satr14/nix-flake
1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add proxy config

Browse source
This commit is contained in:
Satria 2026-03-01 09:22:05 +07:00
commit 7e96bea32a
3 changed files with 52 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

4
flake.nix
View file

@ -7,6 +7,7 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops.url = "github:Mic92/sops-nix";
gl.url = "github:nix-community/nixGL"; gl.url = "github:nix-community/nixGL";
ctp.url = "github:catppuccin/nix"; ctp.url = "github:catppuccin/nix";
}; };
@ -29,6 +30,8 @@
specialArgs = args // { hostname = host; }; specialArgs = args // { hostname = host; };
modules = [ modules = [
./hosts/${host}/config.nix ./hosts/${host}/config.nix
inputs.ctp.nixosModules.catppuccin
inputs.sops.nixosModules.sops
]; ];
}; };
@ -38,6 +41,7 @@
modules = [ modules = [
./hosts/${host}/config.nix ./hosts/${host}/config.nix
inputs.ctp.nixosModules.catppuccin inputs.ctp.nixosModules.catppuccin
inputs.sops.nixosModules.sops
inputs.hm.nixosModules.home-manager inputs.hm.nixosModules.home-manager
{ {
home-manager = { home-manager = {

16
modules/system/homelab/dns.nix
View file

@ -1,10 +1,14 @@
{ homelab, ... }: { { homelab, username, ... }: {
services.adguardhome = { services.adguardhome = {
enable = true; enable = true;
host = "0.0.0.0"; host = "127.0.0.1"; # bind web ui to localhost since we're using reverse proxy authentication
port = 8088; port = 8088;
mutableSettings = false; mutableSettings = false;
settings = { settings = {
# users = [{
# name = "${username}";
# password = "${username}";
# }];
dns = { dns = {
upstream_dns = [ "https://security.cloudflare-dns.com/dns-query" ]; upstream_dns = [ "https://security.cloudflare-dns.com/dns-query" ];
bootstrap_dns = [ "1.1.1.2" "1.0.0.2" ]; bootstrap_dns = [ "1.1.1.2" "1.0.0.2" ];
@ -20,13 +24,7 @@
parental_enabled = true; parental_enabled = true;
rewrites_enabled = true; rewrites_enabled = true;
filtering_enabled = true; filtering_enabled = true;
safe_search = { safe_search.enabled = true;
enabled = true;
youtube = true;
google = true;
bing = true;
duckduckgo = true;
};
rewrites = map (e: { enabled = true; domain = builtins.elemAt e 0; answer = builtins.elemAt e 1; }) [ rewrites = map (e: { enabled = true; domain = builtins.elemAt e 0; answer = builtins.elemAt e 1; }) [
[ "router.dns.${homelab.domain}" "10.3.14.1" ] [ "router.dns.${homelab.domain}" "10.3.14.1" ]
[ "main.dns.${homelab.domain}" "10.3.14.42" ] [ "main.dns.${homelab.domain}" "10.3.14.42" ]

40
modules/system/homelab/proxy.nix Normal file
View file

@ -0,0 +1,40 @@
{ homelab, ... }: let
base = "proxy.${homelab.domain}";
proxyMappings = {
"dns" = { dest = "http://localhost:8088"; auth = true; };
};
in {
users.users.nginx.extraGroups = [ "acme" ];
security.acme = {
acceptTerms = true;
defaults.email = "admin@${homelab.domain}";
certs."${base}" = {
domain = "*.${base}";
extraDomainNames = [ base ];
dnsProvider = "cloudflare";
environmentFile = "/var/lib/acme/cloudflare.env";
# ^^^contents: CLOUDFLARE_DNS_API_TOKEN=XXXXX
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = builtins.mapAttrs (subdomain: cfg: {
forceSSL = true;
useACMEHost = base;
locations."/" = {
proxyPass = cfg.dest;
proxyWebsockets = true;
basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
}) proxyMappings;
};
}