From 4439c7f9de84ea8fe915b852c6c6823df1d45fb3 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Sat, 2 Mar 2024 13:18:05 +0100 Subject: [PATCH] wip pam auth --- hetzner-vpn1.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/hetzner-vpn1.nix b/hetzner-vpn1.nix index 7889803..67e7b9b 100644 --- a/hetzner-vpn1.nix +++ b/hetzner-vpn1.nix @@ -24,8 +24,15 @@ defaults.email = "acme@zerforschen.plus"; }; + security.pam.services.nginx.setEnvironment = false; + systemd.services.nginx.serviceConfig = { + SupplementaryGroups = ["shadow"]; + }; + services.nginx = { enable = true; + additionalModules = [pkgs.nginxModules.pam]; + recommendedProxySettings = true; recommendedTlsSettings = true; recommendedGzipSettings = true; @@ -37,9 +44,12 @@ enableACME = true; locations."/" = { extraConfig = '' + # bind to tailscale ip proxy_bind 100.88.118.60; + auth_pam "Password Required"; + auth_pam_service_name "nginx"; ''; - proxyPass = "http://vinzenz-lpt2:8542/"; + proxyPass = "http://vinzenz-lpt2:8542/"; #tailscale magic dns proxyWebsockets = true; }; };
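Review bot: `SupplementaryGroups = ["shadow"];` gives the nginx worker processes read access to every local password hash on the host so that pam_unix can verify credentials, which turns any bug in nginx or the `nginxModules.pam` module into a disclosure of /etc/shadow; if the aim is only to gate this one proxied app, a dedicated credential store (`basicAuthFile` with an htpasswd file, or a PAM stack that does not consult shadow) avoids that exposure entirely. As written the `nginx` PAM service appears to accept any local Unix account that has a password, service accounts included, so restricting it to an allow-listed group (for example a `pam_listfile` or group check in `security.pam.services.nginx.text`) is worth doing before this leaves "wip". Every request to `/` — websocket upgrades included — now runs a full PAM conversation with a password-hash computation, and nothing in the hunk limits failed attempts; a `limit_req` zone on that location or fail2ban on the PAM log would blunt brute forcing and the CPU cost. `forceSSL` is not visible in the context lines, so I cannot tell whether the virtual host redirects HTTP to HTTPS — Basic credentials sent over plain HTTP would be exposed on the wire. The `services.nginx` attribute set and the virtual host definition both continue outside the hunk.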