sync before update

configuration.nix

@@ -27,8 +27,8 @@
     ./modules/pigs.nix
 
     ./users.nix
-    # ./networking/caddy.nix
+    ./networking/caddy.nix
-    ./networking/nginx.nix
+    # ./networking/nginx.nix
     ./modules/buildCache.nix
 
     ./modules/nfs.nix

modules/buildCache.nix

@@ -13,7 +13,7 @@
   imports = [ ./../networking/networkSetup.nix ];
 
   services.caddy = {
-    enable = true;
+    # enable = true;
     virtualHosts."cache.deprived.dev" = {
       extraConfig = ''
         reverse_proxy localhost:5444

networking/caddy.nix

@@ -2,6 +2,8 @@
 {
   imports = [ ./networkSetup.nix ];
 
+  services.caddy.enable = true;
+
   services.caddy.virtualHosts."immich.deprived.dev" = {
     extraConfig = ''
       reverse_proxy * 127.0.0.1:2283
@@ -42,6 +44,12 @@
     '';
   };
 
+  services.caddy.virtualHosts."api-ikhlas.systemfutura.com" = {
+    extraConfig = ''
+      reverse_proxy http://api.ikhlas.dk
+    '';
+  };
+
   services.caddy.virtualHosts."jelly.deprived.dev" = {
     extraConfig = ''
       reverse_proxy * 10.0.0.2:8096

networking/nginx.nix

@@ -3,11 +3,13 @@
 {
   imports = [ ./networkSetup.nix ];
 
+  # Ensure the NixOS firewall allows HTTP/HTTPS traffic
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
   services.nginx = {
     enable = true;
 
-    # Highly recommended: automatically adds standard proxy headers 
+    # Automatically handles proxy headers (Host, X-Real-IP, X-Forwarded-For, etc.)
-    # (Host, X-Real-IP, X-Forwarded-For, etc.) mirroring Caddy's default behavior.
     recommendedProxySettings = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
@@ -25,33 +27,44 @@
 
       # --- Simple Proxies ---
 
-      "immich.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:2283";
+      "immich.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:2283"; };
-      "ha.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:8123";
+      "ha.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8123"; };
-      "argocd.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:4325";
+      "argocd.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:4325"; };
-      "webui.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:3000";
+      "webui.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3000"; };
-      "jelly.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:8096";
+      "jelly.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:8096"; };
-      "netbird.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:3324";
+      "netbird.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:3324"; };
-      "seer.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5055";
+      "seer.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5055"; };
-      "penpot.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5544";
+      "penpot.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5544"; };
-      "www.akupunktur-herlev.dk".locations."/".proxyPass = "http://127.0.0.1:6642";
+      "www.akupunktur-herlev.dk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:6642"; };
-      "lyrics.hook.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7576";
+      "lyrics.hook.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7576"; };
-      "docker.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5000";
+      "docker.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5000"; };
-      "docker.ui.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:6842";
+      "docker.ui.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:6842"; };
-      "zhenss.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:8388";
+      "zhenss.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8388"; };
-      "zcol.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7577";
+      "zcol.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7577"; };
-      "zcollection.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7577";
+      "zcollection.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7577"; };
-      "zcollection.mcd.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7578";
+      "zcollection.mcd.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7578"; };
-      "development.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5173";
+      "development.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5173"; };
-      "dev.hook.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:3322";
+      "dev.hook.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3322"; };
 
       # --- Redirects ---
 
-      "yaaumma.com".globalRedirect = "www.yaaumma.com";
+      "yaaumma.com" = {
-      "akupunktur-herlev.dk".globalRedirect = "www.akupunktur-herlev.dk";
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "www.yaaumma.com";
+      };
+
+      "akupunktur-herlev.dk" = {
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "www.akupunktur-herlev.dk";
+      };
 
       # --- Complex Proxies ---
 
       "devcam.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         locations."/" = {
           proxyPass = "http://192.168.50.85:80";
           extraConfig = ''
@@ -66,6 +79,8 @@
       };
 
       "api.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:6333";
           extraConfig = ''
@@ -102,6 +117,8 @@
       };
 
       "pocket.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:3433";
           extraConfig = ''
@@ -138,6 +155,8 @@
       };
 
       "spotify.playing.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:8800";
           extraConfig = ''
@@ -166,6 +185,8 @@
       };
 
       "spotify.api.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:4142";
           extraConfig = ''
@@ -195,6 +216,8 @@
       };
 
       "lyrics.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:7444";
           extraConfig = ''
@@ -212,6 +235,8 @@
       };
 
       "direct.stream.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:3344";
           extraConfig = ''
@@ -223,6 +248,8 @@
       };
 
       "internal.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
         extraConfig = ''
           if ($request_method !~ ^(GET|POST)$) {
               return 405;

users.nix

@@ -19,6 +19,7 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"
     ];
   };
 

vms/kube-daddy/kubernetes.nix

@@ -63,6 +63,20 @@ in
                 exemptions:
                   namespaces: [ "kube-system" ]
           '';
+          authConfig = pkgs.writeTextFile {
+            name = "authentication-config.yaml";
+            text = ''
+              issuer:
+                url: https://auth.deprived.dev/application/o/kubernetes-cluster/
+                audiences: kubernetes-cluster
+              claimMappings:
+                username:
+                  claim: email
+                groups:
+                  claim: groups
+                  prefix: "oidc:"
+            '';
+          };
         in
         "--admission-control-config-file=${admissionConfig}";
     };
@@ -73,11 +87,28 @@ in
     addons.dns.enable = true;
 
     # needed if you use swap
-    kubelet.extraOpts = "--fail-swap-on=false --allow-privileged=true --resolv-conf=/run/systemd/resolve/resolv.conf";
+    kubelet.extraOpts = "--fail-swap-on=false --resolv-conf=/run/systemd/resolve/resolv.conf";
   };
 
   services.flannel = {
     iface = "br0";
     publicIp = "10.0.0.2";
   };
+
+
+  systemd.services."cert-provider" = {
+    description = "serves the cert for control plane on wireguard interface";
+
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 33333 --bind 10.0.0.2";
+
+      # Restart settings
+      Restart = "always";
+      RestartSec = "5s";
+      WorkingDirectory = "/var/lib/kubernetes/secrets";
+    };
+  };
 }