diff --git a/inventory/demo-configuration.nix b/inventory/demo-configuration.nix
index cb2b741..6cbe864 100644
--- a/inventory/demo-configuration.nix
+++ b/inventory/demo-configuration.nix
@@ -1,16 +1,20 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
+
 {
- virtualisation.vmVariant.virtualisation.forwardPorts = [
- { from = "host"; host.port = 8001; guest.port = 8001; }
- ];
+ #virtualisation.vmVariant.virtualisation.forwardPorts = [
+ # { from = "host"; host.port = 8001; guest.port = 8001; }
+ #];
+ networking.hosts = { "127.0.0.1" = [ "hedgedoc.nixin.local" ]; };
+ networking.hostName = "demo";
 #networking.firewall.enable = false;
 networking.firewall = {
- allowedTCPPorts = [ 8001 ];
+ allowedTCPPorts = [ 80 443 ];
 };
+
 services.hedgedoc = {
 enable = true;
 settings.domain = "hedgedoc.nixin.local";
@@ -22,11 +26,50 @@
 "hedgedoc.nixin.local"
 ];
 };
+
 users.users.operator = {
 isNormalUser = true;
 extraGroups = [ "wheel" ];
 initialPassword = "test";
 };
+ security.acme.defaults.email = "contact@nixin.local";
+ security.acme.acceptTerms = true;
+
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts."hedgedoc.nixin.local" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/hedgedoc";
+ locations."/".proxyPass = "http://127.0.0.1:8001";
+ locations."/socket.io/" = {
+ proxyPass = "http://127.0.0.1:8001";
+ proxyWebsockets = true;
+ extraConfig =
+ "proxy_ssl_server_name on;"
+ ;
+ };
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ wget
+ tmux
+ mosh
+ htop
+ ];
+
 system.stateVersion = "24.05";
 }
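Review bot: The `virtualisation.vmVariant.virtualisation.forwardPorts` block in the first hunk is commented out rather than deleted, and `lib` and `modulesPath` are added to the module's argument set although nothing in either visible hunk uses them; delete the three `#` lines (git history keeps them) and drop the two arguments unless the part of the file outside the hunks references them. With `allowedTCPPorts = [ 80 443 ]` the guest now only exposes the nginx front-end, so a port-forward for 8001 would no longer reach anything useful from the host anyway, which makes the commented block misleading as well as dead. If the VM variant is still meant to be reachable from the host, forward 443 (and 80) instead of 8001 and say so in a comment on the firewall line.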
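Review bot: `enableACME = true` on `virtualHosts."hedgedoc.nixin.local"` in the second hunk cannot succeed: `.local` is not a publicly resolvable name and hunk 1 maps it to 127.0.0.1 in `networking.hosts`, so the ACME client will keep failing against the CA with a `contact@nixin.local` account while nginx serves whatever placeholder certificate the module provides; for a demo VM set `enableACME = false;` and point `sslCertificate`/`sslCertificateKey` at a locally generated certificate, or use `useACMEHost` only once a real DNS name exists. `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the maintained cipher list that `recommendedTlsSettings = true` installs with a narrower hand-written one that still admits CBC/SHA-1 suites and excludes ChaCha20, so drop the line unless there is a documented requirement for it. `proxy_ssl_server_name on;` only applies to `https://` upstreams and both locations proxy to `http://127.0.0.1:8001`, and `root = "/var/www/hedgedoc"` is never served because every location is proxied, so both are dead configuration. Since nginx now terminates TLS with `forceSSL = true`, hedgedoc presumably needs `settings.protocolUseSSL = true` to generate https URLs for the websocket path; the rest of `services.hedgedoc` lies outside the hunk, so confirm it is set there.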