mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 04:19:19 -08:00
cloudflared tunnel
This commit is contained in:
arcnmx
parent
62e97d324a
commit
2dda82d1dd
8 changed files with 51 additions and 52 deletions
22
nixos/systems/tewi/cloudflared.nix
Normal file
22
nixos/systems/tewi/cloudflared.nix
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
{ config, lib, ... }: with lib; {
|
||||
sops.secrets.cloudflared-tunnel-apartment.owner = config.services.cloudflared.user;
|
||||
services.cloudflared = {
|
||||
enable = true;
|
||||
tunnels = {
|
||||
"a3ae32ce-fe82-4f2c-ad54-3adf4a45fcbc" = {
|
||||
credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
|
||||
default = "http_status:404";
|
||||
ingress = {
|
||||
"gensokyo.zone" = "http://localhost:80";
|
||||
"home.gensokyo.zone" = "http://localhost:8123";
|
||||
"z2m.gensokyo.zone" = "http://localhost:80";
|
||||
"login.gensokyo.zone" = "http://localhost:${toString config.services.vouch-proxy.settings.vouch.port}";
|
||||
"id.gensokyo.zone" = {
|
||||
service = "https://127.0.0.1:8081";
|
||||
originRequest.noTLSVerify = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -78,6 +78,7 @@ in {
|
|||
"200::/7"
|
||||
"100.64.0.0/10"
|
||||
"fd7a:115c:a1e0:ab12::/64"
|
||||
"::1"
|
||||
];
|
||||
};
|
||||
recorder = {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
'';
|
||||
in {
|
||||
networks.gensokyo = {
|
||||
tcp = [ 8080 636 ];
|
||||
tcp = [ 8081 636 ];
|
||||
};
|
||||
|
||||
services.kanidm = {
|
||||
|
|
@ -33,8 +33,8 @@ in {
|
|||
role = "WriteReplica";
|
||||
log_level = "default";
|
||||
db_fs_type = "zfs";
|
||||
bindaddress = "${config.networks.tailscale.ipv4}:8080";
|
||||
ldapbindaddress = "${config.networks.tailscale.ipv4}:636";
|
||||
bindaddress = "0.0.0.0:8081";
|
||||
ldapbindaddress = "0.0.0.0:636";
|
||||
tls_chain = "${unencryptedCert}/${unencryptedCert.domain}.pem";
|
||||
tls_key = "${unencryptedCert}/${unencryptedCert.domain}/key.pem";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -15,12 +15,12 @@ with lib;
|
|||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedTlsSettings = false;
|
||||
commonHttpConfig = ''
|
||||
map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubdomains; preload";
|
||||
}
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
#add_header X-Frame-Options DENY;
|
||||
|
|
|
|||
|
|
@ -26,6 +26,7 @@ in {
|
|||
imports = with meta; [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
hardware.local
|
||||
services.access
|
||||
nixos.arc
|
||||
nixos.sops
|
||||
./kanidm.nix
|
||||
|
|
@ -35,6 +36,7 @@ in {
|
|||
./mosquitto.nix
|
||||
./postgres.nix
|
||||
./nginx.nix
|
||||
./cloudflared.nix
|
||||
../../gui/nfs.nix
|
||||
] ++ lib.optional (meta.trusted ? nixos.systems.tewi.default) meta.trusted.nixos.systems.tewi.default;
|
||||
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAI
