Test SSL

nixos/hosts/nixos-rpi4-03/temp.nix

@@ -2,6 +2,11 @@
     networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
     # networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+# Generate a test cert
+# sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
+#   -nodes -keyout test-ssl.key -out test-ssl.crt -subj "/CN=test-ssl" \
+#   -addext "subjectAltName=DNS:test-ssl,DNS:*.test-ssl,IP:10.100.0.2"
+
     services.nginx = {
         enable = true;
         httpConfig = ''
@@ -12,6 +17,14 @@
                 server_name_in_redirect off;
                 root  /var/www/test;
             }
+            server {
+                listen 443 ssl;
+                server_name _;
+                server_name_in_redirect off;
+                root /var/www/test-ssl;
+                ssl_certificate     /etc/ssl/nginx/test-ssl.crt;
+                ssl_certificate_key /etc/ssl/nginx/test-ssl.key;
+            }
         '';
     };
 }

nixos/hosts/osaka-vultr-01/wireguard.nix

@@ -18,7 +18,6 @@
     "net.ipv4.conf.all.forwarding" = 1;
     "net.ipv4.conf.default.forwarding" = 1;
   };
-  networking.firewall.allowPing = true;
   networking.wireguard = {
     enable = true;
     interfaces = {
@@ -26,12 +25,8 @@
         ips = [ "10.100.0.1/24" ];
         listenPort = 51820;
         privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01";
-        postSetup    = ''
+        postSetup    = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE'';
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
+        postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE'';
-        '';
-        postShutdown = ''
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
-        '';
         peers = [
           { # nixos-rpi4-03
             publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";