diff --git a/ops/nixos/bvm-netbox/default.nix b/ops/nixos/bvm-netbox/default.nix
index 484cf3fd42..76e1a8ed53 100644
--- a/ops/nixos/bvm-netbox/default.nix
+++ b/ops/nixos/bvm-netbox/default.nix
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-{ config, depot, pkgs, ... }:
+{ config, lib, depot, pkgs, ... }:
 let
   inherit (depot.ops) secrets;
 
@@ -146,6 +146,7 @@ in {
     defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
     defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
   };
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
   my.ip.tailscale = "100.81.27.52";
   my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6251:1b34";
 
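Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens nginx on every interface, including the tailscale address set on the two lines below it and the wg0 netdev this commit adds in a later hunk, not only the public uplink. If the new virtual hosts are meant to be reached from the internet only, `networking.firewall.interfaces.enp2s0.allowedTCPPorts = [ 80 443 ];` scopes the exposure to the interface named on the two gateway lines above; if reachability over tailscale is intended, a one-line comment saying so would stop the next reader from tightening it.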
@@ -219,7 +220,59 @@ in {
         proxyPass = "http://127.0.0.1:8001";
       };
     };
+    virtualHosts."livetaild.lukegb.dev" = {
+      forceSSL = true;
+      sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
+      sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
+      locations."/" = {
+        extraConfig = ''
+          return 403;
+        '';
+      };
+      locations."/.auth/return" = {
+        extraConfig = ''
+          if ($arg_state ~ ^a-) {
+            return 303 https://a.livetaild.lukegb.dev$request_uri;
+          }
+          if ($arg_state ~ ^b-) {
+            return 303 https://b.livetaild.lukegb.dev$request_uri;
+          }
+          if ($arg_state ~ ^localhost-) {
+            return 303 http://localhost:13371$request_uri;
+          }
+          return 403;
+        '';
+      };
+    };
+    virtualHosts."a.livetaild.lukegb.dev" = {
+      forceSSL = true;
+      sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
+      sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
+      locations."/" = {
+        proxyPass = "http://10.222.0.2:13371";
+      };
+    };
+    virtualHosts."b.livetaild.lukegb.dev" = {
+      forceSSL = true;
+      sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
+      sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
+      locations."/" = {
+        proxyPass = "http://10.222.0.3:13371";
+      };
+    };
   };
+  my.vault.acmeCertificates."livetaild.lukegb.dev" = {
+    hostnames = [
+      "livetaild.lukegb.dev"
+      "*.livetaild.lukegb.dev"
+    ];
+    reloadOrRestartUnits = [ "nginx.service" ];
+  };
+  users.groups.acme = {};
+  users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
 
   users.groups.ninovpn = {};
   users.users.ninovpn = {
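Review bot: The third branch of `locations."/.auth/return"` sends the callback, query string included via `$request_uri`, to plain `http://localhost:13371` on whichever client follows the redirect; if that is a development convenience it should be marked as such, e.g. a comment above the `if ($arg_state ~ ^localhost-)` line such as `# dev-only: hands the callback to a client instance running on the developer's machine; remove or gate before relying on this host`. The location as a whole deserves a one-line comment explaining that it fans a single callback URL out to the a./b. instances by the `state` query-argument prefix (presumably an auth callback, confirm against the upstream service), since the apex otherwise returns 403 for everything and the dispatch is not obvious from the config alone. The `forceSSL` and three `ssl*` lines are repeated verbatim in all three new virtualHosts; binding them once in `let` and merging with `//` would keep the certificate paths in one place when the vault-issued paths change. The enclosing `services.nginx` block starts outside this hunk.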
@@ -231,5 +284,36 @@ in {
     ];
   };
 
+  systemd.network.netdevs."20-wg0" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg0";
+    };
+    wireguardConfig = {
+      Address = "10.222.0.1/24";
+      PrivateKeyFile = "/home/ninovpn/wg-priv";
+    };
+    wireguardPeers = [{
+      wireguardPeerConfig = {
+        PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
+        AllowedIPs = ["10.222.0.2/32"];
+      };
+    } {
+      wireguardPeerConfig = {
+        PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
+        AllowedIPs = ["10.222.0.3/32"];
+      };
+    }];
+  };
+  systemd.network.networks."20-wg0" = {
+    matchConfig.Name = "wg0";
+    linkConfig.RequiredForOnline = "no";
+    addresses = [{
+      addressConfig = {
+        Address = "10.222.0.1/24";
+      };
+    }];
+  };
+
   system.stateVersion = "21.05";
 }
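Review bot: `PrivateKeyFile = "/home/ninovpn/wg-priv"` keeps the tunnel's private key in a login user's home directory; the `users.users.ninovpn` block that ends at the `];`/`};` opening this hunk appears (from the previous hunk) to be an account with SSH authorized keys, so that account, or anyone holding one of its keys, can read or swap the key that authenticates this endpoint to both peers, and systemd-networkd additionally needs the file readable by its own unprivileged user, which is hard to guarantee under /home. A root-owned path outside any home, provisioned through the `secrets` the file already inherits from `depot.ops`, would keep the key under the host's control. `wireguardConfig` also sets no `ListenPort`, and the firewall change earlier in this commit opens only TCP 80/443; since neither peer has an `Endpoint`, this host is the passive side, so the peers' handshakes are dropped unless a fixed port is chosen and opened, e.g. `ListenPort = <PORT>;` with `networking.firewall.allowedUDPPorts = [ <PORT> ];` (placeholder port). Finally, `Address` is not a key of the .netdev `[WireGuard]` section, and the address is already set in the `addresses` block of the `.network` unit below, so the `Address = "10.222.0.1/24";` line in `wireguardConfig` should be dropped; I would expect the NixOS option check to reject it at evaluation.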