Networking setup for VMs, new hosts for internal apps

krops/nas/configuration.nix

@@ -163,16 +163,55 @@
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
             '';
           proxyPass = "http://127.0.0.1:8973/";
         };
       };
+      virtualHosts."request-media.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
+            '';
+          proxyPass = "http://127.0.0.1:5055/";
+        };
+      };
+      virtualHosts."flood.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
+            '';
+          proxyPass = "http://192.168.50.187:3000/";
+        };
+      };
     };
     gitea = {
       enable = true;
       stateDir = "/Primary/gitea";
       package = pkgs.forgejo;
       settings = {
+        DEFAULT = {
+          APP_NAME = "Arch's Git Forge";
+        };
         server = {
           ROOT_URL = "https://git.gmem.ca/";
           HTTP_PORT = 8973;
@@ -211,12 +250,24 @@
     hostName = "vancouver";
     domain = "gmem.ca";
     firewall = {
-      trustedInterfaces = ["tailscale0"];
+      trustedInterfaces = ["tailscale0" "virbr0"];
       checkReversePath = "loose";
       enable = true;
-      allowedTCPPorts = [ 22 53 80 443 ];
+      allowedTCPPorts = [ 22 53 80 443 2049 ];
       allowedUDPPorts = [ 53 41641 ];
     };
+    useDHCP = false;
+    bridges = {
+      "br0" = {
+        interfaces = [ "eno1" ];
+      };
+    };
+    interfaces.br0.ipv4.addresses = [ {
+      address = "192.168.50.229";
+      prefixLength = 24;
+    } ];
+    defaultGateway = "192.168.50.1";
+    nameservers = ["100.100.100.100" "45.90.28.116" "45.90.30.116"];
     nftables.enable = true;
   };
   environment.systemPackages = with pkgs; [
@@ -232,7 +283,7 @@
     cifs-utils
     cloudflared
     bat
-    # atuin
+    virtiofsd
   ];
 
   time.timeZone = "Europe/London";
@@ -313,6 +364,16 @@
     dnsProvider = "route53";
     credentialsFile = "/var/lib/secrets/credentials";
   };
+  security.acme.certs."request-media.gmem.ca" = {
+    domain = "request-media.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };
+  security.acme.certs."flood.gmem.ca" = {
+    domain = "flood.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };
 
   system.stateVersion = "23.05";
 }