palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

configure hass to be reachable via client certificate

Browse source
This commit is contained in:
Ingolf Wagner 2021-03-28 13:52:29 +02:00
parent 380565cfc5
commit df61e3166e
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
5 changed files with 64 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
configs/sputnik/configuration.nix
View file

@ -4,6 +4,7 @@
<system/proxy> <system/proxy>
./hardware-configuration.nix ./hardware-configuration.nix
<system/server/packages.nix>
./nginx.nix ./nginx.nix
./tinc.nix ./tinc.nix
./codimd.nix ./codimd.nix

41
configs/sputnik/nginx.nix
View file

@ -284,6 +284,47 @@ in {
} // error.locations; } // error.locations;
}; };
"home.ingolf-wagner.de" = {
listen = [
{
addr = "0.0.0.0";
port = 4443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
ssl = false;
}
];
extraConfig = ''
proxy_buffering off;
# client certificate
ssl_client_certificate ${<secrets/client-cert/ca.crt>};
# make verification optional, so we can display a 403 message to those
# who fail authentication
ssl_verify_client optional;
'';
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://pepe.private:8123";
proxyWebsockets = true;
extraConfig = ''
# if the client-side certificate failed to authenticate, show a 403
# message to the client
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
'';
};
};
}; };
}; };

4
system/all/default.nix
View file

@ -72,6 +72,10 @@
zsh.enable = true; zsh.enable = true;
}; };
# set vim to the default editor
# -----------------------------
programs.vim.defaultEditor = true;
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you # servers. You should change this only after NixOS release notes say you

15
system/server/default.nix
View file

@ -6,6 +6,7 @@
./initssh.nix ./initssh.nix
./graylog-exporter.nix ./graylog-exporter.nix
./prometheus-exporters.nix ./prometheus-exporters.nix
./packages.nix
]; ];
# make sure laptops stay awake when closing the montior # make sure laptops stay awake when closing the montior
@ -17,19 +18,5 @@
# config vim # config vim
programs.custom.vim.enable = true; programs.custom.vim.enable = true;
# no need to to start a service
environment.systemPackages = let
nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" {
flakeIgnore = [ "E265" "E225" "W292" ];
} (lib.fileContents <assets/nginx-show-config.sh>);
in [
pkgs.mosh
# nginxfmt
pkgs.nginx-config-formatter
nginxShowConfig
];
} }

17
system/server/packages.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, config, lib, ... }:
{
# no need to to start a service
environment.systemPackages = let
nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" {
flakeIgnore = [ "E265" "E225" "W292" ];
} (lib.fileContents <assets/nginx-show-config.sh>);
in [
pkgs.mosh
# nginxfmt
pkgs.nginx-config-formatter
nginxShowConfig
];
}