diff --git a/flake.nix b/flake.nix
index cf6dc17..978defe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,7 @@
 ./modules/kavita.nix
 ./modules/netdata.nix
 ./modules/invidious.nix
+ ./modules/step-ca.nix
 ./modules/tmpfs.nix
 ### Hardware ###
 ./modules/hardware/ssd.nix
diff --git a/modules/adguard.nix b/modules/adguard.nix
index bf5309d..bd5d31a 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -62,9 +62,21 @@ in
 "domain" = "yt.local";
 "answer" = ip;
 }
+ {
+ "domain" = "nextcloud.local";
+ "answer" = wireguardIp;
+ }
+ {
+ "domain" = "kavita.local";
+ "answer" = wireguardIp;
+ }
+ {
+ "domain" = "yt.local";
+ "answer" = wireguardIp;
+ }
 {
 "domain" = "turnserver.local";
- "answer" = "192.168.2.1";
+ "answer" = wireguardIp;
 }
 {
 "domain" = "inverter.local";
diff --git a/modules/invidious.nix b/modules/invidious.nix
index f5d9eb5..4da565a 100644
--- a/modules/invidious.nix
+++ b/modules/invidious.nix
@@ -38,6 +38,8 @@ in
 use_pubsub_feeds = false;
 channel_refresh_interval = "15m";
+ dark_mode = "dark";
+ autoplay = true;
 };
 extraSettingsFile = config.age.secrets.invidious-extra-settings.path;
@@ -46,8 +48,6 @@ in
 };
 services.nginx.virtualHosts."${fqdn}" = {
- listenAddresses = [ vars.ipv4 vars.wireguardIp ];
-
 locations."/" = {
 recommendedProxySettings = true;
 proxyPass = "http://127.0.0.1:8007";
diff --git a/modules/step-ca.nix b/modules/step-ca.nix
new file mode 100644
index 0000000..a34ca33
--- /dev/null
+++ b/modules/step-ca.nix
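Review bot: `yt.local` ends up with two rewrites in this hunk — the existing context line `"answer" = ip;` and the new `"answer" = wireguardIp;` — and the same presumably holds for nextcloud.local and kavita.local if their `ip` entries sit just above; as far as I know AdGuard Home returns every matching rewrite, so a resolver sees both A records and picks either, and a LAN client that lands on the WireGuard address only works if that subnet is routable from the LAN. Rewrites cannot express split-horizon (LAN clients → `ip`, tunnel clients → `wireguardIp`), so either accept that both addresses are served and document it, or keep one answer per name. A comment above the new entries such as `# each *.local name now answers with both the LAN and WireGuard address; clients may use either` would make the intent clear to the next reader.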
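Review bot: Dropping `listenAddresses = [ vars.ipv4 vars.wireguardIp ];` from the `${fqdn}` vhost makes it fall back to the NixOS nginx default listen addresses, which is normally all interfaces, so the Invidious proxy is no longer pinned to the LAN and WireGuard addresses and becomes reachable on any other interface this host has. The old list already contained `vars.wireguardIp`, so if the goal was VPN reachability (which the adguard hunk suggests) the restriction was not the obstacle; either restore the line or record in the commit why the vhost must bind everywhere, and check the firewall covers the port on any remaining interface. The `virtualHosts."${fqdn}"` definition continues past the end of the hunk.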
@@ -0,0 +1,86 @@
+{ pkgs, lib, ... }:
+let
+ root_ca =
+ ''
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
+MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
+MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
+IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
+f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
+y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
+HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
+AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
+gpuVkfVkA8gQCXNs5F9TnxA=
+-----END CERTIFICATE-----
+ '';
+ intermediate_ca =
+ ''
+-----BEGIN CERTIFICATE-----
+MIIBtDCCAVqgAwIBAgIQbEVEV7LgtjVWO+qBrrmgETAKBggqhkjOPQQDAjAkMQww
+CgYDVQQKEwNLb3AxFDASBgNVBAMTC0tvcCBSb290IENBMB4XDTIzMTIwODE0NTEx
+N1oXDTMzMTIwNTE0NTExN1owLDEMMAoGA1UEChMDS29wMRwwGgYDVQQDExNLb3Ag
+SW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmv7jg7Cs
+4L5v52+3yUmn79hZFS2vmm/5wwcUCL63dokEXQsHgbEjaRKsF/MW0yJDLTB6Sdhl
+pCvoNJqITWuEN6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwHQYDVR0OBBYEFDgVolMCmdrhDIXhuIs4q/KwRKNLMB8GA1UdIwQYMBaAFPQF
+bcIqVuRwwS32UR9SmQpyCgn6MAoGCCqGSM49BAMCA0gAMEUCIQCQa01E+UvAJ8KR
+DFfDducZUpW4tZRN35lqoge7T9nM2QIgK4FFt1NqDqcjOSabAXPOQ68bvdxlHW0y
+AgN9qNc3Jbo=
+-----END CERTIFICATE-----
+'';
+
+in
+{
+ age.secrets.step-ca-pw = {
+ file = ../secrets/step-ca-pw.age;
+ };
+ age.secrets.step-ca-key = {
+ file = ../secrets/step-ca-key.age;
+ };
+ services.step-ca = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 8443;
+ intermediatePasswordFile = config.age.secrets.step-ca-pw.path;
+ settings = {
+ dnsNames = [ "localhost" "127.0.0.1" "*.local" ];
+ root = pkgs.writeTextFile {
+ name = "root.ca";
+ text = root_ca;
+ };
+ crt = pkgs.writeTextFile {
+ name = "intermediate.ca";
+ text = intermediate_ca;
+ };
+ key = config.age.secrets.step_intermediate_ca_key.path;
+ db = {
+ type = "badger";
+ dataSource = 
"/var/lib/step-ca/db"; + }; + authority = { + claims = { + minTLSCertDuration = "5m"; + maxTLSCertDuration = "24h"; + defaultTLSCertDuration = "24h"; + }; + provisioners = [ + { + type = "ACME"; + name = "acme"; + forceCN = true; + } + ]; + }; + tls = { + cipherSuites = [ + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + ]; + minVersion = "1.2"; + maxVersion = "1.3"; + renegotiation = "false"; + }; + }; + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b3ce9c6..aaf3fbd 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,5 +20,6 @@ in "matrix-registration.age".publicKeys = [ nix-test-vm server kop ]; "paperless.age".publicKeys = [ nix-test-vm server kop ]; "kavita.age".publicKeys = [ nix-test-vm server kop ]; - "invidious-extra-settings.age".publicKeys = [ nix-test-vm server kop ]; + "step-ca-pw.age".publicKeys = [ nix-test-vm server kop ]; + "step-ca-key.age".publicKeys = [ nix-test-vm server kop ]; } diff --git a/secrets/step-ca-key.age b/secrets/step-ca-key.age new file mode 100644 index 0000000..7a85a77 Binary files /dev/null and b/secrets/step-ca-key.age differ diff --git a/secrets/step-ca-pw.age b/secrets/step-ca-pw.age new file mode 100644 index 0000000..0da0878 --- /dev/null +++ b/secrets/step-ca-pw.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 yfCCMw OgXEZi4GHlh0htigcyT0c86ZlZvmv5ve6g0Dnk9mhS8 +57hPI3DO/2Lic5JZ/4Cgq1y0tYoZKc+E6LwS62Zi0kg +-> ssh-ed25519 IV3DkQ YG3gxtuOx5sfD7rwAClr+MrFzEgw2sgfpxzZDyT9nj4 +VIP3Hkk9ZBG9BHNPHt4C6LazylU6htJ6gmdamqAYLUw +-> ssh-ed25519 DCzi1A DcsbrGWEyzUB7QKGvlMU9CMB/bq7JVz/aSz7uJprQRg +NpBDT786hL0GZNaY1IsDnU9iFxlYZs8ti1FAfBeHBIQ +-> z-grease |WDf ~K7q9K *xzH^n6{ +6G9KAajGo/o6dcYb/MAOE7AIIZKTTMrN9fh9ACkINLB38ZrREUCsrJDE90sx62nX +MOJKZ3k4 +--- ExlgUArhnqSMlZwWWoFdM/Ugc3fLKbQ9ZCguzqUIlkM +F!0QQm[e6MxB Ԙcq6>H \ No newline at end of file