diff --git a/modules/common/linux/default.nix b/modules/common/linux/default.nix
index c00367b..602ba6e 100644
--- a/modules/common/linux/default.nix
+++ b/modules/common/linux/default.nix
@@ -485,5 +485,8 @@ in
 EDITOR = "kak";
 VISUAL = "kak";
 };
+
+ # Trust my own cert
+ security.pki.certificateFiles = [ ../../../nki-home/cert.pem ];
 };
 }
diff --git a/modules/services/nix-cache/default.nix b/modules/services/nix-cache/default.nix
index bbf2601..53e2d1a 100644
--- a/modules/services/nix-cache/default.nix
+++ b/modules/services/nix-cache/default.nix
@@ -41,11 +41,19 @@ in
 type = types.path;
 description = "Path to the private key .pem file";
 };
+ sslCertificate = mkOption {
+ type = types.path;
+ description = "Path to the private key .pem file";
+ };
+ sslCertificateKey = mkOption {
+ type = types.path;
+ description = "Path to the private key .pem file";
+ };
 };
 config = {
 nix.settings = mkIf cfg.enableClient {
- substituters = lib.mkAfter [ "http://${cfg.host}" ];
+ substituters = lib.mkAfter [ "https://${cfg.host}" ];
 trusted-public-keys = [ cfg.publicKey ];
 };
@@ -64,6 +72,9 @@ in
 virtualHosts = {
 # ... existing hosts config etc. ...
 "${cfg.host}" = {
+ forceSSL = true;
+ sslCertificate = cfg.sslCertificate;
+ sslCertificateKey = cfg.sslCertificateKey;
 locations."/".proxyPass = "http://${bindAddr}";
 };
 };
diff --git a/nki-home/cert.pem b/nki-home/cert.pem
new file mode 100644
index 0000000..c8f9b91
--- /dev/null
+++ b/nki-home/cert.pem
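Review bot: The file added to `security.pki.certificateFiles` is, judging by its DER (basicConstraints marked critical with CA:TRUE, issuer identical to subject, no keyUsage or nameConstraints), a self-signed CA certificate, and the same cert.pem is served by nginx in this commit with the `nginx/key.pem` sops secret as its key, so the trust anchor's private key is the serving key, owned by the `nginx` user on the home box. Every host that imports this module will then accept any certificate that key signs, not only the names in the SAN list (which appears to cover localhost, 127.0.0.1, home.tinc, *.home.tinc, kagamipc.dtth.ts and *.kagamipc.dtth.ts), and the encoded validity seems to run to 2035. Splitting this into an offline CA that is the only thing listed here and a leaf certificate issued to nginx keeps the system-wide trust entry from doubling as a server key. At minimum the comment should say what is being trusted: `# Trust the self-signed CA for home.tinc / kagamipc.dtth.ts (same key as nki-home's nginx/key.pem sops secret)`.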
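Review bot: Both new options carry the copy-pasted description `"Path to the private key .pem file"`, so the generated option docs for `sslCertificate` are wrong; it should read `description = "Path to the TLS certificate .pem file";`. `sslCertificateKey` is declared as `types.path`, which also accepts a path literal that Nix would copy into the world-readable store; the only caller in this commit passes a sops runtime path string, and the description should make that the expected form, e.g. `"Runtime path to the TLS private key .pem file (a sops secret path, not a store path)"`. The `http` to `https` switch in `substituters` makes every client depend on the certificate being in its trust store, which this commit only guarantees for hosts importing the common linux module, so that coupling deserves a one-line comment next to the substituter line.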
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF6TCCA9GgAwIBAgIUBPEviSorTJodh/6ufW892x/PvqIwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCQ0gxDTALBgNVBAgMBFZhdWQxETAPBgNVBAcMCExhdXNh
+bm5lMREwDwYDVQQKDAhadW1pbGFuZDESMBAGA1UEAwwJenVtaS5sYW5kMB4XDTI1
+MDQxMTIwMjgxMVoXDTM1MDQwOTIwMjgxMVowVjELMAkGA1UEBhMCQ0gxDTALBgNV
+BAgMBFZhdWQxETAPBgNVBAcMCExhdXNhbm5lMREwDwYDVQQKDAhadW1pbGFuZDES
+MBAGA1UEAwwJenVtaS5sYW5kMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEAifTbCEo08BH/ZVtcRQoB/rDwl3UQMoFxZUlZYtKHAyZZcaRO2OV7rMlb1gxq
+aZ++NB+nVvgr1NHcAsiBhMz2O5gZC+NK+zmnC4Fp3EXtFGto/NYNf7V7x6t36Jf8
+WscId+q+PApcG+QUGsxZXcJnHZPvrWSdaP2lftGs9GuoWCDdupZCE1UKku72UYQa
+yYxEfsrlAgioqEupId0HgVDc267axAwcRdIXrvVkL7zLhawa6/bTL+PmtPPRTnYq
+23/uqeIf5n8HmfoPTw+NiqQMx1q0R/wfz1F9pXddPRM/XlzMZ6WIVj5oLNkWU9mk
+vkrVQGFl/EfHFjyGoDBxcroT/ZqBF8hz7NzGb7s/Tfext/jOcM6TczAhXsH+8qZS
+ufGeSNBuR5c4lr+zrae7u5zyBfURGdHaag9yz6g9QE2+pm7MLqVBjL30qot5lHEU
+1frrI6FzY2WTioyduK23ulPpAND83TkXNxPwLNVg0utCyq2VC/gRLAgSL5+YFR7U
++HtOYY3BakrbZWzHP2vzZC3LaE9rZZhl4PiiojwSmiU0PnnyV68eYZwG83xv9vUE
+Df/kfBr3pEsXgeD8pRcMOnkcIzjXSbQe9oyAE7ZhKGkIkaRlx4NrtibsRynmXGXV
+EbPOiIHE8AVUe7+a3bvzBnlWTOMcmMf9B0YU3+sHCD8vbesCAwEAAaOBrjCBqzAd
+BgNVHQ4EFgQUAZhG1lLB8c9DAHgIIabVuK94r60wHwYDVR0jBBgwFoAUAZhG1lLB
+8c9DAHgIIabVuK94r60wDwYDVR0TAQH/BAUwAwEB/zBYBgNVHREEUTBPhwR/AAAB
+gglsb2NhbGhvc3SCCWhvbWUudGluY4ILKi5ob21lLnRpbmOCEGthZ2FtaXBjLmR0
+dGgudHOCEioua2FnYW1pcGMuZHR0aC50czANBgkqhkiG9w0BAQsFAAOCAgEAb0jD
+RUaKAIvUwYFqY4m1sgQWGFqB/Cv1dlBGZexYRRt0glEIsmFXDzvOOfrYTm18faG7
+eo/pERMYUc7IdHPA/DDC6eAwCUvSZgDi6TJ0jy2GqwOB84MlsUyK7UFGURk7Np2X
+RxkiU0Q5wcI4y5p3Njh1pgpbVfArLYwRvWYuvWwYpdZCVIT4rprVoOfAnV2QsCi/
+DJFc64kxePZxJ2CX1neWi81jVcy35wbObAyfBcktkD3ySkr2pWKDkVr6slAU+lmq
+u4eCPwqKqh+bns4ndX65eX2YkKRLBEpF3KVxrPKtc3I6BUUldXIEZ7JY7mtcugO7
+oDNd5QOY5feO3qI+ULnEmNDbonFMHKEO7Xb7ggWtuXiyrOCU1J/Xykk/VJfZxP//
+lcacNjB3ZOj4gBTfNbycQiana5Vhop9k5gn7ft4A+ohLekxjIE/lZYThfalc2+lw
+Rrr4tJzpNFhe8SHtg8ubQM74VtTnPy67N1KVO3CPqv4HDrmLnxLh1CP3GeQzq0M3
+4Dzg7F+Z8cH0ALmGnBNHacffgZ9Beg9fkJ+J54r+ESHBzTrEebt6QCrsCNZShOMT
+xgjqVru6hDqdzKHjb02jv+z55yw26KOt7HpjLfXisWk9vs11jp6TphTa7zFdCmPZ
+E93m8rI+0lj1jZS2h+8hNUq3UdkLswVTIiXlZqg=
+-----END CERTIFICATE-----
diff --git a/nki-home/configuration.nix b/nki-home/configuration.nix
index 1304d3d..9846344 100644
--- a/nki-home/configuration.nix
+++ b/nki-home/configuration.nix
@@ -61,6 +61,8 @@ in
 nki.services.nix-cache = {
 enableServer = true;
 privateKeyFile = config.sops.secrets."nix-cache/private-key".path;
+ sslCertificate = ./cert.pem;
+ sslCertificateKey = config.sops.secrets."nginx/key.pem".path;
 };
 sops.secrets."nix-build-farm/private-key" = {
@@ -241,6 +243,28 @@ in
 virtualisation.spiceUSBRedirection.enable = true;
 }
+ {
+ sops.secrets."nginx/key.pem" = {
+ owner = "nginx";
+ reloadUnits = [ "nginx.service" ];
+ };
+ security.dhparams.enable = true;
+ security.dhparams.params.nginx.bits = 4096;
+ systemd.services.nginx.requires = [ "dhparams-gen-nginx.service" ];
+ # Nginx HTTPS
+ services.nginx = {
+ sslDhparam = config.security.dhparams.params.nginx.path;
+ defaultListen = [
+ {
+ addr = "0.0.0.0";
+ ssl = true;
+ extraParameters = [
+ ];
+ }
+ ];
+ };
+ common.linux.tailscale.firewall.allowPorts = [ 443 ];
+ }
 {
 # LLM poop
 services.ollama = {
@@ -259,7 +283,7 @@ in
 enable = true;
 port = 5689;
 openFirewall = true;
- host = "0.0.0.0";
+ host = "127.0.0.1";
 environment = {
 ANONYMIZED_TELEMETRY = "False";
 DO_NOT_TRACK = "True";
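Review bot: `systemd.services.nginx.requires = [ "dhparams-gen-nginx.service" ]` expresses a dependency but no ordering, since Requires= carries no After= in systemd; the ordering that keeps nginx from starting before `config.security.dhparams.params.nginx.path` exists on first boot therefore rests entirely on the dhparams module's own generator unit ordering itself before `nginx.service`, which I believe it does but which this line does not make visible. Either add `systemd.services.nginx.after = [ "dhparams-gen-nginx.service" ];` next to it or note the reliance: `# ordering is provided by dhparams-gen-nginx.service's own before=nginx.service`. `extraParameters = [ ];` in the `defaultListen` entry is empty and can be dropped. With `defaultListen` holding only an `ssl = true` entry, I am not certain the nginx module still emits the plain-HTTP redirect listener that the `forceSSL` vhosts in this commit rely on; worth confirming on port 80, or adding an explicit `ssl = false` entry.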
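Review bot: `openFirewall = true;` just above the changed line still opens port 5689 in the firewall on every interface, even though open-webui now binds `127.0.0.1` and nginx on 443 is meant to be the only entry point, so the line is now dead weight and would quietly re-expose the service if `host` were ever reverted; change it to `openFirewall = false;`. The enclosing `services.open-webui` block starts before this hunk.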
@@ -268,7 +292,27 @@ in
 ENABLE_SIGNUP = "false";
 };
 };
- common.linux.tailscale.firewall.allowPorts = [ config.services.open-webui.port ];
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ # ... existing hosts config etc. ...
+ "llm" = {
+ serverAliases = [
+ "llm.home.tinc"
+ "llm.kagamipc.dtth.ts"
+ ];
+ forceSSL = true;
+ sslCertificate = ./cert.pem;
+ sslCertificateKey = config.sops.secrets."nginx/key.pem".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:5689";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ }
 ];
 }
diff --git a/nki-home/secrets.yaml b/nki-home/secrets.yaml
index 648220d..4d7a0e7 100644
--- a/nki-home/secrets.yaml
+++ b/nki-home/secrets.yaml
@@ -18,6 +18,8 @@ nix-cache:
 nix-build-farm:
 private-key: ENC[AES256_GCM,data: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,iv:7KUWg7+GWgmGJkbIvsy9gtccZBb+1Y5uDWhXQFk0obk=,tag:qJdM684XPHxecLVxVb5pgw==,type:str]
 wg-deluge.conf: ENC[AES256_GCM,data:CjCqgC1458C6odMtcWigE9tZwci4bJYyk+2fVTpP2OnHYwAp38bt0TbBLwgytMqKfB5EpJZLdbeTSoL33MhT2MD4gWBuDH1++p59l9213LS+9mF6gxG/RksrnnLvz9Pnk5J19qOz1PDxm6t8ZF2qu5qAHY83CF+k32G04/p2Nl04bDllAmMUlGGHJ5TXvXCSRcNU/2tWYv/sC4SwfUfpMjRbSKJUQSTEXnQsPaKsf+fq3mhj1a/xT6zJ6sxwDAGQ3PwIY8xTDf5ucS9ULPO9Zn27NUBoFmS1g0fJd+ZCJJYIWkG2uYDf+ldu/Ag95BduHX7Juf3GolhVd24hZzaIq3LeME99+T3SYA4LBkAaASnBvrVOXmFavHPKhFfbZ1DG0mO7S2M+Ticz+dUktjTXCh/Fe4uwf2R82PieuPhNng==,iv:AKleoSHG6qKEMJ7vIFsQ+X7d/jaXt+d0kg3LnbeWrRc=,tag:zrtqRIxEBbpSh9Ryj8cwqw==,type:str]
+nginx:
+ key.pem: ENC[AES256_GCM,data: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,iv:G7JThXxOrVYpQatcvkjmhOGSs+griXoSzrpqqYwh2TA=,tag:U4Yj8MC4nOUcc/8bvC90WQ==,type:str]
 sops:
 age:
 - recipient: age1tt0peqg8zdfh74m5sdgwsczcqh036nhgmwvkqnvywll88uvmm9xs433rhm
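Review bot: `proxyPass = "http://127.0.0.1:5689";` hard-codes the host and port that `services.open-webui` sets a few lines earlier in this file (the removed `allowPorts` line still went through `config.services.open-webui.port`), so the two will drift if either is changed; write it as `proxyPass = "http://${config.services.open-webui.host}:${toString config.services.open-webui.port}";`. The `# ... existing hosts config etc. ...` comment is copied from the nix-cache module and describes nothing in this file, so it should go. `enable`, `recommendedProxySettings` and the `llm` vhost live in this attrset while `sslDhparam` and `defaultListen` are set in the one added in the earlier hunk; keeping the whole `services.nginx` configuration in one block would make the HTTPS setup readable in one place.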
@@ -47,7 +49,7 @@ sops:
 bUhIT0Z2b1dVWGNyS1hRVFRyZTA4d00KchP7EhSOMwBl5vFuuskzosRoi8jUu1sw
 hVjJNF2a40ewgkQgVAoWEzirHbknbQORzmepDDRth7Bve3UQU64+GA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-08T23:20:49Z"
- mac: ENC[AES256_GCM,data:4RANoPaf4TCLkkTkY/UyOCLWKVL6o5N+bSXbNCoQLoI5hI5oW6zgPnvEKtERhJiKNttEoPStb68dt8/DRZ6enpi6h/DP+kNm7wCCT0atMnfKUXz1Hco6ixub9cyT1wpRxjU0O5EPmYSDRYTayOBOqvXzns+OpVFGMcskUAeroL8=,iv:JHMW8tsydX2k39SPqbFfyash4k8juTCi8DtufA8lL/s=,tag:lTQc62Y4nDEErT/TbL+Hbg==,type:str]
+ lastmodified: "2025-04-13T14:21:06Z"
+ mac: ENC[AES256_GCM,data:gkVuyr5PSqumXYWK5WsMfPHPQHbXHIFoUgGokh6xEHTacmxABvNroQiMZYrSvbHVSUxy06Ao8VWRK1tPPSjbsxBD5T7X0yXDLGkmPQpQWSRy+Zb1hQaV0Osp2p4yGGseNJxBmWOGWdmJGOwCAoj8tnS/EOGo+128dJyzrvD9F4Q=,iv:RQ/cM1eySv+KVLD/MGSs3E1RXMLFJR+6O1hOie8bskU=,tag:fT6jXRSMpCexYV1m5FbbDQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.1
diff --git a/nki-personal-do/headscale.nix b/nki-personal-do/headscale.nix
index 3d1950f..a925068 100644
--- a/nki-personal-do/headscale.nix
+++ b/nki-personal-do/headscale.nix
@@ -61,6 +61,13 @@ rec {
 dns = {
 base_domain = "dtth.ts";
+ extra_records = [
+ {
+ name = "llm.kagamipc.dtth.ts";
+ type = "A";
+ value = "100.64.0.1";
+ }
+ ];
 };
 noise = {