update

2024-11-19 05:13:13 +09:00 · 2024-11-19 05:13:13 +09:00 · 57788dfbaa
commit 57788dfbaa
parent 22c0fd8a46
2 changed files with 56 additions and 4 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:

 let
  kubeMasterIP = "192.168.11.2";
@ -25,6 +25,7 @@ in
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./containers.nix
+      ./nginx.nix
    ];

  nix.settings.trusted-users = [ "root" "liu" ];
@ -125,7 +126,7 @@ in
    extraGroups = [ "networkmanager" "wheel" "docker" ];
  };
  users.extraGroups.docker.members = [ "liu" ];
-
+  users.users.nginx.extraGroups = [ "acme" ];
  fonts = {
    fontDir.enable = true;
    enableDefaultPackages = true;
@ -165,7 +166,7 @@ in
    serviceConfig = {
      Type = "simple";
      User = "root";
-      ExecStart = "${pkgs.easytier}/bin/easytier-core --file-log-level debug -i 10.144.144.1 --network-name 5b601a6b-fbc0-4c26-b8fb-0b6be0edfbf9 --network-secret d112e133-c80d-4b48-86bc-a2ec83a5e652 -e tcp://oracle-amd-ubuntu-1.ly-dodo.win:11010";
+      ExecStart = "${pkgs.easytier}/bin/easytier-core --file-log-level debug -i 10.144.144.1 --network-name 5b601a6b-fbc0-4c26-b8fb-0b6be0edfbf9 --network-secret d112e133-c80d-4b48-86bc-a2ec83a5e652 -n 192.168.11.0/24 -e tcp://oracle-amd-ubuntu-1.ly-dodo.win:11010";
      # ...
    };
    path = with pkgs; [iptables-legacy iproute2 bash];
@ -177,7 +178,7 @@ in
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  # services.netclient.enable = true;
-#  services.netbird.enable = true;
+  # services.netbird.enable = true;
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
@ -243,6 +244,22 @@ in
    openFirewall = true;
    host = "0.0.0.0";
  };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "leon.liuyang.d@gmail.com";
+
+    certs."home.ly-dodo.win" = {
+      domain = "*.home.ly-dodo.win";
+      dnsProvider = "cloudflare";
+      dnsResolver = "1.1.1.1:53";
+      dnsPropagationCheck = true;
+      environmentFile = "${pkgs.writeText "cloudflare-creds" ''
+        CLOUDFLARE_DNS_API_TOKEN=2HvBOy8LzwnvssuL4jZxOVlMtHoLP981FJRY2cQF
+      ''}";
+    };
+  };
+
+  systemd.services.caddy.serviceConfig.EnvironmentFile = ["/opt/caddy/env"];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/nginx.nix
+++ b/nginx.nix
@ -0,0 +1,35 @@
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{ 
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = 
+      let
+        proxy = port: {
+          forceSSL = true;
+          useACMEHost = "home.ly-dodo.win";
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString port}";
+            proxyWebsockets = true; # needed if you need to use WebSocket
+            extraConfig =
+              # required when the target is also TLS server with multiple hosts
+              # "proxy_ssl_server_name on;" +
+              
+              # required when the server wants to use HTTP Authentication
+              "proxy_pass_header Authorization;"
+              ;
+          };
+
+        };  
+      in {
+      "open-webui.home.ly-dodo.win" = proxy 8080;
+      "adguard.home.ly-dodo.win" = proxy 8082;
+      "plex.home.ly-dodo.win" = proxy 32400;
+      "qbittorrent.home.ly-dodo.win" = proxy 30011;
+      "paperless.home.ly-dodo.win" = proxy 30012;
+    };
+  };
+}