diff --git a/modules/services/adguard.nix b/modules/services/adguard.nix
index 5ba1cdc..8d9bee4 100644
--- a/modules/services/adguard.nix
+++ b/modules/services/adguard.nix
@@ -18,6 +18,11 @@ in { default = true; description = "use https for the adguard instance"; }; + acme-url = lib.mkOption { + type = lib.types.str; + default = "https://127.0.0.1:8443/acme/kop-acme/directory"; + description = "acme url for the adguard instance"; + }; }; config = let
@@ -28,14 +33,12 @@ in { networking.firewall.allowedTCPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ]; - security.acme.certs."${cfg.fqdn}".server = - "https://127.0.0.1:8443/acme/kop-acme/directory"; + security.acme.certs."${cfg.fqdn}".server = cfg.acme-url; # nginx reverse proxy + services.nginx.enable = true; services.nginx.virtualHosts.${cfg.fqdn} = { forceSSL = cfg.useHttps; enableACME = cfg.useHttps; - quic = cfg.useHttps; - http3 = cfg.useHttps; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.port}";
diff --git a/modules/services/step-ca.nix b/modules/services/step-ca.nix
index 900de00..9aa192f 100644
--- a/modules/services/step-ca.nix
+++ b/modules/services/step-ca.nix
@@ -43,13 +43,14 @@ in owner = "step-ca"; group = "step-ca"; }; + networking.firewall.allowedTCPPorts = [ 8443 ]; services.step-ca = { enable = true; - address = "127.0.0.1"; + address = ""; port = 8443; intermediatePasswordFile = config.age.secrets.step-ca-pw.path; settings = { - dnsNames = [ "localhost" "127.0.0.1" "*.home.arpa" ]; + dnsNames = [ "localhost" "127.0.0.1" "*.home.arpa" "192.168.0.10" ]; root = pkgs.writeTextFile { name = "root.ca"; text = root_ca;
diff --git a/systems/amd-server/configuration.nix b/systems/amd-server/configuration.nix
index 2a67473..0c22724 100644
--- a/systems/amd-server/configuration.nix
+++ b/systems/amd-server/configuration.nix
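Review bot: The new `acme-url` option in the first adguard.nix hunk is typed `lib.types.str`, so it accepts any string, including an `http://` directory; the ACME directory URL is where the account key exchange and certificate orders are sent, so it should only accept TLS endpoints, e.g. `type = lib.types.strMatching "^https://.*";`. The hyphenated name departs from the camelCase convention visible in the same module (`useHttps`, `enableACME`); `acmeUrl` would be consistent, though renaming also changes the commented-out use in systems/amd-server/configuration.nix. The description could say what the value is used for: `description = "ACME directory URL that security.acme uses to obtain the certificate for this instance";`. The default duplicates the port that step-ca.nix configures separately, which is worth a comment so the two do not drift.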
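Review bot: In the second adguard.nix hunk `security.acme.certs."${cfg.fqdn}".server = cfg.acme-url;` is set unconditionally while the nginx vhost has `enableACME = cfg.useHttps;`, so with `useHttps = false` a certificate entry for the fqdn still exists in `security.acme.certs` without the vhost settings the nginx module would otherwise contribute (the replaced hard-coded line had the same shape; the commit keeps it). Gate it on the same flag: `security.acme.certs = lib.mkIf cfg.useHttps { "${cfg.fqdn}".server = cfg.acme-url; };`. The enclosing `config = let … in` block starts and ends outside the hunk, so this assumes nothing else in it defines the same certificate. A comment on the line noting that the CA behind `acme-url` is the local step-ca, whose root must be present in `security.pki.certificates` on every host that enables this module, would save the next reader a trip to systems/amd-server/configuration.nix.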
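Review bot: In the step-ca.nix hunk `address = "";` together with `networking.firewall.allowedTCPPorts = [ 8443 ];` makes the CA listen on every interface and opens the port in every firewall zone, where the replaced `127.0.0.1` kept it host-local; the only remote clients named on the page are on the LAN (`192.168.0.10`, `192.168.0.20`). Bind to the address that this hunk adds to `dnsNames` and scope the firewall rule to the LAN interface: `address = "192.168.0.10";` and `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 8443 ];` (`<lan-iface>` is a placeholder). If the NixOS module joins `address` and `port` into one `host:port` string, the empty address becomes `:8443`, an all-interfaces bind; stating that intent explicitly, `address = "0.0.0.0"; # reachable from the LAN for ACME`, is clearer than relying on it. Once 8443 is reachable from the network, the ACME provisioner's challenge type and policy (outside this hunk) decide who can obtain a `*.home.arpa` certificate, so that configuration deserves a look in the same change.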
@@ -17,6 +17,7 @@ nftables.enable = true; cli-tools.enable = true; virt-manager.enable = true; + static-ip.ip = "192.168.0.20"; nix = { index.enable = true; ld.enable = true;
@@ -29,17 +30,22 @@ wooting.enable = true; }; services = { + acme.enable = true; smartd.enable = true; + #adguard = { + # enable = true; + # acme-url = "https://192.168.0.10:8443/acme/kop-acme/directory"; + #}; }; graphical = { audio.enable = true; sddm.enable = true; - nightlight.enable = true; - i3.enable = true; + #nightlight.enable = true; + #i3.enable = true; xfce.enable = true; shared.enable = true; - games.enable = true; - basics.enable = true; + #games.enable = true; + #basics.enable = true; }; }; mainUser.layout = "de";
@@ -59,6 +65,22 @@ }; }; + security.pki.certificates = [ + '' + -----BEGIN CERTIFICATE----- + MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM + MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx + MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w + IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX + f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7 + y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV + HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj + AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr + gpuVkfVkA8gQCXNs5F9TnxA= + -----END CERTIFICATE----- + '' + ]; + services.xrdp.enable = true; services.xrdp.defaultWindowManager = "xfce4-session"; services.xrdp.openFirewall = false;
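Review bot: The second amd-server hunk disables four `graphical` modules and the `adguard` block by commenting them out, which leaves dead text nobody maintains and buries the only place the non-default directory URL (`https://192.168.0.10:8443/acme/kop-acme/directory`) is recorded. An option can stay set while the module is off, so `enable = false;` with the other values left live is the idiomatic form: `adguard = { enable = false; acme-url = "https://192.168.0.10:8443/acme/kop-acme/directory"; };`, and likewise `nightlight.enable = false;` rather than `#nightlight.enable = true;`. Whether `acme.enable = true;` under `services` is a project wrapper around `security.acme` cannot be told from the hunk; a one-line comment saying what it turns on would help, since the adguard default points at 127.0.0.1 while the CA this host would need appears to live on 192.168.0.10.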
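Review bot: The third amd-server hunk installs the embedded `Kop Root CA` into the system-wide trust store via `security.pki.certificates`, so every TLS client on this host, not only the ACME client, will accept certificates chained to it; that is a broader trust grant than obtaining a certificate from the local step-ca requires. If only lego needs the root, a narrower route is to supply it through lego's `LEGO_CA_CERTIFICATES` environment variable; if system-wide trust is the intent, record it next to the list: `# Kop Root CA of the step-ca on 192.168.0.10; trusted system-wide so security.acme can reach the local ACME directory`. This PEM is presumably the same `root_ca` that step-ca.nix passes to `pkgs.writeTextFile` (visible in the step-ca hunk), so keeping one copy in a shared file and referencing it from both places avoids the two drifting when the root is rotated. The certificate's validity fields decode to 2023-12-08 through 2033-12-05, so rotation will be rare, which makes a single source of truth more rather than less important.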