rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
859 commits 1 branch 0 tags 41 MiB
Commit graph

10 commits

Author SHA1 Message Date
ediblerope
beadcc5397 Use propagation wait instead of disabling ACME DNS check 
Disabling the propagation check caused lego to submit to Let's
Encrypt before Cloudflare's authoritative nameservers had the
TXT record. A 30s wait gives Cloudflare time to propagate.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-14 22:36:48 +01:00
ediblerope
3c0746e23b Skip ACME DNS propagation check for local resolver caching 
Local DNS resolver caches stale responses causing the wildcard
cert DNS-01 challenge to time out before propagation is confirmed.
Cloudflare's authoritative servers propagate fast enough for
Let's Encrypt to validate without the client-side check.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-14 22:33:13 +01:00
ediblerope
372275da5e Fix Authelia forward-auth to match proven working NPM config 
- Use /api/verify endpoint instead of /api/authz/forward-auth
- Add proxy_pass_request_body off to auth location
- Put redirect URL inline in error_page instead of using a variable
- Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-07 20:35:59 +01:00
ediblerope
09d24eecf3 Fix Authelia forward-auth: use set instead of auth_request_set for redirect URL 
auth_request_set reads variables from the auth subrequest context where
$scheme/$http_host/$request_uri are empty, causing a 500 instead of a
302 redirect. Using set captures from the main request context.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-07 20:31:03 +01:00
ediblerope
64bd0b8f0b Fix nginx proxy_headers_hash warning from Authelia forward-auth headers 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-07 17:27:23 +01:00
ediblerope
9ce1e00ea5 Remove broken --dns.propagation-wait flag, rely on default propagation check 
The CNAME interference is resolved so the default lego propagation check
(querying Cloudflare authoritative NS) should work correctly now.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-07 17:20:19 +01:00
ediblerope
476379f4e4 Fix ACME: add 30s propagation wait and re-enable full DNS check 
The previous dnsPropagationCheck=false caused lego to ask LE to validate
before the TXT record was globally visible. Adding --dns.propagation-wait
gives Cloudflare time to serve the record from all edge locations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-07 17:16:07 +01:00
ediblerope
b27d2913e8 Disable ACME DNS propagation check for Cloudflare 
Cloudflare is the authoritative NS so API-created TXT records are
immediately visible — the propagation poll was timing out unnecessarily.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-07 16:53:00 +01:00
ediblerope
eadbc92126 Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc 
- Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01
- Native Authelia SSO with forward auth protecting homepage + camera
- Native go2rtc camera streaming (no more Docker)
- Auto-migration script for Authelia secrets and user database from Docker
- Homepage hrefs updated to use HTTPS domain names
- Fail2ban updated for native nginx log paths + new Authelia jail

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-07 15:47:56 +01:00
ediblerope
f8759889bf
Update and rename webservices.nix to nginx.nix 2026-01-22 10:46:23 +00:00
Renamed from services/webservices.nix (Browse further)