diff --git a/.sops.yaml b/.sops.yaml index da2e6db..a2f4e2d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -10,12 +10,13 @@ keys: - &mastodon age19efecaur72d92g452zpe4uxjtwev2ktjtaezascxg9l2p8544s8s05d93r - &paperless age1zj3tzzcpyq5s66phlrf2g203am7vl6vxg2jlpr8vy6u385xljapqt0d2fr - &vikunja age1h7yq7n8gcw35apr7jn8r66dwss4hfcdv0sf4ankfxquyavlrqukqhr0lrc + - &nginx age1ypq3n3e7gnwqddq5dgkdsfm0wqagrm5pl5tkunzp44lcezsllumqsjz0hz creation_rules: - path_regex: secrets\/all\/* key_groups: - pgp: [*clara] - age: [*wireguard, *mcserver, *zammad, *forgejo, *mastodon, *paperless, *vikunja] + age: [*wireguard, *mcserver, *zammad, *forgejo, *mastodon, *paperless, *vikunja, *nginx] - path_regex: secrets\/wireguard\/* key_groups: - pgp: [*clara] diff --git a/configs/containers/nginx_container.nix b/configs/containers/nginx_container.nix new file mode 100644 index 0000000..9ec30e1 --- /dev/null +++ b/configs/containers/nginx_container.nix @@ -0,0 +1,23 @@ +{ lib, pkgs, config, ... }: { + + deployment = { + targetHost = "10.0.0.2"; + targetPort = 22; + targetUser = "root"; + }; + networking = { + hostName = "nginx"; + interfaces.eth0 = { + ipAddress = "10.0.0.2"; + prefixLength = 16; + }; + defaultGateway = { + address = "10.0.0.254"; + interface = "eth0"; + }; + }; + imports = [ + ../container_config.nix + ../services/nginx.nix + ]; +} diff --git a/configs/services/nginx.nix b/configs/services/nginx.nix new file mode 100644 index 0000000..61c4eb9 --- /dev/null +++ b/configs/services/nginx.nix 
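Review bot: In the .sops.yaml hunk, adding `*nginx` to the `age` list of the `secrets\/all\/*` rule lets the new reverse-proxy host decrypt every file under secrets/all, yet nothing in configs/services/nginx.nix in this commit reads a sops secret. That container opens 80/443 and is the host most exposed to untrusted traffic, so a compromise of it would disclose secrets shared with all the other services. If the imported container_config.nix (not shown here) needs a value from secrets/all, say which one in a comment next to the key, e.g. `# nginx: needs <SECRET_NAME> from secrets/all (container_config.nix)`. Otherwise leave `*nginx` out of this rule and add a dedicated `secrets\/nginx\/*` rule when the host first needs a secret, following the per-host `secrets\/wireguard\/*` rule visible at the end of the hunk.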
@@ -0,0 +1,30 @@ +{ lib, pkgs, config, ... }: +{ + services.nginx = { + enable = true; + + virtualHosts = { + "pve.infra.cdaut.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "https://10.0.0.254:8006"; + }; + }; + "corerouter.infra.cdaut.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://10.0.0.1:80"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@cdaut.de"; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} diff --git a/flake.nix b/flake.nix index d425d61..ac48600 100644 --- a/flake.nix +++ b/flake.nix @@ -12,8 +12,6 @@ specialArgs = { inherit inputs; }; }; - #mcserver = import ./configs/containers/mc_container.nix; - wireguard = import ./configs/containers/wg_container.nix; zammad = import ./configs/containers/zammad_container.nix; @@ -22,9 +20,9 @@ mastodon = import ./configs/containers/mastodon_container.nix; - #paperless = import ./configs/containers/paperless_container.nix; - vikunja = import ./configs/containers/vikunja_container.nix; + + nginx = import ./configs/containers/nginx_container.nix; }; }; } diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml index a60cd82..d24c757 100644 --- a/secrets/all/secrets.yaml +++ b/secrets/all/secrets.yaml 
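Review bot: Both virtual hosts in configs/services/nginx.nix publish an administrative interface with no access restriction on `locations."/"`, while the last line of the file opens 80 and 443: `pve` proxies port 8006 on 10.0.0.254 (apparently the Proxmox web UI) and `corerouter` proxies the router UI at 10.0.0.1. If these names are reachable from outside the management network, which `enableACME` with the default HTTP-01 challenge suggests, the only control left is each backend's own login form. Restrict each location to the admin or VPN range, for example `extraConfig = "allow <ADMIN_VPN_CIDR>; deny all;";`, and check that certificate issuance still succeeds, since the ACME challenge path is served from its own location. The `corerouter` upstream is plain `http://`, so router credentials cross 10.0.0.0/16 unencrypted between the proxy and the device; a short comment stating that this is accepted, or an `https://` upstream if the router offers one, would make the intent clear.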
@@ -4,87 +4,96 @@ sops: - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZlNQem5ZYVhSbzB5T2pU - ZHFreDNkVHBiRThteDBqcjhsYkQ5R3B6NGtBCkRlMlRoN3NxeGo1QVE0ZEdYRjNE - dGdtVHJiL2JHU3BmbVB5YWVyRWhSMVUKLS0tIEJDVzY2ZUN0ZDYvcFRQbVdSZnUv - bXZIQjJXZnlLb1M5UHBMSEdsZFBLZUEKgNoMGAblrQDCUcTHyK/9pE/84wJLR2cu - qgLuL9oPGT4jpPf/WWTVNgfwrBNBbrFoDjF0fe3WpukBrEHIRf+3KA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaWFLVVVrallkZEJGZkJm + bFBaNzkrRkU4MFVJZUxiSGZWdldSVGJLV2tNCnhod0g5emhQdExiMjhmb3Jxa2c0 + bStqbnN2UnE3S1RIbi9iU21ITWZ4NlUKLS0tIGVrYjFVbGNOUmFvSXFBQzNraW1T + bWdvTG90S1pvVHJ0NUFqd2FCemp5Sm8KuNksM73Cd9Z+ecMGpIAhJieozze37ThN + u8dLFFdnv2MWKqOvK99yNcUCvkKOY5VN2hCT+vfqt/9pek76eUaDog== -----END AGE ENCRYPTED FILE----- - recipient: age1jlt47gkctq7vfrykqlyg9um5mypy872pvtfql7kkpvhnemlex4mq89a3a8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTGVOZ2xqdEJlWitXaFc0 - bGc1RkdLazNKV2gxcVdBRERGeXgwQUxRWEZrCitGYlRSNUFsc3dqUW04OCt5NEJH - N2JoSUFISGIxM3doRy9pdFBRRkEzOFEKLS0tIHJJbVh1RGZQb3krd2NyQ1J3TXpO - MytTbEt4QzlCdENCZlQyT000ZThuM2sKMEjebD+XvT5aLBxzoXRn6x9OKyr7g+en - zEgNDK6IHtypxB9goafmJlYLamESx5eYtwYtZyXNO5a5lKbZHCOe+Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbitVenBHYWswWlpKb3NG + SG5VVERDQkc2Um1GV1ZkN0xzeW1iWlpYR3pBClIvNWRqOFA1SjJPNENqWjVRaXZR + R3ZmSzJxcGhyNEN5eGk4SDdnTnFFcHMKLS0tIFA0cThkTGtxdjUvVjJKVGY2aU1n + WENOM0cxRmF2TlBmRXFqU3phU2tDSDAKOiT/zbpRRmiQstLAJw1Mip4eoZ/OuCAW + qeK7wczzwZOnAcfUOdgjjOBFy9prU/AdcfH0I3THASgrIG8xrmHSKg== -----END AGE ENCRYPTED FILE----- - recipient: age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1ZldFNENrMVF3bXFmclhM - MldYYVB3ZmVPNVJmTDhBUE53NFlrYkUxK2lNCmRmOTJzM0VOcG1iQkh6dWRDd21h - bFRiSGwzS3doRkEvN1hWSTA4YmdSRlEKLS0tIFBxYTluNUY2WVFvYUZ3WWRXZ3Ft - 
MVJLR3pxWXZENjV2OG5XclpwcWlHU00Kl+EsQMZsU4AggLAckfdsbHYV05AH8isn - fHXLacbn8R3Gn/Y+055QAvx4vtDL82gI1EhZzOMOXOG8vPY4R/263Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHc0RiYkN1eFpCaTFlVmpW + TEtyRUh1Ty8zTlZOMmVDTkFVOEJVTHhmTEJjCjhsdjZKQ210am1acEQyZ3pleVJ1 + ZlN5dWdqampvaWl2SnVsRFRFRGw5Vk0KLS0tIE1PV3RGMVZoMitDME00S1M4alZz + TEw1K2ZKaDBMQlhBcjRoSFc3Zk5MRjgKoktTEbB/HEKlcNiS8jYQ5GqqhoL6K2/J + sMW42vi1a4Dk/+dRAMsmVjhSZiROhSA+1XaMByLBCHOVSdFEcdNgGw== -----END AGE ENCRYPTED FILE----- - recipient: age1vd33efsea2509hm0dwmhkuu7mm2kgw6tsss6lmzsqfg7gat06qyqys3qfh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbWoyekZWSFMrVml3QktX - L055SDZUellDNkFxNXZrOStmdVoxaURYbWh3Cm95V3JSeCtqOVlCVkVOem1sMWpK - STd4aVRaTzhsamxpV3hVbjB0bTl6azQKLS0tIHF6eW83WHF4eE9yTEg3RUpKbU1h - YklpbjFLbGtVcndKOEN1dVdKWUo2clEK+QctIupLf2ecNMqWzIQFCfXmVmWzfQGU - OzBpKIHLg8B/dvFtmpl30xnWJvS7V/QbvK22kHnbI/t5ngbCeHVBew== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUFNuekl6cnBrb0h3cytV + V3Z4dnBuOGZ3SE5CNEp3V2Facisvb0tLUERnCjhuSU9MTnhnYThJQ0dIUzRmNzY5 + S1gzaTMxQUhoTXFTU0NXdThPT25Tck0KLS0tIE1uNVJaaHl4V0RmQWR0TzZ1SW0w + ckZMdVlkWHEvL0RPL3pyeStPNmtiMk0KbIhfCRvpRv+vVrqVfLpjEKdSs68GJ2NE + gbdqKRlnyPe+uZNpZmgP2sNH9QdJvGpvrnxQPZ4j/s7aIFhvHSYY1g== -----END AGE ENCRYPTED FILE----- - recipient: age19efecaur72d92g452zpe4uxjtwev2ktjtaezascxg9l2p8544s8s05d93r enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbS80S0ZjeXBKdU1KRTlU - WG44TDU1cTRPdnExZk5iYjFZTWdGRUpJbHk4Ck54anU1dXdseDFXQ2pyb09RKzBD - Q2xCcjUyZU5WdU5INmJNSHJZM2phTW8KLS0tIGJydkVUQnhjbGVyK3cwYTdsV3k5 - Sm9hTUFHTVJiWEtuK21FaGlWaGxWRGcK3ppnyVtA0oY75KbURzMKpNn9QvtG/nQ/ - IpRGO6XBDthO35ES402nw2PXBzQB5sss5dc2VTSwgK1M3vAwyHAd5Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Q3JoZ2lPN2s4L0MrcGtn + MjM5ZjdMRzRKVXU5azdmY2kzOTMzUkYzeFdFCk5qbDFGQUtReDNDWUhKWjRaZzQx + NEZqWTkvd29sY2NJSTRWcDJBTC8rd1UKLS0tIGFPS1g2OEdmYmZvRE9jZC9oNG9X + 
andaVldXZS9Jc3FOTWdvbUhVVUtONU0KThDBMfftZBn7WeoIBx5CTv/hJtjvbXLA + +6KmZSoG3VPMzqdOy61s8RbZqwKMzeWl1ydHIvKcyvo2BmJSAZ/6CA== -----END AGE ENCRYPTED FILE----- - recipient: age1zj3tzzcpyq5s66phlrf2g203am7vl6vxg2jlpr8vy6u385xljapqt0d2fr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eG1EbzZCZDI4ajdaV0VL - NjFJL1dVVjlVcGlQbUJGR2o3QnQyVjJya2tzCkhKM3Qrb1k3bjBtZkx3Uzc5dVdn - RHVnbDVNZkdJKzR2YmpFSFNRM2NzOGMKLS0tIFgwR0ZabVhyR0RiREpYMlhFNWN4 - bDVaczBxVEMrUmxETmdsK0t4MHQrbFkKz2PeQZWcBRfzPafszHiQG8sOLE2/cKvD - ByIVnZNoOeC0SszjXQABmHYFpqkUU5S4tFG1tZyv2hlIYn3Iwx0iDw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRWMxSzR4eUJnMFpBOGRJ + RzRIczZxbUdjUHRoUU4zYytwcUlMZWE4Q1JZCklWNXh6WSthdXdZTHVoWHJjTlYr + Um5UMlM0TVBoTTEyaXlyYjVpbXVPYXcKLS0tIGVWRjhaZC9DaGgzOStaaU85ODlW + Zm5ZSDd3MGpFVmtZL0c0WWV1M0ZKT2cKOm+HUuHskz6RsQVsVW+OcRr90yBqeNa3 + PlgWRJ05uh8XETJVoZTkcbvyw7ZWWJzPzYCus1lWg1W9xVcsJwAn4Q== -----END AGE ENCRYPTED FILE----- - recipient: age1h7yq7n8gcw35apr7jn8r66dwss4hfcdv0sf4ankfxquyavlrqukqhr0lrc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZWRPV3hzTGwzbGVDVG51 - ZWYwVmM4d1BBVnozTGk4bG5abldVdW5tK0M4Cjl4b1N1STQyNHNGSFI3THlrZzAz - N2lzdmZ4YnNoV2RaeTNiTEhybjhFTnMKLS0tIDhIQW1QdHAxUFQ1YU9ZT2Jxd0tu - OFpNSU9nM1pHSG9SR0FmTERXMkFTV0UKAV1wVmoyNHiukTlElQRZVN3p7WBbYMNQ - Hx+2/3sA3nDE6XtMBRuHReGl6/SXoM6xN5944meMP2AriYblSorWfw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bjVmS1BIK2k5UFZBSnlv + UXNmKzBsNU4yUVgrS05ta0c2VloxME9rUEIwCkRYM3ozVDZxallXRDVpMXpXelQ3 + cWMxbzllYXYwQ3BaVWxHTS94czFWUUEKLS0tICtObVczWlVSYlc2a1dib2Z5YVRx + TVl1TFk1bW9mNEN1ZURQdXZpVDNPWmcK2n2SyP1Hu+kQqJ8Qegu67olwBnAd8Bpz + 2who1jOs6/y7JSuXFTLKTkr60atqpjMwHRJbzL/0/jkij0fyVwmgEw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ypq3n3e7gnwqddq5dgkdsfm0wqagrm5pl5tkunzp44lcezsllumqsjz0hz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTzZGMUQybitqcFpkcmFL + 
dnZXOGZCbTJMazZOM3FObXVSZGdpY0xCcTB3CmhnVDJ0OGxOVU1YZzV2Y05tV01r + aDBVcTdaSU5neUNMa3kxTkxiaTd6NTQKLS0tIEJVS2JpT2pQeGNuWTRvYUZCQ1Q1 + TWdOc0g3aEZRTTZCUXVVbCttWjNLcUkKUDAOEIGxztVtG+Y7hyZuedPTvCH25Nt2 + ECZpPN+QeMtwQ21eFC9v95RLrY97SV9TD5DgzZim06hgAcQq1ST2gg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-08-08T15:38:19Z" mac: ENC[AES256_GCM,data:IoqrJyCNad4/OFH6y24kYMwnkF3OWfsw77POg00btvw7FoPoaSJ76RySMs6hgWs202bDYSDi44OvbgCVeNPkhe9eyM0gwF0Gf0cE3wirc+qj2qfL9/lMOTZm02WymMglJf6xTcPo3BH00XryR7ptid9+WrB0S2aBVNlcXSBwpzY=,iv:aLI2SyUzWqp/4XFPhogq2vq/u47bs6Gmgc/PRMe+GmM=,tag:jVnW7EkqDRfQluGTiw0olA==,type:str] pgp: - - created_at: "2025-10-19T17:09:58Z" + - created_at: "2025-10-30T11:25:33Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAzwtBoBqH5ZOARAApJ6Ek/s3Ri9fGj0SpbUnYrqXQ7S2KA2sorVcqySH5K+d - Bro+YGdeFgIXgFWBBKIKkU0EA9mB+D04XQbWkmSvf7FfLYqQROlUvUGeOGIbnpA3 - yXbaqqz2ix7wIOfkgS+m1xYyigmgnU5aBr7Bq/9oPaAusBi9KKZD3gIjhAKvQY50 - g08Le2VTcYN0m2oC4QYPVspZiMl3h3b2xzBlZltglCJnATg0PQ4vj9X8DZr12s08 - KJZgTBWma2YNCQ/pXytVvA7k2sEXxmdh/7cNEtWoMmWC/x1gjnPVf2z/Ys6+uoHY - 2E2S+CFq/tFEk7pLXcUFmbQW09LRXSZSmgCDcH2uynWpCep+nSiKuUpzznhoqZNr - xljuh0tuDtmXVVfdmJonr//NzxYClEtqfrH5MYapLH2yPBE5v311/utogux9dBqd - OkGetGk8BYl2OgNJSNni0hYm0wxLyLdHDYmwyGSUEiZD5c3v8aHStDSv3rY0KQd4 - TP5J+e1G01jdrdl0YLQqAkiQsnI7lrWIwbX19C+/wT9t9q5PG0H8PuHD7SENUDm5 - FST45Wv4PAHNi53HnUTP7pHhSkVnMKKN/vqy1DolxMlEx5W7NrN3Fmw4GQGGAjPa - 30GSlti8H7sBfwR79sLK9KLY1XsaM9J9ldFvg0wQib8O3vhCM9lobWp3rUlIW6PS - XgFIqpUBa3KHz4pw5gpB9LQ98V+smo6ZgwKXy2YsFdi9bvTE3PhycEl67A5awo3C - mzOqESujdSjKpyaxbTGutA7Sfhhv8XBY/RBtcCdbGRXD7SJc3qGX0wUCz5K+y9k= - =3N1+ + hQIMAzwtBoBqH5ZOARAAqVknm2mmAFX7nYejdt0rla0inc3/3dnDzVgwoAmMplTH + eI+3Ri43KRz5ohNxKqC4OtalOLdPC4uYo6J+zTY13vkGqJKrryOhdpISv2CABop5 + sHtykv1Qce2mFFn/MBHi6k75E8lyBV5WkTKhKEAi8CFRF53XeQdVk4omBhp5O1q2 + gBO2jo5gR36fHo5xUxeEd1sHGpdYTeKA7YQa2NhuZkL7xoRww1/Olc6oah3wyNX9 + aQHjqYbtbbt9W0VirdHk5FYQb4y1I3HYnbfzOC8e74Ae1ioGwgcS7wLHIChaDPuC + 
mKjtk/L+nFW+cLMZFykPN6+OHX2zNoNxgWP0u9RHtVxBPqrZixfMcdAA+5Oyab0h + 7u4KKCBcRYpzW1kKXebLzXn56bpiySWVEjS+6JNUU7y4CgIK7iGYLVZTzkVpC2NA + Zva+bje3lEb6Emhu2HBoUtzEzk097BfOeQKCaep5hZHOzh8TombOQRBG1E7gGXDZ + HlQCOdCvJR73Xpl9vXBBSNyykUN6wPZtoJhbcRL/TtAA3wV+IhNJ2tNUxj8qaCVb + Q7zmNOU1OqcSBbXjIPs9zZGizA1mEKPGCwQULuztt7x83y9e1VK+EAs2hd7dc3V/ + va96T17jgcvknhneen2LBgbwbaQLYljnl2nAyPWVlhnXonReN1XwPG9VrSOGsQvS + XgHwxNiW3AtttmLDIC4pWfFuL81dHmtuGyUxQrkVVbH6Q7zKGkKyFDAGu5IkvCRj + 5TSuPUAkfITvdi8U2cgBcBfGUsah5hb1S1aFsNrgTxtvchENR/6lJu8/xatIrVE= + =xCKw -----END PGP MESSAGE----- fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 unencrypted_suffix: _unencrypted