sync before update

2026-05-06 10:02:30 +02:00 · 2026-05-01 19:06:13 +02:00 · 2026-05-01 19:06:13 +02:00 · c6f54cc96a
commit c6f54cc96a
parent 8e1dd6fbb1
6 changed files with 96 additions and 29 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -27,8 +27,8 @@
    ./modules/pigs.nix

    ./users.nix
-    # ./networking/caddy.nix
-    ./networking/nginx.nix
+    ./networking/caddy.nix
+    # ./networking/nginx.nix
    ./modules/buildCache.nix

    ./modules/nfs.nix
--- a/modules/buildCache.nix
+++ b/modules/buildCache.nix
@ -13,7 +13,7 @@
  imports = [ ./../networking/networkSetup.nix ];

  services.caddy = {
-    enable = true;
+    # enable = true;
    virtualHosts."cache.deprived.dev" = {
      extraConfig = ''
        reverse_proxy localhost:5444
--- a/networking/caddy.nix
+++ b/networking/caddy.nix
@ -2,6 +2,8 @@
 {
  imports = [ ./networkSetup.nix ];

+  services.caddy.enable = true;
+
  services.caddy.virtualHosts."immich.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:2283
@ -42,6 +44,12 @@
    '';
  };

+  services.caddy.virtualHosts."api-ikhlas.systemfutura.com" = {
+    extraConfig = ''
+      reverse_proxy http://api.ikhlas.dk
+    '';
+  };
+
  services.caddy.virtualHosts."jelly.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 10.0.0.2:8096
--- a/networking/nginx.nix
+++ b/networking/nginx.nix
@ -3,11 +3,13 @@
 {
  imports = [ ./networkSetup.nix ];

+  # Ensure the NixOS firewall allows HTTP/HTTPS traffic
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
  services.nginx = {
    enable = true;
-    
-    # Highly recommended: automatically adds standard proxy headers 
-    # (Host, X-Real-IP, X-Forwarded-For, etc.) mirroring Caddy's default behavior.
+
+    # Automatically handles proxy headers (Host, X-Real-IP, X-Forwarded-For, etc.)
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
@ -25,33 +27,44 @@

      # --- Simple Proxies ---

-      "immich.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:2283";
-      "ha.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:8123";
-      "argocd.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:4325";
-      "webui.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:3000";
-      "jelly.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:8096";
-      "netbird.deprived.dev".locations."/".proxyPass = "http://10.0.0.2:3324";
-      "seer.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5055";
-      "penpot.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5544";
-      "www.akupunktur-herlev.dk".locations."/".proxyPass = "http://127.0.0.1:6642";
-      "lyrics.hook.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7576";
-      "docker.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5000";
-      "docker.ui.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:6842";
-      "zhenss.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:8388";
-      "zcol.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7577";
-      "zcollection.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7577";
-      "zcollection.mcd.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:7578";
-      "development.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:5173";
-      "dev.hook.deprived.dev".locations."/".proxyPass = "http://127.0.0.1:3322";
+      "immich.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:2283"; };
+      "ha.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8123"; };
+      "argocd.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:4325"; };
+      "webui.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3000"; };
+      "jelly.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:8096"; };
+      "netbird.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://10.0.0.2:3324"; };
+      "seer.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5055"; };
+      "penpot.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5544"; };
+      "www.akupunktur-herlev.dk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:6642"; };
+      "lyrics.hook.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7576"; };
+      "docker.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5000"; };
+      "docker.ui.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:6842"; };
+      "zhenss.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8388"; };
+      "zcol.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7577"; };
+      "zcollection.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7577"; };
+      "zcollection.mcd.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:7578"; };
+      "development.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5173"; };
+      "dev.hook.deprived.dev" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3322"; };

      # --- Redirects ---
-      
-      "yaaumma.com".globalRedirect = "www.yaaumma.com";
-      "akupunktur-herlev.dk".globalRedirect = "www.akupunktur-herlev.dk";
+
+      "yaaumma.com" = {
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "www.yaaumma.com";
+      };
+
+      "akupunktur-herlev.dk" = {
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "www.akupunktur-herlev.dk";
+      };

      # --- Complex Proxies ---

      "devcam.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://192.168.50.85:80";
          extraConfig = ''
@ -66,6 +79,8 @@
      };

      "api.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:6333";
          extraConfig = ''
@ -102,6 +117,8 @@
      };

      "pocket.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3433";
          extraConfig = ''
@ -138,6 +155,8 @@
      };

      "spotify.playing.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8800";
          extraConfig = ''
@ -166,6 +185,8 @@
      };

      "spotify.api.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:4142";
          extraConfig = ''
@ -195,6 +216,8 @@
      };

      "lyrics.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:7444";
          extraConfig = ''
@ -212,6 +235,8 @@
      };

      "direct.stream.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3344";
          extraConfig = ''
@ -223,6 +248,8 @@
      };

      "internal.deprived.dev" = {
+        forceSSL = true;
+        enableACME = true;
        extraConfig = ''
          if ($request_method !~ ^(GET|POST)$) {
              return 405;
@ -251,7 +278,7 @@
          '';
        };
      };
-      
+
    };
  };
 }
--- a/users.nix
+++ b/users.nix
@ -19,6 +19,7 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"
    ];
  };

--- a/vms/kube-daddy/kubernetes.nix
+++ b/vms/kube-daddy/kubernetes.nix
@ -63,6 +63,20 @@ in
                exemptions:
                  namespaces: [ "kube-system" ]
          '';
+          authConfig = pkgs.writeTextFile {
+            name = "authentication-config.yaml";
+            text = ''
+              issuer:
+                url: https://auth.deprived.dev/application/o/kubernetes-cluster/
+                audiences: kubernetes-cluster
+              claimMappings:
+                username:
+                  claim: email
+                groups:
+                  claim: groups
+                  prefix: "oidc:"
+            '';
+          };
        in
        "--admission-control-config-file=${admissionConfig}";
    };
@ -73,11 +87,28 @@ in
    addons.dns.enable = true;

    # needed if you use swap
-    kubelet.extraOpts = "--fail-swap-on=false --allow-privileged=true --resolv-conf=/run/systemd/resolve/resolv.conf";
+    kubelet.extraOpts = "--fail-swap-on=false --resolv-conf=/run/systemd/resolve/resolv.conf";
  };

  services.flannel = {
    iface = "br0";
    publicIp = "10.0.0.2";
  };
+
+
+  systemd.services."cert-provider" = {
+    description = "serves the cert for control plane on wireguard interface";
+
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 33333 --bind 10.0.0.2";
+
+      # Restart settings
+      Restart = "always";
+      RestartSec = "5s";
+      WorkingDirectory = "/var/lib/kubernetes/secrets";
+    };
+  };
 }