Move nginx to https

modules/common/linux/default.nix

@@ -485,5 +485,8 @@ in
       EDITOR = "kak";
       VISUAL = "kak";
     };
+
+    # Trust my own cert
+    security.pki.certificateFiles = [ ../../../nki-home/cert.pem ];
   };
 }

modules/services/nix-cache/default.nix

@@ -41,11 +41,19 @@ in
       type = types.path;
       description = "Path to the private key .pem file";
     };
+    sslCertificate = mkOption {
+      type = types.path;
+      description = "Path to the private key .pem file";
+    };
+    sslCertificateKey = mkOption {
+      type = types.path;
+      description = "Path to the private key .pem file";
+    };
   };
 
   config = {
     nix.settings = mkIf cfg.enableClient {
-      substituters = lib.mkAfter [ "http://${cfg.host}" ];
+      substituters = lib.mkAfter [ "https://${cfg.host}" ];
       trusted-public-keys = [ cfg.publicKey ];
     };
 
@@ -64,6 +72,9 @@ in
       virtualHosts = {
         # ... existing hosts config etc. ...
         "${cfg.host}" = {
+          forceSSL = true;
+          sslCertificate = cfg.sslCertificate;
+          sslCertificateKey = cfg.sslCertificateKey;
           locations."/".proxyPass = "http://${bindAddr}";
         };
       };

nki-home/cert.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF6TCCA9GgAwIBAgIUBPEviSorTJodh/6ufW892x/PvqIwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCQ0gxDTALBgNVBAgMBFZhdWQxETAPBgNVBAcMCExhdXNh
+bm5lMREwDwYDVQQKDAhadW1pbGFuZDESMBAGA1UEAwwJenVtaS5sYW5kMB4XDTI1
+MDQxMTIwMjgxMVoXDTM1MDQwOTIwMjgxMVowVjELMAkGA1UEBhMCQ0gxDTALBgNV
+BAgMBFZhdWQxETAPBgNVBAcMCExhdXNhbm5lMREwDwYDVQQKDAhadW1pbGFuZDES
+MBAGA1UEAwwJenVtaS5sYW5kMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEAifTbCEo08BH/ZVtcRQoB/rDwl3UQMoFxZUlZYtKHAyZZcaRO2OV7rMlb1gxq
+aZ++NB+nVvgr1NHcAsiBhMz2O5gZC+NK+zmnC4Fp3EXtFGto/NYNf7V7x6t36Jf8
+WscId+q+PApcG+QUGsxZXcJnHZPvrWSdaP2lftGs9GuoWCDdupZCE1UKku72UYQa
+yYxEfsrlAgioqEupId0HgVDc267axAwcRdIXrvVkL7zLhawa6/bTL+PmtPPRTnYq
+23/uqeIf5n8HmfoPTw+NiqQMx1q0R/wfz1F9pXddPRM/XlzMZ6WIVj5oLNkWU9mk
+vkrVQGFl/EfHFjyGoDBxcroT/ZqBF8hz7NzGb7s/Tfext/jOcM6TczAhXsH+8qZS
+ufGeSNBuR5c4lr+zrae7u5zyBfURGdHaag9yz6g9QE2+pm7MLqVBjL30qot5lHEU
+1frrI6FzY2WTioyduK23ulPpAND83TkXNxPwLNVg0utCyq2VC/gRLAgSL5+YFR7U
++HtOYY3BakrbZWzHP2vzZC3LaE9rZZhl4PiiojwSmiU0PnnyV68eYZwG83xv9vUE
+Df/kfBr3pEsXgeD8pRcMOnkcIzjXSbQe9oyAE7ZhKGkIkaRlx4NrtibsRynmXGXV
+EbPOiIHE8AVUe7+a3bvzBnlWTOMcmMf9B0YU3+sHCD8vbesCAwEAAaOBrjCBqzAd
+BgNVHQ4EFgQUAZhG1lLB8c9DAHgIIabVuK94r60wHwYDVR0jBBgwFoAUAZhG1lLB
+8c9DAHgIIabVuK94r60wDwYDVR0TAQH/BAUwAwEB/zBYBgNVHREEUTBPhwR/AAAB
+gglsb2NhbGhvc3SCCWhvbWUudGluY4ILKi5ob21lLnRpbmOCEGthZ2FtaXBjLmR0
+dGgudHOCEioua2FnYW1pcGMuZHR0aC50czANBgkqhkiG9w0BAQsFAAOCAgEAb0jD
+RUaKAIvUwYFqY4m1sgQWGFqB/Cv1dlBGZexYRRt0glEIsmFXDzvOOfrYTm18faG7
+eo/pERMYUc7IdHPA/DDC6eAwCUvSZgDi6TJ0jy2GqwOB84MlsUyK7UFGURk7Np2X
+RxkiU0Q5wcI4y5p3Njh1pgpbVfArLYwRvWYuvWwYpdZCVIT4rprVoOfAnV2QsCi/
+DJFc64kxePZxJ2CX1neWi81jVcy35wbObAyfBcktkD3ySkr2pWKDkVr6slAU+lmq
+u4eCPwqKqh+bns4ndX65eX2YkKRLBEpF3KVxrPKtc3I6BUUldXIEZ7JY7mtcugO7
+oDNd5QOY5feO3qI+ULnEmNDbonFMHKEO7Xb7ggWtuXiyrOCU1J/Xykk/VJfZxP//
+lcacNjB3ZOj4gBTfNbycQiana5Vhop9k5gn7ft4A+ohLekxjIE/lZYThfalc2+lw
+Rrr4tJzpNFhe8SHtg8ubQM74VtTnPy67N1KVO3CPqv4HDrmLnxLh1CP3GeQzq0M3
+4Dzg7F+Z8cH0ALmGnBNHacffgZ9Beg9fkJ+J54r+ESHBzTrEebt6QCrsCNZShOMT
+xgjqVru6hDqdzKHjb02jv+z55yw26KOt7HpjLfXisWk9vs11jp6TphTa7zFdCmPZ
+E93m8rI+0lj1jZS2h+8hNUq3UdkLswVTIiXlZqg=
+-----END CERTIFICATE-----

