commit 577c6f7d637395e59884166a68527022b8c5612a
parent 0b4d2c664ed5db78f1cfa5b6ca5bab4be7b2f810
Author: Katja (ctucx) <git@ctu.cx>
Date: Sun, 9 Mar 2025 13:32:50 +0100
configurations/nixos/services/syncthingNginx: add client-cert auth
3 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/configurations/nixos/services/syncthing-nginx.nix b/configurations/nixos/services/syncthing-nginx.nix
@@ -1,30 +0,0 @@
-{ config, ctucxConfig, lib, pkgs, ... }:
-
-{
-
- imports = [
- ctucxConfig.services.syncthing
- ]
-
- dns.zones."ctu.cx".subdomains."syncthing.${config.networking.hostName}".CNAME = [ "${config.networking.fqdn}." ];
-
- systemd.services.syncthing.onFailure = [ "email-notify@%i.service" ];
-
- services = {
- syncthing.guiAddress = "[::1]:8384";
- syncthing.settings = {
- gui.insecureSkipHostcheck = true;
- };
-
- nginx = {
- enable = true;
- virtualHosts."syncthing.${config.networking.fqdn}" = {
- useACMEHost = "${config.networking.fqdn}";
- forceSSL = true;
- kTLS = true;
- locations."/".proxyPass = "http://${toString config.services.syncthing.guiAddress}";
- };
- };
- };
-
-}
diff --git a/configurations/nixos/services/syncthing.nix b/configurations/nixos/services/syncthing.nix
@@ -21,6 +21,7 @@ in { services.syncthing = {
 enable = true;
 openDefaultPorts = true;
+ guiAddress = lib.mkDefault "[::1]:8384";
 user = lib.mkDefault "katja";
 group = lib.mkDefault "users";
diff --git a/configurations/nixos/services/syncthingNginx.nix b/configurations/nixos/services/syncthingNginx.nix
@@ -0,0 +1,36 @@
+{ config, ctucxConfig, lib, pkgs, ... }:
+
+{
+
+ imports = [
+ ctucxConfig.services.syncthing
+ ];
+
+ dns.zones."ctu.cx".subdomains."syncthing.${lib.removeSuffix ".ctu.cx" config.networking.fqdn}".CNAME = [ "${config.networking.fqdn}." ];
+
+ systemd.services.syncthing.onFailure = [ "email-notify@%i.service" ];
+
+ services.syncthing.settings = {
+ gui.insecureSkipHostcheck = true;
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."syncthing.${config.networking.fqdn}" = {
+ useACMEHost = "${config.networking.fqdn}";
+ forceSSL = true;
+ kTLS = true;
+ extraConfig = ''
+ ssl_client_certificate ${../../../secrets/certs/root_ca.crt};
+ ssl_verify_client on;
+ '';
+ locations."/" = {
+ proxyPass = "http://${toString config.services.syncthing.guiAddress}";
+ extraConfig = ''
+ if ($ssl_client_s_dn != "CN=katja@ctu.cx") {
+ return 403;
+ }
+ '';
+ };
+ };
+
+}
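Review bot: The client-certificate gate in the virtualHost `extraConfig` has no revocation check: with `ssl_verify_client on` and only `ssl_client_certificate`, every certificate root_ca.crt has ever issued with subject `CN=katja@ctu.cx` stays accepted until it expires, so a lost or replaced client certificate cannot be cut off short of rotating the CA. Adding `ssl_crl <PATH-TO-CRL-FOR-root_ca>;` next to `ssl_client_certificate` (with the CRL file kept current) closes that gap. The exact match on `$ssl_client_s_dn` in `locations."/"` is fail-closed, since nginx renders the full subject and a certificate carrying extra RDNs such as O= or C= would also get the 403, so a comment like `# subject must be exactly CN=katja@ctu.cx, no other RDNs` would spare a future puzzled debugging session; the check also lives only in that one location, so any location added later needs it repeated or the `if` hoisted to the server-level `extraConfig`. Note that `${../../../secrets/certs/root_ca.crt}` copies the file into the world-readable Nix store, which is fine only if that file holds the public CA certificate and never the CA key — presumably it does, but worth confirming given the secrets/ path.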