|
|||
openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str]
|
||||
z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
|
||||
ha-secrets: ENC[AES256_GCM,data:/VW9zlFgFbwoFohnmg3f1fYG4qSg32LvA5eapWXXhH5ppFHnIt+2MO1HCzzETuy4EHN/nv1I6hZRwvM52wuF15UrkWjWOu4Xhaz3q7sQbjUVecJAXuG51cKeFryFTq0Tb0zh,iv:SWrMUlLbQAm9qVGK79O6I3tB+pcPBsLitOpn89NBZpQ=,tag:WGYAqID1NvtQJx/w0RqrZQ==,type:str]
|
||||
cloudflared-tunnel-apartment: ENC[AES256_GCM,data:r3NbCbdA9sGqjhij/lUFqszpLvtzP9xasQ+LfCc4UPkt767/rjMrls496k59fLuh5iovHq4U6IXhdFica/gg0KdVR++osbXDZe0NlD3H54zQsqLNTlceU3SOok7HfwUcsmtYAsTN7u+SIv5bXJsdfqS7SYbCi9624Gz8xk0BU9rDkI4pXt9FA+4kVhgArSH7NbcgZ6oo4sOn6G1SsK5OzAb1BLOC4g==,iv:3KOU5jTUqD434GckPXV8teiThfagIinEGGZrVSR17xk=,tag:GKoO1904PxwUAkyY3X9S7Q==,type:str]
|
||||
ha-integration: ENC[AES256_GCM,data:iW/hnCuXWKeZ43CNf2KKISPY1N2uqHHGQcCpfBojN4kTCi6VvsAZveUS8v28SrrPsh/2+vXoj1STj+N4COkFn7NANP6q946H7VaEgOTBvf9wykJ+WGYDMUgd8Ce8yLjnJpf+q6Rm5BHWMBrE53bB6YCbU9CIOCFF1mm4b6SXdJSuK0DOXZjsoYAc2TjHFb3K3/+74YRiRLgGSnE7MT8sPQ3Bojg9VRNFDZbxRejRjwDGZlRIHM/imeoTSwsWB/sLryR1HKEvyXSWy7MG0v2YqyAloxa/4uFpOdQ37NG4tegzCYwdybnEdW2wv+bZXfDq/csAIpRIyegpkjZeAhfAA5LptYaXxdzFhtFS6NJ6ROW+scbOhS0snoOrg7CqiiB8Y7ad6VFco6dJKCdr+A/92pH3y/+gq6LxOOpIxzbnqkIDV41VVRK61tHafZsXEMXkyRCPbYuVIcVlK4xuw3OryzfUUTW0UFUm0qgIP04L6bI0Zay2NYxL42T7DgLbeddOBEYvBJefQVS1Yk/Q7ql9gnj4EsFMbvKGANhT182kkwKGN+kbVW3Gh63kploRB6AOjGJe+2+2zZnJrKBot+AHJ0Fj8e3n00kvXQtYccVsvD1NREABg0O6xtTjgUoPw+C0lbRgoh/mouyny6f+1jSUF9xDIU8M8YUHOku/VtmSxrMGc5HDPeGjSs/0IMzJJXbt3x9if2Db4zW50XbGFkZDEceJwqulqR7ca0BKeUPUurYnCqh7YGTPe1zc+xkH6Ew/KWlH6bY/YC1hL1fqlqWVWktW3StwAOIzZoytvjtdxifc7Gy4YPKzOi4njLbyvyB+lRMkzvBfyVguGyHvpGbSSog6lxUTmbOqDbl3qCRY2ZJXcuBza6e90Qf1GF1oGjrOIVfNAmJCz7BaNfjtKIc8asql36pRzjFXwPlbfgNHXjQEAUAqiAEyabhaCnqZVbhk0i8PrT/jrHCj/COXgHUT8As3t1Tmipcel7OwqiE23lpTp//bQ4dRuVs59RzyElaLsj9cehiEzIys0bzlPDmQzbgxw48yKRhtrwkY5J0zPWe7OkrFwkbLHfNFisU4qPvoTwOIMvCjTHdMZZ3TrXeuEPH3gEkIYeItd0o7NyJ0FekK1N9YLN6r0lWKHhWvz/dOaR2RRb22bsO24gn12xXHb0idEQ6D+AQxSLywW6DKjb6ZBAihZd9dJ3fIYcaB81C8W7dJ5o0J060MVX/ngRpB0Us916BBUoXRT3/7HbXen+Bn3i87fSXdFStXUXPwnNLATVOOKcq++h9we1yScPdVg2IWPGmryc6RoS1PjKGzlUE5XAXQKuyGbZQtgqV9Da5wktWkJFeZpuP9oQzC+37AP9fZM3BZHGK1siZ5USPbxwwszWWn0lHDdmQyor/IhKSBVh+4CkqOY0SV/P73OzhfyS+JtcBIrTJgMWHPOc5jsSf+5l904XhApg7KYxYwZHaDrbooG+YXu5eZ8QSqz04BmG6ErgQZ3f29mg6e7OT1Ikt2Q1M7MePSnSMZuvQKJ4dVYwFmo1nO0HnkObA6rMPd7XVUYDmWOyzUcRUBukU2w0XfHELLzid0odLHZsXCH+RTaRoXvwXVz1eRWu5guzeafsxDpTW5Z/AqR785jYGgL116sGSJ5806p01IqDBg0aS+oEtSpfaXw1AZXT4GkxoQM3vAUeRAc+B/twtjJ38UFMisWXBbss4Q6wxRcXFzNtSkZMchUfGS4XMJ43FajrHlFKG9uZQ4G7IXYbliFkjZ5F2zwXr3sDsVFxeYIuws1yYCEYFtisduad6kOnZCTQjAMw1YYKtTM7TYeMt4TNutR+AAOqGMx0p11lZmAFYRlsoqGs+by+vC8BO1gCkAcr7s8MAoh5CuG56zs16gnSRlMbQAciIjaRptKkYh+zLEXYI9kmMlr3hWQYlHNtBtU6w2+n+1y7EYlh+PiFB+xrGJisgPePfx7+VqEH3UiPVVv8bAN9Mh0RwjaOGXAYMEgsN1smhsKm1h0K3Z8tcZUx/OJFHgHDo3bi0eE3REz/Mxh56PVx/1vhpGj9TGZuanynEP5q7iYh3ETYBHdK89we4uw4tEkDnt9JRXNuofYmXyw44AbO8UNMy6jt/2Joc55egSU5oiexrLVUSQaM3vVdvfz4u7Whv1O31hRPt8hDccHM6KSFkXRLmI3m02vKQs7gEqjjZH+6sOI1ciY8LcmePzFefVG/xGRlH9yPpV1bDUdxBgpSFT8N9Xm+yqBKhuwT0MUhUoEpaiZht7iDPMshXXX3j80TO1csgD8gWY4L9YPTgHngRtLS+LZfdlDb9gvgJ7WwD6i3r/X4lLvLy2fKplSbCHJprlGY4YJWnmVJyFGOShPm0yOkZgBgfKT6CeoeTL+h+tGWuML1+Tbt0p6QRNP9djhoznMPMVxLWOZXa7Sbnb6PurddDG7eKPyadasc174BqdWNPzlu+nAQV8s6UlB8y9hmjqevpx+HAwbMWhIFtsuXAxS7jMe7FsQyjf0I7YUySS4sCH+1vsFpZDTxjPmatGT5g1vJAMKBfXEpMuR3KQpIftVrON/Wp+rS2kpSCpcPt6+8g8FMP1/OVM6B2Kmj4LeZvS1LHp8FktQrPXav3i8aIpjEstsCPWFJTgBEjuUxGmodks+Zo64R1XxhtAQzXmwUltGRpx3aCiDoDP94uKicEY/+k60ucECLx3sQEcpu6nE53JEELveAHVgwIyXLmik/MclvaZMZu5kjh8QaiPEzL1/r1trYVQiJ63IHpriDThRQqnFSYiQ74BJnheXsU/5mlUUwNT+TinsiwP8JCarTm0XyXrHYW7KxJW7ZXud9Sc7/bYrkQ4hvtz+XtFpZs7UHmHjBDF0DHqHPxUdudKV548tyh2Uc8LwzNgRCXrFswUme/dVTcGGRHZPIgO8P9SBvPbakyN8Xjpm7CC+bGEl3jV4DfMfXH79Y25mlw4s8nbi06mpYp1T938jfrVIgE7Tvp3C+miLblKbwA14IYI3ZiLwiea+Nb36/jkG198yZfsmkqqPZPMMq9+kkA3NEWk+BlPA3m75mCltCXJY6BMrFVQWVMiwroQ8aq4medx1Nsc6w==,iv:tRzbBW/YFMp2vw26M9ediGY49GuxvyV2ijZ1W7mjURQ=,tag:L4ACYnVzdarztrjlsX3cAQ==,type:str]
|
||||
sops:
|
||||
shamir_threshold: 1
|
||||
|
|
@ -34,8 +35,8 @@ sops:
|
|||
VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
|
||||
7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-03-10T17:59:59Z"
|
||||
mac: ENC[AES256_GCM,data:cEQnqvtfPWDR9lcI37k52mPuFhqW+4TTs2LghRn9NiJkcLUSJNCrNUJE2Q/YMrQD6Ks5m7jRik/x3ryMdvVSiG4KC/Uk5pviZOCwDhRpDG4I8EqJHRhXLyxxptHV+D4y4+txPyXelOaY9FLU+0X+yHNLGRdURb7PqXfBZhmU56E=,iv:IvFaSROIH6OtpOOL53nn0CGTjLRpuCndBHDr1mIETNU=,tag:r2WzjoIC3jZvedgLcYaLfg==,type:str]
|
||||
lastmodified: "2023-03-14T23:12:48Z"
|
||||
mac: ENC[AES256_GCM,data:07zr/KHyLHvS7v+BMrY3uC9YZ0y6U7H6SMpYSWt3pR07Z36P9ZijOn2kgLmWnR1BzwwBW+L2t83kyegpZzLiqNniA9YDiHxtg3ovJCjkXjyhGEzDnLjZrGordf0qxC8mh+wuaSLueeR2Yj2xzdTDAoRCZTmuugipunYc2jazaOI=,iv:pJXn5g7CgYEZC8Z7LIQ+nmMzq5XA5imRa9U9nDLr2cM=,tag:L+gMyJo5Sj67ApOMnR7zog==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-03-10T17:06:53Z"
|
||||
enc: |
|
||||
|
|
|
|||
|
|
@ -10,6 +10,10 @@
|
|||
type = types.nullOr types.str;
|
||||
default = "gensokyo.zone";
|
||||
};
|
||||
secure = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
port = mkOption {
|
||||
type = lib.types.port;
|
||||
|
|
@ -17,7 +21,7 @@
|
|||
};
|
||||
listen = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = config.networks.tailscale.ipv4;
|
||||
default = "127.0.0.1";
|
||||
};
|
||||
allowAllUsers = mkOption {
|
||||
type = types.bool;
|
||||
|
|
@ -62,6 +66,10 @@
|
|||
};
|
||||
};
|
||||
config = {
|
||||
services.vouch-proxy.settings = {
|
||||
vouch.cookie.secure = false;
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
vouch-jwt.owner = "vouch-proxy";
|
||||
vouch-client-secret.owner = "vouch-proxy";
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue