Add nginx & certbot

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-05 11:27:05 +00:00
parent 4354a2149b
commit b0bc3b5184
7 changed files with 258 additions and 2 deletions
--- a/hosts/jupiter/users/nick/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/nick/configs/console/podman/default.nix
@@ -0,0 +1,26 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { config, pkgs, ... }:
 let
  hmConfig = config.home-manager.users.${user};
 in
 {
  home-manager.users.${user}.sops = {
    secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
    templates."containers-auth.json" = {
      content = builtins.readFile (
        (pkgs.formats.json { }).generate "auth.json" {
          auths = {
            "docker.io" = {
              auth = hmConfig.sops.placeholder."registry/docker.io";
            };
          };
        }
      );
      path = "${home}/.config/containers/auth.json";
    };
  };
 }
--- a/hosts/jupiter/users/nick/default.nix
+++ b/hosts/jupiter/users/nick/default.nix
@@ -31,6 +31,8 @@ in
    (import ../../../common/configs/user/console/wget { inherit user home; })
    (import ../../../common/configs/user/console/xdg { inherit user home; })
    (import ../../../common/configs/user/console/zsh { inherit user home; })
    (import ./configs/console/podman { inherit user home; })
  ];
  # echo "password" | mkpasswd -s
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -0,0 +1,36 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { config, pkgs, ... }:
 let
  hmConfig = config.home-manager.users.${user};
 in
 {
  imports = [
    (import ./nginx { inherit user home; })
  ];
  home-manager.users.${user} = {
    virtualisation.quadlet = {
      autoUpdate.enable = true;
    };
    sops = {
      secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
      templates."containers-auth.json" = {
        content = builtins.readFile (
          (pkgs.formats.json { }).generate "auth.json" {
            auths = {
              "docker.io" = {
                auth = hmConfig.sops.placeholder."registry/docker.io";
              };
            };
          }
        );
        path = "${home}/.config/containers/auth.json";
      };
    };
  };
 }
--- a/hosts/jupiter/users/storm/configs/console/podman/nginx/certbot.sh
+++ b/hosts/jupiter/users/storm/configs/console/podman/nginx/certbot.sh
@@ -0,0 +1,7 @@
 #!/bin/sh
 if [ ! -d "/etc/letsencrypt/live/karaolidis.com" ]; then
  certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d karaolidis.com -d '*.karaolidis.com' -d krlds.com -d '*.krlds.com' --non-interactive --agree-tos --email nick@karaolidis.com
 else
  certbot renew --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
 fi
--- a/hosts/jupiter/users/storm/configs/console/podman/nginx/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/nginx/default.nix
@@ -0,0 +1,93 @@
 {
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
 { config, pkgs, ... }:
 let
  hmConfig = config.home-manager.users.${user};
  inherit (hmConfig.virtualisation.quadlet) networks volumes containers;
 in
 {
  boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  home-manager.users.${user} = {
    sops = {
      secrets."cloudflare/certbot".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
      templates."cloudflare.ini".content = ''
        dns_cloudflare_api_token = ${hmConfig.sops.placeholder."cloudflare/certbot"}
      '';
    };
    virtualisation.quadlet = {
      networks.nginx.networkConfig = {
        subnets = [ "10.89.0.0/16" ];
        gateways = [ "10.89.0.1" ];
      };
      volumes = {
        nginx-log.volumeConfig = { };
        nginx-cache.volumeConfig = { };
        letsencrypt.volumeConfig = { };
      };
      containers = {
        certbot = {
          containerConfig = {
            autoUpdate = "registry";
            image = "docker.io/certbot/dns-cloudflare";
            volumes = [
              "${volumes.letsencrypt.ref}:/etc/letsencrypt"
              "${hmConfig.sops.templates."cloudflare.ini".path}:/etc/letsencrypt/cloudflare.ini:ro"
              "${./certbot.sh}:/entrypoint.sh:ro"
            ];
