commit 65ec5ce654b7e0cbde8fbbe21b954ec4260ee107
parent b8eb242ee53c871b6b812530f16b3e2c3e359917
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 12 May 2023 16:17:17 +0200
machines/wanderduene: update emergency reverse-proxy from `lollo` to `briefkasten`
4 files changed, 60 insertions(+), 58 deletions(-)
A
|
49
+++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/machines/wanderduene/3proxy.nix b/machines/wanderduene/3proxy.nix
@@ -12,7 +12,7 @@
 auth = [ "none" ];
 extraArguments = "2201 172.16.0.2 22";
 }
- #lollo ssh forwarding
+ #briefkasten ssh forwarding
 {
 type = "tcppm";
 auth = [ "none" ];
diff --git a/machines/wanderduene/configuration.nix b/machines/wanderduene/configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ nodes, config, lib, pkgs, ... }: { @@ -13,17 +13,19 @@ ./rclone-restic-server.nix ./3proxy.nix -# ./reverse-proxy-lollo.nix # ./reverse-proxy-stasicontainer.nix - ]; - age.secrets.wireguard-privkey.file = ../../secrets/wanderduene/wireguard-privkey.age; + ] ++ (if nodes.briefkasten.config.networking.usePBBUplink != true then [ + ./reverse-proxy-briefkasten.nix + ] else [ ]); networking.primaryIP = "2a03:4000:1:45d::1"; networking.primaryIP4 = "46.38.253.139"; dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP); + age.secrets.wireguard-privkey.file = ../../secrets/wanderduene/wireguard-privkey.age; + boot = { loader.grub = { enable = true; @@ -93,11 +95,11 @@ ]; }; - interfaces.wg-lollo = { + interfaces.wg-briefkasten = { listenPort = 51821; privateKeyFile = config.age.secrets.wireguard-privkey.path; generatePrivateKeyFile = true; - postSetup = "ip link set dev wg-lollo mtu 1500"; + postSetup = "ip link set dev wg-briefkasten mtu 1500"; ips = [ "172.17.0.1/24" ]; peers = [ @@ -131,7 +133,8 @@ firewall.allowedTCPPorts = [ 5201 2201 2202 2203 ]; firewall.allowedUDPPorts = [ 5201 51820 51821 51822 ]; firewall.extraCommands = '' - iptables -A nixos-fw -i wg-lollo -j nixos-fw-accept + iptables -A nixos-fw -i wg-briefkasten -j nixos-fw-accept + iptables -A nixos-fw -i wg-stasicont -j nixos-fw-accept ''; };
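Review bot: The imports list in the second hunk now depends on `nodes.briefkasten.config.networking.usePBBUplink`, so this machine can only be evaluated by a deployment that supplies `nodes` together with briefkasten's configuration; a standalone evaluation of wanderduene will presumably fail on the new module argument (the module-args source is not visible in this diff). The comparison `!= true` on a boolean reads more naturally as `!nodes.briefkasten.config.networking.usePBBUplink`, and the condition deserves a comment stating which state of `usePBBUplink` makes wanderduene take over, e.g. `# emergency path: serve briefkasten's domains through the wg tunnel only while its own uplink is not in use`. Note that the conditionally imported file also defines `dns.zones`, so the public A/AAAA and CNAME records for those domains appear and disappear together with the proxy; both transitions need a redeploy of wanderduene.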
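Review bot: The second added rule in the firewall hunk, `iptables -A nixos-fw -i wg-stasicont -j nixos-fw-accept`, is unrelated to the lollo→briefkasten rename in the commit message and accepts every inbound packet on that interface, while `./reverse-proxy-stasicontainer.nix` stays commented out in the imports hunk and no `interfaces.wg-stasicont` definition is visible in this diff. If it is intentional it belongs in its own commit or at least needs a comment explaining what traffic from that peer is expected. For both tunnel interfaces, the proxy only originates connections towards the peer and the default NixOS firewall already admits established connections, so consider restricting the accept rules to the ports the peers must actually reach on wanderduene instead of the whole interface.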
diff --git a/machines/wanderduene/reverse-proxy-briefkasten.nix b/machines/wanderduene/reverse-proxy-briefkasten.nix
@@ -0,0 +1,48 @@
+{ pkgs, lib, config, ... }:
+
+let
+ domains = [
+ "flauschehorn.sexy"
+ "wifionic.de"
+ ];
+
+ subdomains = [
+ "dav"
+ "photos"
+ "briefkasten"
+ "solar-system-nrw"
+ "home"
+ "legacy.home"
+ "briefkasten.home"
+ "fedi.home"
+ "influx.home"
+ "smart.home"
+ "music.home"
+ "wiki.home"
+ "things.home"
+ ];
+
+in {
+
+ services.nginx.clientMaxBodySize = "2g";
+
+ dns.zones = lib.mkMerge [
+ (lib.attrsets.genAttrs domains (domain: (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP4)))
+ {
+ "ctu.cx".subdomains = (lib.attrsets.genAttrs subdomains (domain: { CNAME = [ "${config.networking.fqdn}." ]; }));
+ }
+ ];
+
+ services.nginx.virtualHosts = (lib.attrsets.genAttrs (domains ++ (lib.lists.forEach subdomains (x: "${x}.ctu.cx")) ++ [ "restic.briefkasten.ctu.cx" ]) (domain: {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/".proxyPass = "http://172.17.0.2:80/";
+ locations."/".proxyWebsockets = true;
+ locations."/".extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ }));
+
+}
+ \ No newline at end of file
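Review bot: The zone records for the bare domains are built with `pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP4`, passing the IPv4 address as both arguments; the removed lollo file passed the v4 and v6 addresses, and configuration.nix calls the same helper as `host config.networking.primaryIP4 config.networking.primaryIP`, so the second argument should be `config.networking.primaryIP`. Whether this currently yields a wrong AAAA record or an evaluation error depends on how the helper treats a non-IPv6 value, which is not visible here. The file also carries no indication that it is the emergency path and only takes effect when imported from configuration.nix; a header comment such as `# Emergency reverse proxy for briefkasten's domains; imported by configuration.nix only while briefkasten's own uplink is not in use. Backend 172.17.0.2 is reached over wg-briefkasten.` would make that clear to the next reader.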
diff --git a/machines/wanderduene/reverse-proxy-lollo.nix b/machines/wanderduene/reverse-proxy-lollo.nix
@@ -1,49 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-let
- domains = [
- "flauschehorn.sexy"
- "wifionic.de"
- "oeffisear.ch"
- ];
-
- subdomains = [
- "oeffi"
- "dav"
- "photos"
- "lollo"
- "home"
- "legacy.home"
- "lollo.home"
- "fedi.home"
- "influx.home"
- "smart.home"
- "music.home"
- "wiki.home"
- "things.home"
- ];
-
-in {
-
- services.nginx.clientMaxBodySize = "2g";
-
- dns.zones = lib.mkMerge [
- (lib.attrsets.genAttrs domains (domain: (pkgs.dns.lib.combinators.host "46.38.253.139" "2a03:4000:1:45d::1")))
- {
- "ctu.cx".subdomains = (lib.attrsets.genAttrs subdomains (domain: { CNAME = [ "${config.networking.fqdn}." ]; }));
- }
- ];
-
- services.nginx.virtualHosts = (lib.attrsets.genAttrs (domains ++ (lib.lists.forEach subdomains (x: "${x}.ctu.cx")) ++ [ "restic.lollo.ctu.cx" ]) (domain: {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations."/".proxyPass = "http://172.17.0.2:80/";
- locations."/".proxyWebsockets = true;
- locations."/".extraConfig = ''
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- '';
- }));
-
-}
- \ No newline at end of file