rewrite frumar.nix, pennyworth.nix, remove some vpn proxies
parent
2086d63e8e
commit
3f0cfa3e08
|
@ -18,71 +18,81 @@
|
|||
|
||||
security.y-selfsigned.enable = true;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."unifi.yori.cc" = {
|
||||
services.nginx = let
|
||||
sslForward = proxyPass: extra: lib.mkMerge [ {
|
||||
onlySSL = true;
|
||||
useACMEHost = "wildcard.yori.cc";
|
||||
locations."/" = {
|
||||
proxyPass = "https://[::1]:8443";
|
||||
inherit proxyPass;
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
};
|
||||
} extra ];
|
||||
in {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"unifi.yori.cc" = sslForward "https://[::1]:8443" {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
virtualHosts."priv.yori.cc" = let
|
||||
oauth2Block = ''
|
||||
auth_request /oauth2/auth;
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
|
||||
# pass information via X-User and X-Email headers to backend,
|
||||
# requires running with --set-xauthrequest flag
|
||||
auth_request_set $user $upstream_http_x_auth_request_user;
|
||||
auth_request_set $email $upstream_http_x_auth_request_email;
|
||||
proxy_set_header X-User $user;
|
||||
proxy_set_header X-Email $email;
|
||||
|
||||
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
'';
|
||||
in {
|
||||
onlySSL = true;
|
||||
useACMEHost = "wildcard.yori.cc";
|
||||
locations."/".proxyPass = "http://127.0.0.1:4000";
|
||||
locations."/sonarr" = {
|
||||
proxyPass = "http://127.0.0.1:8989";
|
||||
extraConfig = oauth2Block;
|
||||
"grafana.yori.cc" = sslForward "http://127.0.0.1:3000" {};
|
||||
"prometheus.yori.cc" = sslForward "http://127.0.0.1:9090" {
|
||||
# only over VPN
|
||||
listen = [ { addr = "10.209.0.3"; port = 443; ssl = true; } ];
|
||||
};
|
||||
locations."/radarr" = {
|
||||
proxyPass = "http://127.0.0.1:7878";
|
||||
extraConfig = oauth2Block;
|
||||
"plex.yori.cc" = sslForward "http://127.0.0.1:32400" {
|
||||
extraConfig = ''
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied any;
|
||||
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
|
||||
proxy_http_version 1.1;
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
locations."/marvin-tracker/" = {
|
||||
proxyPass = "http://[::1]:4001/";
|
||||
# handles auth using arg
|
||||
"fooocus.yori.cc" = sslForward "http://192.168.2.135:7860" {};
|
||||
"priv.yori.cc" = let
|
||||
oauth2Block = ''
|
||||
auth_request /oauth2/auth;
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
|
||||
# pass information via X-User and X-Email headers to backend,
|
||||
# requires running with --set-xauthrequest flag
|
||||
auth_request_set $user $upstream_http_x_auth_request_user;
|
||||
auth_request_set $email $upstream_http_x_auth_request_email;
|
||||
proxy_set_header X-User $user;
|
||||
proxy_set_header X-Email $email;
|
||||
|
||||
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
'';
|
||||
proxyOauth2 = proxyPass: {
|
||||
inherit proxyPass;
|
||||
extraConfig = oauth2Block;
|
||||
};
|
||||
in {
|
||||
onlySSL = true;
|
||||
useACMEHost = "wildcard.yori.cc";
|
||||
# TODO remove dashy
|
||||
locations."/".proxyPass = "http://127.0.0.1:4000";
|
||||
locations."/sonarr" = proxyOauth2 "http://127.0.0.1:8989";
|
||||
locations."/radarr" = proxyOauth2 "http://127.0.0.1:7878";
|
||||
locations."/marvin-tracker/" = {
|
||||
proxyPass = "http://[::1]:4001/";
|
||||
# handles auth using arg
|
||||
};
|
||||
locations."/paperless/" = proxyOauth2 "http://127.0.0.1:${toString config.services.paperless.port}/";
|
||||
locations."/media/" = {
|
||||
root = "/var/mediashare";
|
||||
};
|
||||
};
|
||||
locations."/paperless/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
|
||||
extraConfig = oauth2Block;
|
||||
"frumar.yori.cc" = {
|
||||
enableACME = lib.mkForce false;
|
||||
inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
|
||||
};
|
||||
locations."/media/" = {
|
||||
root = "/var/mediashare";
|
||||
};
|
||||
};
|
||||
virtualHosts."fooocus.yori.cc" = {
|
||||
onlySSL = true;
|
||||
useACMEHost = "wildcard.yori.cc";
|
||||
locations."/" = {
|
||||
proxyPass = "http://192.168.2.135:7860";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
virtualHosts."frumar.yori.cc" = {
|
||||
enableACME = lib.mkForce false;
|
||||
inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
|
||||
};
|
||||
};
|
||||
systemd.services.nginx.serviceConfig.BindReadOnlyPaths = [ "/data/plexmedia/ca" "/var/mediashare" ];
|
||||
|
|
|
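Review bot: In the new `"priv.yori.cc"` block, `locations."/".proxyPass = "http://127.0.0.1:4000"` (under `# TODO remove dashy`) and `locations."/media/"` with `root = "/var/mediashare"` are, together with `/marvin-tracker/`, the only locations that do not go through `proxyOauth2`, so every path not matched by a more specific location and the whole media share are served without the `auth_request /oauth2/auth` gate that sonarr, radarr and paperless get. If that is intentional it deserves a comment next to each, e.g. `# intentionally unauthenticated: public dashboard`; otherwise `locations."/" = proxyOauth2 "http://127.0.0.1:4000";` applies the same check. The hunk also shows no `locations."/oauth2/"` entry for this vhost; presumably the oauth2-proxy nginx module adds it elsewhere, which is worth confirming, because without it the `auth_request` subrequest falls through to `/` and whatever dashy answers for `/oauth2/auth` decides the outcome. Separately, the `unifi.yori.cc` block keeps `proxy_ssl_verify off;` for the `https://[::1]:8443` upstream; as that is loopback it is defensible, but a comment such as `# controller uses a self-signed cert; upstream is loopback only` records why verification is disabled.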
@ -2,30 +2,17 @@
|
|||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
sslforward = proxyPass: {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
inherit proxyPass;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
vpn = import ../../vpn.nix;
|
||||
in {
|
||||
{ config, pkgs, lib, ... }: {
|
||||
imports = [
|
||||
./hetznercloud.nix
|
||||
../../roles/server.nix
|
||||
../../roles/datakami.nix
|
||||
../../services/backup.nix
|
||||
../../services/email.nix
|
||||
../../services/calibre-web.nix
|
||||
];
|
||||
|
||||
system.stateVersion = "19.03";
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.yorick = {
|
||||
public = {
|
||||
enable = true;
|
||||
|
@ -47,6 +34,7 @@ in {
|
|||
enable = true;
|
||||
vhost = "calibre.yori.cc";
|
||||
};
|
||||
vpn-host.enable = true;
|
||||
};
|
||||
|
||||
age.secrets.muflax.file = ../../../secrets/http.muflax.age;
|
||||
|
@ -58,62 +46,29 @@ in {
|
|||
private_key = config.age.secrets.muflax.path;
|
||||
};
|
||||
};
|
||||
services.nginx.commonHttpConfig = ''
|
||||
access_log off;
|
||||
'';
|
||||
services.nginx.virtualHosts = {
|
||||
"yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "yorickvanpelt.nl";
|
||||
};
|
||||
"yorickvanpelt.nl".locations."/p1".return =
|
||||
"301 https://git.yori.cc/yorick/meterkast";
|
||||
"grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000";
|
||||
#"ubiquiti.yori.cc" = sslforward "https://${vpn.ips.frumar}:8443";
|
||||
"prometheus.yori.cc" = {
|
||||
# only over vpn
|
||||
listen = [{
|
||||
addr = "10.209.0.1";
|
||||
port = 80;
|
||||
}];
|
||||
locations."/".proxyPass = "http://10.209.0.3:9090";
|
||||
};
|
||||
"pub.yori.cc".locations."/muflax/".extraConfig = ''
|
||||
rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
|
||||
'';
|
||||
"plex.yori.cc" = (sslforward "http://${vpn.ips.frumar}:32400") // {
|
||||
extraConfig = ''
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied any;
|
||||
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
|
||||
proxy_http_version 1.1;
|
||||
proxy_buffering off;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
commonHttpConfig = "access_log off;";
|
||||
virtualHosts = {
|
||||
"yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "yorickvanpelt.nl";
|
||||
};
|
||||
"yorickvanpelt.nl".locations."/p1".return =
|
||||
"301 https://git.yori.cc/yorick/meterkast";
|
||||
"pub.yori.cc".locations."/muflax/".extraConfig = ''
|
||||
rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
|
||||
'';
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
|
||||
networking.firewall.allowedTCPPorts = [ 60307 ]; # weechat relay
|
||||
|
||||
# TODO: reload cert in weechat
|
||||
security.acme.certs."pennyworth.yori.cc".postRun = ''
|
||||
cat fullchain.pem key.pem > /home/yorick/.weechat/ssl/relay.pem
|
||||
chown yorick:users /home/yorick/.weechat/ssl/relay.pem
|
||||
chmod 0600 $_
|
||||
'';
|
||||
networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
|
||||
(machine: publicKey: {
|
||||
inherit publicKey;
|
||||
allowedIPs = [ "${vpn.ips.${machine}}/32" ];
|
||||
}) vpn.keys);
|
||||
services.prometheus.exporters.wireguard = { enable = true; };
|
||||
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9586 ];
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||
users.users.yorick.packages = with pkgs; [
|
||||
sshfs-fuse
|
||||
weechat
|
||||
ripgrep
|
||||
];
|
||||
nix.settings.allowed-users = [ "@wheel" ];
|
||||
|
||||
users.users.yorick.packages = with pkgs; [ sshfs-fuse weechat ripgrep ];
|
||||
}
|
||||
|
|
|
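Review bot: The retained `security.acme.certs."pennyworth.yori.cc".postRun` writes the private key with `cat fullchain.pem key.pem > /home/yorick/.weechat/ssl/relay.pem` before the `chown` and `chmod 0600 $_` run, so on first creation the file exists briefly under the service's default umask (typically 0644) and the key material is readable by other local users in that window. Starting the script with `umask 077` closes it; `chmod 0600 $_` also relies on bash's last-argument variable, which works but reads more clearly as the explicit path. The attribute set this hunk edits starts before the hunk.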
@ -7,6 +7,7 @@
|
|||
networking.firewall.logRefusedConnections =
|
||||
false; # Silence logging of scanners and knockers
|
||||
|
||||
nix.settings.allowed-users = [ "@wheel" ];
|
||||
# TODO: upstream with noXlibs
|
||||
nixpkgs.overlays = [
|
||||
(self: super: {
|
||||
|
|
|
@ -1,4 +1,11 @@
|
|||
{
|
||||
imports =
|
||||
[ ./git.nix ./muflax-church.nix ./pub.nix ./website.nix ./torrent-wg.nix ];
|
||||
imports = [
|
||||
./calibre-web.nix
|
||||
./git.nix
|
||||
./muflax-church.nix
|
||||
./pub.nix
|
||||
./vpn-host.nix
|
||||
./website.nix
|
||||
./torrent-wg.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let cfg = config.services.yorick.vpn-host;
|
||||
in {
|
||||
options.services.yorick.vpn-host = with lib; {
|
||||
enable = mkEnableOption "vpn-host";
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
services.prometheus.exporters.wireguard.enable = true;
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 31790 ]; # wg
|
||||
interfaces.wg-y.allowedTCPPorts = [ 9586 ]; # wireguard exporter
|
||||
};
|
||||
wireguard.interfaces.wg-y.peers = let vpn = import ../vpn.nix;
|
||||
in lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
|
||||
inherit publicKey;
|
||||
allowedIPs = [ "${vpn.ips.${machine}}/32" ];
|
||||
}) vpn.keys);
|
||||
};
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||
};
|
||||
}
|
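Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` near the end of the `config` block enables forwarding for every interface on the host, while the module only opens UDP 31790 and the exporter port on `wg-y` and sets no forward policy; as far as I know the NixOS firewall leaves the FORWARD chain unrestricted, so traffic can be routed between wg-y peers and the host's other interfaces unless rules exist elsewhere. A comment stating the intended scope, e.g. `# hub for wg-y: routes between peers; FORWARD is not filtered by networking.firewall, restrict via extraCommands if needed`, or an explicit `networking.firewall.extraCommands` rule limiting forwarding to `wg-y`, would make that explicit. The `lib.mkForce` on `wireguard.interfaces.wg-y.peers` also silently discards any peer another module declares for the interface; if `../vpn.nix` is meant to be the sole source, say so with `# vpn.nix is authoritative; mkForce drops peers set elsewhere`.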