···

       
180
       
180
       
 
       


     

       
181
       
181
       
 
       
  networking.firewall = {

     

       
182
       
182
       
 
       
    enable = true;

     

       
183
       
183
       
-
       
    allowedTCPPorts = [ 22 80 443 ];

     

       
183
       
183
       
+
       
    allowedTCPPorts = [

     

       
184
       
184
       
+
       
      22

     

       
185
       
185
       
+
       
      80

     

       
186
       
186
       
+
       
      443

     

       
187
       
187
       
+
       
    ];

     

       
184
       
188
       
 
       
    logRefusedConnections = false;

     

       
185
       
189
       
 
       
    rejectPackets = true;

     

       
186
       
190
       
 
       
  };

     
···

       
299
       
303
       
 
       
  atelier.services.knot-sync = {

     

       
300
       
304
       
 
       
    enable = true;

     

       
301
       
305
       
 
       
    secretsFile = config.age.secrets.github-knot-sync.path;

     

       
306
       
306
       
+
       
  };

     

       
307
       
307
       
+
       


     

       
308
       
308
       
+
       
  services.n8n = {

     

       
309
       
309
       
+
       
    enable = true;

     

       
310
       
310
       
+
       
    environment = {

     

       
311
       
311
       
+
       
      N8N_HOST = "n8n.dunkirk.sh";

     

       
312
       
312
       
+
       
      N8N_PROTOCOL = "https";

     

       
313
       
313
       
+
       
      WEBHOOK_URL = "https://n8n.dunkirk.sh";

     

       
314
       
314
       
+
       
    };

     

       
315
       
315
       
+
       
  };

     

       
316
       
316
       
+
       


     

       
317
       
317
       
+
       
  services.caddy.virtualHosts."n8n.dunkirk.sh" = {

     

       
318
       
318
       
+
       
    extraConfig = ''

     

       
319
       
319
       
+
       
      tls {

     

       
320
       
320
       
+
       
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}

     

       
321
       
321
       
+
       
      }

     

       
322
       
322
       
+
       
      header {

     

       
323
       
323
       
+
       
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

     

       
324
       
324
       
+
       
      }

     

       
325
       
325
       
+
       
      reverse_proxy localhost:5678 {

     

       
326
       
326
       
+
       
        header_up X-Forwarded-Proto {scheme}

     

       
327
       
327
       
+
       
        header_up X-Forwarded-For {remote}

     

       
328
       
328
       
+
       
      }

     

       
329
       
329
       
+
       
    '';

     

       
302
       
330
       
 
       
  };

     

       
303
       
331
       
 
       


     

       
304
       
332
       
 
       
  boot.loader.systemd-boot.enable = true;