AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

disable cloudflare proxy

Browse Source
This commit is contained in:
Dmitriy Kholkin 2024-11-20 03:49:52 +03:00
parent d6b3d75db8
commit 78528c258b
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
2 changed files with 36 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
machines/NixOS-VPS/services/xtls.nix
View File

@ -5,6 +5,7 @@ let
cert-pem = config.sops.secrets."cert.pem".path; cert-pem = config.sops.secrets."cert.pem".path;
nginx-conf = config.sops.secrets."nginx.conf".path; nginx-conf = config.sops.secrets."nginx.conf".path;
marzban-env = config.sops.secrets.marzban.path; marzban-env = config.sops.secrets.marzban.path;
fqdn = "wg.ataraxiadev.com";
in { in {
disabledModules = [ "${modulesPath}/services/web-apps/ocis.nix" ]; disabledModules = [ "${modulesPath}/services/web-apps/ocis.nix" ];
imports = [ inputs.ataraxiasjel-nur.nixosModules.ocis ]; imports = [ inputs.ataraxiasjel-nur.nixosModules.ocis ];
@ -20,17 +21,21 @@ in {
sopsFile = inputs.self.secretsDir + /nixos-vps/marzban.env; sopsFile = inputs.self.secretsDir + /nixos-vps/marzban.env;
restartUnits = [ "podman-marzban.service" ]; restartUnits = [ "podman-marzban.service" ];
}; };
cf-dns-api = {
sopsFile = inputs.self.secretsDir + /misc.yaml;
owner = "acme";
};
in { in {
"cert.key" = nginx; "cert.key" = nginx;
"cert.pem" = nginx; "cert.pem" = nginx;
"nginx.conf" = nginx; "nginx.conf" = nginx;
marzban = marzban; inherit cf-dns-api marzban;
}; };
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
marzban = { marzban = {
autoStart = true; autoStart = true;
image = "ghcr.io/gozargah/marzban:v0.4.9"; image = "ghcr.io/gozargah/marzban:v0.7.0";
environmentFiles = [ marzban-env ]; environmentFiles = [ marzban-env ];
extraOptions = [ "--network=host" ]; extraOptions = [ "--network=host" ];
volumes = [ volumes = [
@ -42,8 +47,10 @@ in {
image = "docker.io/nginx:latest"; image = "docker.io/nginx:latest";
extraOptions = [ "--network=host" ]; extraOptions = [ "--network=host" ];
volumes = [ volumes = [
"${cert-key}:/etc/ssl/certs/cert.key:ro" "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cert.pem:ro" "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
"${config.security.acme.certs.${fqdn}.directory}/fullchain.pem:/etc/ssl/certs/cert.pem:ro"
"${config.security.acme.certs.${fqdn}.directory}/key.pem:/etc/ssl/certs/cert.key:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro" "${nginx-conf}:/etc/nginx/nginx.conf:ro"
]; ];
}; };
@ -65,4 +72,25 @@ in {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /srv/marzban 0755 root root -" "d /srv/marzban 0755 root root -"
]; ];
# OpenConnect
security.acme = {
acceptTerms = true;
defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
defaults.email = "admin@ataraxiadev.com";
defaults.renewInterval = "weekly";
certs = {
${fqdn} = {
extraDomainNames = [
"auth.ataraxiadev.com"
"doh.ataraxiadev.com"
];
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
reloadServices = [ "podman-nginx.service" ];
};
};
};
persist.state.directories = [ "/var/lib/acme" ];
} }

8
secrets/nixos-vps/nginx.yaml
View File

File diff suppressed because one or more lines are too long