diff --git a/nixos/systems/tewi/cloudflared.nix b/nixos/systems/tewi/cloudflared.nix
new file mode 100644
index 00000000..edbd4e95
--- /dev/null
+++ b/nixos/systems/tewi/cloudflared.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }: with lib; {
+ sops.secrets.cloudflared-tunnel-apartment.owner = config.services.cloudflared.user;
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "a3ae32ce-fe82-4f2c-ad54-3adf4a45fcbc" = {
+ credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
+ default = "http_status:404";
+ ingress = {
+ "gensokyo.zone" = "http://localhost:80";
+ "home.gensokyo.zone" = "http://localhost:8123";
+ "z2m.gensokyo.zone" = "http://localhost:80";
+ "login.gensokyo.zone" = "http://localhost:${toString config.services.vouch-proxy.settings.vouch.port}";
+ "id.gensokyo.zone" = {
+ service = "https://127.0.0.1:8081";
+ originRequest.noTLSVerify = true;
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/systems/tewi/home-assistant.nix b/nixos/systems/tewi/home-assistant.nix
index 2636c90c..e52da0fb 100644
--- a/nixos/systems/tewi/home-assistant.nix
+++ b/nixos/systems/tewi/home-assistant.nix
@@ -78,6 +78,7 @@ in {
 "200::/7"
 "100.64.0.0/10"
 "fd7a:115c:a1e0:ab12::/64"
+ "::1"
 ];
 };
 recorder = {
diff --git a/nixos/systems/tewi/kanidm.nix b/nixos/systems/tewi/kanidm.nix
index f2daecb7..aea5f8d8 100644
--- a/nixos/systems/tewi/kanidm.nix
+++ b/nixos/systems/tewi/kanidm.nix
@@ -15,7 +15,7 @@
 '';
 in {
 networks.gensokyo = {
- tcp = [ 8080 636 ];
+ tcp = [ 8081 636 ];
 };
 services.kanidm = {
@@ -33,8 +33,8 @@ in {
 role = "WriteReplica";
 log_level = "default";
 db_fs_type = "zfs";
- bindaddress = "${config.networks.tailscale.ipv4}:8080";
- ldapbindaddress = "${config.networks.tailscale.ipv4}:636";
+ bindaddress = "0.0.0.0:8081";
+ ldapbindaddress = "0.0.0.0:636";
 tls_chain = "${unencryptedCert}/${unencryptedCert.domain}.pem";
 tls_key = "${unencryptedCert}/${unencryptedCert.domain}/key.pem";
 };
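Review bot: The `"home.gensokyo.zone" = "http://localhost:8123"` ingress hands tunnel traffic straight to Home Assistant, bypassing nginx, while `z2m.gensokyo.zone` still goes through nginx and keeps its `auth_request /validate` gate; unless a Cloudflare Access policy (not visible in this commit) fronts these hostnames, Home Assistant and the vouch login endpoint become reachable from the public internet behind only their own application login. That is a deliberate choice or an oversight, and the ingress block should say which, e.g. `# Public via Cloudflare edge; HA is exposed on its own auth only, the nginx auth_request gate covers z2m` above the `ingress` attribute. `originRequest.noTLSVerify = true` for `id.gensokyo.zone` is a loopback hop so the risk is small, but if this module passes `originRequest.caPool` through to cloudflared, pointing it at kanidm's own chain would keep verification instead of the blanket opt-out.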
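Review bot: Adding `"::1"` to `trusted_proxies` only covers the IPv6 loopback, yet cloudflared.nix targets `http://localhost:8123`, which may resolve to `127.0.0.1` depending on the resolver; if `127.0.0.1` is not already in the list (the hunk starts mid-list, so I cannot see it) Home Assistant will refuse the forwarded headers on the IPv4 path. Listing both loopbacks, or pointing the ingress at `http://[::1]:8123` explicitly, removes the ambiguity; a short comment such as `# cloudflared on this host` next to the entry would also explain why a loopback address is trusted.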
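Review bot: `bindaddress = "0.0.0.0:8081"` and `ldapbindaddress = "0.0.0.0:636"` widen kanidm from the tailscale address to every interface, but the only new consumer is cloudflared, which dials `https://127.0.0.1:8081`; LDAPS gains nothing from the tunnel and is now listening on all interfaces with 636 opened in `networks.gensokyo.tcp`. `bindaddress = "127.0.0.1:8081";` would cover the tunnel and `ldapbindaddress = "${config.networks.tailscale.ipv4}:636";` would keep LDAP where it was, unless other hosts on the gensokyo network are meant to reach them, in which case a comment naming those consumers belongs here. If kanidm only accepts a single bind address and both loopback and tailscale clients are required, that constraint is worth stating in a comment rather than leaving `0.0.0.0` unexplained.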
diff --git a/nixos/systems/tewi/nginx.nix b/nixos/systems/tewi/nginx.nix
index cfa28b33..3e24ef39 100644
--- a/nixos/systems/tewi/nginx.nix
+++ b/nixos/systems/tewi/nginx.nix
@@ -15,12 +15,12 @@ with lib;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
- recommendedTlsSettings = true;
+ recommendedTlsSettings = false;
 commonHttpConfig = ''
 map $scheme $hsts_header {
 https "max-age=31536000; includeSubdomains; preload";
 }
- add_header Strict-Transport-Security $hsts_header;
+ #add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 #add_header X-Frame-Options DENY;
diff --git a/nixos/systems/tewi/nixos.nix b/nixos/systems/tewi/nixos.nix
index 6c0819d5..93612ca9 100644
--- a/nixos/systems/tewi/nixos.nix
+++ b/nixos/systems/tewi/nixos.nix
@@ -26,6 +26,7 @@ in {
 imports = with meta; [
 (modulesPath + "/installer/scan/not-detected.nix")
 hardware.local
+ services.access
 nixos.arc
 nixos.sops
 ./kanidm.nix
@@ -35,6 +36,7 @@ in {
 ./mosquitto.nix
 ./postgres.nix
 ./nginx.nix
+ ./cloudflared.nix
 ../../gui/nfs.nix
 ] ++ lib.optional (meta.trusted ? nixos.systems.tewi.default) meta.trusted.nixos.systems.tewi.default;
diff --git a/nixos/systems/tewi/secrets.yaml b/nixos/systems/tewi/secrets.yaml
index fe7f2cb9..ad934d81 100644
--- a/nixos/systems/tewi/secrets.yaml
+++ b/nixos/systems/tewi/secrets.yaml
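Review bot: Commenting out `add_header Strict-Transport-Security $hsts_header;` was not needed to make the tunnel work and removes HSTS from every TLS vhost this nginx still serves: the `map $scheme $hsts_header` just above already yields an empty value for plain-http requests, and nginx omits a header whose value is empty. For the tunneled hostnames `$scheme` is `http` because Cloudflare terminates TLS, so if the edge's forwarded-proto header reaches nginx the map can key on it, `map $http_x_forwarded_proto $hsts_header { https "max-age=31536000; includeSubdomains; preload"; }`, with the `add_header` line restored (`preload` commits the whole zone, so keep it only if that is intended). `recommendedTlsSettings = false` likewise drops the module's protocol, cipher and OCSP defaults for any remaining TLS listener; if nothing on this host terminates TLS anymore, a comment such as `# TLS is terminated at Cloudflare; no local TLS vhosts` would make both removals self-explanatory.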
@@ -8,6 +8,7 @@ vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAI
 openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str]
 z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
 ha-secrets: ENC[AES256_GCM,data:/VW9zlFgFbwoFohnmg3f1fYG4qSg32LvA5eapWXXhH5ppFHnIt+2MO1HCzzETuy4EHN/nv1I6hZRwvM52wuF15UrkWjWOu4Xhaz3q7sQbjUVecJAXuG51cKeFryFTq0Tb0zh,iv:SWrMUlLbQAm9qVGK79O6I3tB+pcPBsLitOpn89NBZpQ=,tag:WGYAqID1NvtQJx/w0RqrZQ==,type:str]
+cloudflared-tunnel-apartment: ENC[AES256_GCM,data:r3NbCbdA9sGqjhij/lUFqszpLvtzP9xasQ+LfCc4UPkt767/rjMrls496k59fLuh5iovHq4U6IXhdFica/gg0KdVR++osbXDZe0NlD3H54zQsqLNTlceU3SOok7HfwUcsmtYAsTN7u+SIv5bXJsdfqS7SYbCi9624Gz8xk0BU9rDkI4pXt9FA+4kVhgArSH7NbcgZ6oo4sOn6G1SsK5OzAb1BLOC4g==,iv:3KOU5jTUqD434GckPXV8teiThfagIinEGGZrVSR17xk=,tag:GKoO1904PxwUAkyY3X9S7Q==,type:str]
 ha-integration: ENC[AES256_GCM,data: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,iv:tRzbBW/YFMp2vw26M9ediGY49GuxvyV2ijZ1W7mjURQ=,tag:L4ACYnVzdarztrjlsX3cAQ==,type:str]
 sops:
 shamir_threshold: 1
@@ -34,8 +35,8 @@ sops:
 VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-03-10T17:59:59Z"
- mac: ENC[AES256_GCM,data:cEQnqvtfPWDR9lcI37k52mPuFhqW+4TTs2LghRn9NiJkcLUSJNCrNUJE2Q/YMrQD6Ks5m7jRik/x3ryMdvVSiG4KC/Uk5pviZOCwDhRpDG4I8EqJHRhXLyxxptHV+D4y4+txPyXelOaY9FLU+0X+yHNLGRdURb7PqXfBZhmU56E=,iv:IvFaSROIH6OtpOOL53nn0CGTjLRpuCndBHDr1mIETNU=,tag:r2WzjoIC3jZvedgLcYaLfg==,type:str]
+ lastmodified: "2023-03-14T23:12:48Z"
+ mac: ENC[AES256_GCM,data:07zr/KHyLHvS7v+BMrY3uC9YZ0y6U7H6SMpYSWt3pR07Z36P9ZijOn2kgLmWnR1BzwwBW+L2t83kyegpZzLiqNniA9YDiHxtg3ovJCjkXjyhGEzDnLjZrGordf0qxC8mh+wuaSLueeR2Yj2xzdTDAoRCZTmuugipunYc2jazaOI=,iv:pJXn5g7CgYEZC8Z7LIQ+nmMzq5XA5imRa9U9nDLr2cM=,tag:L+gMyJo5Sj67ApOMnR7zog==,type:str]
 pgp:
 - created_at: "2023-03-10T17:06:53Z"
 enc: |
diff --git a/nixos/systems/tewi/vouch.nix b/nixos/systems/tewi/vouch.nix
index 6da2e8b0..1f3bb4e0 100644
--- a/nixos/systems/tewi/vouch.nix
+++ b/nixos/systems/tewi/vouch.nix
@@ -10,6 +10,10 @@
 type = types.nullOr types.str;
 default = "gensokyo.zone";
 };
+ secure = mkOption {
+ type = types.bool;
+ default = true;
+ };
 };
 port = mkOption {
 type = lib.types.port;
@@ -17,7 +21,7 @@
 };
 listen = mkOption {
 type = types.nullOr types.str;
- default = config.networks.tailscale.ipv4;
+ default = "127.0.0.1";
 };
 allowAllUsers = mkOption {
 type = types.bool;
@@ -62,6 +66,10 @@
 };
 };
 config = {
+ services.vouch-proxy.settings = {
+ vouch.cookie.secure = false;
+ };
+
 sops.secrets = {
 vouch-jwt.owner = "vouch-proxy";
 vouch-client-secret.owner = "vouch-proxy";
diff --git a/services/access.nix b/services/access.nix
index eeab04d8..4383237f 100644
--- a/services/access.nix
+++ b/services/access.nix
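Review bot: `vouch.cookie.secure = false;` strips the `Secure` attribute from the vouch session cookie, but that attribute governs the browser-to-edge leg, which is still HTTPS through Cloudflare; the origin now speaking plain HTTP to cloudflared on `127.0.0.1` is no reason to drop it, and without it a browser will send the session cookie on any plain-http request to `login.gensokyo.zone` (a stray `http://` link, or a direct reach over the tailnet). The first hunk of this file adds a `secure` option defaulting to `true`, yet this block hard-codes `false` instead of reading it, so the new option has no visible effect; wiring it through (`vouch.cookie.secure = <the new secure option>;`, whose exact path depends on the enclosing option set that starts outside the hunk) and keeping the default `true` gives the safe behaviour with an explicit escape hatch. If there is a concrete reason the flag must be off for the tunnel, that belongs in a comment on this line rather than in the bare `false`.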
@@ -49,32 +49,20 @@
 };
 services.nginx.virtualHosts = mkMerge [
- (mkIf tf.state.enable {
+ (mkIf (tf.state.enable && config.networking.hostName == "tewi") {
 "gensokyo.zone" = {
 locations."/" = {
 root = pkgs.gensokyoZone;
 };
 };
- "home.gensokyo.zone" = {
- locations = {
- "/" = {
- proxyPass = meta.tailnet.tewi.pp 4 8123;
- extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- '';
- };
- };
- };
 "z2m.gensokyo.zone" = {
 extraConfig = ''
- auth_request /validate;
- error_page 401 = @error401;
+ auth_request /validate;
+ error_page 401 = @error401;
 '';
 locations = {
 "/" = {
- proxyPass = meta.tailnet.tewi.pp 4 8072;
+ proxyPass = "http://127.0.0.1:8072";
 extraConfig = ''
 add_header Access-Control-Allow-Origin https://login.gensokyo.zone;
 add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
@@ -91,7 +79,7 @@
 };
 "/validate" = {
 recommendedProxySettings = false;
- proxyPass = meta.tailnet.tewi.ppp 4 30746 "validate";
+ proxyPass = "http://127.0.0.1:30746/validate";
 extraConfig = ''
 proxy_set_header Host $http_host;
 proxy_pass_request_body off;
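Review bot: The `/validate` target hard-codes `http://127.0.0.1:30746/validate` while cloudflared.nix on the same host derives the vouch port from `config.services.vouch-proxy.settings.vouch.port`, and vouch.nix now exposes a `listen` option defaulting to `127.0.0.1`; two spellings of the same endpoint will drift silently if either option is changed. `proxyPass = "http://127.0.0.1:${toString config.services.vouch-proxy.settings.vouch.port}/validate";` keeps the auth_request backend tied to the real listener, provided that option evaluates on every host importing services/access.nix (the `mkIf` on the first hunk guards the value, so non-tewi hosts should not force it, but I have not checked). The enclosing `"z2m.gensokyo.zone"` vhost and its `locations` set continue past this hunk.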
@@ -104,39 +92,16 @@
 };
 };
 };
- "id.gensokyo.zone" = {
- locations = {
- "/" = {
- proxyPass = meta.tailnet.tewi.pp 4 8080;
- extraConfig = ''
- proxy_set_header Host $host;
- add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- '';
- };
- };
- };
- "login.gensokyo.zone" = {
- locations = {
- "/" = {
- proxyPass = meta.tailnet.tewi.pp 4 30746;
- recommendedProxySettings = false;
- extraConfig = ''
- proxy_set_header Host $http_host;
- '';
- };
- };
- };
+ })
+ (mkIf (config.networking.hostName != "tewi") {
 "home.${config.networking.domain}" = {
 locations = {
 "/" = {
 proxyPass = meta.tailnet.yukari.pp 4 8123;
 extraConfig = ''
 proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
+ proxy_set_header Connection "upgrade";
+ proxy_http_version 1.1;
 '';
 };
 };
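Review bot: The new `(mkIf (config.networking.hostName != "tewi") {` branch drops the `tf.state.enable` guard that `"home.${config.networking.domain}"` previously sat under (it was inside the original `mkIf tf.state.enable` set, which the added `})` now closes above it), so on non-tewi hosts the proxy to yukari:8123 is declared even when terraform state is disabled. If that is not intended, `(mkIf (tf.state.enable && config.networking.hostName != "tewi") {` mirrors the first branch exactly. Since the two branches are complements on `hostName`, a one-line comment above the `mkMerge` saying why tewi serves the zone locally while other hosts proxy to yukari would save the next reader reconstructing it; the list's closing `})` and `]` are outside this hunk.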