From 7e96bea32a8012bdb6c5b37e8309f876fcf85848 Mon Sep 17 00:00:00 2001
From: Satria
Date: Sun, 1 Mar 2026 09:22:05 +0700
Subject: [PATCH] add proxy config
---
 flake.nix | 6 ++++-
 modules/system/homelab/dns.nix | 16 ++++++-------
 modules/system/homelab/proxy.nix | 40 ++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+), 10 deletions(-)
 create mode 100644 modules/system/homelab/proxy.nix
diff --git a/flake.nix b/flake.nix
index 83d52e2..bf79a3e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,8 @@
 url = "github:nix-community/home-manager/master";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-
+
+ sops.url = "github:Mic92/sops-nix";
 gl.url = "github:nix-community/nixGL";
 ctp.url = "github:catppuccin/nix";
 };
@@ -29,6 +30,8 @@
 specialArgs = args // { hostname = host; };
 modules = [
 ./hosts/${host}/config.nix
+ inputs.ctp.nixosModules.catppuccin
+ inputs.sops.nixosModules.sops
 ];
 };
 
@@ -38,6 +41,7 @@
 modules = [
 ./hosts/${host}/config.nix
 inputs.ctp.nixosModules.catppuccin
+ inputs.sops.nixosModules.sops
 inputs.hm.nixosModules.home-manager
 {
 home-manager = {
diff --git a/modules/system/homelab/dns.nix b/modules/system/homelab/dns.nix
index 1984e48..946d80c 100644
--- a/modules/system/homelab/dns.nix
+++ b/modules/system/homelab/dns.nix
@@ -1,10 +1,14 @@
-{ homelab, ... }: {
+{ homelab, username, ... }: {
 services.adguardhome = {
 enable = true;
- host = "0.0.0.0";
+ host = "127.0.0.1"; # bind web ui to localhost since we're using reverse proxy authentication
 port = 8088;
 mutableSettings = false;
 settings = {
+ # users = [{
+ # name = "${username}";
+ # password = "${username}";
+ # }];
 dns = {
 upstream_dns = [ "https://security.cloudflare-dns.com/dns-query" ];
 bootstrap_dns = [ "1.1.1.2" "1.0.0.2" ];
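Review bot: The new `sops.url` input is not pinned to the flake's own nixpkgs, unlike the `hm` input immediately above it which carries `inputs.nixpkgs.follows = "nixpkgs";`; if sops-nix declares its own `nixpkgs` input (it does, as far as I know), that input gets locked separately and evaluated as a second nixpkgs tree. Add `sops.inputs.nixpkgs.follows = "nixpkgs";` directly after the `sops.url` line so the sops-nix module is built against the same pin as everything else. The blank-line swap (`-` then `+`) at the top of the hunk looks like a trailing-whitespace cleanup and needs nothing.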
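Review bot: `username` is added to the module's argument set but is only referenced inside the commented-out `users` block, so it is an unused parameter; either drop it from `{ homelab, username, ... }` or land the block for real. If that block is ever uncommented as written it puts a credential equal to the account name as a literal in a module that ends up in the world-readable Nix store (and I believe AdGuard Home expects a bcrypt hash in `password`, not plaintext), which is precisely what the sops-nix module this same commit wires into flake.nix is meant to avoid. The `host = "127.0.0.1"` change takes the web UI off the network, but because authentication now lives in the reverse proxy, the UI itself remains unauthenticated for anything already running on the host that can reach `127.0.0.1:8088`, assuming no `users` entry exists elsewhere in `settings`; the comment should say so, e.g. `# web ui on loopback only; authentication is enforced by the nginx reverse proxy, AdGuard itself has no users configured`.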
@@ -20,13 +24,7 @@
 parental_enabled = true;
 rewrites_enabled = true;
 filtering_enabled = true;
- safe_search = {
- enabled = true;
- youtube = true;
- google = true;
- bing = true;
- duckduckgo = true;
- };
+ safe_search.enabled = true;
 rewrites = map (e: { enabled = true; domain = builtins.elemAt e 0; answer = builtins.elemAt e 1; }) [
 [ "router.dns.${homelab.domain}" "10.3.14.1" ]
 [ "main.dns.${homelab.domain}" "10.3.14.42" ]
diff --git a/modules/system/homelab/proxy.nix b/modules/system/homelab/proxy.nix
new file mode 100644
index 0000000..bceb11d
--- /dev/null
+++ b/modules/system/homelab/proxy.nix
@@ -0,0 +1,40 @@
+{ homelab, ... }: let
+ base = "proxy.${homelab.domain}";
+ proxyMappings = {
+ "dns" = { dest = "http://localhost:8088"; auth = true; };
+ };
+in {
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@${homelab.domain}";
+ certs."${base}" = {
+ domain = "*.${base}";
+ extraDomainNames = [ base ];
+ dnsProvider = "cloudflare";
+ environmentFile = "/var/lib/acme/cloudflare.env";
+ # ^^^contents: CLOUDFLARE_DNS_API_TOKEN=XXXXX
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = builtins.mapAttrs (subdomain: cfg: {
+ forceSSL = true;
+ useACMEHost = base;
+
+ locations."/" = {
+ proxyPass = cfg.dest;
+ proxyWebsockets = true;
+ basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ }) proxyMappings;
+ };
+}
\ No newline at end of file
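Review bot: `proxyPass` targets `http://localhost:8088` while the AdGuard UI is bound to `127.0.0.1` in this same commit; on a host where `localhost` also resolves to `::1`, nginx resolves both addresses at startup and some requests will first be sent to the unbound IPv6 address and only fail over after an upstream error, so use `dest = "http://127.0.0.1:8088"` to match the bind exactly. The three `proxy_set_header` lines in `extraConfig` duplicate the `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` headers that `recommendedProxySettings = true` already emits, so that block can be removed. Both credential files, `/var/lib/nginx/.htpasswd` and `/var/lib/acme/cloudflare.env`, are expected to be hand-placed with no owner or mode declared anywhere, even though this commit adds sops-nix to the flake; declaring them as `sops.secrets` with `owner = "nginx"` and `owner = "acme"` respectively and pointing `basicAuthFile` and `environmentFile` at their `.path` would make the host reproducible and keep the Cloudflare token out of an ad-hoc file that only the `# ^^^contents:` comment describes. The file also lacks a trailing newline.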