configure hass to be reachable via client certificate

2021-03-28 13:52:29 +02:00 · 2021-03-28 13:52:29 +02:00 · df61e3166e
commit df61e3166e
parent 380565cfc5
5 changed files with 64 additions and 14 deletions
--- a/configs/sputnik/configuration.nix
+++ b/configs/sputnik/configuration.nix
@ -4,6 +4,7 @@
    <system/proxy>
    ./hardware-configuration.nix

+    <system/server/packages.nix>
    ./nginx.nix
    ./tinc.nix
    ./codimd.nix
--- a/configs/sputnik/nginx.nix
+++ b/configs/sputnik/nginx.nix
@ -284,6 +284,47 @@ in {
        } // error.locations;
      };

+
+      "home.ingolf-wagner.de" = {
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 4443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+            ssl = false;
+          }
+        ];
+        extraConfig = ''
+          proxy_buffering off;
+          # client certificate
+          ssl_client_certificate ${<secrets/client-cert/ca.crt>};
+          # make verification optional, so we can display a 403 message to those
+          # who fail authentication
+          ssl_verify_client optional;
+        '';
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://pepe.private:8123";
+          proxyWebsockets = true;
+          extraConfig = ''
+            # if the client-side certificate failed to authenticate, show a 403
+            # message to the client
+            if ($ssl_client_verify != SUCCESS) {
+              return 403;
+            }
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+          '';
+        };
+      };
+
+
    };
  };

--- a/system/all/default.nix
+++ b/system/all/default.nix
@ -72,6 +72,10 @@
    zsh.enable = true;
  };

+  # set vim to the default editor
+  # -----------------------------
+  programs.vim.defaultEditor = true;
+
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
--- a/system/server/default.nix
+++ b/system/server/default.nix
@ -6,6 +6,7 @@
    ./initssh.nix
    ./graylog-exporter.nix
    ./prometheus-exporters.nix
+    ./packages.nix
  ];

  # make sure laptops stay awake when closing the montior
@ -17,19 +18,5 @@
  # config vim
  programs.custom.vim.enable = true;

-  # no need to to start a service
-  environment.systemPackages = let
-
-    nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" {
-      flakeIgnore = [ "E265" "E225" "W292" ];
-    } (lib.fileContents <assets/nginx-show-config.sh>);
-  in [
-    pkgs.mosh
-
-    # nginxfmt
-    pkgs.nginx-config-formatter
-    nginxShowConfig
-  ];
-
 }

--- a/system/server/packages.nix
+++ b/system/server/packages.nix
@ -0,0 +1,17 @@
+{ pkgs, config, lib, ... }:
+{
+
+  # no need to to start a service
+  environment.systemPackages = let
+
+    nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" {
+      flakeIgnore = [ "E265" "E225" "W292" ];
+    } (lib.fileContents <assets/nginx-show-config.sh>);
+  in [
+    pkgs.mosh
+
+    # nginxfmt
+    pkgs.nginx-config-formatter
+    nginxShowConfig
+  ];
+}