diff --git a/hosts/freun-dev/configuration.nix b/hosts/freun-dev/configuration.nix
index df62907..9303c2c 100644
--- a/hosts/freun-dev/configuration.nix
+++ b/hosts/freun-dev/configuration.nix
@@ -36,14 +36,26 @@ in
 networking.useDHCP = false;
 networking.nftables.enable = true;
- services.octodns.records."" = {
- A = {
- ttl = 86400;
- values = [ ipv4Address ];
+ services.octodns.records = {
+ "" = {
+ A = {
+ ttl = 86400;
+ values = [ ipv4Address ];
+ };
+ AAAA = {
+ ttl = 86400;
+ values = [ ipv6Address ];
+ };
 };
- AAAA = {
- ttl = 86400;
- values = [ ipv6Address ];
+ "ts" = {
+ A = {
+ ttl = 86400;
+ values = [ "100.84.105.63" ];
+ };
+ AAAA = {
+ ttl = 86400;
+ values = [ "fd7a:115c:a1e0::7901:693f" ];
+ };
 };
 };
diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix
index b53bc01..1e3e2ef 100644
--- a/hosts/freun-dev/secrets.nix
+++ b/hosts/freun-dev/secrets.nix
@@ -26,6 +26,7 @@
 "mosquitto/mokkimaatti"
 "gitlab-runner/default"
 "gitlab-runner/docker"
+ "hetzner"
 ]
 )
 // {
diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix
index f1cdbce..96ae7d8 100644
--- a/hosts/freun-dev/services.nix
+++ b/hosts/freun-dev/services.nix
@@ -19,6 +19,7 @@ in
 {
 virtualisation.podman.enable = true;
 virtualisation.oci-containers.backend = "podman";
+ security.acme.defaults.environmentFile = secrets.hetzner.path;
 modules.storageBoxMounts = {
 ${immichDataDir} = {
@@ -387,12 +388,17 @@ in
 enable = true;
 subdomain = "ledger";
 stateDir = "${syncthingDataDir}/ledger";
- basicAuthFile = secrets.hledger-basic-auth.path;
 user = config.systemd.services.syncthing.serviceConfig.User;
 group = config.systemd.services.syncthing.serviceConfig.Group;
+ extraOptions = [ "--forecast" ];
 journalFiles = [ "main.ldg" ];
 };
+
+ webserver = {
+ acme.dnsChallenge = true;
+ tailscaleAuth.expectedTailnet = "tempel-vibes.ts.net";
+ };
 };
 }
diff --git a/modules/services/hledger-web.nix b/modules/services/hledger-web.nix
index bdec1c0..607af93 100644
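Review bot: The `ts` record hard-codes `100.84.105.63` and `fd7a:115c:a1e0::7901:693f` as literals, while the sibling `""` record reads `ipv4Address`/`ipv6Address` from the enclosing `let` (which starts before this hunk); the tailnet addresses belong in named bindings beside them, e.g. `tailscaleIpv4Address = "100.84.105.63";` consumed as `values = [ tailscaleIpv4Address ];`. Because `modules/services/webserver.nix` in this same commit CNAMEs every `tailscaleAuth` vhost to `ts.<domain>`, a stale value here — the node being re-registered and handed new tailnet addresses — would silently steer those names to whichever peer later holds the old address, and nothing in this diff would notice. A short comment stating where the values come from and when they must be refreshed would at least make that dependency visible.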
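Review bot: `security.acme.defaults.environmentFile = secrets.hetzner.path;` hands the DNS-provider credential to the renewal unit of every certificate on this host, although only the `webserver` block further down in this file opts into `acme.dnsChallenge`; if the webserver module can attach the environment file per certificate, scoping it to the DNS-challenge certs keeps a credential that can rewrite zone records out of the HTTP-01 renewals that never need it. How `acme.dnsChallenge` maps onto `security.acme` is not visible in this diff, so `defaults` may already be the narrowest hook available. Either way a one-line comment on the new line, e.g. `# DNS-provider credentials for the dnsChallenge certs; zone-wide, so keep the scope tight`, would record why the secret is wired here.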
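Review bot: Dropping `basicAuthFile = secrets.hledger-basic-auth.path;` removes the only consumer of that secret visible in this diff, yet `"hledger-basic-auth.age"` stays declared in `secrets/secrets.nix` (a context line of the last hunk) and is presumably still listed in this host's `secrets.nix`, so a credential nothing uses keeps being decrypted onto the machine. Retiring the secret in the same commit, or stating in the commit message why it is kept, avoids an orphaned credential. The attribute set receiving `extraOptions = [ "--forecast" ];` opens before this hunk, so I cannot confirm it is the same `services.hledger-web.extraOptions` list the module in this commit appends `--exchange=€` to; if it is, the two lists merge, which looks intended.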
--- a/modules/services/hledger-web.nix
+++ b/modules/services/hledger-web.nix
@@ -8,9 +8,6 @@ in
 subdomain = lib.mkOption {
 type = lib.types.str;
 };
- basicAuthFile = lib.mkOption {
- type = lib.types.path;
- };
 user = lib.mkOption {
 type = lib.types.str;
 };
@@ -24,13 +21,45 @@ in
 hledger-web = {
 allow = lib.mkDefault "edit";
 baseUrl = "https://${fqdn}";
+ serveApi = true;
+ extraOptions = [
+ "--exchange=€"
+ ];
 };
 webserver = {
 enable = lib.mkDefault true;
- vHosts.${fqdn}.locations."/" = {
- proxyPort = cfg.port;
- basicAuthFile = cfg.basicAuthFile;
+ vHosts.${fqdn} = {
+ tailscaleAuth = true;
+ extraConfig = ''
+ root /var/www/ledgio;
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT' always;
+ add_header Access-Control-Allow-Headers 'Content-Type' always;
+
+ location ~ \.(html|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+ try_files $uri =404;
+ }
+ '';
+
+ locations = {
+ "@api" = {
+ proxyPort = cfg.port;
+ };
+
+ "/".extraConfig = ''
+ if ($request_method = OPTIONS) {
+ add_header Content-Type text/plain;
+ add_header Content-Length 0;
+ add_header Access-Control-Allow-Origin $http_origin;
+ add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT';
+ add_header Access-Control-Allow-Headers 'Content-Type';
+ return 204;
+ }
+
+ try_files $uri $uri/ @api;
+ '';
+ };
 };
 };
 };
diff --git a/modules/services/webserver.nix b/modules/services/webserver.nix
index 5464539..c7967cc 100644
--- a/modules/services/webserver.nix
+++ b/modules/services/webserver.nix
@@ -37,6 +37,10 @@ let
 type = lib.types.bool;
 default = false;
 };
+ extraConfig = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ };
 };
 };
 };
@@ -59,6 +63,10 @@ in
 type = lib.types.attrsOf types.vhost;
 default = { };
 };
+ tailscaleAuth.expectedTailnet = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ };
 };
 config = lib.mkIf cfg.enable {
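Review bot: `add_header Access-Control-Allow-Origin $http_origin always;` (and its copy inside the `OPTIONS` branch of `"/".extraConfig`) reflects whatever Origin the browser sends, and together with `Access-Control-Allow-Methods 'OPTIONS, GET, PUT'` it lets any web page open in a tailnet member's browser read and write this ledger through the API: as far as I can tell `tailscaleAuth` identifies the client by its tailnet address rather than a cookie, so a cross-origin request arrives as authenticated as a first-party one, and `allow = lib.mkDefault "edit"` with `serveApi = true` means the PUT is honoured. Since the front end is served from this same vhost (`root /var/www/ledgio;`), the CORS headers can only be there for a separate development origin; pin them to that origin instead of echoing `$http_origin`, e.g. `add_header Access-Control-Allow-Origin "https://${fqdn}" always;` in both places, or a `map $http_origin` allow-list plus `add_header Vary Origin always;`. If no cross-origin caller exists any more, deleting the three `add_header` lines and the whole `if ($request_method = OPTIONS)` block is the simpler and safer fix. A comment above the headers naming the origin they exist for would stop the next reader from widening them again.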
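Review bot: The new `extraConfig` vhost option has no `description`; its siblings lack one too, but this option splices raw nginx directives into the generated server block after the module's own `proxy_buffering`/`charset` lines (hunk `@@ -88`), and a caller cannot otherwise tell whether it lands at server or location level, which changes how directives such as `add_header` are inherited. Something like `description = "Extra nginx directives appended verbatim to this vhost's server block, after the module's defaults.";` would settle that.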
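Review bot: `tailscaleAuth.expectedTailnet` defaults to `""` and is forwarded unchanged to `services.tailscaleAuth.expectedTailnet` (hunk `@@ -75`), so a host that enables `tailscaleAuth` on a vhost without setting it inherits whatever the upstream auth service does with an empty tailnet; if that means the tailnet check is skipped, nodes shared into the tailnet from elsewhere would pass the same gate as members. Since `freun-dev` has to set the value by hand in this commit anyway, consider dropping the default so evaluation fails when it is forgotten, or adding an assertion along the lines of `{ assertion = tailscaleAuthVhosts == [ ] || cfg.tailscaleAuth.expectedTailnet != ""; message = "<set expectedTailnet when any vhost uses tailscaleAuth>"; }`. A `description` stating which tailnet name is expected (the `*.ts.net` form used in services.nix) would help as well.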
@@ -75,11 +83,17 @@ in
 tailscaleAuth = {
 enable = (lib.length tailscaleAuthVhosts) > 0;
 virtualHosts = tailscaleAuthVhosts;
+ expectedTailnet = cfg.tailscaleAuth.expectedTailnet;
 };
 virtualHosts = lib.mapAttrs (
 _:
- { proxyBuffering, locations, ... }:
+ {
+ proxyBuffering,
+ locations,
+ extraConfig,
+ ...
+ }:
 {
 forceSSL = true;
 enableACME = true;
@@ -88,6 +102,7 @@ in
 extraConfig = lib.concatLines [
 (lib.optionalString (!proxyBuffering) "proxy_buffering off;")
 "charset utf-8;"
+ extraConfig
 ];
 locations = lib.mapAttrs (
 _:
@@ -115,12 +130,17 @@ in
 };
 octodns.records = lib.filterAttrs (name: _: name != config.networking.domain) (
- lib.mapAttrs' (fqdn: _: {
- name = lib.removeSuffix ".${config.networking.domain}" fqdn;
- value = {
- CNAME.toRoot = true;
- };
- }) cfg.vHosts
+ lib.mapAttrs' (
+ fqdn:
+ { tailscaleAuth, ... }:
+ {
+ name = lib.removeSuffix ".${config.networking.domain}" fqdn;
+ value = {
+ CNAME =
+ if tailscaleAuth then { target = "ts.${config.networking.domain}."; } else { toRoot = true; };
+ };
+ }
+ ) cfg.vHosts
 );
 };
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6b292b7..30f7836 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -36,6 +36,9 @@ in
 "mosquitto/mokkimaatti.age".publicKeys = users ++ [ freun-dev ];
 "gitlab-runner/default.age".publicKeys = users ++ [ freun-dev ];
 "gitlab-runner/docker.age".publicKeys = users ++ [ freun-dev ];
- "hetzner.age".publicKeys = users ++ [ apu ];
+ "hetzner.age".publicKeys = users ++ [
+ apu
+ freun-dev
+ ];
 "hledger-basic-auth.age".publicKeys = users ++ [ freun-dev ];
 }
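Review bot: Pointing a `tailscaleAuth` vhost's CNAME at `ts.${config.networking.domain}.` makes the name resolve to a tailnet-only address, so that vhost's certificate can no longer be obtained by HTTP-01, yet the module still sets `enableACME = true;` for every vhost (hunk `@@ -75`) and relies on the host to also set `acme.dnsChallenge`, as `hosts/freun-dev/services.nix` does in this commit. Deriving the DNS challenge from `tailscaleAuth` inside the module, or asserting that a `tailscaleAuth` vhost has it enabled, would prevent a renewal outage on the next host that forgets the second knob; the implementation of `acme.dnsChallenge` is not visible here, so the exact hook may differ. The `ts` target is also a bare string duplicated from the literal `"ts"` record key in `hosts/freun-dev/configuration.nix`, so a comment such as `# must match the "ts" octodns record published by the host` on the `target` line would document the coupling.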
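Review bot: Re-encrypting `hetzner.age` to `freun-dev` as well as `apu` puts one DNS-provider credential on two hosts, so a compromise of either exposes whatever that token can do to the zone and a rotation must touch both machines. If the provider can issue more than one token, a per-host secret (e.g. `hetzner-freun-dev.age`, name constructed) keeps the blast radius to one machine; if a single token is all that is available, a comment on the entry saying so saves the next reader from re-deriving it.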