diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix
index 8d0e097..a40eee6 100644
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -9,6 +9,7 @@
 ./hardware.nix
 ./mailserver.nix
 ./nextcloud.nix
+ ./nginx.nix
 ./podman.nix
 ./security
 ];
diff --git a/hosts/pi4/forgejo.nix b/hosts/pi4/forgejo.nix
index 5bd13f5..9603bb7 100644
--- a/hosts/pi4/forgejo.nix
+++ b/hosts/pi4/forgejo.nix
@@ -6,12 +6,21 @@
 ...
 }:
 let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
 domain = "beta.code.${common.domain}";
 passwordKey = "forgejo/admin-pass";
 runnerTokenKey = "forgejo/runner-token";
 in
 {
 services = {
+ nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
+ serverAliases = [ "beta.git.${common.domain}" ];
+ };
+
 forgejo = {
 enable = true;
 database.type = "postgres";
diff --git a/hosts/pi4/mailserver.nix b/hosts/pi4/mailserver.nix
index f86dcf0..2c10b70 100644
--- a/hosts/pi4/mailserver.nix
+++ b/hosts/pi4/mailserver.nix
@@ -33,10 +33,14 @@ in
 # Use Let's Encrypt certificates. Note that this needs to set up a stripped
 # down nginx and opens port 80.
- # certificateScheme = "acme-nginx";
+ certificateScheme = "acme-nginx";
 };
- # security.acme.acceptTerms = true;
- # security.acme.defaults.email = "security@example.com";
+
+ networking.firewall.allowedTCPPorts = [
+ 25
+ 465
+ 587
+ ];
 services.nginx.virtualHosts.${cfg.fqdn}.listen = lib.mkForce [
 {
diff --git a/hosts/pi4/nginx.nix b/hosts/pi4/nginx.nix
new file mode 100644
index 0000000..c93b88e
--- /dev/null
+++ b/hosts/pi4/nginx.nix
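Review bot: The new vhost in forgejo.nix proxies to `127.0.0.1:${srv.HTTP_PORT}`, but nothing in the hunk pins Forgejo's own listener to loopback; as far as I recall the NixOS module's `HTTP_ADDR` defaults to all interfaces, so the service would still answer directly on its port unless that is overridden outside this hunk — consider adding `settings.server.HTTP_ADDR = "127.0.0.1";` inside the `forgejo` block. For generated links and the alias to resolve to the public name, `settings.server.ROOT_URL` should be `https://${domain}/`; the `forgejo` attribute set opened at the end of the hunk closes outside it, so this may already be set below. `config` must be among the named function arguments above the hunk for `cfg = config.services.forgejo` to resolve; only `...` is visible here.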
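Review bot: The `networking.firewall.allowedTCPPorts` list added to mailserver.nix opens the SMTP/submission ports by hand, and I believe the mailserver module can open the ports of its enabled protocols itself, so the list is either redundant or implies that module option was turned off somewhere outside this hunk; a comment stating the intent would settle it, e.g. `# Expose SMTP (25), SMTPS (465) and submission (587) only; IMAP is deliberately not opened here` if that is the intent. Enabling `certificateScheme = "acme-nginx"` now relies on `security.acme.acceptTerms` and `defaults.email` being set in hosts/pi4/nginx.nix instead of the lines removed here, which holds only as long as default.nix keeps importing both files; a one-line comment next to `certificateScheme` pointing at nginx.nix would make that coupling visible. The enclosing `mailserver` attribute set starts before this hunk and the `services.nginx` listen block continues past it.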
@@ -0,0 +1,76 @@
+{
+ common,
+ ...
+}:
+let
+ domain = common.domain;
+ proxyTo = address: port: {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "${address}:${builtins.toString port}";
+ };
+ proxyLocations = locations: {
+ enableACME = true;
+ forceSSL = true;
+ inherit locations;
+ };
+ homelab = common.localIpAddr 231;
+ homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
+ redirect = subdomain: {
+ globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
+ };
+in
+{
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ # Beta is currently stable
+ "beta.${domain}" = redirect "";
+ "git.${domain}" = redirect "code";
+ "kitchenowl.${domain}" = redirect "grocery";
+ # Gitea
+ "code.${domain}" = homelabProxy 3000;
+ # Nextcloud
+ "nextcloud.${domain}" = proxyLocations {
+ "/".proxyPass = "${homelab}:11000";
+ "/.well-known/carddav".return = "301 /remote.php/dav";
+ "/.well-known/caldav".return = "301 /remote.php/dav";
+ };
+ # Kitchenowl
+ "grocery.${domain}" = homelabProxy 800;
+ # Actual budget
+ "budget.${domain}" = homelabProxy 5006;
+ # Uptime Kuma
+ "status.${domain}" = homelabProxy 3001;
+ # Headscale
+ "vpm.${domain}" = proxyLocations {
+ "/web".proxyPass = "${homelab}:8084";
+ "/".proxyPass = "${homelab}:8082";
+ };
+ # Headscale SmartDNS
+ "dns.${domain}" = homelabProxy 8082;
+ # FreshRSS
+ "rss.${domain}" = homelabProxy 8085;
+ # Ente backend
+ "api.ente.${domain}" = homelabProxy 8083;
+ # Ente Photos frontend
+ "ente.${domain}" = homelabProxy 3003;
+ # Ente Auth frontend
+ "mfa.${domain}" = homelabProxy 3004;
+ # Homepage / portfolio
+ "${domain}" = homelabProxy 4321;
+ # Yamtrack
+ "track.${domain}" = homelabProxy 8090;
+ # Donetick
+ "chore.${domain}" = homelabProxy 2021;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@${domain}";
+}
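Review bot: Nothing in this new file opens TCP 80/443 in the firewall, and the NixOS nginx module does not do so on its own, so unless another imported file (perhaps `./security`) already does, the ACME HTTP-01 challenges and every `forceSSL` vhost declared here are unreachable from outside; add `networking.firewall.allowedTCPPorts = [ 80 443 ];` next to `services.nginx`. Also, `proxyTo` builds `proxyPass` as `"${address}:${port}"`, which nginx only accepts when `common.localIpAddr 231` already yields a URL carrying its `http://` scheme — worth confirming, since forgejo.nix spells the scheme out explicitly. Stylistically `proxyTo` duplicates `proxyLocations`; `proxyTo = address: port: proxyLocations { "/".proxyPass = "${address}:${builtins.toString port}"; };` drops the repeated `enableACME`/`forceSSL` pair. The `# TODO get homelab local ip from systems` comment sits on `homelabProxy` rather than on the `homelab` binding it refers to.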