-rw-r--r--configuration.nix5
-rw-r--r--machines/lapin.nix24
2 files changed, 23 insertions, 6 deletions
diff --git a/configuration.nix b/configuration.nix
index 91376d1..7e79efd 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -67,6 +67,11 @@ in
     };
   };
 
+  security.acme = {
+    acceptTerms = true;
+    email = "einebeere@gmail.com";
+  };
+
   programs = {
     fish.enable = true;
     git.enable = true;
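Review bot: The new `security.acme` block sets `email` directly on `security.acme`, but recent NixOS releases carry the per-certificate defaults under `security.acme.defaults` (i.e. `security.acme.defaults.email = "…";`), and the old path is kept only as a renamed/deprecated alias there, so evaluation on such a channel is likely to emit a rename warning; if this configuration tracks a release where that move has happened, `email = "einebeere@gmail.com";` should become `defaults.email = "einebeere@gmail.com";`. The value of `acceptTerms` is the opt-in to the CA's terms and is required for the `enableACME` hosts added in machines/lapin.nix, so it belongs here rather than per host. The enclosing attribute set of configuration.nix starts and ends outside this hunk.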
diff --git a/machines/lapin.nix b/machines/lapin.nix
index ef92139..6de21d6 100644
--- a/machines/lapin.nix
+++ b/machines/lapin.nix
@@ -1,12 +1,9 @@
-{ ... }:
+{ lib, ... }:
 
-let
-  nameservers = [ "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ];
-in
 {
   networking = {
     defaultGateway = "172.31.1.1";
-    inherit nameservers;
+    nameservers = [ "2606:4700:4700::1111" "2606:4700:4700::1001" ];
   };
 
   systemd.network.enable = true;
@@ -17,6 +14,11 @@ in
     routes = [ { routeConfig.Gateway = "fe80::1"; } ];
   };
 
+  services.resolved = {
+    llmnr = "false";
+    dnssec = "false"; # DNSSEC breaks IPv6, for some reason :(
+  };  
+  
   virtualisation.docker.daemon.settings = {
     "experimental" = true;
     "ipv6" = true;
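Review bot: `dnssec = "false"` turns DNSSEC validation off entirely, whereas systemd-resolved also accepts `"allow-downgrade"`, which validates against upstreams that return signed answers and silently degrades otherwise; if the breakage the comment describes was missing upstream support rather than validation failures, `dnssec = "allow-downgrade";` keeps validation where the new Cloudflare resolvers provide it, and the comment should then say which symptom was actually observed rather than "for some reason". The `llmnr = "false"` setting is the right choice for a server that only needs unicast DNS. Lines `};  ` and the empty `+  ` line in this hunk, as well as the blank `+      ` line after `enableACME = true;` in the nginx hunk, carry trailing whitespace that should be stripped. The `networking`/`systemd.network` attribute sets this block sits between continue outside the hunk.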
@@ -27,12 +29,22 @@ in
       { base = "172.17.0.0/16"; size = 24; }
       { base = "fc00:d0c::/32"; size = 48; }
     ];
-    "dns" = nameservers;
+    # This is the default Tailscale MTU.
+    # Necessary since we proxy IPv4 requests through another node
+    # and the container does not differentiate the IPv6 (enp1s0) and
+    # IPv4 (tailscale0) interfaces like the host.
+    # Can be removed when I find a better method to support IPv4 on
+    # IPv6 only hosts.
+    "mtu" = 1280;
   };
 
   services.nginx.virtualHosts = {
     "soc.rnrd.eu" = {
+      forceSSL = true;
+      enableACME = true;
+      
       locations."/" = {
+        recommendedProxySettings = true;
         proxyPass = "http://127.0.0.1:1111";
       };
     };
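Review bot: Dropping `"dns" = nameservers;` from the Docker daemon settings means containers now inherit their resolver from the host's /etc/resolv.conf; with `services.resolved` now enabled that file is typically the 127.0.0.53 stub, which is not reachable from a container's network namespace, and Docker then either reads /run/systemd/resolve/resolv.conf or falls back to its built-in IPv4 public DNS defaults, which the MTU comment above indicates this host cannot reach directly. If that is the case here, keeping an explicit `"dns" = [ "2606:4700:4700::1111" "2606:4700:4700::1001" ];` in the daemon settings (matching the new `networking.nameservers`) avoids relying on that fallback. The nginx vhost change itself looks consistent: `forceSSL` plus `enableACME` requires the `security.acme.acceptTerms` set in configuration.nix, and `recommendedProxySettings` is the location-level option, so the proxy headers apply only to the `/` location. The `services.nginx.virtualHosts` attribute set and the surrounding module continue past the end of this hunk.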