nki-home/configuration.nix

@@ -61,6 +61,8 @@ in
       nki.services.nix-cache = {
         enableServer = true;
         privateKeyFile = config.sops.secrets."nix-cache/private-key".path;
+        sslCertificate = ./cert.pem;
+        sslCertificateKey = config.sops.secrets."nginx/key.pem".path;
       };
 
       sops.secrets."nix-build-farm/private-key" = {
@@ -241,6 +243,28 @@ in
 
       virtualisation.spiceUSBRedirection.enable = true;
     }
+    {
+      sops.secrets."nginx/key.pem" = {
+        owner = "nginx";
+        reloadUnits = [ "nginx.service" ];
+      };
+      security.dhparams.enable = true;
+      security.dhparams.params.nginx.bits = 4096;
+      systemd.services.nginx.requires = [ "dhparams-gen-nginx.service" ];
+      # Nginx HTTPS
+      services.nginx = {
+        sslDhparam = config.security.dhparams.params.nginx.path;
+        defaultListen = [
+          {
+            addr = "0.0.0.0";
+            ssl = true;
+            extraParameters = [
+            ];
+          }
+        ];
+      };
+      common.linux.tailscale.firewall.allowPorts = [ 443 ];
+    }
     {
       # LLM poop
       services.ollama = {
@@ -259,7 +283,7 @@ in
         enable = true;
         port = 5689;
         openFirewall = true;
-        host = "0.0.0.0";
+        host = "127.0.0.1";
         environment = {
           ANONYMIZED_TELEMETRY = "False";
           DO_NOT_TRACK = "True";
@@ -268,7 +292,27 @@ in
           ENABLE_SIGNUP = "false";
         };
       };
-      common.linux.tailscale.firewall.allowPorts = [ config.services.open-webui.port ];
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        virtualHosts = {
+          # ... existing hosts config etc. ...
+          "llm" = {
+            serverAliases = [
+              "llm.home.tinc"
+              "llm.kagamipc.dtth.ts"
+            ];
+            forceSSL = true;
+            sslCertificate = ./cert.pem;
+            sslCertificateKey = config.sops.secrets."nginx/key.pem".path;
+            locations."/" = {
+              proxyPass = "http://127.0.0.1:5689";
+              proxyWebsockets = true;
+            };
+          };
+        };
+      };
+
     }
   ];
 }

