commit e777b57b712edb595e63d7b379d521aec45eb24e
parent 53676fddf0bcff891fdf0f8cfcd05d43866c180b
Author: Leah (ctucx) <git@ctu.cx>
Date: Sat, 4 Mar 2023 13:42:30 +0100
parent 53676fddf0bcff891fdf0f8cfcd05d43866c180b
Author: Leah (ctucx) <git@ctu.cx>
Date: Sat, 4 Mar 2023 13:42:30 +0100
machines/wanderduene: add proxy for stasicontainer, disable proxy for lollo
7 files changed, 80 insertions(+), 7 deletions(-)
diff --git a/configurations/linux/services/dns.nix b/configurations/linux/services/dns.nix
@@ -12,7 +12,7 @@
 SOA = {
 nameServer = "ns1.ctu.cx.";
 adminEmail = "dns@ctu.cx"; # Email address with a real `@`!
- serial = lib.toInt ("2023" + "03" + "02" + "1");
+ serial = lib.toInt ("2023" + "03" + "04" + "1");
 };
 MXApple = with mx; [
 (mx 10 "mx01.mail.icloud.com.")
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix @@ -28,7 +28,7 @@ ]; - networking.usePBBUplink = false; + networking.usePBBUplink = true; dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); dns.zones."ctu.cx".subdomains."${config.networking.hostName}.home" = lib.mkIf config.networking.usePBBUplink (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42");
diff --git a/machines/lollo/websites/music.home.ctu.cx.nix b/machines/lollo/websites/music.home.ctu.cx.nix @@ -34,7 +34,7 @@ in { xslt_stylesheet ${webmusic-nginx}/webmusic.xslt; auth_basic 'Auth required'; - auth_basic_user_file /var/lib/secrets/music-auth; + auth_basic_user_file ${pkgs.writeText "auth-file" "giveme:$apr1$nln71O9Y$j2wSV4BmYBHbqRSwOGQZl."}; ''; "~(.*)playlist.m3u$".extraConfig = ''
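Review bot: The replacement `auth_basic_user_file` line embeds the credential hash in a `pkgs.writeText` derivation, which ends up world-readable in /nix/store and permanently in this repository's history, whereas the removed line kept it in a file outside the store. Prefer the agenix pattern already used elsewhere in this tree, e.g. `auth_basic_user_file ${config.age.secrets.<music-auth-secret>.path};`, and treat the committed hash as disclosed — the `$apr1$` scheme is MD5-based, so generating a fresh entry with a stronger scheme at the same time is worthwhile. The enclosing `locations` block starts and ends outside the hunk.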
diff --git a/machines/trabbi/prometheus.nix b/machines/trabbi/prometheus.nix @@ -30,6 +30,21 @@ ]; }]; } + { + job_name = "systemd-exporter"; + scrape_interval = "30s"; + scheme = "https"; + metrics_path = "/systemd-exporter"; + static_configs = [{ + targets = (lib.mapAttrsToList ( + name: host: lib.mkIf ( + host.config.services.prometheus.exporters.node.enable == true && + host.config.networking.hostName != "" && + host.config.networking.domain != "" + ) host.config.networking.fqdn + ) nodes); + }]; + } ]; };
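Review bot: The `lib.mkIf` condition guarding the new `systemd-exporter` targets tests `host.config.services.prometheus.exporters.node.enable`, so a host that runs only the node exporter is still scraped at `/systemd-exporter` while a host with only the systemd exporter is skipped; it should read `host.config.services.prometheus.exporters.systemd.enable &&` (the `== true` comparison is redundant either way). The preceding job above the hunk presumably uses the same `mapAttrsToList`/`mkIf` shape and may have been copied from, so it is worth checking that each job's condition names its own exporter. A short comment on the `targets` expression, e.g. `# every known host with the systemd exporter and a usable fqdn`, would make the intent of the three-part condition clear.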
diff --git a/machines/wanderduene/3proxy.nix b/machines/wanderduene/3proxy.nix
@@ -6,6 +6,24 @@
 enable = true;
 denyPrivate = false;
 services = [
+ #mikrotik ssh forwarding
+ {
+ type = "tcppm";
+ auth = [ "none" ];
+ extraArguments = "2201 172.16.0.2 22";
+ }
+ #lollo ssh forwarding
+ {
+ type = "tcppm";
+ auth = [ "none" ];
+ extraArguments = "2202 172.17.0.2 22";
+ }
+ #stasicontainer ssh forwarding
+ {
+ type = "tcppm";
+ auth = [ "none" ];
+ extraArguments = "2203 172.18.0.2 22";
+ }
 {
 type = "socks";
 auth = [ "strong" ];
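Review bot: The three new `tcppm` entries forward SSH of 172.16.0.2, 172.17.0.2 and 172.18.0.2 with `auth = [ "none" ]`, and the third hunk of machines/wanderduene/configuration.nix opens 2201–2203 in `firewall.allowedTCPPorts` for every source, so those SSH daemons become reachable from the public side with only their own authentication in front of them. If that exposure is intended, the `#… ssh forwarding` comments should say so and name the source ranges that are expected to use them; otherwise narrow the reach, e.g. a source-restricting rule for those ports in `firewall.extraCommands`, or a local bind address in `extraArguments` (3proxy's `tcppm` accepts an `-i<local-address>` prefix — confirm against its docs). Either way, the forwarded hosts should have password authentication disabled and their sshd logs watched for the new port numbers.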
diff --git a/machines/wanderduene/configuration.nix b/machines/wanderduene/configuration.nix @@ -11,7 +11,8 @@ ../../configurations/linux/services/dns.nix ./3proxy.nix - ./reverse-proxy-lollo.nix +# ./reverse-proxy-lollo.nix +# ./reverse-proxy-stasicontainer.nix ]; age.secrets.wireguard-privkey.file = ../../secrets/wanderduene/wireguard-privkey.age; @@ -81,7 +82,7 @@ peers = [ { persistentKeepalive = 10; - allowedIPs = [ "172.16.0.0/24" "195.39.246.32/28" "10.0.0.0/8" ]; + allowedIPs = [ "172.16.0.0/24" "10.0.0.0/8" ]; publicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="; } ]; @@ -102,11 +103,28 @@ } ]; }; + + interfaces.wg-stasicont = { + listenPort = 51822; + privateKeyFile = config.age.secrets.wireguard-privkey.path; + generatePrivateKeyFile = true; + postSetup = "ip link set dev wg-stasicont mtu 1500"; + ips = [ "172.18.0.1/24" ]; + + peers = [ + { + persistentKeepalive = 10; + allowedIPs = [ "172.18.0.0/24" ]; + publicKey = "Sh5le4IsR5jW1+jSrR5N/dcuTE+OEcEB6ou7bqwriAg="; + } + ]; + }; + }; firewall.enable = true; - firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 51820 51821 ]; + firewall.allowedTCPPorts = [ 5201 2201 2202 2203 ]; + firewall.allowedUDPPorts = [ 5201 51820 51821 51822 ]; firewall.extraCommands = '' iptables -A nixos-fw -i wg-lollo -j nixos-fw-accept '';
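Review bot: In the first hunk both reverse-proxy imports end up as `#`-commented lines, so the new `./reverse-proxy-stasicontainer.nix` is never imported and the proxy the commit title says it adds is not active; a real import, or a comment such as `# not yet enabled: stasicontainer proxy waits for the wg-stasicont peer to be up`, would make the intent explicit, and the dead lollo line is better deleted than commented. In the third hunk `wg-stasicont` sets `generatePrivateKeyFile = true` on the same agenix-managed `wireguard-privkey` path the other interfaces use; that option only writes a key when the file is missing at activation, so it is either redundant here or, if the secret were ever absent, would silently put a generated key on that path — worth confirming which behaviour is wanted and documenting it next to the option.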
diff --git a/machines/wanderduene/reverse-proxy-stasicontainer.nix b/machines/wanderduene/reverse-proxy-stasicontainer.nix
@@ -0,0 +1,21 @@
+{ pkgs, lib, config, ... }:
+
+{
+
+ services.nginx.clientMaxBodySize = "2g";
+
+ dns.zones."ctu.cx".subdomains."stasicontainer.home".CNAME = [ "${config.networking.fqdn}." ];
+
+ services.nginx.virtualHosts."stasicontainer.home.ctu.cx" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/".proxyPass = "http://172.18.0.2:80/";
+ locations."/".proxyWebsockets = true;
+ locations."/".extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+
+}
+ \ No newline at end of file
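Review bot: `services.nginx.clientMaxBodySize = "2g"` is set at the top level of the nginx service, so it raises the request-body limit for every virtual host on wanderduene, not only the stasicontainer proxy; if only this upstream needs large uploads, scope it to the vhost, e.g. `extraConfig = "client_max_body_size 2g;";` inside the `virtualHosts` block, and keep the global default small. The `pkgs` and `lib` arguments are unused, and the file is missing its trailing newline. A one-line header comment naming the upstream (`# HTTPS front for the stasicontainer host reached over wg-stasicont`) would help, since nothing else in the file says why 172.18.0.2 is the target.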