diff --git a/flake.nix b/flake.nix index 1ecc950..76b1cc9 100644 --- a/flake.nix +++ b/flake.nix @@ -27,7 +27,7 @@ }; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nur, ... }@inputs: + outputs = { nixpkgs, nixpkgs-unstable, nur, ... }@inputs: let mkPkgs = system: import nixpkgs { inherit system; diff --git a/system/machines/server/modules/frigate/default.nix b/system/machines/server/modules/frigate/default.nix index 402cfcc..e067de0 100644 --- a/system/machines/server/modules/frigate/default.nix +++ b/system/machines/server/modules/frigate/default.nix @@ -7,7 +7,6 @@ let domain = "ramos.codes"; user = config.sops.placeholder."RTSP_USER"; pass = config.sops.placeholder."RTSP_PASS"; - privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;"; in { @@ -240,13 +239,9 @@ in services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable { useACMEHost = domain; forceSSL = true; - locations."/" = { - extraConfig = privateAccessRules; - }; locations."/go2rtc/" = { proxyPass = "http://127.0.0.1:1984/"; proxyWebsockets = true; - extraConfig = privateAccessRules; }; }; diff --git a/system/machines/server/modules/immich/default.nix b/system/machines/server/modules/immich/default.nix index f38e079..031336d 100644 --- a/system/machines/server/modules/immich/default.nix +++ b/system/machines/server/modules/immich/default.nix @@ -6,7 +6,6 @@ let nginx = config.modules.system.nginx; domain = "ramos.codes"; port = 2283; - privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;"; in { @@ -52,7 +51,6 @@ in locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; - extraConfig = privateAccessRules; }; }; }; diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix index ca4fbf0..44ad00f 100644 --- a/system/machines/server/modules/nginx/default.nix 
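Review bot: Dropping `extraConfig = privateAccessRules;` from `locations."/go2rtc/"` leaves the go2rtc proxy on `frigate.ramos.codes` reachable by any client that can reach the vhost, and nothing in this hunk puts another check in its place. No authentication for go2rtc's API and streams is visible here, so if the vhost is internet-facing (the ACME certificate suggests it is) the camera streams become public. If the rules had to go because the client address is no longer usable for allow/deny, the location should at least get `auth_basic "go2rtc";` with a sops-managed `auth_basic_user_file`, or go2rtc's own credentials enabled, until source-address checks work again. The `services.nginx.virtualHosts` attribute set continues past the end of the hunk.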
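Review bot: With `extraConfig = privateAccessRules;` removed from `locations."/"`, the only thing between the internet and the Immich instance on port 2283 is Immich's own login, which this hunk does not mention. That may be intentional, but it is a different trust model from the one the removed rules encoded, so the vhost deserves a comment saying so, e.g. `# Intentionally public: access control is Immich's own authentication.` If it was not intentional, keep the vhost private by another means until source addresses are usable again. The enclosing vhost definition begins before the hunk.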
+++ b/system/machines/server/modules/nginx/default.nix @@ -4,23 +4,11 @@ with lib; let cfg = config.modules.system.nginx; domain = "ramos.codes"; - privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") cfg.privateAllowCidrs + "\ndeny all;"; in { options.modules.system.nginx = { enable = mkEnableOption "Nginx Reverse Proxy"; - - privateAllowCidrs = mkOption { - type = types.listOf types.str; - default = [ - "192.168.0.0/24" - "10.8.0.0/24" - ]; - description = '' - CIDR ranges allowed to access private vhosts (LAN + WireGuard). - ''; - }; }; config = mkIf cfg.enable { @@ -40,12 +28,25 @@ in }; }; + services.sslh = { + enable = true; + listenAddresses = [ "0.0.0.0" ]; + port = 443; + settings = { + protocols = [ + { name = "ssh"; host = "127.0.0.1"; port = "22"; } + { name = "tls"; host = "127.0.0.1"; port = "4443"; } + ]; + }; + }; + services.nginx = { enable = true; recommendedTlsSettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; eventsConfig = "worker_connections 4096;"; + defaultSSLListenPort = 4443; # Catch-all default - friendly error for unknown subdomains virtualHosts."_" = { @@ -77,7 +78,6 @@ in locations."/" = { proxyPass = "http://192.168.0.23:3080"; proxyWebsockets = true; - extraConfig = privateAccessRules; }; }; @@ -87,7 +87,6 @@ in locations."/" = { proxyPass = "http://192.168.0.23:8000"; proxyWebsockets = true; - extraConfig = privateAccessRules; }; }; @@ -97,7 +96,6 @@ in locations."/" = { proxyPass = "http://192.168.0.23:8188"; proxyWebsockets = true; - extraConfig = privateAccessRules; }; }; }; diff --git a/system/machines/server/modules/sandpack/default.nix b/system/machines/server/modules/sandpack/default.nix index d8b46a1..e4e5a9c 100644 --- a/system/machines/server/modules/sandpack/default.nix +++ b/system/machines/server/modules/sandpack/default.nix 
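Review bot: `services.sslh` is added with `host = "127.0.0.1"` for both targets and no `transparent` setting, so sshd and nginx will see every multiplexed connection as coming from 127.0.0.1 rather than from the real client. That breaks everything keyed on the peer address: nginx `allow`/`deny` (which this commit removes everywhere, presumably for that reason), the `$remote_addr`/`X-Real-IP` values forwarded to backends, and the fail2ban sshd jail visible in `system.nix`, which would log 127.0.0.1 for every SSH attempt and so never ban the real source. Consider `services.sslh.settings.transparent = true;` (sslh's transparent mode needs the extra routing/capability setup its documentation describes) or PROXY-protocol-aware backends before relying on the exposed services' own authentication alone. Exposing SSH on TCP 443 via `listenAddresses = [ "0.0.0.0" ]` is also a deliberate widening of the SSH attack surface that should be documented next to the `protocols` list, and that address list is IPv4-only, so an IPv6 client on 443 gets nothing.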
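Review bot: Removing `extraConfig = privateAccessRules;` from the vhost that proxies to `http://192.168.0.23:3080` exposes a LAN-only backend through a public, ACME-certified hostname with no visible replacement check, and the same applies to the 8000 and 8188 backends in the following two hunks. Nothing here shows that those upstreams authenticate clients themselves; if they do not, add `auth_basic` on each `locations."/"` or restore the source-address restriction once the client IP is visible to nginx again. The vhost definitions begin before the hunk starts.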
@@ -4,7 +4,6 @@ with lib; let cfg = config.modules.system.sandpack; domain = "ramos.codes"; - privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;"; staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let pnpm = pkgs.pnpm_10; @@ -98,8 +97,6 @@ in locations."/" = { proxyPass = "http://127.0.0.1:4333"; extraConfig = '' - ${privateAccessRules} - add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; @@ -119,8 +116,6 @@ in locations."/" = { proxyPass = "http://127.0.0.1:4324"; extraConfig = '' - ${privateAccessRules} - add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; diff --git a/system/machines/server/modules/webdav/default.nix b/system/machines/server/modules/webdav/default.nix index 1eb5684..1b90573 100644 --- a/system/machines/server/modules/webdav/default.nix +++ b/system/machines/server/modules/webdav/default.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.modules.system.webdav; domain = "ramos.codes"; - privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;"; in { @@ -51,8 +50,6 @@ in locations."/" = { proxyPass = "http://127.0.0.1:8090"; extraConfig = '' - ${privateAccessRules} - proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/system/machines/server/modules/wireguard/default.nix b/system/machines/server/modules/wireguard/default.nix deleted file mode 100644 index ff3f516..0000000 --- a/system/machines/server/modules/wireguard/default.nix +++ /dev/null 
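Review bot: With `${privateAccessRules}` gone, the remaining `add_header Access-Control-Allow-Origin "*" always;` together with `Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"` now lets any web page, not just LAN/VPN clients, drive write requests against the upstream on 127.0.0.1:4333 (and 4324 in the next hunk). Unless that upstream requires its own credentials, the wildcard origin should be narrowed to the host that actually embeds it, e.g. `add_header Access-Control-Allow-Origin "https://<embedding host>" always;` plus `add_header Vary Origin always;`, or the location should get `auth_basic`. The `locations."/"` block and its `extraConfig` string continue past the end of the hunk.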
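Review bot: Removing `${privateAccessRules}` from the WebDAV `locations."/"` means that whenever `webdav.enable` is switched on (it is `false` in `system.nix` today) the 8090 backend becomes reachable by any client of the vhost, and the remaining `proxy_set_header X-Real-IP $remote_addr;` will carry 127.0.0.1 rather than the client address once connections arrive through sslh. Add `auth_basic` here, or a comment stating that the WebDAV server enforces its own credentials, before this module is enabled. The `extraConfig` string continues beyond the hunk.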
@@ -1,106 +0,0 @@ -{ pkgs, lib, config, ... }: - -with lib; -let - cfg = config.modules.system.wireguard; -in -{ - options.modules.system.wireguard = { - enable = mkEnableOption "WireGuard VPN"; - - address = mkOption { - type = types.str; - default = "10.8.0.1/24"; - description = "WireGuard interface address with CIDR"; - }; - - subnet = mkOption { - type = types.str; - default = "10.8.0.0/24"; - description = "WireGuard subnet used for peer allocations"; - }; - - listenPort = mkOption { - type = types.port; - default = 51820; - description = "WireGuard UDP listen port"; - }; - - privateKeyFile = mkOption { - type = types.str; - default = "/var/lib/wireguard/server.key"; - description = "Path to WireGuard server private key"; - }; - - peers = mkOption { - type = types.listOf (types.submodule ({ ... }: { - options = { - publicKey = mkOption { - type = types.str; - description = "Peer public key"; - }; - - allowedIPs = mkOption { - type = types.listOf types.str; - description = "Allowed IPs for peer, usually a single /32"; - }; - - presharedKeyFile = mkOption { - type = types.nullOr types.str; - default = null; - description = "Optional preshared key file"; - }; - - persistentKeepalive = mkOption { - type = types.nullOr types.int; - default = 25; - description = "Persistent keepalive interval seconds"; - }; - }; - })); - default = [ ]; - description = "WireGuard peers"; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedUDPPorts = [ cfg.listenPort ]; - networking.nat.internalInterfaces = mkAfter [ "wg0" ]; - - systemd.tmpfiles.rules = [ - "d /var/lib/wireguard 0700 root root -" - ]; - - systemd.services.wireguard-generate-key = { - description = "Generate WireGuard server key if missing"; - before = [ "wireguard-wg0.service" ]; - wantedBy = [ "wireguard-wg0.service" ]; - serviceConfig = { - Type = "oneshot"; - }; - path = with pkgs; [ wireguard-tools coreutils ]; - script = '' - set -euo pipefail - - if [ ! 
-s "${cfg.privateKeyFile}" ]; then - umask 077 - wg genkey | tee "${cfg.privateKeyFile}" | wg pubkey > /var/lib/wireguard/server.pub - elif [ ! -s /var/lib/wireguard/server.pub ]; then - umask 077 - wg pubkey < "${cfg.privateKeyFile}" > /var/lib/wireguard/server.pub - fi - ''; - }; - - networking.wireguard.interfaces.wg0 = { - ips = [ cfg.address ]; - listenPort = cfg.listenPort; - privateKeyFile = cfg.privateKeyFile; - peers = map (peer: { - inherit (peer) publicKey allowedIPs; - presharedKeyFile = peer.presharedKeyFile; - persistentKeepalive = peer.persistentKeepalive; - }) cfg.peers; - }; - }; -} diff --git a/system/machines/server/system.nix b/system/machines/server/system.nix index 1d4065c..c5c839a 100644 --- a/system/machines/server/system.nix +++ b/system/machines/server/system.nix @@ -19,15 +19,6 @@ frigate.enable = true; immich.enable = true; webdav.enable = false; - wireguard = { - enable = true; - peers = [ - { - publicKey = "HRFsVXn3jeqKQLQIl0cB6KC/qia7M1gQf2lqG5HDxF8="; - allowedIPs = [ "10.8.0.2/32" ]; - } - ]; - }; # bitcoin = { # enable = true; # electrum.enable = true; @@ -181,7 +172,7 @@ cache-size = 1000; # Camera network DHCP (isolated - no gateway = no internet) - interface = [ "enp2s0f1" "wg0" ]; + interface = "enp2s0f1"; bind-interfaces = true; dhcp-range = "192.168.1.100,192.168.1.200,24h"; @@ -194,11 +185,6 @@ }; }; - systemd.services.dnsmasq = { - after = [ "wireguard-wg0.service" ]; - wants = [ "wireguard-wg0.service" ]; - }; - services.fail2ban = { enable = true; maxretry = 5; diff --git a/user/modules/utils/dev/default.nix b/user/modules/utils/dev/default.nix index 89c4809..1c10315 100644 --- a/user/modules/utils/dev/default.nix +++ b/user/modules/utils/dev/default.nix 
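Review bot: Removing the `wireguard = { ... peers = [ ... ] }` block (together with the module) stops configuring `wg0`, but nothing in the commit removes the key material the deleted module generated: `/var/lib/wireguard/server.key` and `server.pub`, created by its tmpfiles rule and `wg genkey` service, stay on disk. If the VPN is really gone, wipe that directory on the host, for example with a tmpfiles rule `"R /var/lib/wireguard - - - - -"` or a one-off `rm -r`, so a retired private key does not linger. A one-line comment here noting that the LAN/VPN-only access model has been replaced by publicly reachable services would also help, since that is what this hunk and the nginx changes do together.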
@@ -3,14 +3,13 @@ with lib; let cfg = config.modules.user.utils.dev; + in { options.modules.user.utils.dev = { enable = mkEnableOption "user.utils.dev"; }; config = mkIf cfg.enable { home.packages = with pkgs; [ unstable.claude-code unstable.codex - unstable.opencode - bubblewrap nix-init