diff --git a/etc/nixos/configuration.nix b/etc/nixos/configuration.nix
index 3cfe807..387113d 100644
--- a/etc/nixos/configuration.nix
+++ b/etc/nixos/configuration.nix
@@ -12,6 +12,15 @@
     # useDHCP is deprecated
     useDHCP = false;
     interfaces.eth0.useDHCP = true;
+
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+        2222
+      ];
+    };
   };
 
   time.timeZone = "Europe/London";
@@ -48,5 +57,47 @@
     };
   };
 
+  virtualisation.docker = {
+    enable = true;
+    autoPrune.enable = true;
+  };
+
+  docker-containers = {
+    nginx-proxy = {
+      image = "jwilder/nginx-proxy:alpine";
+      ports = [
+        "80:80"
+        "443:443"
+      ];
+      volumes = [
+        # So that we can watch new containers come up
+        "/var/run/docker.sock:/tmp/docker.sock:ro"
+        # So that we can access generated certs
+        "nginx-certs:/etc/nginx/certs:ro"
+        # So that we can write challenge files for letsencrypt auth
+        "nginx-challenges:/usr/share/nginx/html"
+        # So that we can modify config on-the-fly to set up challenge
+        # files
+        "nginx-conf:/etc/nginx/vhost.d"
+      ];
+      environment = {
+        DHPARAM_GENERATION = "false"; # Provided by nginx-proxy-letsencrypt
+      };
+    };
+
+    nginx-proxy-letsencrypt = {
+      image = "jrcs/letsencrypt-nginx-proxy-companion";
+      volumes = [
+        "/var/run/docker.sock:/var/run/dokcer.sock:ro"
+        "nginx-certs:/etc/nginx/certs"
+        "nginx-challenges:/usr/share/nginx/html"
+        "nginx-conf:/etc/nginx/vhost.d"
+      ];
+      environment = {
+        DEFAULT_EMAIL = "tm@tlater.net";
+      };
+    };
+  };
+
   system.stateVersion = "19.09";
 }
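Review bot: Port 2222 is opened in `allowedTCPPorts` with no indication anywhere in the diff of what listens on it, so the next reader cannot tell whether the hole is still needed; a one-line comment naming the service would fix that, e.g. `2222 # <service that listens here — TODO document>`. Note also that the Docker daemon enabled in the second hunk inserts its own iptables rules for published container ports, so those ports are likely reachable independently of this NixOS firewall list — worth confirming on the host rather than assuming `allowedTCPPorts` is the complete exposure surface.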
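Review bot: The `nginx-proxy-letsencrypt` socket mount has a typo in the container-side path, `"/var/run/docker.sock:/var/run/dokcer.sock:ro"`, so the companion will not find the Docker socket where it expects it and certificate issuance will presumably fail silently at runtime; it should read `"/var/run/docker.sock:/var/run/docker.sock:ro"`. Separately, both containers are handed the host's Docker socket, which is equivalent to root on the host regardless of the `:ro` flag (read-only applies to the bind mount, not to the API calls made over the socket), so a comment above each mount stating that these images are fully trusted and should be pinned to a known digest rather than a floating tag would document the accepted risk for future maintainers.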