diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index 979005e9a7..ffa7d3682c 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -106,6 +106,10 @@ in {
       ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
     };
     firewall.allowPing = true;
+    firewall.allowedTCPPorts = [
+      80 443 # HTTP/nginx
+      6697 # znc
+    ];
   };
   my.ip.tailscale = "100.79.173.25";
 
@@ -124,6 +128,11 @@ in {
   users.users = {
     lukegb.extraGroups = [ "bird2" ];
   };
+  users.groups = {
+    znc-acme = {
+      members = [ "znc" "nginx" ];
+    };
+  };
   services.lukegbgp = let
     local = {
       asn = 205479;
@@ -152,5 +161,34 @@ in {
     };
   };
 
+  services.znc = {
+    enable = true;
+    mutable = true;
+    dataDir = "/persist/etc/znc";
+    useLegacyConfig = false;
+  };
+  security.acme = {
+    acceptTerms = true;
+    email = "letsencrypt@lukegb.com";
+    certs."znc.lukegb.com" = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "znc-acme";
+      extraDomainNames = ["akiichiro.lukegb.com"];
+    };
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "clouvider-lon01.as205479.net" = {
+        locations."/.well-known/acme-challenge" = {
+          root = "/var/lib/acme/.challenges";
+        };
+        locations."/" = {
+          return = "301 https://$host$request_uri";
+        };
+      };
+    };
+  };
+
   system.stateVersion = "20.09";
 }
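Review bot: The port comments in the new `firewall.allowedTCPPorts` list do not record what each opening is for, and 443 is opened although no nginx virtualHost in this commit serves TLS (the only vhost redirects to https and serves the ACME challenge path). The ZNC listener on 6697 is not defined anywhere in this file — with `mutable = true` and no `config` it presumably lives in the data dir under `/persist/etc/znc` — so the firewall entry and the listener can silently drift apart. I would annotate the ports so the intent is checkable: `80 # nginx: ACME http-01 webroot + redirect to https`, `443 # nginx TLS (no TLS vhost defined here yet)`, `6697 # znc TLS listener, configured in the mutable dataDir — keep in sync`. If 443 is not actually served yet, consider leaving it closed until a TLS vhost exists.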
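Review bot: The catch-all redirect `return = "301 https://$host$request_uri";` in the `clouvider-lon01.as205479.net` vhost echoes the client-supplied Host header into the Location target; since this is the only server block it is nginx's default server for any Host value, so a request carrying an arbitrary Host is redirected to an arbitrary https origin. Pin the target to the configured name instead, `return = "301 https://clouvider-lon01.as205479.net$request_uri";` (or `$server_name`). Separately, the `znc.lukegb.com` cert is made readable to the `znc-acme` group but nothing in the hunk restarts or reloads ZNC after renewal, so ZNC will presumably keep serving the old certificate until its next restart; a `postRun` hook on the cert that restarts `znc.service` (or the equivalent reload option in the ACME module) would close that gap, and how ZNC is pointed at the cert path is not visible in this diff either. Note also that the ACME challenge for the lukegb.com names is served only because this vhost is the default server; adding any further virtualHost later would break renewals unless a vhost for those names is added.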