home-server/services/wireguard-outer.nix

{ lib, pkgs, config, ... }:
{
sops.secrets = {
  # WireGuard private key for this host, decrypted from the VPS-specific
  # sops file at activation time. Owner is left at the module default (root);
  # only the wireguard module reads it via privateKeyFile.
  "wireguard/private_key" = {
    sopsFile = ./secrets/wireguard_vps.yaml;
    # Owner-read-only: the key must never be readable by other users.
    mode = "0400";
  };
};
networking.firewall = {
  # Everything public terminates in nginx on this host; the services
  # themselves are only reachable over the WireGuard tunnel.
  allowedTCPPorts = [
    80 # HTTP (ACME challenges; forceSSL redirects the rest)
    443 # HTTPS vhosts
    2222 # Forgejo SSH, relayed by the nginx stream block
    6697 # IRC over TLS, terminated by the nginx stream block
  ];
  # WireGuard listen port (see networking.wireguard.interfaces.wg0).
  allowedUDPPorts = [ 51820 ];
};
networking.wireguard.interfaces = {
  # Tunnel endpoint on the VPS side. Every nginx upstream in this file
  # points at the single peer below, so the tunnel is the only path from
  # the public edge to the actual services.
  wg0 = {
    ips = [ "10.10.0.1/24" ];
    listenPort = 51820;
    # Decrypted by sops at activation; never inline the key here.
    privateKeyFile = config.sops.secrets."wireguard/private_key".path;
    peers = [
      {
        publicKey = "s2plHABMTF83iqrCHlQ+o5ieJSAfudx3upm3v77y1DI=";
        # Only the peer's own tunnel address is routed through it; no
        # endpoint is set, so the peer must initiate the handshake.
        allowedIPs = [ "10.10.0.2/32" ];
        # NOTE(review): no presharedKey is configured for this peer; it is
        # optional, but adding one is a cheap hardening step — confirm with
        # the peer-side config before enabling.
      }
    ];
  };
};
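services.nginx = {
  enable = true;
  recommendedGzipSettings = true;
  recommendedProxySettings = true;
  # Applies to the `http` context only. The `stream` servers in streamConfig
  # below do not inherit these settings, so their TLS parameters are pinned
  # explicitly there.
  recommendedTlsSettings = true;
  # Public edge: listen on all v4/v6 addresses. Upstreams are reached over
  # wg0, so every proxyPass target below is plain HTTP inside the tunnel.
  defaultListen = [
    { addr = "0.0.0.0"; }
    { addr = "[::]"; }
  ];
  # NOTE(review): no catch-all vhost is defined, so requests with an unknown
  # Host header are served by whichever server block nginx picks as default.
  virtualHosts."matrix.ellie.town" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://10.10.0.2:8008";
      # TODO(review): nginx's default client_max_body_size is 1m, which will
      # reject larger media uploads with 413; check the homeserver's upload
      # limit and raise it here if uploads are expected.
    };
  };
  # virtualHosts."akkoma.ellie.town" = {
  # enableACME = true;
  # forceSSL = true;
  # locations."/" = {
  # proxyPass = "http://10.10.0.2:4000";
  # proxyWebsockets = true;
  # extraConfig = ''
  # client_max_body_size 16m;
  # '';
  # };
  # };
  # virtualHosts."media.ellie.town" = {
  # enableACME = true;
  # forceSSL = true;
  # locations."/" = {
  # proxyPass = "http://10.10.0.2:4000";
  # extraConfig = ''
  # client_max_body_size 16m;
  # '';
  # };
  # };
  virtualHosts."forgejo.ellie.town" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://10.10.0.2:3000";
      # TODO(review): same 1m default body limit as above; large pushes over
      # HTTPS may fail with 413 — confirm and raise if needed.
    };
  };
  # Exists only to obtain the certificate used by the IRC stream server
  # below; nothing is proxied over HTTPS for this name.
  virtualHosts."irc.ellie.town" = {
    enableACME = true;
    forceSSL = true;
  };
  streamConfig = ''
    log_format forgejo_ssh '$remote_addr [$time_local] $protocol $status';
    upstream ergo {
      server 10.10.0.2:6667;
    }
    # IRC over TLS: terminated here, forwarded in the clear inside wg0.
    # The key is expected to be readable by the nginx user via the NixOS
    # ACME integration for irc.ellie.town — verify on first deploy.
    server {
      listen 6697 ssl;
      ssl_certificate /var/lib/acme/irc.ellie.town/fullchain.pem;
      ssl_certificate_key /var/lib/acme/irc.ellie.town/key.pem;
      # recommendedTlsSettings does not reach the stream context, so pin the
      # protocol floor instead of relying on the build's compiled-in default.
      ssl_protocols TLSv1.2 TLSv1.3;
      proxy_pass ergo;
    }
    upstream forgejo_ssh {
      server 10.10.0.2:2222;
    }
    # Plain TCP relay for Forgejo SSH. No PROXY protocol is used, so the
    # backend sees this host's wg0 address as the client; source-based
    # controls therefore have to live here (the fail2ban jail reads this log).
    server {
      listen 2222;
      proxy_pass forgejo_ssh;
      access_log /var/log/nginx/forgejo-ssh.log forgejo_ssh;
    }
  '';
  virtualHosts."ellie.town" = {
    enableACME = true;
    forceSSL = true;
    # Matrix delegation: federation for @user:ellie.town goes to
    # matrix.ellie.town:443; clients are pointed at the same host.
    locations."= /.well-known/matrix/server".extraConfig = ''
      default_type application/json;
      add_header Access-Control-Allow-Origin *;
      return 200 '{"m.server":"matrix.ellie.town:443"}';'';
    # Wildcard CORS is what web clients need to read this discovery document.
    locations."= /.well-known/matrix/client".extraConfig = ''
      default_type application/json;
      add_header Access-Control-Allow-Origin *;
      return 200 '{"m.homeserver":{"base_url":"https://matrix.ellie.town"}}';'';
  };
};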
# Ban sources that open too many Forgejo SSH relay connections. The stream
# log only records sessions, not SSH authentication outcomes, so the regex
# matches every logged connection: this is a per-source connection rate
# limit, not failed-login detection. A legitimate client doing more than
# `maxretry` git operations within `findtime` will be banned too.
environment.etc."fail2ban/filter.d/forgejo-ssh.conf" = {
  text = ''
    [Definition]
    failregex = ^<HOST> \[.+\] TCP \d+
  '';
};
services.fail2ban.jails.forgejo-ssh = {
  settings = {
    enabled = true;
    filter = "forgejo-ssh";
    # Written by the stream server's access_log in services.nginx.
    logpath = "/var/log/nginx/forgejo-ssh.log";
    maxretry = 10;
    findtime = 60;
    bantime = "1h";
    # Only the relay port is blocked; the banned source can still reach
    # the HTTPS vhosts and WireGuard.
    port = 2222;
  };
};
# Let's Encrypt defaults shared by every enableACME vhost above.
security.acme.acceptTerms = true;
security.acme.defaults.email = "wizzeh@protonmail.com";
}