nki-home/secrets.yaml

@@ -18,6 +18,8 @@ nix-cache:
 nix-build-farm:
     private-key: ENC[AES256_GCM,data:m5neeWCEdaZ1MRhNwTptfDIgv3ABNlYyNil3oTD81Jbe/6WxWaS5Q++CRlHCjc2hOoHsWsZixw8iGZVTA+QXgH6B9C6A4oOAhgR9m92EGTEfFw0qxQbdzs7U98Yonx/N8SApUycZZB/EU81+MrDNY4GGzCiO6s00/vZLkDTYnqRFgbo+8KTG0BQTl4q+VYP2q3l0wy+Ivz5CWPmbz42Xdin/sBnjeFHKDuof4iZZnN3i8gUJ/mMw3lbdiHd6A8DL0G5Ut46ljzMC2aMsZOATCID3mPOPgI0xIetDofPJLDqVsNqptRHo8WB+KwDidvl222f5F7JqdSqgAMOJYPscrX0odufApiJfg5bbXBygvrDfAlPSruW7GsWGoKAhw0qC4NC/j+qYCwhS0qdorCLnIy3zzMtA6HkHtE675hy7/7oLj7k9Y8MhE4PxztjXTmDazaVCtKhnA/DpaxP2mH84gfCkJFD1YF9jtPm+P3e+46FwkW+WnHaA2L+H7Evava30DLEBhh5y9Gd1A3JN4isn,iv:7KUWg7+GWgmGJkbIvsy9gtccZBb+1Y5uDWhXQFk0obk=,tag:qJdM684XPHxecLVxVb5pgw==,type:str]
 wg-deluge.conf: ENC[AES256_GCM,data:CjCqgC1458C6odMtcWigE9tZwci4bJYyk+2fVTpP2OnHYwAp38bt0TbBLwgytMqKfB5EpJZLdbeTSoL33MhT2MD4gWBuDH1++p59l9213LS+9mF6gxG/RksrnnLvz9Pnk5J19qOz1PDxm6t8ZF2qu5qAHY83CF+k32G04/p2Nl04bDllAmMUlGGHJ5TXvXCSRcNU/2tWYv/sC4SwfUfpMjRbSKJUQSTEXnQsPaKsf+fq3mhj1a/xT6zJ6sxwDAGQ3PwIY8xTDf5ucS9ULPO9Zn27NUBoFmS1g0fJd+ZCJJYIWkG2uYDf+ldu/Ag95BduHX7Juf3GolhVd24hZzaIq3LeME99+T3SYA4LBkAaASnBvrVOXmFavHPKhFfbZ1DG0mO7S2M+Ticz+dUktjTXCh/Fe4uwf2R82PieuPhNng==,iv:AKleoSHG6qKEMJ7vIFsQ+X7d/jaXt+d0kg3LnbeWrRc=,tag:zrtqRIxEBbpSh9Ryj8cwqw==,type:str]
+nginx:
+    key.pem: ENC[AES256_GCM,data:ObYnicx/H4tj6DAKiXERL9TZjP+1lDRqGB+qekiirAEpjKOJ4FpD9vd82ffDoxIbANAl6lKwzZDsEO6tdejl1OgZcPNTXsLkXQ6nurek92qCew0bzfca2Nn49DiwDOS+c1l5oKBHePKC8sCV8A5YH69fMWIHsvJDJaD7Ltu6xyP5MG/b2UYTsUnhHOM03PSLQV+PYXE63MzqLV2Det5sFxh0jY+551gq2lUAJoYNagmoQEfxjwBOntIepIXudarWf8Nl5QoPxQ90eji97E7LPbFn3pKR6mHDzyvfE6gsaStDUEtByJGMAzmUFvcCTqSH6Lj2iCfyBJY9qENOtZ8etwHkf4ddllF2PZxrxv4DOQuhcvOxWcl9gd1UqwcbD06hTjI1KbXSgxm9KP5PjGCNxkBjeOaUOqRn++3MQeuAR2eiASEa8x6AQGDOaAcqqtff92