expose home assistant over ts network

This commit is contained in:
Cyryl Płotnicki 2023-04-22 22:37:02 +01:00
parent 358af0b453
commit 843067ad77
5 changed files with 51 additions and 10 deletions


@ -1,8 +1,49 @@
{ config, pkgs, inputs, lib, ... }: { config, pkgs, inputs, lib, ... }:
let port = 8123; let
port = 8123;
path = "/data/nginx";
certPath = "${path}/cert.pem";
keyPath = "${path}/key.pem";
in { in {
imports = [ ./virtualisation.nix ]; imports = [ ../nginx.nix ./virtualisation.nix ];
networking.firewall.allowedTCPPorts = [ port ]; networking.firewall.allowedTCPPorts = [ port ];
services.nginx = {
virtualHosts = {
"bolty.raptor-carp.ts.net" = {
forceSSL = true;
enableACME = false;
locations."/" = {
proxyPass = "http://10.0.0.244:8123";
proxyWebsockets = true;
};
sslCertificateKey = keyPath;
sslCertificate = certPath;
};
};
};
systemd.services.nginx-tailscale-certs = {
script = ''
mkdir -p ${path}
cp -rv /var/lib/tailscale-certs/cert.pem ${certPath}
cp -rv /var/lib/tailscale-certs/key.pem ${keyPath}
chown -Rv nginx:nginx ${path}
'';
serviceConfig = {
Type = "oneshot";
ReloadPropagatedFrom = "tailscale-cert.service";
};
before = [ "nginx.service" ];
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"network-online.target"
"tailscaled.service"
"tailscale-cert.service"
];
wants = [ "tailscale-cert.service" ];
};
} }
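Review bot: The nginx-tailscale-certs script copies key.pem with plain `cp` and then fixes ownership with `chown -Rv`, but never pins the file mode, so the private key under ${path} ends up with whatever mode cp derives from the source file and the umask. Replacing the copy-plus-chown with `install -m 0600 -o nginx -g nginx /var/lib/tailscale-certs/key.pem ${keyPath}` and `install -m 0644 -o nginx -g nginx /var/lib/tailscale-certs/cert.pem ${certPath}` makes the permissions explicit and drops the recursive chown. Separately, `proxyPass` hardcodes `8123` while `port` is already bound in the let block; `proxyPass = "http://10.0.0.244:${toString port}";` keeps the firewall rule and the upstream from drifting. It also looks like nothing reloads nginx once this oneshot re-copies a renewed certificate — `ReloadPropagatedFrom` only forwards reloads into this unit, and a oneshot without an ExecReload has nothing to run on reload — so this is worth confirming against how tailscale-cert.service signals renewal.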


@ -11,6 +11,7 @@
address = [ "10.0.0.8/24" ]; address = [ "10.0.0.8/24" ];
gateway = [ "10.0.0.1" ]; gateway = [ "10.0.0.1" ];
DHCP = "no"; DHCP = "no";
dns = [ "100.100.100.100" "9.9.9.9" ];
}; };
systemd.network.networks."eth" = { systemd.network.networks."eth" = {
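Review bot: Listing 100.100.100.100 first in `dns` sends every lookup, not only tailnet names, to Tailscale's MagicDNS resolver before 9.9.9.9 is consulted, so public name resolution on this host now depends on the tailnet's DNS configuration and on tailscaled being up; when it is not, each query presumably waits for a resolver timeout before falling back. The same resolver list is added again to `networking.nameservers` in the last file of this commit, so the two declarations can drift apart. If the intent is only to resolve `*.ts.net` names, the split-DNS that tailscaled normally installs when MagicDNS is enabled should cover that without promoting it to the primary resolver — worth confirming against the tailscale module settings imported from ./tailscale.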


@ -6,10 +6,6 @@ let
certPath = "${basePath}/cert.pem"; certPath = "${basePath}/cert.pem";
in { in {
imports = [ ]; imports = [ ];
services.nginx.virtualHosts."${fqdn}" = {
sslCertificateKey = keyPath;
sslCertificate = certPath;
};
systemd.services.tailscale-cert-make-path = { systemd.services.tailscale-cert-make-path = {
script = '' script = ''


@ -72,8 +72,6 @@ let
}; };
}; };
in { in {
imports = [ ../nginx.nix ];
users = { users = {
users."${systemUserName}" = { users."${systemUserName}" = {
inherit uid; inherit uid;


@ -1,7 +1,12 @@
{ config, pkgs, ... }: { { config, pkgs, ... }: {
imports = [ ./server-security.nix ./tailscale ]; imports = [ ./server-security.nix ./tailscale ];
networking.nameservers = networking.nameservers = [
[ "9.9.9.9" "2620:fe::fe" "149.112.112.112" "2620:fe::9" ]; "100.100.100.100"
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
services.nscd = { services.nscd = {
enable = true; enable = true;
enableNsncd = true; enableNsncd = true;