            entrypoint = "/entrypoint.sh";
          };
          serviceConfig = {
            Type = "oneshot";
            Restart = "on-failure";
          };
          unitConfig = {
            Wants = [ "network-online.target" ];
            After = [
              "network-online.target"
              "sops-nix.service"
            ];
          };
        };
        nginx.containerConfig = {
          autoUpdate = "registry";
          image = "docker.io/library/nginx:latest";
          networks = [ networks.nginx.ref ];
          publishPorts = [
            "80"
            "443"
          ];
          volumes = [
            "${./nginx.conf}:/etc/nginx/nginx.conf:ro"
            "${volumes.nginx-log.ref}:/var/log/nginx"
            "${volumes.nginx-cache.ref}:/var/run/nginx/cache"
            "${volumes.letsencrypt.ref}:/etc/letsencrypt:ro"
          ];
        };
      };
    };
    systemd.user.timers.${containers.certbot._serviceName} = {
      Timer = {
        OnBootSec = "5min";
        OnUnitActiveSec = "12h";
        Persistent = true;
      };
      Install.WantedBy = [ "timers.target" ];
    };
  };
 }
--- a/hosts/jupiter/users/storm/configs/console/podman/nginx/nginx.conf
+++ b/hosts/jupiter/users/storm/configs/console/podman/nginx/nginx.conf
@@ -0,0 +1,73 @@
 include /etc/nginx/modules/*.conf;
 worker_processes auto;
 pcre_jit on;
 error_log stderr;
 pid /run/nginx.pid;
 events {
    worker_connections 1024;
 }
 http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    resolver 10.89.0.1 valid=30s;
    server_tokens off;
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    client_max_body_size 0;
    client_body_buffer_size 128k;
    large_client_header_buffers 4 16k;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;
    keepalive_timeout 30;
    send_timeout 5m;
    types_hash_max_size 2048;
    variables_hash_max_size 2048;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types
        text/plain
        text/css
        text/javascript
        text/xml
        application/json
        application/x-javascript
        application/xml
        application/xml+rss
        font/eot
        font/otf
        font/ttf
        image/svg+xml;
    gzip_min_length 256;
    proxy_cache_path /var/run/nginx/cache
                     levels=1:2
                     keys_zone=auth_cache:50m
                     keys_zone=default_cache:100m
                     max_size=10g
                     inactive=60m
                     use_temp_path=off;
    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 1;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    include /etc/nginx/conf.d/*.conf;
 }
--- a/hosts/jupiter/users/storm/default.nix
+++ b/hosts/jupiter/users/storm/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -10,18 +10,37 @@ in
    ../../../common/configs/user/options.nix
    (import ../../../common/configs/user/console/home-manager { inherit user home; })
    (import ../../../common/configs/user/console/neovim { inherit user home; })
    (import ../../../common/configs/user/console/podman { inherit user home; })
    (import ../../../common/configs/user/console/sops { inherit user home; })
    (import ../../../common/configs/user/console/tmux { inherit user home; })
    (import ../../../common/configs/user/console/zsh { inherit user home; })
    (import ./configs/console/podman { inherit user home; })
  ];
  # echo "password" | mkpasswd -s
  sops.secrets."${user}-password" = {
    sopsFile = ../../../../secrets/personal/secrets.yaml;
    key = "password";
    neededForUsers = true;
  };
  users.users.${user} = {
    inherit home;
    createHome = true;
    isSystemUser = true;
    createHome = true;
    description = "Container Runner";
    hashedPasswordFile = config.sops.secrets."${user}-password".path;
    extraGroups = [ "wheel" ];
    linger = true;
    uid = lib.strings.toInt (builtins.readFile ./uid);
    group = user;
    autoSubUidGidRange = true;
    useDefaultShell = true;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
    ];
  };
  users.groups.${user}.gid = lib.strings.toInt (builtins.readFile ./uid);