diff --git a/common/archive/acme/cloudflare.ini.example b/common/archive/acme/cloudflare.ini.example
new file mode 100644
index 0000000..3bb6b44
--- /dev/null
+++ b/common/archive/acme/cloudflare.ini.example
@@ -0,0 +1 @@
+CF_DNS_API_TOKEN=
\ No newline at end of file
diff --git a/common/archive/acme/default.nix b/common/archive/acme/default.nix
new file mode 100644
index 0000000..1782ce6
--- /dev/null
+++ b/common/archive/acme/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }: {
+
+ # letsencrypt
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "chris@toph.cc";
+ dnsProvider = "cloudflare";
+ environmentFile = ./cloudflare.ini;
+ };
+ certs = {
+ "ryot.foo" = {
+ extraDomainNames = ["*.ryot.foo"];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/common/archive/caddy/default.nix b/common/archive/caddy/default.nix
new file mode 100644
index 0000000..8d90cde
--- /dev/null
+++ b/common/archive/caddy/default.nix
@@ -0,0 +1,17 @@
+{
+ services.caddy = {
+ enable = true;
+
+ virtualHosts = {
+ "*.ryot.foo" = {
+ useACMEHost = "ryot.foo";
+ extraConfig = builtins.readFile ./ryot.foo.conf;
+ };
+
+ "ryot.foo" = {
+ useACMEHost = "ryot.foo";
+ extraConfig = builtins.readFile ./ryot.foo.conf;
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/common/archive/caddy/ryot.foo.conf b/common/archive/caddy/ryot.foo.conf
new file mode 100644
index 0000000..a750add
--- /dev/null
+++ b/common/archive/caddy/ryot.foo.conf
@@ -0,0 +1,13 @@
+reverse_proxy http://localhost:8080 {
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ header_up X-Forwarded-For {remote}
+ header_up X-Forwarded-Proto {scheme}
+}
+
+reverse_proxy https://localhost:4433 {
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ header_up X-Forwarded-For {remote}
+ header_up X-Forwarded-Proto {scheme}
+}
\ No newline at end of file
diff --git a/common/archive/mailserver/admin.pass b/common/archive/mailserver/admin.pass
new file mode 100644
index 0000000..3dc0b66
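Review bot: `environmentFile = ./cloudflare.ini;` is a Nix path literal, so the file that carries `CF_DNS_API_TOKEN` is copied into the world-readable Nix store at evaluation time and the token becomes readable by every local user; the option should instead reference a file provisioned outside the store, e.g. `environmentFile = "/var/lib/secrets/cloudflare.ini";` (placeholder path — pick the deployment location). The same applies to `hashedPassword = builtins.readFile ./admin.pass;` in common/archive/mailserver/default.nix, where the `hashedPasswordFile` option exists precisely to point at an out-of-store file. The `config`, `lib` and `pkgs` arguments on the first line are all unused and could be dropped from the argument set.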
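Review bot: The `"*.ryot.foo"` and `"ryot.foo"` virtual hosts are identical apart from their names, so the configuration is duplicated and the two blocks can drift apart; the NixOS caddy module's `serverAliases` option folds them into one, `"ryot.foo" = { serverAliases = [ "*.ryot.foo" ]; useACMEHost = "ryot.foo"; extraConfig = builtins.readFile ./ryot.foo.conf; };`. A short comment above `virtualHosts` naming what listens on ports 8080 and 4433 in ryot.foo.conf would also help, since the Nix side gives no hint of what is being proxied.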
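Review bot: The second `reverse_proxy https://localhost:4433` block has no matcher, and the first `reverse_proxy` already claims every request without handing off to later handlers, so the second block looks unreachable as written; if it is meant for a subset of requests it needs a matcher on the directive, and if not it can be removed. `header_up X-Forwarded-For {remote}` also replaces the value Caddy sets by default with `{remote}`, which is `ip:port` rather than the client IP, so anything downstream that parses that header for logging or access control sees a port suffix; `{remote_host}` is the IP alone, and Caddy's reverse_proxy already populates `X-Forwarded-For` and `X-Forwarded-Proto` without these lines. The `https://` upstream on localhost will presumably fail certificate verification unless the backend presents a certificate valid for `localhost`, which deserves a comment on that line.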
--- /dev/null
+++ b/common/archive/mailserver/admin.pass
@@ -0,0 +1 @@
+$2b$05$RAavFe61.2iBTeGdtCI5EuKmFXxRbh/OL199HjBN74hSBCXzxViqS
\ No newline at end of file
diff --git a/common/archive/mailserver/admin.pass.example b/common/archive/mailserver/admin.pass.example
new file mode 100644
index 0000000..ae3cc31
--- /dev/null
+++ b/common/archive/mailserver/admin.pass.example
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/common/archive/mailserver/default.nix b/common/archive/mailserver/default.nix
new file mode 100644
index 0000000..262fa5b
--- /dev/null
+++ b/common/archive/mailserver/default.nix
@@ -0,0 +1,19 @@
+{
+ enable = true;
+ fqdn = "mail.ryot.foo";
+ domains = [ "ryot.foo" ];
+
+ enableImapSsl = true;
+ enableSubmissionSsl = true;
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "[REDACTED]" = {
+ hashedPassword = builtins.readFile ./admin.pass;
+ aliases = ["[REDACTED]"];
+ };
+ };
+
+ certificateScheme = "acme";
+}
\ No newline at end of file
diff --git a/host/proxy/default.nix b/host/proxy/default.nix
index 4993ebf..77971d9 100644
--- a/host/proxy/default.nix
+++ b/host/proxy/default.nix
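Review bot: A live bcrypt hash is committed in common/archive/mailserver/admin.pass even though an `admin.pass.example` template is added alongside it, so the real file should be removed from the tree and covered by the ignore rules, and the account password treated as exposed and rotated. The `$2b$05$` prefix on the hash also shows a bcrypt cost of 5, which is far below the 10–12 usually chosen for login hashes and makes offline guessing cheap; regenerate it with an explicit cost, e.g. `mkpasswd -sm bcrypt -R 12`.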
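Review bot: The file evaluates to a bare attribute set with neither a module argument list nor a `mailserver =` wrapper, so unlike the other `default.nix` files in this commit it cannot be listed in `imports` and is presumably consumed as `mailserver = import ./.;` somewhere; a header comment stating that, e.g. `# Value for the simple-nixos-mailserver "mailserver" option; consume with: mailserver = import ./.;`, would save the next reader from tracing it. The comment above `loginAccounts` gives `mkpasswd -sm bcrypt` without a cost parameter, and the `$2b$05$` hash added in this same commit shows what that recipe produces; adding `-R 12` (or similar) to the quoted command keeps future hashes from being generated at that low cost.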
@@ -1,29 +1,40 @@ -{ modulesPath, config, pkgs, hostName, ... }: +{ + modulesPath, + config, + pkgs, + hostName, + ... +}: { ## MODULES & IMPORTS ## - imports = [ - # Common Modules - ../../common/acme - ../../common/lxc - ../../common/ssh + imports = [ + # Common Modules + ../../common/acme + ../../common/lxc + ../../common/ssh - # Import hardware configuration. - ./hardware.nix + # Import hardware configuration. + ./hardware.nix - # Local Modules + # Local Modules - # caddy - ./modules/caddy - ./modules/cloudflared - ]; + # caddy + ./modules/caddy + ./modules/cloudflared + ]; ## NETWORKING ## networking.firewall = { - allowedTCPPorts = [ 22 80 443 14333 ]; + allowedTCPPorts = [ + 22 + 80 + 443 + 14333 + ]; allowedUDPPorts = [ 53 ]; interfaces.podman1 = { # so that containers find eachother's names - allowedUDPPorts = [ 53 ]; + allowedUDPPorts = [ 53 ]; }; }; @@ -35,7 +46,7 @@ ranger sshfs ]; - + environment.etc = { "cloudflared/.keep" = { text = "This directory is used to store cloudflared configuration files.";