/akpTcE4d+hLnSfo1dfaptDppr5BiuhivpPY54WQJm/YODHSnUGdXc3CaZtPHIAqdRCuMplIyRpg6HPAHRbeCp826mHZeYFNzavCoF3lSVokBONk2VjOpKS2coUGQGe+JllH2Na2a4qjHPNQOLaZaIVdrr/Qn0mPrtXSArOz9nAOeL7fLYDlFdrCcFUdrXw+YWjhjU++dQuN6tMXAb4upOOuQfcALfTq7YBZLIj92dR1CP5hdMXKM//TZVLhnipcwk7xCpJENZrFqjuqnQlVNiq25mgOK4zoAqnq65E3sYCTzhe4F89Ce01PmTKmsMnLfP/ubDu499N68w5Qe95rKSL1OXRSjrLab8LS8CUib/yAGCIitGAAtQ9ck/cI96+WqyPG8wcbU/zVamB7SY8b/VC8fEUcgIztHWPK9Km+Q6ywHvQQlihpJJYKBjAUBXFN36VDcYLV5XsM1LpQgX8DaLLeJzC1NPnf8hf0YJW9EpMLq5EjqAkccFxvpeX2mGLE9GarqTX/ZISEFcL4Lf+ktrVQ5vL0DukjL5X5fr7IslHwQlr8Ci7ihDwLTy/4sJWe6LSOBCkYEvx4ZRO1k/XwtnVCoYPGrHI76ow39Hzg8mYeAdurpHOMo4g5rZmiBv5A2f5jGtg2rKaVVMxGigZB1sQGI+b9CmLEypJPPl3XAnOPDIIzPG5eMdIAQK7AzXUqNs12EVX8ZzGjD7/zCq/cKXA+CeO+LFst7ixIM2hOZIctHSd/I/FbYOAnCuHfYc5dy4pkGBJjXCyYc/7ONG0O5I1T2FIgtFUr0MfO0P6JDB+ICpmmrIvNJBmc7nNaakx2gxitZjM2/K+MUsxmnE5pdHFB4fmKamIb7o4LeJcs86Y+RI1b0dli8Hp7HEMVz7L5yJnddIggiu8MrOJtPnZe0Oej7FWp76KhBD64oPveGPnLWdB9d0ZEg0BL40pEubuHuNRHmNn1MCmsdDQz4wfrMUTW/S3QQS8LJ12pIVqxld7uvvwiQkRB58oR22dwsjpE63awfErOtY5ZYBrY9u34Pt2Op3TxLBUUP1uGGanSAC07Xkj7HMMQ4g+e83843itqRbDLNCYz75aIjHAjWogpKo5XTX2itpw+k4ZtDKGzlUi4e7VQjLNt7J+74uuZuHqVxoaHSRlrQE2F5Tueh4Njlux3cEYO3s3yDrvysAZF1yZG7zToGCCu3faa7cLkQCdkvFNqiG+V2AVslzW+0WS5m7IVmkMxnGKgigWiFlIpsP0gB7ihSo/T9DP7iUni6/Y85/AKdzNxb3EfSOwewbReVZZ5K9ag7+iYs0sq+Z4e3L/+xIOSTulsCFlGhOURtU3ef3vbHeIuRxEYuk1lTZInNbQTSwOZaGRCzYRH1ZVDml6aNobeFxD67h5j9nBZTqIxlQMC2hjUX4KUwS693659cQTG8PimxuDdnOfNdTQ5/n2FHRXQMpAK4l3JakoOO2y9lwITizTYWj2Hvls6Dhcxa+WrzexA0LZZc7okA5LfvHeq8969MQGJP2qXZ3/NZXvp0CSg3m328yC4PYYr6J4feI3vwNTtRZd6vkOFLRe/dsZSaDFIPhF2bjjXQ3sbZRtHYnEVYVVQ8ndEnhSzOVwFMP7l43xNiYDBh/NHU6sGH4187pn7GATDViwPsfBa8lhzyDd0kGn3wTsBs4QNH1zNpFEfJEwo77PQC1zUtwDoxa5coBesLh9NUoB/i0thLR0wUBH9x4H/z0lkgljH3MAPejH+ybx/9ZXtnNHYPHvVeptvBymy8QXxy4x8ZQf2Vt8IvPLpacCC44kowNd51YrVg5jKUzgb3TNlBZnhuOj2JmKCf+SU52c8jPDUIzP8ysuljTSlyre7rU6XP0PHDbvbc1L0cyRSopnqu8ztr7h3OgAUrswcXFz1/pgUpfqZ0DF9PmS2MLhbXvV6cKXVC/7ZXByE9ToE/Q/1+FT+3U0Gq0n7UjzHPLA9BspPjJd4VaRhI4gfhx2M71DTARAcYLkJW+0g2wKdnGVVa0OsfKwhe4UF8v3otjWHXQwZ0NKconROsk8v3yYFPGbUtEPNeInXGFQdkgr6MYMz5jdQ+D1ZWMLhlWagVN/iZDiGIGyHCq0MgYwGRKG7HjeQZ7Lv2Bf3WYM2cFtpsHdj6NjYdO+3DMLq3aABjrBNyjZM0+8jofL4i5FT7HjD7+NTmt5dHPX0LRwl1/6tgidnoSBbGVGpxp5k5CDUNTLDZpVxjG73YQeOPWt0/VL+whRovawuO2kSJt06UIQME86k9B644pvUWo/WVeo9rtZaVjJaFjdDIkaHvYvC66KSoJ1qpns53R3AFW76AIsOJDP+WN+tFCh4TWVRqtauhVabexTERQ+ctb304w4B931HeJ/L1q8AAzL6vNiV87I1++RJamR8Rp+B70OWotuy/2psJFXv1qKEoUmdp8N5wOS8YGlA7ssgK8/wQxwv1Yahi6sw/cHLW74Mc5czwzbZeECOFO49STczBGonpD8sKkGDEYTR2o96nYNUWnoe5b1eo058YrV73hUxNmvMj5q+wj9M1VLMmLTHuKIh5oXw0bQUdhirs7gNtZtREX2H69ax/2c8Q4FxjAlZlKtGVVmsKSkCLUdhINDGZbIOht3LO/uok1NscI+lvWMsajEWlBOmOnH0539CJ7xjuzzqYAja+hDpr0WvCvOWLPwbI0aq00Is6mICuEu9vB8nfiBwIlA/we6qBjULnXrPh39zfhoQZNetNivJU85wBR/8cz0voSrf4/Or8GkzfdyADDG4PM3vUepJuyTjF5zo+ZQCgMHujxxv/mMk1riOGq02nYZCYRdUXwJyTxTkogagwv59cDQJHqnDG9b9iZOuevG4kSWNn3srLb7HDcqT0sQpSa8ulAPZopFgbX7Hy0KY0eOahkTG9wXPYACFeaXs2+2d9HBeuH6fonMHCL06OQ6dcqKysWe6HrED71nn+kuu9LO7mbLBSekPpJkH2P86ipg8ZBYVK94G21fn9Lbr0/xp6lsgAkuwBIJ7w1QgwKlCXuItpHTFOq1TToTxh99ZyK8MkYgMSz5oYdgBEelaxbknR/nYLQAOYwOvfg+fCkz3HcDr+/SRC6niQ1c2sZP9rOe3DR9Dzr8yzWHoFjkuRMoBMz+6LbjYBW2ieT4iUAmpWydB9F/N1a4MvyT18J4+Gxc/Ugp/AufRq/xmMKKtqp/D7nj8l/N+9wAmaYakvbNfDf00bm7qhIg8nnoWI7LbiI/l3djtSEPxWqyI+IMwKx+lXhvoTdio/aIcjiM1FKdh9bkn466Qjp4Jw7dQh0Au1cv5RMq4XFAF/ob2oNdW1lflPPwp8+G0Rkx8btIoPGXzlR5Qmd1K17PouBP5haOSxptn2g9kqpcsdAGyHnqOdnL/mY1SrwJIGLIMkXffJsf837IQaD8PUhO1DHUV3hZ9MPc0hZL2oRPBBnw+5dOCSfFDzvxjo7Bj9W1OFRo5ETJz1OWBhj7TRn8zMr4wvfxdHB8aFAjEhypTmVtmSLPUB6NTZo4HqGfWVCMfYum5sfLi