add proxy config

2026-03-01 09:22:05 +07:00 · 2026-03-01 09:22:05 +07:00 · 7e96bea32a
commit 7e96bea32a
parent ed86cd0917
3 changed files with 52 additions and 10 deletions
--- a/modules/system/homelab/dns.nix
+++ b/modules/system/homelab/dns.nix
@ -1,10 +1,14 @@
-{ homelab, ... }: {
+{ homelab, username, ... }: {
  services.adguardhome = {
    enable = true;
-    host = "0.0.0.0";
+    host = "127.0.0.1"; # bind web ui to localhost since we're using reverse proxy authentication
    port = 8088;
    mutableSettings = false;
    settings = {
+      # users = [{
+      #   name = "${username}";
+      #   password = "${username}";
+      # }];
      dns = {
        upstream_dns = [ "https://security.cloudflare-dns.com/dns-query" ];
        bootstrap_dns = [ "1.1.1.2" "1.0.0.2" ];
@ -20,13 +24,7 @@
        parental_enabled = true;
        rewrites_enabled = true;
        filtering_enabled = true;
-        safe_search = {
-          enabled = true;
-          youtube = true;
-          google = true;
-          bing = true;
-          duckduckgo = true;
-        };
+        safe_search.enabled = true;
        rewrites = map (e: { enabled = true; domain = builtins.elemAt e 0; answer = builtins.elemAt e 1; }) [
          [ "router.dns.${homelab.domain}"     "10.3.14.1"                  ]
          [ "main.dns.${homelab.domain}"       "10.3.14.42"                 ]
--- a/modules/system/homelab/proxy.nix
+++ b/modules/system/homelab/proxy.nix
@ -0,0 +1,40 @@
+{ homelab, ... }: let
+  base = "proxy.${homelab.domain}";
+  proxyMappings = {
+    "dns"     = { dest = "http://localhost:8088"; auth = true; };
+  };
+in {
+  users.users.nginx.extraGroups = [ "acme" ];
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${homelab.domain}";
+    certs."${base}" = {
+      domain = "*.${base}";
+      extraDomainNames = [ base ];
+      dnsProvider = "cloudflare";
+      environmentFile = "/var/lib/acme/cloudflare.env";
+      # ^^^contents: CLOUDFLARE_DNS_API_TOKEN=XXXXX
+    };
+  };
+  
+  services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = builtins.mapAttrs (subdomain: cfg: {
+        forceSSL = true;
+        useACMEHost = base;
+        
+        locations."/" = {
+          proxyPass = cfg.dest;
+          proxyWebsockets = true;
+          basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
+          extraConfig = ''
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+      }) proxyMappings;
+    };
+}