# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
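# NixOS module for the "minotarproxy" service: assigns a block of alias IPv4
# addresses to the loopback interface, opens the HTTP/HTTPS ports, and runs
# the proxy as a dedicated unprivileged system user.
{ depot, lib, ... }:

let
  # 92.118.29.1 .. 92.118.29.253; passed to the proxy via --outbound_bind and
  # configured as /32 addresses on lo so the host can bind to them.
  aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);

  # Address the proxy listens on. It falls inside the aliasIPs range, so it is
  # also one of the outbound bind addresses.
  listenIP = "92.118.29.225";

  # Directory handed to --autocert_cache_dir; created by the tmpfiles rule below.
  # NOTE(review): /run is normally a tmpfs, so whatever the proxy caches here
  # (presumably issued certificates and their private keys) is lost on every
  # reboot and has to be re-issued. Confirm that is intended; repeated
  # issuance can run into CA rate limits. A systemd StateDirectory would
  # persist it with the same owner-only access.
  cacheDir = "/run/minotarproxy";
in {
  networking.interfaces.lo.ipv4.addresses =
    map (address: { inherit address; prefixLength = 32; }) aliasIPs;

  # Port 443 serves the proxy itself; port 80 is what --autocert_insecure_bind
  # listens on.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # NOTE(review): newer NixOS releases also require an explicit `group` for
  # system users. Confirm against the NixOS version this host tracks.
  users.users.minotarproxy.isSystemUser = true;

  systemd.services.minotarproxy = {
    description = "Minotar proxy";
    wants = [ "network-online.target" ];
    # `wants` only pulls the target in; without `after` the unit may start
    # before the addresses exist and fail to bind (then loop via Restart=).
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Joined with single spaces; the resulting command line is identical to
      # writing the flags in one string.
      ExecStart = lib.concatStringsSep " " [
        "${depot.go.minotarproxy}/bin/minotarproxy"
        "--logtostderr"
        "--server_bind=${listenIP}:443"
        "--autocert_insecure_bind=${listenIP}:80"
        "--autocert_domain=minotarproxy.lukegb.xyz"
        ''--outbound_bind="${builtins.concatStringsSep "," aliasIPs}"''
        "--autocert_cache_dir=${cacheDir}"
      ];
      User = "minotarproxy";
      Restart = "always";

      # The service runs unprivileged; this single capability is what lets it
      # bind the privileged ports 80 and 443.
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      # Least privilege: cap the bounding set at the one capability the
      # service needs, and prevent gaining privileges through setuid/setgid
      # binaries or file capabilities.
      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
      NoNewPrivileges = true;
    };
  };

  # Owner-only (0700) directory for the autocert cache.
  systemd.tmpfiles.rules = [
    "d ${cacheDir} 0700 minotarproxy - -"
  ];
}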