxy 8080;
+ "adguard.home.ly-dodo.win" = proxy 8082;
+ "plex.home.ly-dodo.win" = proxy 32400;
+ "qbittorrent.home.ly-dodo.win" = proxy 30011;
+ "paperless.home.ly-dodo.win" = proxy 30012;
+ };
+ };
+}
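Review bot: The Cloudflare API token in the new `security.acme` block is wrapped in `pkgs.writeText`, which copies it into the world-readable `/nix/store` on every machine that builds this configuration and also lands it in this repository; `environmentFile` is meant to point at a file that lives outside the store. Replace it with a root-owned file provisioned out of band, e.g. `environmentFile = "/var/lib/acme/cloudflare-creds";` (placeholder path), or a secrets-management module, and revoke the token that is now in git history. Since `dnsPropagationCheck = true` blocks issuance until the record is visible through `dnsResolver = "1.1.1.1:53"`, it is also worth confirming that resolver is reachable from this host given the adguard instance proxied in nginx.nix.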
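Review bot: The five vhosts in nginx.nix all share the wildcard certificate, but none is marked `default = true`, so a TLS request for any other name (or the bare IP) that reaches this host is answered by whichever server block nginx picks first, here `open-webui.home.ly-dodo.win`, which leaks that service to name-guessing scans. Add a catch-all entry beside the proxied hosts, `"_" = { default = true; rejectSSL = true; };`, so unmatched names are refused instead of being routed to the first service. The `modulesPath` argument in the function header is unused and can be dropped, and the `# "proxy_ssl_server_name on;"` comment could say why it is disabled, e.g. `# not needed: all upstreams are plain HTTP on 127.0.0.1`.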