commit 1b77c527cf6e89abf7cfc44a98c313c0eea0faca
parent 3b0a8d78d5d9e24c7ac93e31d70b7467229d49b6
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 3 Mar 2023 12:30:59 +0100
parent 3b0a8d78d5d9e24c7ac93e31d70b7467229d49b6
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 3 Mar 2023 12:30:59 +0100
lollo: allow to proxy home-hosted infra via wanderduene
27 files changed, 270 insertions(+), 139 deletions(-)
M
|
76
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------
diff --git a/configurations/linux/services/dns.nix b/configurations/linux/services/dns.nix @@ -12,7 +12,7 @@ SOA = { nameServer = "ns1.ctu.cx."; adminEmail = "dns@ctu.cx"; # Email address with a real `@`! - serial = lib.toInt ("2022" + "12" + "08" + "1"); + serial = lib.toInt ("2023" + "03" + "02" + "1"); }; MXApple = with mx; [ (mx 10 "mx01.mail.icloud.com.") @@ -35,6 +35,11 @@ ns1 = (host "89.58.62.171" "2a0a:4cc0:1:2d7::1"); ns2 = (host "46.38.253.139" "2a03:4000:1:45d::1"); + "stasicontainer.home" = (host "195.39.246.35" "2a0f:4ac0:acab::35"); + "gateway.home" = (host "195.39.246.41" "2a0f:4ac0:acab::1"); + "blechkasten.home" = (host "195.39.246.43" "2a0f:4ac0:acab::43"); + "lollo-old.home" = (host "195.39.246.44" "2a0f:4ac0:acab::44"); + # "sig1._domainkey".CNAME = [ "sig1.dkim.ctu.cx.at.icloudmailadmin.com." ]; "48-247-39-195.wireguard".A = [ (a "195.39.247.48") ];
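Review bot: The SOA `serial =` line is still a hand-typed constant, yet after this commit the zone's contents depend on lollo's `networking.usePBBUplink` and on wanderduene's reverse-proxy module, so flipping that option rewrites the zone without any serial change and a secondary (ns2, presumably) would keep serving the old data until someone remembers to bump it. The new value also encodes 2023-03-02 although the commit is dated 3 March — harmless as long as it only ever increases, but it shows how easy the bump is to miss. I would put a reminder next to it: `# bump on EVERY change to any dns.zones.* record, including the ones gated on usePBBUplink; secondaries only transfer on a higher serial`.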
diff --git a/configurations/linux/services/prometheus-exporters.nix b/configurations/linux/services/prometheus-exporters.nix @@ -1,4 +1,4 @@ -{config, lib, pkgs, ...}: +{ config, lib, pkgs, ...}: { @@ -15,9 +15,9 @@ nginx = { enable = true; virtualHosts."${config.networking.fqdn}" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkDefault true; + forceSSL = lib.mkDefault true; + kTLS = lib.mkDefault true; locations."/node-exporter".proxyPass = "http://127.0.0.1:9100/metrics"; locations."/systemd-exporter".proxyPass = "http://127.0.0.1:9558/metrics"; };
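Review bot: Turning `enableACME`/`forceSSL`/`kTLS` into `lib.mkDefault` lets an importing host switch this vhost to plain HTTP, and the two metrics locations below carry no authentication that is visible here, so on such a host `/node-exporter` and `/systemd-exporter` become reachable unencrypted on port 80 from whatever its firewall admits. That is presumably intended for hosts fronted by wanderduene's TLS-terminating proxy, but nothing in the file says so. A comment on the `enableACME` line such as `# mkDefault: hosts behind the wanderduene reverse proxy override these to false and rely on TLS termination there; keep the plain-HTTP listener restricted to the tunnel` would stop the next reader from re-hardening it, and would document the expectation that the plain listener is not exposed on every interface.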
diff --git a/configurations/linux/services/restic-server.nix b/configurations/linux/services/restic-server.nix @@ -7,7 +7,7 @@ owner = "nginx"; }; - dns.zones."${config.networking.domain}".subdomains."restic.${config.networking.hostName}".CNAME = [ "${config.networking.fqdn}." ]; + dns.zones."ctu.cx".subdomains."restic.${config.networking.hostName}".CNAME = [ "${config.networking.hostName}.ctu.cx." ]; systemd.services.restic-rest-server.onFailure = [ "email-notify@%i.service" ]; @@ -22,10 +22,10 @@ nginx = { enable = true; - virtualHosts."restic.${config.networking.fqdn}" = { - enableACME = true; - forceSSL = true; - kTLS = true; + virtualHosts."restic.${config.networking.hostName}.ctu.cx" = { + enableACME = lib.mkDefault true; + forceSSL = lib.mkDefault true; + kTLS = lib.mkDefault true; locations."/" = { proxyPass = "http://127.0.0.1:8000/"; extraConfig = ''
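Review bot: Hard-coding `dns.zones."ctu.cx"` and `${config.networking.hostName}.ctu.cx.` in a shared module under configurations/linux/services assumes every importing host is published directly under ctu.cx; a host with another domain would now silently drop a CNAME into that zone pointing at a name that may not exist. The change is needed for lollo now that its domain is `home.ctu.cx`, but the assumption should be written down, e.g. `# vhost and CNAME are deliberately <hostName>.ctu.cx rather than networking.fqdn: a host may sit under home.ctu.cx yet be published at the apex via wanderduene`. Note that `syncthing-nginx.nix` in this same commit keeps `${config.networking.fqdn}.` as its CNAME target, so the two sibling modules now follow different conventions.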
diff --git a/configurations/linux/services/syncthing-nginx.nix b/configurations/linux/services/syncthing-nginx.nix @@ -6,7 +6,7 @@ ./syncthing.nix ]; - dns.zones."${config.networking.domain}".subdomains."syncthing.${config.networking.hostName}".CNAME = [ "${config.networking.fqdn}." ]; + dns.zones."ctu.cx".subdomains."syncthing.${config.networking.hostName}".CNAME = [ "${config.networking.fqdn}." ]; systemd.services.syncthing.onFailure = [ "email-notify@%i.service" ]; @@ -18,7 +18,7 @@ nginx = { enable = true; - virtualHosts."syncthing.${config.networking.fqdn}" = { + virtualHosts."syncthing.${config.networking.hostName}.ctu.cx" = { enableACME = true; forceSSL = true; kTLS = true;
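Review bot: `enableACME`/`forceSSL`/`kTLS` stay unconditional `true` here while `restic-server.nix` in the same commit switched the same three settings to `lib.mkDefault`, so a host that is reverse-proxied through wanderduene can run its restic vhost plain but cannot override this one without `lib.mkForce`. If syncthing is deliberately never exposed through the proxy, a one-line comment saying so (`# always TLS: this vhost is not proxied via wanderduene`) settles it; otherwise make these `lib.mkDefault` too. The CNAME target also differs between the two modules (`${config.networking.fqdn}.` here, `${config.networking.hostName}.ctu.cx.` there) — one convention should win.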
diff --git a/machines/lollo/backup-vnstat.nix b/machines/lollo/backup-vnstat.nix @@ -8,7 +8,7 @@ user = "vnstatd"; passwordFile = config.age.secrets.restic-vnstat.path; paths = [ "/var/lib/vnstat" ]; - targets = [ "hector.ctu.cx" "desastro.ctu.cx" ]; + targets = [ "hector.ctu.cx" ]; }; }
diff --git a/machines/lollo/bind.nix b/machines/lollo/bind.nix @@ -1,59 +1,11 @@ -{ config, lib, pkgs, currentSystem, ...}: +{ config, lib, pkgs, ... }: -with pkgs.dns.lib.combinators; - -let - zone = { - CAA = [ { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; } ]; - A = [ (a "195.39.246.42") ]; - AAAA = [ (aaaa "2a0f:4ac0:acab::42") ]; - - NS = [ "home.ctu.cx." ]; - SOA = { - nameServer = "home.ctu.cx."; - adminEmail = "dns@ctu.cx"; # Email address with a real `@`! - serial = lib.toInt ("2022" + "12" + "08" + "1"); - }; - - subdomains = { - stasicontainer = (host "195.39.246.35" "2a0f:4ac0:acab::35"); - gateway = (host "195.39.246.41" "2a0f:4ac0:acab::1"); - blechkasten = (host "195.39.246.43" "2a0f:4ac0:acab::43"); - lollo-old = (host "195.39.246.44" "2a0f:4ac0:acab::44"); - - lollo.CNAME = [ "home.ctu.cx." ]; - legacy.CNAME = [ "lollo-old.home.ctu.cx." ]; - smart.CNAME = [ "lollo.home.ctu.cx." ]; - storage.CNAME = [ "lollo.home.ctu.cx." ]; - music.CNAME = [ "lollo.home.ctu.cx." ]; - influx.CNAME = [ "lollo.home.ctu.cx." ]; - wiki.CNAME = [ "lollo.home.ctu.cx." ]; - fedi.CNAME = [ "lollo.home.ctu.cx." ]; - things.CNAME = [ "lollo.home.ctu.cx." ]; - }; - }; - -in { +{ deployment.tags = [ "dns" ]; - dns.zones."ctu.cx".subdomains = with pkgs.dns.lib.combinators; { - home.NS = [ "home.ctu.cx." ]; - home.A = [ (a "195.39.246.42") ]; - home.AAAA = [ "2a0f:4ac0:acab::42" ]; - }; - - services.bind = { enable = true; - zones = [ - { - name = "home.ctu.cx"; - master = true; - slaves = [ "any" ]; - file = pkgs.dns.util."${currentSystem}".writeZone "home.ctu.cx" zone; - } - ]; extraConfig = '' acl "trusted" { 10.0.0.0/8;
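Review bot: The deleted `home.ctu.cx` zone carried `CAA = [ { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; } ]`, and the names it served (`stasicontainer`, `gateway`, `blechkasten`, `lollo-old`, the `*.home` CNAMEs) are now ordinary records inside `ctu.cx`, where they inherit whatever CAA the `ctu.cx` apex has — which this diff does not show. Please confirm `ctu.cx` carries an equivalent CAA record; otherwise the move silently drops the issuance restriction for every home host. A comment in dns.nix next to the moved records (`# formerly the delegated home.ctu.cx zone; CAA now comes from the ctu.cx apex`) would record where the policy lives. The `services.bind` attrset continues past the end of this hunk, so the remaining `extraConfig`/`acl "trusted"` part is not reviewed here.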
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix @@ -1,7 +1,6 @@ { inputs, config, lib, pkgs, ... }: { - imports = [ inputs.impermanence.nixosModules.impermanence @@ -28,12 +27,20 @@ ./websites ]; - dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); + + networking.usePBBUplink = false; + + dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); + dns.zones."ctu.cx".subdomains."${config.networking.hostName}.home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); + dns.zones."ctu.cx".subdomains."legacy.home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); + dns.zones."ctu.cx".subdomains."home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age; age.secrets.restic-server-hector.file = ../../secrets/restic-server/hector.age; age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age; + age.secrets.wireguard-privkey.file = ../../secrets/lollo/wireguard-privkey.age; + boot = { loader = { systemd-boot.enable = true; @@ -41,9 +48,9 @@ }; kernel.sysctl = { - "net.ipv6.conf.eno1.forwarding" = 0; - "net.ipv6.conf.eno1.autoconf" = 0; - "net.ipv6.conf.eno1.accept_ra" = 0; + "net.ipv6.conf.eno1.forwarding" = lib.mkIf config.networking.usePBBUplink 0; + "net.ipv6.conf.eno1.autoconf" = lib.mkIf config.networking.usePBBUplink 0; + "net.ipv6.conf.eno1.accept_ra" = lib.mkIf config.networking.usePBBUplink 0; }; initrd.network = { 
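Review bot: The four new `dns.zones."ctu.cx".subdomains.*` lines repeat the literal `pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"` with the same `lib.mkIf`, and the same two address literals recur in three website files and in the initrd commands of this file, so a future renumbering has to find every copy. Factor it once, e.g. `dns.zones."ctu.cx".subdomains = lib.mkIf config.networking.usePBBUplink (lib.genAttrs [ config.networking.hostName "${config.networking.hostName}.home" "legacy.home" "home" ] (_: publicHost));` with `publicHost` bound in a `let`, and add a comment stating that these names are published by wanderduene's reverse-proxy module whenever the uplink flag is off. `networking.usePBBUplink = false;` itself deserves one line explaining what it switches, since only the IPv6 side and DNS are affected.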
@@ -56,32 +63,39 @@ }; postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + + '' + lib.optionalString config.networking.usePBBUplink '' sysctl -w net.ipv6.conf.eno1.autoconf=0 sysctl -w net.ipv6.conf.eno1.accept_ra=0 + '' + '' + ip link set dev eno1 up - ip addr add 2a0f:4ac0:acab::42/128 dev eno1 - ip route add default via 2a0f:4ac0:acab::1 dev eno1 onlink ip addr add 195.39.246.42/28 dev eno1 ip addr add 10.0.0.42/8 dev eno1 ip route add default via 195.39.246.41 dev eno1 onlink - echo 'cryptsetup-askpass' >> /root/.profile + '' + lib.optionalString config.networking.usePBBUplink '' + ip addr add 2a0f:4ac0:acab::42/128 dev eno1 + ip route add default via 2a0f:4ac0:acab::1 dev eno1 onlink ''; }; }; systemd.network.networks = { - "40-eno1".networkConfig.IPv6AcceptRA = false; + "40-eno1".networkConfig.IPv6AcceptRA = lib.mkIf config.networking.usePBBUplink false; }; networking = { + domain = "home.ctu.cx"; + useDHCP = false; nameservers = [ "8.8.8.8" ]; defaultGateway = "195.39.246.41"; - defaultGateway6 = { + defaultGateway6 = lib.mkIf config.networking.usePBBUplink { address = "2a0f:4ac0:acab::1"; interface = "eno1"; }; 
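Review bot: Gating `net.ipv6.conf.eno1.accept_ra` and `net.ipv6.conf.eno1.autoconf` on `config.networking.usePBBUplink` means that, with the option now `false`, both revert to the kernel default (enabled), so eno1 — which the next hunk still configures on the public 195.39.246.32/28 segment — will accept router advertisements from anything on that link and may pick up an unintended IPv6 default route. If no IPv6 uplink is wanted in that mode, keep `"net.ipv6.conf.eno1.accept_ra" = 0;` and `"net.ipv6.conf.eno1.autoconf" = 0;` unconditional (likewise the initrd `sysctl -w` lines and `IPv6AcceptRA = false`) and gate only the static address and route. If RAs are wanted, say in a comment which router is expected to send them.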
@@ -98,16 +112,39 @@ } ]; - ipv6.addresses = [{ + ipv6.addresses = lib.mkIf config.networking.usePBBUplink [{ address = "2a0f:4ac0:acab::42"; prefixLength = 62; }]; }; + wireguard = { + enable = true; + + interfaces.wg-wanderduene = { + listenPort = 51820; + privateKeyFile = config.age.secrets.wireguard-privkey.path; + generatePrivateKeyFile = true; + postSetup = "ip link set dev wg-wanderduene mtu 1500"; + ips = [ "172.17.0.2/24" ]; + + peers = [ + { + persistentKeepalive = 10; + endpoint = "46.38.253.139:51821"; + allowedIPs = [ "172.17.0.0/24" ]; + publicKey = "hOUeP8RFchzJXyy8DceTFKN9f1VHi9GzZQii0dX2zww="; + } + ]; + }; + + }; + firewall.enable = true; firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 51820 ]; firewall.extraCommands = '' + iptables -A nixos-fw -i wg-wanderduene -j nixos-fw-accept iptables -A nixos-fw -p tcp -s 10.0.0.0/8 -j nixos-fw-accept iptables -A nixos-fw -p udp -s 10.0.0.0/8 -j nixos-fw-accept iptables -A nixos-fw -p tcp -s 195.39.246.32/28 -j nixos-fw-accept @@ -142,6 +179,7 @@ }; programs.fuse.userAllowOther = true; + home-manager.users.leah = { imports = [ inputs.impermanence.nixosModules.home-manager.impermanence ]; 
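Review bot: The initrd `postCommands` still add `195.39.246.42/28` and the default route via `195.39.246.41` unconditionally, and `networking.defaultGateway` below is likewise ungated, so `usePBBUplink = false` disables only the public IPv6 address/route and the RA settings while IPv4 keeps using the same uplink; the flag's name promises more than it does. A comment next to `domain = "home.ctu.cx";`/the gateway settings along the lines of `# usePBBUplink=false: no public IPv6 and no public DNS for this host; IPv4 stays on 195.39.246.42, inbound services arrive via wg-wanderduene` would prevent surprises. The `networking` attrset begun in this hunk continues in the next one.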
@@ -162,7 +200,19 @@ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ]; - services.email-notify.enable = true; + services = { + email-notify.enable = true; + nginx.virtualHosts."${config.networking.fqdn}" = { + enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; + forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; + kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; + }; + nginx.virtualHosts."restic.lollo.ctu.cx" = { + enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; + forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; + kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; + }; + }; system.stateVersion = "22.05"; # Did you read the comment? home-manager.users.leah.home.stateVersion = "22.11";
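Review bot: `iptables -A nixos-fw -i wg-wanderduene -j nixos-fw-accept` admits every port from the tunnel, but wanderduene's reverse-proxy module only ever connects to `172.17.0.2:80`, so the rule should be `iptables -A nixos-fw -i wg-wanderduene -p tcp --dport 80 -j nixos-fw-accept`; a compromised wanderduene otherwise has unrestricted access to lollo's local services. In the same hunk `generatePrivateKeyFile = true` next to an agenix-managed `privateKeyFile` is at best a no-op and at worst, when the secret fails to decrypt, silently generates an unrelated key that never matches the peer — drop it so a missing secret fails loudly. `allowedIPs = [ "172.17.0.0/24" ]` for the single peer at 172.17.0.1 can be `172.17.0.1/32`. The `networking` attrset starts above this hunk.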
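Review bot: Forcing `enableACME`/`forceSSL`/`kTLS` to `false` for `${config.networking.fqdn}` and `restic.lollo.ctu.cx` makes lollo serve these vhosts in the clear on port 80, and the firewall in this same file also admits 10.0.0.0/8 and 195.39.246.32/28, so any client that reaches lollo directly instead of via wanderduene (a LAN host, split-horizon DNS) sends restic credentials unencrypted. Bind the plain-HTTP vhosts to the tunnel only, e.g. `listen = [ { addr = "172.17.0.2"; port = 80; } ];`, or add `extraConfig = "allow 172.17.0.1; deny all;";` for the non-uplink case. Stylistically `lib.mkIf (config.networking.usePBBUplink == false) false` reads better as `lib.mkIf (!config.networking.usePBBUplink) false`, and since the same three-option pattern is repeated in a dozen files of this commit a small shared helper would cut the duplication.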
diff --git a/machines/lollo/gotosocial.nix b/machines/lollo/gotosocial.nix @@ -5,9 +5,13 @@ let in { + dns.zones."ctu.cx".subdomains."fedi.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; + age.secrets.restic-gotosocial.file = ../../secrets/lollo/restic/gotosocial.age; + age.secrets.gotosocial-env.file = ../../secrets/lollo/gotosocial-env.age; systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ]; + restic-backups.gotosocial = { user = "gotosocial"; passwordFile = config.age.secrets.restic-gotosocial.path; @@ -18,7 +22,10 @@ in { ''; }; - systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group; + systemd.services.gotosocial.serviceConfig = { + Group = lib.mkForce config.services.nginx.group; + EnvironmentFile = lib.mkIf (config.networking.usePBBUplink == false) config.age.secrets.gotosocial-env.path; + }; services.gotosocial = { enable = true; @@ -34,7 +41,7 @@ in { bind-address = "127.0.0.1"; port = 8085; - trusted-proxies = [ "127.0.0.1/32" ]; + trusted-proxies = [ "127.0.0.1/32" "172.17.0.0/24" ]; db-type = "sqlite"; db-address = "/var/lib/gotosocial/db.sqlite"; @@ -55,9 +62,9 @@ in { }; services.nginx.virtualHosts."fedi.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations = { "/.well-known/host-meta".extraConfig = ''return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="lrdd" template="https://fedi.home.ctu.cx/.well-known/webfinger?resource={uri}" type="application/xrd+xml" /></XRD>';''; "= /".return = "307 /@leah"; 
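Review bot: `trusted-proxies` is widened to the whole `172.17.0.0/24` although the only proxy on that tunnel is wanderduene at 172.17.0.1, and with `bind-address = "127.0.0.1"` gotosocial's immediate peer is lollo's own nginx (127.0.0.1, already trusted), so the entry should be dropped or tightened to `"172.17.0.1/32"`; otherwise any host that obtains an address in that /24 could spoof `X-Forwarded-For` if gotosocial walks the header chain. The `EnvironmentFile` added only when `usePBBUplink == false` is an agenix secret whose purpose is not stated — presumably outbound proxy settings for wanderduene's new SOCKS service — so a comment such as `# outbound proxy credentials for wanderduene's 3proxy; only needed without a direct uplink` would help, and `lib.mkIf (!config.networking.usePBBUplink)` is the idiomatic negation.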
@@ -77,11 +84,12 @@ in { # ''; "/".extraConfig = '' - proxy_pass http://localhost:8085/; + proxy_pass http://127.0.0.1:8085/; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; + '' + lib.optionalString config.networking.usePBBUplink '' proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; '';
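Review bot: Gating `X-Forwarded-For`/`X-Forwarded-Proto` on `usePBBUplink` is right for the proxied path (here `$scheme` would be `http`, and wanderduene already sets both headers), but nothing in the file says so and the next reader may "fix" it by un-gating, which would make gotosocial see `http` for every request. Add a comment at the `lib.optionalString` line: `# when proxied via wanderduene these headers are set there and must pass through untouched; setting them here would report http and the tunnel address`. The change from `localhost` to `127.0.0.1` in `proxy_pass` also avoids a ::1 vs 127.0.0.1 mismatch with `bind-address = "127.0.0.1"` above and deserves a word, since it looks cosmetic.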
diff --git a/machines/lollo/radicale.nix b/machines/lollo/radicale.nix @@ -16,7 +16,7 @@ paths = [ "/var/lib/radicale" ]; }; - dns.zones."ctu.cx".subdomains.dav.CNAME = [ "${config.networking.fqdn}." ]; + dns.zones."ctu.cx".subdomains.dav.CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; systemd.services.radicale.onFailure = [ "email-notify@%i.service" ]; @@ -37,9 +37,9 @@ nginx = { enable = true; virtualHosts."dav.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations."/".proxyPass = "http://127.0.0.1:5232/"; }; };
diff --git a/machines/lollo/smarthome/influxdb2.nix b/machines/lollo/smarthome/influxdb2.nix @@ -1,10 +1,12 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { age.secrets.restic-influxdb.file = ../../../secrets/lollo/restic/influxdb.age; age.secrets.influx-backup-env.file = ../../../secrets/lollo/influx/backup_env.age; + dns.zones."ctu.cx".subdomains."influx.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; + systemd.services.restic-backup-influxdb.serviceConfig.EnvironmentFile = config.age.secrets.influx-backup-env.path; restic-backups.influxdb = { @@ -23,9 +25,9 @@ services.nginx = { enable = true; virtualHosts."influx.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations."/".proxyPass = "http://127.0.0.1:8086/"; }; };
diff --git a/machines/lollo/smarthome/mqtt-webui/default.nix b/machines/lollo/smarthome/mqtt-webui/default.nix @@ -1,4 +1,4 @@ -{ inputs, lib, pkgs, ... }: +{ inputs, lib, pkgs, config, ... }: let @@ -6,13 +6,16 @@ let in { + dns.zones."ctu.cx".subdomains."smart.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; + + services = { nginx = { enable = true; virtualHosts."smart.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations = { "/" = {
diff --git a/machines/lollo/websites/flauschehorn.sexy.nix b/machines/lollo/websites/flauschehorn.sexy.nix @@ -1,8 +1,8 @@ -{ pkgs, config, ...}: +{ pkgs, config, lib, ...}: { - dns.zones."flauschehorn.sexy" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); + dns.zones."flauschehorn.sexy" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); users = { users."flauschehorn" = { @@ -56,9 +56,9 @@ nginx = { enable = true; virtualHosts."flauschehorn.sexy" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations = { "/".extraConfig = '' include "${pkgs.nginx}/conf/fastcgi_params";
diff --git a/machines/lollo/websites/music.home.ctu.cx.nix b/machines/lollo/websites/music.home.ctu.cx.nix @@ -9,6 +9,8 @@ let in { + dns.zones."ctu.cx".subdomains."music.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; + fileSystems."/mnt/music_originals" = { device = "/nix/persist/home/leah/syncthing/Music (Originals)"; options = [ "bind" "ro" ]; @@ -17,9 +19,9 @@ in { services.nginx = { enable = true; virtualHosts."music.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; root = "/mnt/music_originals"; locations = {
diff --git a/machines/lollo/websites/oeffi.ctu.cx.nix b/machines/lollo/websites/oeffi.ctu.cx.nix @@ -1,8 +1,8 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { - dns.zones."ctu.cx".subdomains.oeffi.CNAME = [ "${config.networking.fqdn}." ]; + dns.zones."ctu.cx".subdomains.oeffi.CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; users.groups.oeffisearch = {}; users.users.oeffisearch = { @@ -56,9 +56,9 @@ services.nginx = { enable = true; virtualHosts."oeffi.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations = { "/".proxyPass = "http://127.0.0.1:8082"; "/assets/".alias = "${pkgs.oeffi-web}/share/oeffi-web/assets/";
diff --git a/machines/lollo/websites/oeffisear.ch.nix b/machines/lollo/websites/oeffisear.ch.nix @@ -1,8 +1,8 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { - dns.zones."oeffisear.ch" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); + dns.zones."oeffisear.ch" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); users.groups.oeffisearch = {}; users.users.oeffisearch = { @@ -64,9 +64,9 @@ services.nginx = { enable = true; virtualHosts."oeffisear.ch" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations = { "@api".proxyPass = "http://127.0.0.1:8081"; "/" = {
diff --git a/machines/lollo/websites/photos.ctu.cx.nix b/machines/lollo/websites/photos.ctu.cx.nix @@ -45,7 +45,7 @@ let in { - dns.zones."ctu.cx".subdomains.photos.CNAME = [ "${config.networking.fqdn}." ]; + dns.zones."ctu.cx".subdomains.photos.CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; fileSystems."/mnt/photos.ctu.cx" = { device = "/nix/persist/home/leah/syncthing/Pictures/photos.ctu.cx"; @@ -102,9 +102,9 @@ in { services.nginx = { enable = true; virtualHosts."photos.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; root = "/var/lib/ctucx-gallery"; }; };
diff --git a/machines/lollo/websites/storage.home.ctu.cx/default.nix b/machines/lollo/websites/storage.home.ctu.cx/default.nix @@ -1,12 +1,14 @@ - -{ ... }: +{ config, lib, ... }: { + + dns.zones."ctu.cx".subdomains."storage.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; + services.nginx.virtualHosts = { "storage.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; basicAuthFile = "/var/src/secrets/nginx/storage.htpasswd";
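Review bot: `storage.home.ctu.cx` keeps its `basicAuthFile` while `forceSSL` is now only enabled with `usePBBUplink`, so in proxied mode the vhost answers plain HTTP on lollo and the credentials are protected only between the browser and wanderduene; inside the WireGuard tunnel that is acceptable, but for any client that reaches lollo directly there is no protection at all. Restrict the listener to the tunnel for that case, e.g. `listen = lib.mkIf (!config.networking.usePBBUplink) [ { addr = "172.17.0.2"; port = 80; } ];`, or add `allow 172.17.0.1; deny all;`. The htpasswd path `/var/src/secrets/nginx/storage.htpasswd` is pre-existing but sits outside the agenix scheme every other secret in this commit uses — worth a TODO.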
diff --git a/machines/lollo/websites/things.home.ctu.cx.nix b/machines/lollo/websites/things.home.ctu.cx.nix @@ -1,7 +1,9 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { + dns.zones."ctu.cx".subdomains."things.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; + users.users.things = { isSystemUser = true; home = "/var/lib/ctucx-things"; @@ -30,9 +32,9 @@ nginx = { enable = true; virtualHosts."things.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; root = pkgs.ctucx-things; locations = { "/".index = "index.php index.html";
diff --git a/machines/lollo/websites/wifionic.de.nix b/machines/lollo/websites/wifionic.de.nix @@ -1,11 +1,11 @@ -{ pkgs, ...}: +{ config, pkgs, lib, ... }: let version = "262"; in { - dns.zones."wifionic.de" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); + dns.zones."wifionic.de" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); systemd = { services.check-o2tiles = { @@ -44,9 +44,9 @@ in { services.nginx = { enable = true; virtualHosts."wifionic.de" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; locations = { "/".root = pkgs.mobile-coverage-map;
diff --git a/machines/lollo/websites/wiki.home.ctu.cx.nix b/machines/lollo/websites/wiki.home.ctu.cx.nix @@ -2,6 +2,8 @@ { + dns.zones."ctu.cx".subdomains."wiki.home".CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ]; + fileSystems."/mnt/wiki" = { device = "/nix/persist/home/leah/syncthing/Wiki"; options = [ "bind" "ro" ]; @@ -54,9 +56,9 @@ services.nginx = { enable = true; virtualHosts."wiki.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; + enableACME = lib.mkIf config.networking.usePBBUplink true; + forceSSL = lib.mkIf config.networking.usePBBUplink true; + kTLS = lib.mkIf config.networking.usePBBUplink true; root = "/var/lib/hugo-wiki"; }; };
diff --git a/machines/wanderduene/3proxy.nix b/machines/wanderduene/3proxy.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+
+ services._3proxy = {
+ enable = true;
+ denyPrivate = false;
+ services = [
+ {
+ type = "socks";
+ auth = [ "strong" ];
+ acl = [ {
+ rule = "allow";
+ users = [ "gotosocial" ];
+ }
+ ];
+ }
+ ];
+ usersFile = pkgs.writeText "3proxy-users" ''
+ gotosocial:CR:$1$p9CQeW/0$DXaBBc9cD0Xv1XZtPBbW00
+ '';
+ };
+
+}
\ No newline at end of file
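Review bot: The SOCKS service sets no `bindAddress`, so unless the NixOS `_3proxy` module defaults to something narrower than I recall it listens on every address of wanderduene, and `denyPrivate = false` lets an authenticated client reach RFC1918 space — including the 10.0.0.0/8 and 172.16.0.0/24 ranges routed over the MikroTik tunnel. If its only consumer is gotosocial on lollo, bind it to the tunnel, e.g. `bindAddress = "172.17.0.1";`, and say so in a comment. The credential is an MD5-crypt (`$1$`) hash written with `pkgs.writeText`, which lands world-readable in /nix/store; use a stronger hash type 3proxy supports and point `usersFile` at an agenix-managed path, as this commit already does for the WireGuard key.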
diff --git a/machines/wanderduene/configuration.nix b/machines/wanderduene/configuration.nix @@ -2,14 +2,19 @@ { + deployment.buildOnTarget = false; + imports = [ ./hardware-configuration.nix ../../configurations/linux/services/prometheus-exporters.nix ../../configurations/linux/services/dns.nix + + ./3proxy.nix + ./reverse-proxy-lollo.nix ]; - age.secrets.wireguard-privkey.file = ../../secrets/wanderduene/wireguard-privkey.age; + age.secrets.wireguard-privkey.file = ../../secrets/wanderduene/wireguard-privkey.age; dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host "46.38.253.139" "2a03:4000:1:45d::1"); @@ -71,12 +76,28 @@ privateKeyFile = config.age.secrets.wireguard-privkey.path; generatePrivateKeyFile = true; postSetup = "ip link set dev wg-mikrotik mtu 1500"; - ips = [ "172.16.0.1/12" ]; + ips = [ "172.16.0.1/24" ]; + + peers = [ + { + persistentKeepalive = 10; + allowedIPs = [ "172.16.0.0/24" "195.39.246.32/28" "10.0.0.0/8" ]; + publicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="; + } + ]; + }; + + interfaces.wg-lollo = { + listenPort = 51821; + privateKeyFile = config.age.secrets.wireguard-privkey.path; + generatePrivateKeyFile = true; + postSetup = "ip link set dev wg-lollo mtu 1500"; + ips = [ "172.17.0.1/24" ]; peers = [ { persistentKeepalive = 10; - allowedIPs = [ "172.16.0.0/12" "195.39.246.32/28" "10.0.0.0/8" ]; + allowedIPs = [ "172.17.0.0/24" ]; publicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="; } ]; @@ -85,7 +106,10 @@ firewall.enable = true; firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 51820 ]; + firewall.allowedUDPPorts = [ 5201 51820 51821 ]; + firewall.extraCommands = '' + iptables -A nixos-fw -i wg-lollo -j nixos-fw-accept + ''; }; services.iperf3 = {
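Review bot: The new `wg-lollo` peer uses `publicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="`, byte-identical to the `wg-mikrotik` peer above it, while lollo decrypts its own `secrets/lollo/wireguard-privkey.age`; either this is a copy-paste slip and the tunnel will never complete a handshake, or one private key really is shared between the MikroTik and lollo, which removes per-peer identity and lets either device impersonate the other. Replace it with lollo's actual public key and label the peer, e.g. `# lollo — see machines/lollo/configuration.nix (wg-wanderduene)`. Both interfaces also share `privateKeyFile = config.age.secrets.wireguard-privkey.path`; a key per tunnel is cheap, and `generatePrivateKeyFile = true` next to an agenix path only hides a failed decryption behind a throwaway key.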
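Review bot: `iptables -A nixos-fw -i wg-lollo -j nixos-fw-accept` opens every local service on wanderduene (DNS, the prometheus vhost, the new 3proxy listener) to lollo, whereas the tunnel only needs wanderduene→lollo HTTP plus, presumably, lollo→SOCKS; tighten it to the port actually used, e.g. `iptables -A nixos-fw -i wg-lollo -p tcp --dport 1080 -j nixos-fw-accept`, adjusting the port to whatever 3proxy's `socks` service binds, which this diff does not show. The tunnel addresses are IPv4-only, so an iptables-only rule is sufficient, but a comment saying so pre-empts the ip6tables question. The `networking` attrset begins above this hunk.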
diff --git a/machines/wanderduene/reverse-proxy-lollo.nix b/machines/wanderduene/reverse-proxy-lollo.nix
@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+
+let
+ domains = [
+ "flauschehorn.sexy"
+ "wifionic.de"
+ "oeffisear.ch"
+ ];
+
+ subdomains = [
+ "oeffi"
+ "dav"
+ "photos"
+ "lollo"
+ "home"
+ "legacy.home"
+ "lollo.home"
+ "fedi.home"
+ "influx.home"
+ "smart.home"
+ "music.home"
+ "wiki.home"
+ "things.home"
+ ];
+
+in {
+
+ services.nginx.clientMaxBodySize = "2g";
+
+ dns.zones = lib.mkMerge [
+ (lib.attrsets.genAttrs domains (domain: (pkgs.dns.lib.combinators.host "46.38.253.139" "2a03:4000:1:45d::1")))
+ {
+ "ctu.cx".subdomains = (lib.attrsets.genAttrs subdomains (domain: { CNAME = [ "${config.networking.fqdn}." ]; }));
+ }
+ ];
+
+ services.nginx.virtualHosts = (lib.attrsets.genAttrs (domains ++ (lib.lists.forEach subdomains (x: "${x}.ctu.cx")) ++ [ "restic.lollo.ctu.cx" ]) (domain: {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/".proxyPass = "http://172.17.0.2:80/";
+ locations."/".proxyWebsockets = true;
+ locations."/".extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ }));
+
+}
\ No newline at end of file
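Review bot: Every proxied vhost forwards to `http://172.17.0.2:80/` without a `proxy_set_header Host $host;`, so unless `services.nginx.recommendedProxySettings` is enabled for wanderduene somewhere not shown here, lollo's nginx receives `Host: 172.17.0.2` and serves its default vhost for all of these names; add the Host header (and `X-Real-IP $remote_addr`) to `extraConfig` or enable the recommended settings explicitly in this file. The records published here (`home`, `lollo`, `legacy.home`, the three apex domains, …) are not gated on lollo's `networking.usePBBUplink` while lollo's own A/AAAA records for the same names are, so flipping that option back to `true` yields CNAME and address data at the same name — an invalid zone. Gate this module on the same condition or add an `assertions` entry making the two mutually exclusive. `clientMaxBodySize = "2g"` applies server-wide on wanderduene; `client_max_body_size 2g;` inside the generated `locations."/".extraConfig` would keep the prometheus vhost at the default.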
diff --git a/modules/default.nix b/modules/default.nix @@ -21,4 +21,8 @@ ] else []) ]); + options = { + networking.usePBBUplink = lib.mkOption { type = lib.types.bool; }; + }; + }
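Review bot: `networking.usePBBUplink` is declared with neither `default` nor `description`, so any host that evaluates it without setting it fails with an opaque "option used but not defined" error, and the name does not say what the flag actually governs (in this commit: public IPv6 on eno1, the RA sysctls and the host's public DNS records — IPv4 on the PBB prefix stays regardless). Give it a `default` matching the hosts that never set it and a description such as `Whether this host is reachable directly via the PBB uplink; when false its public DNS points at wanderduene and its services are reverse-proxied over WireGuard.` The enclosing module attrset starts above this hunk.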
diff --git a/modules/linux/restic-backups.nix b/modules/linux/restic-backups.nix @@ -44,7 +44,7 @@ let targets = mkOption { type = with types; listOf str; - default = [ "desastro.ctu.cx" "lollo.ctu.cx" "hector.ctu.cx" ]; + default = [ "lollo.ctu.cx" "hector.ctu.cx" ]; }; timerConfig = mkOption {
diff --git a/secrets/lollo/gotosocial-env.age b/secrets/lollo/gotosocial-env.age Binary files differ.
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -37,6 +37,7 @@ in { "lollo/wireguard-privkey.age".publicKeys = [ leah lollo ]; "lollo/radicale-users.age".publicKeys = [ leah lollo ]; + "lollo/gotosocial-env.age".publicKeys = [ leah lollo ]; "lollo/restic/vnstat.age".publicKeys = [ leah lollo ]; "lollo/restic/gotosocial.age".publicKeys = [ leah lollo ]; @@ -44,7 +45,6 @@ in { "lollo/restic/radicale.age".publicKeys = [ leah lollo ]; "lollo/restic/influxdb.age".publicKeys = [ leah lollo ]; - "lollo-old/syncthing/key.age".publicKeys = [ leah lollo-old ]; "lollo-old/syncthing/cert.age".publicKeys = [ leah lollo-old ];