cert access to homepage

2025-07-16 13:50:10 -06:00
parent 98024d8672
commit 90dac76ad1
5 changed files with 69 additions and 10 deletions
--- a/modules/servers/homepage.nix
+++ b/modules/servers/homepage.nix
@@ -7,7 +7,15 @@ in
  options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
  config = {
    networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
-    sops.secrets = lib.mkIf cfg.enable { homepage.sopsFile = ../../secrets/homepage.yaml; };
+    sops.secrets = lib.mkIf cfg.enable {
+      homepage.sopsFile = ../../secrets/homepage.yaml;
+      "private-ca/pem" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "nginx";
+        group = "nginx";
+      };
+    };
+    my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
    services = {
      homepage-dashboard = lib.mkIf cfg.enable {
        enable = true;
@@ -25,7 +33,7 @@ in
          |> builtins.filter (file: builtins.match ".*\\.nix" file != null)
          |> map (file: import ./homepage/bookmarks/${file});
      };
-      nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverse cfg);
+      nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReversePrivate cfg);
    };
  };
 }
--- a/modules/servers/setup.nix
+++ b/modules/servers/setup.nix
@@ -48,6 +48,10 @@ let
      type = lib.types.bool;
      default = false;
    };
+    certPath = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+    };
  };
  proxy = locations: {
    inherit locations;
@@ -84,6 +88,16 @@ let
        proxy_http_version 1.1;
      '';
    };
+  proxyReversePrivate =
+    cfg:
+    proxyReverse cfg
+    // {
+      extraConfig = ''
+        ssl_verify_client on;
+        ssl_client_certificate ${cfg.certPath};
+        error_page 403 /403.html;
+      '';
+    };
 in
 {
  inherit
@@ -91,5 +105,6 @@ in
    proxy
    proxyReverse
    proxyReverseFix
+    proxyReversePrivate
    ;
 }