From 96d5711503aabe859fc62b598b3bf798639164ff Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Sun, 20 Feb 2022 18:36:34 +0100
Subject: [PATCH] Secret services are now under cover
---
 lib/default.nix | 16 ++++++++++++++++
 machines/lisa/default.nix | 4 ++--
 modules/deluge/default.nix | 2 +-
 modules/jackett/default.nix | 2 +-
 modules/lidarr/default.nix | 2 +-
 modules/radarr/default.nix | 2 +-
 modules/sonarr/default.nix | 2 +-
 7 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/lib/default.nix b/lib/default.nix
index 170181c..1e2ded9 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -52,6 +52,22 @@ in
 };
 };
+ mkPrivateSubdomain = name: port: {
+ luj.nginx.enable = true;
+ services.nginx.virtualHosts."${name}.julienmalka.me" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ extraConfig = ''
+ allow 10.100.0.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
+
 luj = import ./luj.nix final;
 }
diff --git a/machines/lisa/default.nix b/machines/lisa/default.nix
index 4f4db35..0aec296 100644
--- a/machines/lisa/default.nix
+++ b/machines/lisa/default.nix
@@ -68,7 +68,7 @@
 prefixLength = 120;
 }];
- networking.nameservers = [ "8.8.8.8" ];
+ networking.nameservers = [ "10.100.0.2" ];
 networking.hostId = "fbb334ae";
 services.zfs.autoSnapshot.enable = true;
 services.zfs.autoScrub.enable = true;
@@ -123,7 +123,7 @@
 publicKey = "TAIP4faPBx6gk1cifC6fdfIP6slo1ir+HMVKxQXBejo=";
 }
 {
- allowedIPs = [ "10.100.0.8" ];
+ allowedIPs = [ "10.100.0.8/32" ];
 publicKey = "EmWRWnZfr60ekm4ZLdwa6gXU6V3p39p6tWOZ03dL+DA=";
 }
 ];
diff --git a/modules/deluge/default.nix b/modules/deluge/default.nix
index b7a2bb6..ab547e9 100644
--- a/modules/deluge/default.nix
+++ b/modules/deluge/default.nix
@@ -54,7 +54,7 @@ in
 };
 }
- (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))]);
+ (mkIf cfg.nginx.enable (mkPrivateSubdomain cfg.nginx.subdomain port))]);
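Review bot: In lib/default.nix, the `allow 10.100.0.0/24; deny all;` pair in `mkPrivateSubdomain` only filters requests that arrive through nginx, so the five services switched to it in this commit stay private only if each backend listens on loopback and its port is not opened in the firewall. None of that is visible in these hunks, so it should be confirmed in the deluge, jackett, lidarr, radarr and sonarr modules. `enableACME = true` still requests one publicly trusted certificate per `${name}.julienmalka.me`, and such issuance is normally recorded in Certificate Transparency logs, so the hostnames themselves remain discoverable; a shared wildcard certificate referenced through `useACMEHost` (which needs a DNS-based challenge) would avoid that. The subnet literal would also benefit from a comment above `extraConfig`, e.g. `# VPN subnet, presumably the WireGuard range from machines/lisa; keep in sync with the peers' allowedIPs`.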
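Review bot: In machines/lisa/default.nix, `networking.nameservers = [ "10.100.0.2" ];` leaves the host with a single resolver on a private address, so name resolution and anything that depends on it (certificate renewal, package fetches) presumably fails whenever that resolver or the tunnel carrying it is unavailable. If the tunnel's peer endpoint is itself configured by hostname this can also become a bootstrap loop; that part of the configuration is outside the hunk. A comment stating the intent would help, e.g. `# internal resolver reached over the VPN; sole DNS source for this host`, together with an explicit decision on a second resolver, bearing in mind that a public fallback may answer differently for the private names.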
diff --git a/modules/jackett/default.nix b/modules/jackett/default.nix
index 951ca63..41fcf51 100644
--- a/modules/jackett/default.nix
+++ b/modules/jackett/default.nix
@@ -38,7 +38,7 @@ in
 }
- (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))]);
+ (mkIf cfg.nginx.enable (mkPrivateSubdomain cfg.nginx.subdomain port))]);
diff --git a/modules/lidarr/default.nix b/modules/lidarr/default.nix
index ea9f95c..8c0a1d7 100644
--- a/modules/lidarr/default.nix
+++ b/modules/lidarr/default.nix
@@ -38,7 +38,7 @@ in
 };
 }
- (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port) )]);
+ (mkIf cfg.nginx.enable (mkPrivateSubdomain cfg.nginx.subdomain port) )]);
diff --git a/modules/radarr/default.nix b/modules/radarr/default.nix
index 2900ede..daa5715 100644
--- a/modules/radarr/default.nix
+++ b/modules/radarr/default.nix
@@ -38,7 +38,7 @@ in
 };
 }
- (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))
+ (mkIf cfg.nginx.enable (mkPrivateSubdomain cfg.nginx.subdomain port))
 ]);
diff --git a/modules/sonarr/default.nix b/modules/sonarr/default.nix
index dd23564..229488a 100644
--- a/modules/sonarr/default.nix
+++ b/modules/sonarr/default.nix
@@ -38,7 +38,7 @@ in
 };
 }
- (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port) )]);
+ (mkIf cfg.nginx.enable (mkPrivateSubdomain cfg.nginx.subdomain port) )]);