From e95cec051f75f361af235a223e9cb7b3a2707faf Mon Sep 17 00:00:00 2001 From: arcnmx Date: Sat, 20 Jan 2024 15:33:51 -0800 Subject: [PATCH] fix(hakurei): access --- modules/nixos/kanidm.nix | 18 +++++------------- nixos/access/proxmox.nix | 21 +++++++++++++++++++-- nixos/access/zigbee2mqtt.nix | 8 +++++++- overlays/local/default.nix | 1 + overlays/local/snakeoil.nix | 30 ++++++++++++++++++++++++++++++ 5 files changed, 62 insertions(+), 16 deletions(-) create mode 100644 overlays/local/snakeoil.nix diff --git a/modules/nixos/kanidm.nix b/modules/nixos/kanidm.nix index 28dc9514..0114ad76 100644 --- a/modules/nixos/kanidm.nix +++ b/modules/nixos/kanidm.nix @@ -56,18 +56,10 @@ in { services.kanidm = { server.unencrypted.package = let - cert = pkgs.runCommand "kanidm-cert" { + cert = pkgs.mkSnakeOil { + name = "kanidm-cert"; inherit (cfg.server.unencrypted) domain; - nativeBuildInputs = [ pkgs.buildPackages.minica ]; - } '' - install -d $out - cd $out - minica \ - --ca-key ca.key.pem \ - --ca-cert ca.cert.pem \ - --domains $domain - cat $domain/cert.pem ca.cert.pem > $domain.pem - ''; + }; in mkOptionDefault cert; clientSettings = mkIf cfg.enableServer { uri = mkDefault cfg.serverSettings.origin; @@ -82,8 +74,8 @@ in { ); } (mkIf cfg.server.unencrypted.enable { - tls_chain = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}.pem"; - tls_key = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}/key.pem"; + tls_chain = "${cfg.server.unencrypted.package}/fullchain.pem"; + tls_key = "${cfg.server.unencrypted.package.key}/key.pem"; }) ]; }; diff --git a/nixos/access/proxmox.nix b/nixos/access/proxmox.nix index cd70c94a..8701ea29 100644 --- a/nixos/access/proxmox.nix +++ b/nixos/access/proxmox.nix 
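Review bot: In the second kanidm hunk, `tls_key = "${cfg.server.unencrypted.package.key}/key.pem"` points inside a file: the mkSnakeOil builder added in overlays/local/snakeoil.nix by this same patch runs `mv $domain/key.pem $key`, so the `key` output is the PEM file itself and `$out/key.pem` is merely a symlink to it, meaning kanidm will fail to open that path. Use `tls_key = "${cfg.server.unencrypted.package}/key.pem";` to mirror the `tls_chain` line above it; that form also keeps working when a user overrides `package` (it is only an `mkOptionDefault`) with a derivation that has no `key` output. Both hunks are inside the `services.kanidm` attribute set, which begins and ends outside the hunk. As before this change, the private key ends up in the world-readable Nix store, and a comment on the `unencrypted` option stating that would help anyone reaching for it.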
@@ -1,15 +1,29 @@ { config, lib, + pkgs, ... }: let inherit (lib.modules) mkIf mkDefault; inherit (lib.strings) escapeRegex; + inherit (lib.lists) singleton optional; + inherit (config.services) tailscale; proxyPass = "https://reisen.local.gensokyo.zone:8006/"; + unencrypted = pkgs.mkSnakeOil { + name = "prox-local-cert"; + domain = singleton "prox.local.${config.networking.domain}" + ++ optional tailscale.enable "prox.tail.${config.networking.domain}"; + }; + sslCertificate = unencrypted.fullchain; + sslCertificateKey = unencrypted.key; in { services.nginx.virtualHosts."prox.${config.networking.domain}" = { locations."/" = { extraConfig = '' + if ($http_x_forwarded_proto = http) { + return 302 https://$host$request_uri; + } + set $prox_prefix '''; include ${config.sops.secrets.access-proxmox.path}; if ($request_uri ~ "^/([^/]+).*") { @@ -24,7 +38,7 @@ in { if ($prox_prefix != $prox_expected) { return 501; } - if ($request_uri ~ "^/([^/]+)") { + if ($request_uri ~ "^/([^/]+)$") { rewrite /(.*) /prox/$1 last; } rewrite /[^/]+/(.*) /prox/$1; @@ -49,12 +63,15 @@ in { }; services.nginx.virtualHosts."prox.local.${config.networking.domain}" = { local.enable = mkDefault true; + forceSSL = mkDefault true; + inherit sslCertificate sslCertificateKey; locations."/" = { inherit proxyPass; }; }; - services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable { + services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf tailscale.enable { local.enable = mkDefault true; + inherit sslCertificate sslCertificateKey; locations."/" = { inherit proxyPass; }; diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix index 126259fd..75331c85 100644 --- a/nixos/access/zigbee2mqtt.nix +++ b/nixos/access/zigbee2mqtt.nix 
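Review bot: The `if ($http_x_forwarded_proto = http)` redirect added to the `prox.${config.networking.domain}` location only fires when an upstream proxy sets that header; a request that reaches this vhost directly, or one where the client itself sends `X-Forwarded-Proto: https` and the proxy does not overwrite it, is still served over plain HTTP. If this host is meant to be reachable only through a TLS-terminating proxy, restrict the listener (or the trust in that header) to the proxy-facing address; otherwise prefer `forceSSL = mkDefault true;` as the third hunk does for `prox.local`. `return 302` also turns POSTs into GETs, so `return 308 https://$host$request_uri;` is the safer choice for the Proxmox API paths proxied here. Note too that `prox.tail` in the third hunk receives the certificate but no `forceSSL`/`addSSL`, so unless `local.enable` configures an SSL listener the certificate is unused there.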
@@ -5,7 +5,7 @@ }: let inherit (lib.options) mkOption; - inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; + inherit (lib.modules) mkIf mkDefault mkOptionDefault; cfg = config.services.zigbee2mqtt; access = config.services.nginx.access.zigbee2mqtt; proxyPass = mkDefault "http://${access.host}:${toString access.port}"; @@ -51,6 +51,12 @@ in { inherit proxyPass extraConfig; }; }; + "z2m.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable { + local.enable = true; + locations."/" = { + inherit proxyPass extraConfig; + }; + }; }; }; } diff --git a/overlays/local/default.nix b/overlays/local/default.nix index fd8370a4..fb30f111 100644 --- a/overlays/local/default.nix +++ b/overlays/local/default.nix @@ -17,6 +17,7 @@ final: prev: { wezterm = final.callPackage ./wezterm { inherit (final.darwin.apple_sdk.frameworks) Cocoa CoreGraphics Foundation UserNotifications; }; + mkSnakeOil = final.callPackage ./snakeoil.nix { }; terraform-providers = prev.terraform-providers // { diff --git a/overlays/local/snakeoil.nix b/overlays/local/snakeoil.nix new file mode 100644 index 00000000..ddf47394 --- /dev/null +++ b/overlays/local/snakeoil.nix @@ -0,0 +1,30 @@ +{ + runCommand, + buildPackages, + lib, +}: let + inherit (lib.strings) concatStringsSep; + inherit (lib.lists) toList head; +in { domain, name }: runCommand name { + domains = concatStringsSep "," (toList domain); + domain = head (toList domain); + nativeBuildInputs = [ buildPackages.minica ]; + outputs = [ "out" "key" "cakey" "ca" "cert" "fullchain" ]; +} '' + install -d $out + minica \ + --ca-key ca.key.pem \ + --ca-cert ca.pem \ + --domains "$domains" + mv ca.pem $ca + mv ca.key.pem $cakey + mv $domain/cert.pem $cert + mv $domain/key.pem $key + cat $cert $ca > $fullchain + + ln -s $fullchain $out/fullchain.pem + ln -s $key $out/key.pem + ln -s $cakey $out/ca.key.pem + ln -s $cert $out/cert.pem + ln -s $ca $out/ca.pem +''
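Review bot: The new `z2m.tail.${config.networking.domain}` virtual host sets `local.enable = true;` as a hard value, whereas the equivalent `prox.tail` and `prox.local` hosts in nixos/access/proxmox.nix in this same patch use `local.enable = mkDefault true;`; a plain `true` cannot be overridden from another module without `mkForce`. Suggest `local.enable = mkDefault true;` here for consistency, since `mkDefault` is already imported in the first hunk. The enclosing `virtualHosts` attribute set begins before this hunk.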
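Review bot: snakeoil.nix writes both the leaf private key and the CA private key into store outputs (`mv $domain/key.pem $key`, `mv ca.key.pem $cakey`, each also symlinked from `$out`), so they are world-readable on every host that realises the derivation and would be uploaded to any binary cache the host pushes to; a header comment should say this explicitly, e.g. that the result is a throwaway certificate whose keys must be treated as public and is unsuitable for anything but local TLS between trusted components. Because minica generates fresh keys on each run, the output is also not reproducible: every rebuild yields a new CA, so anything that pinned the previous one stops trusting the host, and that deserves a note next to `outputs`. Adding `preferLocalBuild = true; allowSubstitutes = false;` to the runCommand attribute set keeps the keys from being fetched from or offered to a cache. A one-line comment that `head (toList domain)` throws on an empty list and that the first domain names the directory minica writes into would round out the file.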