1
0

Compare commits

..

5 Commits

5 changed files with 49 additions and 5 deletions

View File

@ -52,6 +52,23 @@
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
appendHttpConfig = ''
server_names_hash_bucket_size 64;
'';
virtualHosts = {
"default" = {
default = true;
rejectSSL = true;
locations."/" = {
return = ''200 "Some piece of infrastructure\n"'';
extraConfig = ''
types { } default_type "text/plain; charset=utf-8";
'';
};
};
};
}; };
security.acme = { security.acme = {

View File

@ -22,6 +22,18 @@
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.nameservers = [ "46.38.255.230" "46.38.252.230" ]; networking.nameservers = [ "46.38.255.230" "46.38.252.230" ];
services.nginx.enable = true;
services.nginx.virtualHosts = {
"chisel.clerie.de" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:3765";
proxyWebsockets = true;
};
};
};
clerie.nginx-port-forward = { clerie.nginx-port-forward = {
enable = true; enable = true;
tcpPorts."2022" = { tcpPorts."2022" = {
@ -32,7 +44,7 @@
clerie.chisel.enable = true; clerie.chisel.enable = true;
networking.firewall.allowedTCPPorts = [ 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
clerie.monitoring = { clerie.monitoring = {

View File

@ -9,9 +9,9 @@ in {
options = { options = {
clerie.akne = { clerie.akne = {
enable = mkEnableOption "Makes fun stuff with the nixos acme module."; enable = mkEnableOption "Makes fun stuff with the nixos acme module.";
selfSigneOnlyHostNames = mkOption { selfSignedOnlyHostNames = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = {}; default = [];
description = "List of hostnames for which the acme client gets disabled. This hostnames use the self-signed certs instead."; description = "List of hostnames for which the acme client gets disabled. This hostnames use the self-signed certs instead.";
}; };
}; };
@ -34,7 +34,21 @@ in {
} }
) )
] ]
) cfg.selfSigneOnlyHostNames ) cfg.selfSignedOnlyHostNames
)
);
systemd.targets = with lib; listToAttrs (
flatten (
map (
name: [
(
nameValuePair "acme-finished-${name}" {
after = mkForce [ "acme-selfsigned-${name}.service" ];
requires = mkForce [ "acme-selfsigned-${name}.service" ];
}
)
]
) cfg.selfSignedOnlyHostNames
) )
); );
}; };

View File

@ -19,7 +19,7 @@ in {
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.chisel}/bin/chisel server --port 443 --authfile /var/src/secrets/chisel/users.json"; ExecStart = "${pkgs.chisel}/bin/chisel server --host [::1] --port 3765 --authfile /var/src/secrets/chisel/users.json";
Restart = "always"; Restart = "always";
}; };
}; };

View File

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./policyrouting ./policyrouting
./akne
./anycast_healthchecker ./anycast_healthchecker
./chisel ./chisel
./gre-tunnel ./gre-tunnel