0u2hpAmRIGQOChURtv1o3KPhzIpBxXz9e3/+Ro8RxITV+s5ATKFsb8EJp4hYbrg84MFVicg29+Ds4ET+WfSAD/1U0wdKVzZt30Fnh31vQPEBoTwjwESZDnprKc5fAD9koW8gZK1WP0dypbXbTnSx76l04Kyncr+L3/kaC4i6q1zw3QEtseecGNNUQHTioM+HLuEtuWE7eg6UXsZ0lFqx3Avd7i0Nu9fIlS2yaG2hln/yiEx9ifh1hcidziu4TKFgjh/AKRQDYGHguvfdCwfBWIHeyrzWFztp/kwYCinwqHnBujUqaJqa+qFhCp8exrP1KVzeu7PkRwGIAwfJx43WPjBgMsbm7GsBYrkWHXYceBCmjgProdgK0=,iv:G7JThXxOrVYpQatcvkjmhOGSs+griXoSzrpqqYwh2TA=,tag:U4Yj8MC4nOUcc/8bvC90WQ==,type:str]
 sops:
     age:
         - recipient: age1tt0peqg8zdfh74m5sdgwsczcqh036nhgmwvkqnvywll88uvmm9xs433rhm
@@ -47,7 +49,7 @@ sops:
             bUhIT0Z2b1dVWGNyS1hRVFRyZTA4d00KchP7EhSOMwBl5vFuuskzosRoi8jUu1sw
             hVjJNF2a40ewgkQgVAoWEzirHbknbQORzmepDDRth7Bve3UQU64+GA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-08T23:20:49Z"
+    lastmodified: "2025-04-13T14:21:06Z"
-    mac: ENC[AES256_GCM,data:4RANoPaf4TCLkkTkY/UyOCLWKVL6o5N+bSXbNCoQLoI5hI5oW6zgPnvEKtERhJiKNttEoPStb68dt8/DRZ6enpi6h/DP+kNm7wCCT0atMnfKUXz1Hco6ixub9cyT1wpRxjU0O5EPmYSDRYTayOBOqvXzns+OpVFGMcskUAeroL8=,iv:JHMW8tsydX2k39SPqbFfyash4k8juTCi8DtufA8lL/s=,tag:lTQc62Y4nDEErT/TbL+Hbg==,type:str]
+    mac: ENC[AES256_GCM,data:gkVuyr5PSqumXYWK5WsMfPHPQHbXHIFoUgGokh6xEHTacmxABvNroQiMZYrSvbHVSUxy06Ao8VWRK1tPPSjbsxBD5T7X0yXDLGkmPQpQWSRy+Zb1hQaV0Osp2p4yGGseNJxBmWOGWdmJGOwCAoj8tnS/EOGo+128dJyzrvD9F4Q=,iv:RQ/cM1eySv+KVLD/MGSs3E1RXMLFJR+6O1hOie8bskU=,tag:fT6jXRSMpCexYV1m5FbbDQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.1

nki-personal-do/headscale.nix

@@ -61,6 +61,13 @@ rec {
 
       dns = {
         base_domain = "dtth.ts";
+        extra_records = [
+          {
+            name = "llm.kagamipc.dtth.ts";
+            type = "A";
+            value = "100.64.0.1";
+          }
+        ];
       };
 
       noise = {