diff --git a/flake.lock b/flake.lock
index af3efa2..51cf32c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -493,11 +493,11 @@
 "nixpkgs": "nixpkgs_6"
 },
 "locked": {
- "lastModified": 1774932258,
- "narHash": "sha256-TCvJhfJeAXTGG+kgp5gw8OaOTyMsgxi3Y4MTBEHrxoI=",
+ "lastModified": 1777671232,
+ "narHash": "sha256-eLLr3lON++si1Ti+NXooj/cgA6dbkLlc2BahIllTHUY=",
 "owner": "JackMechem",
 "repo": "server-dash",
- "rev": "ede90f8c7fc5c143191f37920999244c87a73e62",
+ "rev": "c991fe7b6df55ce159754bc446efd1866dfb58b5",
 "type": "github"
 },
 "original": {
@@ -513,11 +513,11 @@
 "rust-overlay": "rust-overlay_3"
 },
 "locked": {
- "lastModified": 1775019268,
- "narHash": "sha256-vMZr3B2vpoO33YyHFsxOKMfW/A+GVigzcdYYa+ghHL0=",
+ "lastModified": 1777670098,
+ "narHash": "sha256-WWObAxZIrpLa0oB9g3vcHYWr3mOdPglqjrR6uYkfruQ=",
 "owner": "JackMechem",
 "repo": "server-dash-api",
- "rev": "6c6ee030cd0775178bed3f3fc1c83b23a75071f5",
+ "rev": "56c555d699dc692e2c58e6fcede8dda2c503c7fc",
 "type": "github"
 },
 "original": {
diff --git a/hosts/dellserv/configuration.nix b/hosts/dellserv/configuration.nix
index f28f549..4bd1376 100644
--- a/hosts/dellserv/configuration.nix
+++ b/hosts/dellserv/configuration.nix
@@ -35,7 +35,6 @@
 8384
 8080
 443
- 22
 53
 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
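Review bot: Removing 22 from allowedTCPPorts makes every SSH path into this host, including administrative logins if an sshd listens on 22 here, depend on the sslh unit introduced later in this commit; if sslh is down or mis-detects a client there is no fallback. Whether the host's own OpenSSH runs on 22 is not visible in this hunk. If LAN admin access is meant to survive an sslh failure, keep 22 reachable from trusted interfaces only, e.g. `networking.firewall.interfaces.<lan-if>.allowedTCPPorts = [ 22 ];` (interface name is a placeholder), which does not reopen it on the router.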
@@ -95,6 +94,40 @@
 systemd.services.caddy.serviceConfig.EnvironmentFile = "/etc/secrets/caddy-env";
+ # sslh multiplexes SSH and HTTPS on port 443 so git SSH works
+ # without needing port 22 open on the router.
+ # Using a manual service instead of services.sslh because the NixOS module
+ # injects extra IPv4/IPv6 listen entries that cause duplicate-bind failures.
+ environment.etc."sslh.conf".text = ''
+ foreground = true;
+ inetd = false;
+ numeric = true;
+ transparent = false;
+ timeout = 2;
+ log_level = 0;
+ verbose-connections = 0;
+
+ listen = ({ host = "0.0.0.0"; port = "443"; });
+
+ protocols = (
+ { name = "ssh"; host = "127.0.0.1"; port = "22"; },
+ { name = "tls"; host = "127.0.0.1"; port = "4443"; },
+ { name = "anyprot"; host = "127.0.0.1"; port = "4443"; }
+ );
+ '';
+
+ systemd.services.sslh = {
+ description = "sslh - protocol multiplexer";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.sslh}/bin/sslh-fork -F /etc/sslh.conf";
+ Restart = "on-failure";
+ RestartSec = "3s";
+ Type = "simple";
+ };
+ };
+
 services.caddy = {
 enable = true;
 package = pkgs.caddy.withPlugins {
@@ -102,15 +135,25 @@
 hash = "sha256-Olz4W84Kiyldy+JtbIicVCL7dAYl4zq+2rxEOUTObxA=";
 };
 globalConfig = ''
+ auto_https disable_redirects
 acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+ https_port 4443
+ http_port 4480
 '';
 virtualHosts."dashboard.jackmechem.dev" = {
 extraConfig = ''
- reverse_proxy localhost:3000
+ bind 127.0.0.1
+ handle /auth/* {
+ reverse_proxy localhost:3001
+ }
+ handle {
+ reverse_proxy localhost:3000
+ }
 '';
 };
 virtualHosts."syncthing.jackmechem.dev" = {
 extraConfig = ''
+ bind 127.0.0.1
 reverse_proxy localhost:8384 {
 header_up Host {upstream_hostport}
 }
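Review bot: The hand-written systemd.services.sslh unit keeps sslh-fork running as root for its whole life — there is no `user` key in sslh.conf and no `User`/`DynamicUser` in serviceConfig — so the protocol probe on the one public ingress port runs with full privileges, which is the privilege drop the skipped NixOS module would have provided. Binding 443 does not require root under systemd: add `DynamicUser = true;` and `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` to serviceConfig, or set `user = "nobody";` in the config file. `verbose-connections = 0` with `log_level = 0` also means, as far as I read sslh's options, no per-connection record (source address, detected protocol) is kept for this ingress point; `verbose-connections = 1` is cheap and worth having, please check against the sslh docs. Separately, with `transparent = false` every forwarded connection reaches Caddy (4443) and the SSH listener (22) from 127.0.0.1, so their logs and anything keyed on the client address (rate limits, trusted-proxy logic, the X-Forwarded-For Caddy sets for its upstreams) see only loopback; the `bind 127.0.0.1` vhost hunks below inherit this.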
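Review bot: The loopback restriction is applied per virtual host (`bind 127.0.0.1` here and again in the git/adguard hunk below), so any vhost added later without that line will listen on all interfaces on 4443 and be held back only by the firewall. A single `default_bind 127.0.0.1` in globalConfig next to `https_port 4443` makes loopback the default for every site and lets the per-vhost lines go. The link between `https_port 4443`, `http_port 4480` and sslh's `tls` target is also not written down anywhere in the file; a comment above globalConfig such as `# Caddy sits behind sslh (443 -> 4443) and listens on loopback only` would spare the next reader the cross-reference.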
@@ -118,11 +161,13 @@
 };
 virtualHosts."git.jackmechem.dev" = {
 extraConfig = ''
+ bind 127.0.0.1
 reverse_proxy localhost:3002
 '';
 };
 virtualHosts."adguard.jackmechem.dev" = {
 extraConfig = ''
+ bind 127.0.0.1
 reverse_proxy localhost:3003
 '';
 };
@@ -132,6 +177,8 @@
 enable = true;
 package = "/var/lib/server-dash/build";
 };
+
+ systemd.services.server-dash.environment.ENROLLMENT_OPEN = "false";
 services.server-dash-api = {
 enable = true;
 useNixBuild = false;
@@ -164,7 +211,8 @@
 HTTP_PORT = 3002;
 ROOT_URL = "https://git.jackmechem.dev";
 SSH_DOMAIN = "gitssh.jackmechem.dev";
- SSH_PORT = 22;
+ SSH_PORT = 443;
+ SSH_LISTEN_PORT = 22;
 };
 };
 };
diff --git a/modules/home-manager/tmux.nix b/modules/home-manager/tmux.nix
index 950489c..e31764e 100644
--- a/modules/home-manager/tmux.nix
+++ b/modules/home-manager/tmux.nix
@@ -24,6 +24,7 @@
 bind - split-window -v
 set -s escape-time 0
+ set -g focus-events on
 # Act like vim
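Review bot: `ENROLLMENT_OPEN = "false"` is set directly on the systemd unit rather than through the services.server-dash module, so its meaning is invisible next to the module options and nothing ties it to the server-dash revision bumped in flake.lock in this same commit, which presumably is where the variable became meaningful. A comment above the line stating what it controls, e.g. `# Close self-enrollment on the dashboard; only existing accounts can sign in`, would make the intent reviewable, and if the module grows a setting for this the line should move there. The application's handling of the literal string "false" is taken on faith here; worth confirming it is parsed as a boolean rather than as any non-empty value.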
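Review bot: `SSH_LISTEN_PORT = 22` only takes effect if this Gitea instance runs its built-in SSH server; if it uses the host's OpenSSH instead, the setting is inert and the sslh `ssh` target on 127.0.0.1:22 lands on the system sshd, which then carries the git traffic for the public hostname — which of the two applies is outside the hunk and should be stated. Either way SSH_PORT is now purely the advertised port, and a comment would make that explicit: `# SSH_PORT: port shown in clone URLs (sslh on 443); SSH_LISTEN_PORT: where the SSH listener actually sits`. Clone URLs will now name port 443 on `gitssh.jackmechem.dev`, so that name must resolve to the host running the sslh listener. The enclosing attribute set continues outside the hunk.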