From f61c6dddfa3e35bd32e4b0796756671f84d779df Mon Sep 17 00:00:00 2001
From: natto1784
Date: Fri, 4 Jun 2021 02:49:09 +0530
Subject: [PATCH] Remilia: add more stuff in nginx service
---
 hosts/servers/remilia.nix | 3 +-
 hosts/servers/remilia/boot.nix | 1 +
 hosts/servers/remilia/builder.nix | 14 ++++++++++
 hosts/servers/remilia/networking.nix | 41 ++++++++++++++++++++++++++--
 hosts/servers/remilia/services.nix | 37 ++++++++++++++++++++++++-
 5 files changed, 92 insertions(+), 4 deletions(-)
 create mode 100644 hosts/servers/remilia/builder.nix
diff --git a/hosts/servers/remilia.nix b/hosts/servers/remilia.nix
index 46a0ddd..17c203d 100755
--- a/hosts/servers/remilia.nix
+++ b/hosts/servers/remilia.nix
@@ -8,8 +8,9 @@
 ./remilia/hardware.nix
 ./remilia/boot.nix
 ./remilia/services.nix
+ ./remilia/builder.nix
 ../../configs/nvim.nix
 ];
- programs.gnupg.agent.enable = lib.mkForce false;
+ # programs.gnupg.agent.enable = lib.mkForce false;
 system.stateVersion = "21.11";
 }
diff --git a/hosts/servers/remilia/boot.nix b/hosts/servers/remilia/boot.nix
index 3a96c43..32d1859 100755
--- a/hosts/servers/remilia/boot.nix
+++ b/hosts/servers/remilia/boot.nix
@@ -1,6 +1,7 @@
 {config, ...}:
 {
 boot = {
+ kernel.sysctl."net.ipv4.ip_forward" = 1;
 initrd.kernelModules = [ "bochs_drm" ];
 initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" ];
 kernelModules = [ "kvm-amd" ];
diff --git a/hosts/servers/remilia/builder.nix b/hosts/servers/remilia/builder.nix
new file mode 100644
index 0000000..4ded076
--- /dev/null
+++ b/hosts/servers/remilia/builder.nix
@@ -0,0 +1,14 @@
+{config, ...}:
+{
+ nix.buildMachines = [ {
+ hostName = "Satori";
+ system = "x86_64-linux";
+ maxJobs = 4;
+ speedFactor = 2;
+ supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+ }] ;
+ nix.distributedBuilds = true;
+ nix.extraOptions = ''
+ builders-use-substitutes = true
+ '';
+}
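Review bot: The gnupg agent override in remilia.nix is left behind as a commented-out line rather than deleted, so the next reader cannot tell whether it was dropped on purpose or is meant to come back. Either remove `# programs.gnupg.agent.enable = lib.mkForce false;` outright or keep it with a one-line reason for why the override is no longer wanted. The enclosing attribute set (and the start of its `imports` list) begins outside the hunk.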
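Review bot: `kernel.sysctl."net.ipv4.ip_forward" = 1;` in boot.nix turns on IPv4 forwarding for the whole host, but nothing in that file says why; the only consumer is the NAT/WireGuard setup added to networking.nix in the same commit, and a reader of boot.nix alone cannot know that. A short comment would tie the two together, e.g. `kernel.sysctl."net.ipv4.ip_forward" = 1; # route wg0 peers out via ens3, see networking.nat in networking.nix`. If I remember correctly the NixOS `networking.nat` module already sets the forwarding sysctl when it is enabled, in which case this line is redundant and could be dropped; worth confirming against the module before keeping both.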
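Review bot: The `Satori` entry in `nix.buildMachines` sets neither `sshUser` nor `sshKey`, so the connection depends entirely on out-of-band SSH configuration (hostname resolution, user, identity and the known host key for `Satori`), presumably root's since the daemon does the connecting, and nothing in builder.nix records that requirement. A header comment would save the next person a failed build, e.g. `# Remote builder: "Satori" must be reachable via the daemon user's SSH config (host, user, identity and known_hosts are managed outside this repo)`. If the key material can be brought under configuration management, setting `sshUser`/`sshKey` here would make the dependency explicit instead of implicit.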
diff --git a/hosts/servers/remilia/networking.nix b/hosts/servers/remilia/networking.nix
index a38aa8e..28af060 100755
--- a/hosts/servers/remilia/networking.nix
+++ b/hosts/servers/remilia/networking.nix
@@ -1,13 +1,50 @@
-{config, ...}:
+{config, pkgs, ...}:
 {
 networking = {
 useDHCP = false;
 hostName = "Remilia";
- firewall.allowedTCPPorts = [ 22 80 ];
+ firewall = {
+ interfaces = {
+ ens3 = {
+ allowedTCPPorts = [ 22 80 443 ];
+ allowedUDPPorts = [ 17840 ];
+ };
+ };
+ };
 interfaces = {
 ens3 = {
 useDHCP = true;
 };
 };
+ nat = {
+ enable = true;
+ externalInterface = "ens3";
+ internalInterfaces = [ "wg0" ];
+ };
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.55.0.1/24" ];
+ listenPort = 17840;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE
+ '';
+ privateKeyFile = "/var/secrets/wg";
+ peers = [
+ {
+ publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4=";
+ allowedIPs = [ "10.55.0.2/32" ];
+ }
+ {
+ publicKey = "SqskEH7hz7Gv9ZS+FYLRFgKZyJCFbBFCyuvzBYnbfVU=";
+ allowedIPs = [ "10.55.0.3/32" ];
+ }
+ ];
+ };
+ };
 };
 }
diff --git a/hosts/servers/remilia/services.nix b/hosts/servers/remilia/services.nix
index 576d965..422e9a1 100755
--- a/hosts/servers/remilia/services.nix
+++ b/hosts/servers/remilia/services.nix
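Review bot: The `postSetup`/`postShutdown` iptables rules hard-code `10.55.0.0/24` while the same prefix is already expressed by `ips = [ "10.55.0.1/24" ]`, so the two can drift apart on the next edit; and, as far as I recall, `networking.nat` with `internalInterfaces = [ "wg0" ]` already installs a MASQUERADE rule for wg0 traffic leaving `externalInterface`, which would make the manual `-t nat` rules a duplicate of what the module does. Pick one owner for the NAT policy, either drop the manual rules and rely on the `nat` block or drop the `nat` block and keep the script, and add a comment saying which. The `-A FORWARD -i wg0 -j ACCEPT` rule lets every peer forward to anything this host routes, including the other peer; if that is intended, a line comment such as `# peers may reach each other and the internet through this host` makes the policy explicit. `privateKeyFile = "/var/secrets/wg"` correctly keeps the key out of the repo, but the interface will not come up unless that file is provisioned first, which deserves a one-line note next to it.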
@@ -1,12 +1,47 @@
-{config, ...}:
+{config, pkgs, ...}:
 {
 services = {
 openssh = {
 enable = true;
 permitRootLogin = "yes";
 };
+ nginx = {
+ enable = true;
+ package = pkgs.nginx;
+ virtualHosts = {
+ "weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://10.55.0.2:80";
+ };
+ "git.weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.55.0.2:5001";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ "mail.weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {};
+ };
+ };
+ };
 };
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j" ];
+ security.acme = {
+ acceptTerms = true;
+ certs = {
+ "weirdnatto.in".email = "natto+acme@weirdnatto.in";
+ "git.weirdnatto.in".email = "git+acme@weirdnatto.in";
+ "mail.weirdnatto.in".email = "mail+acme@weirdnatto.in";
+ };
+ };
 }
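Review bot: All three new vhosts use `addSSL = true`, which keeps serving them over plain HTTP alongside HTTPS, so a client that lands on `http://git.weirdnatto.in` is never redirected and its session cookies travel in the clear; `forceSSL = true` is the safer choice for proxied sites unless plain HTTP is wanted for a reason worth stating in a comment. With a root key now added in `users.users.root.openssh.authorizedKeys.keys`, the unchanged `permitRootLogin = "yes"` is broader than the new setup needs, since it still admits password logins for root; `permitRootLogin = "prohibit-password";` matches the key-based access this commit introduces. The `git.weirdnatto.in` location forwards `Host` through `extraConfig` while `weirdnatto.in` does not, so the two backends on 10.55.0.2 see different request headers; `services.nginx.recommendedProxySettings = true;` sets Host and the X-Forwarded-* headers once for every location. `"mail.weirdnatto.in"` has an empty `locations."/" = {}`, which presumably exists only to obtain the ACME certificate for a mail server; a comment saying so would stop someone from "fixing" it later.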