From c6f54cc96a2ff86770726dd19c50732da63e024c Mon Sep 17 00:00:00 2001 From: BOTAlex Date: Fri, 1 May 2026 19:06:13 +0200 Subject: [PATCH] sync before update --- configuration.nix | 4 +- modules/buildCache.nix | 2 +- networking/caddy.nix | 8 ++++ networking/nginx.nix | 77 +++++++++++++++++++++++------------ users.nix | 1 + vms/kube-daddy/kubernetes.nix | 33 ++++++++++++++- 6 files changed, 96 insertions(+), 29 deletions(-) diff --git a/configuration.nix b/configuration.nix index 155c111..d764535 100755 --- a/configuration.nix +++ b/configuration.nix @@ -27,8 +27,8 @@ ./modules/pigs.nix ./users.nix - # ./networking/caddy.nix - ./networking/nginx.nix + ./networking/caddy.nix + # ./networking/nginx.nix ./modules/buildCache.nix ./modules/nfs.nix diff --git a/modules/buildCache.nix b/modules/buildCache.nix index 2b0af00..c754e3c 100644 --- a/modules/buildCache.nix +++ b/modules/buildCache.nix @@ -13,7 +13,7 @@ imports = [ ./../networking/networkSetup.nix ]; services.caddy = { - enable = true; + # enable = true; virtualHosts."cache.deprived.dev" = { extraConfig = '' reverse_proxy localhost:5444 diff --git a/networking/caddy.nix b/networking/caddy.nix index c056985..c6ccc79 100644 --- a/networking/caddy.nix +++ b/networking/caddy.nix @@ -2,6 +2,8 @@ { imports = [ ./networkSetup.nix ]; + services.caddy.enable = true; + services.caddy.virtualHosts."immich.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:2283 @@ -42,6 +44,12 @@ ''; }; + services.caddy.virtualHosts."api-ikhlas.systemfutura.com" = { + extraConfig = '' + reverse_proxy http://api.ikhlas.dk + ''; + }; + services.caddy.virtualHosts."jelly.deprived.dev" = { extraConfig = '' reverse_proxy * 10.0.0.2:8096 diff --git a/networking/nginx.nix b/networking/nginx.nix index 6fae894..a1e5939 100644 --- a/networking/nginx.nix +++ b/networking/nginx.nix 
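Review bot: Commenting out `enable = true;` in modules/buildCache.nix leaves this module defining a Caddy virtual host that only takes effect if some other imported module enables the service; after this patch that is networking/caddy.nix, which configuration.nix swaps in at the same time, so `cache.deprived.dev` silently disappears if that import is ever toggled back. `services.caddy.enable` is a boolean option and identical definitions merge without conflict, so the explicit `enable = true;` can stay here and keep the module self-contained. If the line is meant to go, delete it rather than leave commented-out code.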
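Review bot: The new `api-ikhlas.systemfutura.com` host in networking/caddy.nix proxies to `http://api.ikhlas.dk`, so Caddy terminates TLS for the client and then forwards the request in plaintext to an upstream that, judging by the name, is not on this machine; the hop from the proxy to the upstream is unencrypted. Caddy also keeps the client's Host header by default, so the upstream sees `api-ikhlas.systemfutura.com` and may not route the request to the intended site. If the upstream serves HTTPS, `reverse_proxy https://api.ikhlas.dk { header_up Host {upstream_hostport} }` addresses both points; if it is plaintext only, a one-line comment recording that this hop is intentionally unencrypted would help the next reader.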
@@ -3,11 +3,13 @@ { imports = [ ./networkSetup.nix ]; + # Ensure the NixOS firewall allows HTTP/HTTPS traffic + networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.nginx = { enable = true; - - # Highly recommended: automatically adds standard proxy headers - # (Host, X-Real-IP, X-Forwarded-For, etc.) mirroring Caddy's default behavior. + + # Automatically handles proxy headers (Host, X-Real-IP, X-Forwarded-For, etc.) recommendedProxySettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; 
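Review bot: The `networking.firewall.allowedTCPPorts = [ 80 443 ];` added here lives in a file that the same patch removes from configuration.nix's imports (`# ./networking/nginx.nix`), so after this commit nothing in this hunk is evaluated and ports 80/443 are opened for Caddy only if networkSetup.nix or another imported module does it; as far as I know the NixOS caddy module does not open the firewall by itself, so this is worth confirming. Since every virtual host gains `forceSSL`/`enableACME` further down, `recommendedTlsSettings = true;` next to the other `recommended*` options would also apply the module's TLS protocol and cipher defaults, unless it is already set outside the hunk.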
@@ -25,33 +27,44 @@ # --- Simple Proxies --- - "immich.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:2283"; - "ha.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:8123"; - "argocd.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:4325"; - "webui.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:3000"; - "jelly.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:8096"; - "netbird.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:3324"; - "seer.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5055"; - "penpot.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5544"; - "www.akupunktur-herlev.dk".locations."/".proxyPass = "http://127.0.0.1:6642"; - "lyrics.hook.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7576"; - "docker.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5000"; - "docker.ui.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:6842"; - "zhenss.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:8388"; - "zcol.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7577"; - "zcollection.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7577"; - "zcollection.mcd.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7578"; - "development.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5173"; - "dev.hook.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:3322"; + "immich.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:2283"; }; + "ha.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8123"; }; + "argocd.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:4325"; }; + "webui.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3000"; }; + "jelly.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:8096"; }; 
+ "netbird.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:3324"; }; + "seer.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5055"; }; + "penpot.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5544"; }; + "www.akupunktur-herlev.dk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:6642"; }; + "lyrics.hook.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7576"; }; + "docker.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5000"; }; + "docker.ui.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:6842"; }; + "zhenss.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8388"; }; + "zcol.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7577"; }; + "zcollection.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7577"; }; + "zcollection.mcd.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7578"; }; + "development.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5173"; }; + "dev.hook.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3322"; }; # --- Redirects --- - - "yaaumma.com".globalRedirect = "www.yaaumma.com"; - "akupunktur-herlev.dk".globalRedirect = "www.akupunktur-herlev.dk"; + + "yaaumma.com" = { + forceSSL = true; + enableACME = true; + globalRedirect = "www.yaaumma.com"; + }; + + "akupunktur-herlev.dk" = { + forceSSL = true; + enableACME = true; + globalRedirect = "www.akupunktur-herlev.dk"; + }; # --- Complex Proxies --- "devcam.deprived.dev" = { + forceSSL 
= true; + enableACME = true; locations."/" = { proxyPass = "http://192.168.50.85:80"; extraConfig = '' @@ -66,6 +79,8 @@ }; "api.deprived.dev" = { + forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:6333"; extraConfig = '' @@ -102,6 +117,8 @@ }; "pocket.deprived.dev" = { + forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:3433"; extraConfig = '' @@ -138,6 +155,8 @@ }; "spotify.playing.deprived.dev" = { + forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:8800"; extraConfig = '' @@ -166,6 +185,8 @@ }; "spotify.api.deprived.dev" = { + forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:4142"; extraConfig = '' @@ -195,6 +216,8 @@ }; "lyrics.deprived.dev" = { + forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:7444"; extraConfig = '' @@ -212,6 +235,8 @@ }; "direct.stream.deprived.dev" = { + forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:3344"; extraConfig = '' @@ -223,6 +248,8 @@ }; "internal.deprived.dev" = { + forceSSL = true; + enableACME = true; extraConfig = '' if ($request_method !~ ^(GET|POST)$) { return 405; @@ -251,7 +278,7 @@ ''; }; }; - + }; }; } diff --git a/users.nix b/users.nix index c70f253..d62fd79 100644 --- a/users.nix +++ b/users.nix @@ -19,6 +19,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server" ]; }; diff --git a/vms/kube-daddy/kubernetes.nix b/vms/kube-daddy/kubernetes.nix index 57946e4..d2fed31 100644 --- a/vms/kube-daddy/kubernetes.nix +++ b/vms/kube-daddy/kubernetes.nix 
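Review bot: Every virtual host now sets `enableACME = true`, which the NixOS ACME module refuses to evaluate unless `security.acme.acceptTerms = true` and a contact address such as `security.acme.defaults.email` are set; neither appears in this patch, so they must exist elsewhere or the build fails as soon as nginx.nix is imported again. The same `forceSSL = true; enableACME = true;` pair is pasted into all 18 simple proxies here and repeated in the api, pocket, spotify.playing, spotify.api, lyrics, direct.stream and internal hunks below; a small helper in a `let` would remove the duplication and keep the TLS policy in one place, for example `proxy = target: { forceSSL = true; enableACME = true; locations."/".proxyPass = target; };` used as `"immich.deprived.dev" = proxy "http://127.0.0.1:2283";`. The enclosing virtualHosts set begins before this hunk and the devcam host continues after it.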
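Review bot: The final nginx.nix hunk (`@@ -251,7 +278,7 @@`) replaces a blank line with an extra `};`, which changes the brace balance of the file rather than just its layout; because configuration.nix in this same patch comments nginx.nix out of the imports, the file is never evaluated here and an unbalanced closer would go unnoticed until it is re-enabled. Worth running `nix-instantiate --parse networking/nginx.nix` before merging, and annotating the nested closers (`}; # virtualHosts` / `}; # services.nginx`) so the nesting is readable at the end of a ~280-line file.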
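Review bot: The new `baritone@server` key in users.nix is added with nothing recording which host or job it belongs to, and a comment ending in `server` suggests a machine identity rather than a person; a short comment above the entry naming its purpose and owner would make the next audit of this list much easier. If it is for automation, the authorized_keys options can go in the key string (`"restrict,command=\"…\" ssh-ed25519 …"`) so the key cannot open an interactive shell. The user this key list belongs to is declared above the hunk, so I cannot tell from here whether it is a privileged account.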
@@ -63,6 +63,20 @@ in exemptions: namespaces: [ "kube-system" ] ''; + authConfig = pkgs.writeTextFile { + name = "authentication-config.yaml"; + text = '' + issuer: + url: https://auth.deprived.dev/application/o/kubernetes-cluster/ + audiences: kubernetes-cluster + claimMappings: + username: + claim: email + groups: + claim: groups + prefix: "oidc:" + ''; + }; in "--admission-control-config-file=${admissionConfig}"; }; @@ -73,11 +87,28 @@ in addons.dns.enable = true; # needed if you use swap - kubelet.extraOpts = "--fail-swap-on=false --allow-privileged=true --resolv-conf=/run/systemd/resolve/resolv.conf"; + kubelet.extraOpts = "--fail-swap-on=false --resolv-conf=/run/systemd/resolve/resolv.conf"; }; services.flannel = { iface = "br0"; publicIp = "10.0.0.2"; }; + + + systemd.services."cert-provider" = { + description = "serves the cert for control plane on wireguard interface"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.python3}/bin/python3 -m http.server 33333 --bind 10.0.0.2"; + + # Restart settings + Restart = "always"; + RestartSec = "5s"; + WorkingDirectory = "/var/lib/kubernetes/secrets"; + }; + }; }
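Review bot: `authConfig` is declared in the `let` but never used — the `in` expression still yields only `--admission-control-config-file=${admissionConfig}` — so no OIDC authentication is actually wired into the API server even though the config now exists, which gives a false sense that it is enforced. If structured authentication is the intent, the flag is `--authentication-config=${authConfig}` in that same string, and I believe the file also needs the `AuthenticationConfiguration` shape (an `apiVersion`/`kind` header, the issuer and claimMappings nested under a `jwt:` list, `audiences` as a list, and a `prefix` on the username mapping) or the API server rejects it at startup; because the file is unused today, that would not surface until it is wired in. The enclosing `let` starts above the hunk.
```nix
    authConfig = pkgs.writeTextFile {
      name = "authentication-config.yaml";
      # apiVersion is v1beta1 on 1.30/1.31 and v1 from 1.32 — match the cluster version.
      text = ''
        apiVersion: apiserver.config.k8s.io/v1beta1
        kind: AuthenticationConfiguration
        jwt:
        - issuer:
            url: https://auth.deprived.dev/application/o/kubernetes-cluster/
            audiences:
            - kubernetes-cluster
          claimMappings:
            username:
              claim: email
              prefix: ""
            groups:
              claim: groups
              prefix: "oidc:"
      '';
    };
  in "--admission-control-config-file=${admissionConfig} --authentication-config=${authConfig}";
```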
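Review bot: The new `cert-provider` unit runs `python3 -m http.server 33333 --bind 10.0.0.2` with `WorkingDirectory = "/var/lib/kubernetes/secrets"`, which serves that entire directory, with listing enabled, over plaintext HTTP and as root (no `User`), to anything that can reach 10.0.0.2:33333. In the NixOS kubernetes module that path is the default secrets directory and typically holds private keys alongside the certificates, so every peer on that interface could fetch control-plane key material, not just the CA certificate the description mentions. If the goal is only to publish the CA certificate, copy that one public file into a dedicated directory, serve only that with `--directory`, run the unit unprivileged with the usual hardening, and scope the port with `networking.firewall.interfaces.<iface>.allowedTCPPorts`; dropping `--allow-privileged=true` from the kubelet in the same hunk is a good change. A sketch (the certificate file name is a placeholder, since the patch does not name it):
```nix
  systemd.services."cert-provider" = {
    description = "serves the control-plane CA certificate on the wireguard interface";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Copy only the public certificate into a runtime dir; "+" runs the copy as root
      # so the unprivileged service user never needs access to the secrets directory.
      RuntimeDirectory = "cert-provider";
      ExecStartPre = "+${pkgs.coreutils}/bin/install -m 0444 /var/lib/kubernetes/secrets/CA_CERT_FILE_PLACEHOLDER /run/cert-provider/";
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 33333 --bind 10.0.0.2 --directory /run/cert-provider";
      DynamicUser = true;
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      # … unchanged: Restart / RestartSec …
    };
  };
```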