diff --git a/modules/nixos/nginx-local.nix b/modules/nixos/nginx-local.nix
new file mode 100644
index 00000000..3a3d47d3
--- /dev/null
+++ b/modules/nixos/nginx-local.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkBefore;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.strings) optionalString;
+ inherit (config.services) tailscale;
+ localModule = { config, ... }: {
+ options = with lib.types; {
+ local = {
+ enable = mkEnableOption "local traffic only";
+ };
+ };
+ config = mkIf config.local.enable {
+ extraConfig = let
+ tailscaleAllow = ''
+ allow fd7a:115c:a1e0::/96;
+ allow fd7a:115c:a1e0:ab12::/64;
+ allow 100.64.0.0/10;
+ '';
+ in mkBefore ''
+ allow 127.0.0.0/8;
+ allow ::1;
+ allow 10.1.1.0/24;
+ allow fd0a::/64;
+ allow fe80::/64;
+ ${optionalString tailscale.enable tailscaleAllow}
+ deny all;
+ '';
+ };
+ };
+in {
+ options = with lib.types; {
+ services.nginx.virtualHosts = mkOption {
+ type = attrsOf (submodule localModule);
+ };
+ };
+}
diff --git a/nixos/access/home-assistant.nix b/nixos/access/home-assistant.nix
new file mode 100644
index 00000000..fdb7fd7b
--- /dev/null
+++ b/nixos/access/home-assistant.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (config.services) home-assistant tailscale;
+ proxyPass = "http://localhost:${toString home-assistant.config.http.server_port}/";
+in {
+ services.nginx.virtualHosts."home.local.${config.networking.domain}" = mkIf home-assistant.enable {
+ local.enable = mkDefault true;
+ locations."/" = {
+ inherit proxyPass;
+ };
+ };
+ services.nginx.virtualHosts."home.tail.${config.networking.domain}" = mkIf (home-assistant.enable && tailscale.enable) {
+ local.enable = mkDefault true;
+ locations."/" = {
+ inherit proxyPass;
+ };
+ };
+}
diff --git a/nixos/access/proxmox.nix b/nixos/access/proxmox.nix
new file mode 100644
index 00000000..cd70c94a
--- /dev/null
+++ b/nixos/access/proxmox.nix
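Review bot: The allow list in `mkBefore` trusts `127.0.0.0/8` and `::1`, so any process that forwards to nginx from the same host satisfies `local.enable` for whichever vhost it reaches — the cloudflared tunnel this commit configures on hakurei delivers its requests exactly that way — because the filter only ever sees `$remote_addr`. Nothing in this diff points a tunnel at a `local` vhost, but the option text should state the trust boundary rather than leave it implicit: `enable = mkEnableOption "restricting this vhost to local clients by source IP (loopback, LAN, Tailscale); anything forwarding from localhost, e.g. a tunnel, counts as local";`. Because `mkBefore` puts `deny all` ahead of whatever other modules append to `extraConfig`, and nginx stops at the first matching access rule, an `allow` added later elsewhere is dead — extra sources have to be added here, which is one more reason to lift the hard-coded `10.1.1.0/24`, `fd0a::/64` and Tailscale prefixes into options with these values as defaults.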
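Review bot: Both Home Assistant vhosts proxy `locations."/"` with only `proxyPass`, while the zigbee2mqtt hunk in this same commit sets `proxy_http_version 1.1` plus the `Upgrade`/`Connection` headers for its websocket; Home Assistant's frontend also runs over a websocket (`/api/websocket`), so unless `recommendedProxySettings` (not visible here) already supplies those headers, the UI will load and then fail to connect. Reusing the same three-line `extraConfig` here would keep the two access modules consistent. Separately, Home Assistant only accepts proxied requests when `http.use_x_forwarded_for` is on and `http.trusted_proxies` lists the proxy — with this `proxyPass` that is `127.0.0.1`/`::1` — and without it its login-attempt IP ban keys every client on loopback, so a comment next to `proxyPass` should record the dependency: `# HA must set http.use_x_forwarded_for and trusted_proxies = [ "127.0.0.1" "::1" ]` (verify against the HA version in use).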
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (lib.strings) escapeRegex;
+ proxyPass = "https://reisen.local.gensokyo.zone:8006/";
+in {
+ services.nginx.virtualHosts."prox.${config.networking.domain}" = {
+ locations."/" = {
+ extraConfig = ''
+ set $prox_prefix ''';
+ include ${config.sops.secrets.access-proxmox.path};
+ if ($request_uri ~ "^/([^/]+).*") {
+ set $prox_prefix $1;
+ }
+ if ($request_uri ~ "^/(pve2/.*|pwt/.*|api2/.*|xtermjs/.*|[^/]+\.js.*)") {
+ rewrite /(.*) /prox/$1 last;
+ }
+ if ($http_referer ~ "^https://prox\.${escapeRegex config.networking.domain}/([^/]+)/$") {
+ set $prox_prefix $1;
+ }
+ if ($prox_prefix != $prox_expected) {
+ return 501;
+ }
+ if ($request_uri ~ "^/([^/]+)") {
+ rewrite /(.*) /prox/$1 last;
+ }
+ rewrite /[^/]+/(.*) /prox/$1;
+ rewrite /[^/]+$ /prox/;
+ '';
+ };
+ locations."/prox/" = {
+ inherit proxyPass;
+ extraConfig = ''
+ internal;
+ '';
+ };
+ locations."/prox/api2/" = {
+ proxyPass = "${proxyPass}api2/";
+ extraConfig = ''
+ internal;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ };
+ };
+ services.nginx.virtualHosts."prox.local.${config.networking.domain}" = {
+ local.enable = mkDefault true;
+ locations."/" = {
+ inherit proxyPass;
+ };
+ };
+ services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
+ local.enable = mkDefault true;
+ locations."/" = {
+ inherit proxyPass;
+ };
+ };
+
+ sops.secrets.access-proxmox = {
+ sopsFile = mkDefault ../secrets/access-proxmox.yaml;
+ owner = config.services.nginx.user;
+ group = config.services.nginx.group;
+ };
+}
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index e8226090..126259fd 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
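Review bot: The secret-prefix gate on `prox.${config.networking.domain}` does not cover the Proxmox API: the second `if` rewrites any `$request_uri` matching `^/(pve2/.*|pwt/.*|api2/.*|xtermjs/.*|[^/]+\.js.*)` into the internal `/prox/` location with `last` before `$prox_prefix` is ever compared with `$prox_expected` (presumably set by the included sops snippet), so `/api2/json/access/ticket` and every other `/api2/` endpoint — websocket upgrades included, via `locations."/prox/api2/"` — is reachable without the prefix and only the HTML shell is hidden. Moving that three-line `if` block to just below `if ($prox_prefix != $prox_expected) { return 501; }` restores the intended order (the Referer block then supplies the prefix for the app's absolute-path requests); re-test the console/VNC websocket paths afterwards, since requests arriving without a matching `Referer` would start being rejected. The fourth `if` (`^/([^/]+)`) also looks wrong: it matches every non-root `$request_uri` and rewrites the whole path, so the two prefix-stripping `rewrite`s after it appear unreachable and the upstream would receive `/<prefix>/…` rather than `/…` — worth checking what pveproxy actually gets. Even once fixed, the prefix is obscurity rather than authentication — it is sent in every same-origin `Referer`, is logged via `$request_uri`, and Proxmox's own login remains the real control — which a comment above `extraConfig` should say. Separately, the `https://reisen.local.gensokyo.zone:8006/` upstream is not certificate-verified unless `proxy_ssl_verify on` and `proxy_ssl_trusted_certificate` are set somewhere outside this diff, since nginx's `proxy_ssl_verify` defaults to off.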
@@ -5,9 +5,15 @@ }: let inherit (lib.options) mkOption; - inherit (lib.modules) mkIf mkDefault mkOptionDefault; + inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; cfg = config.services.zigbee2mqtt; access = config.services.nginx.access.zigbee2mqtt; + proxyPass = mkDefault "http://${access.host}:${toString access.port}"; + extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + ''; in { options.services.nginx.access.zigbee2mqtt = with lib.types; { host = mkOption { @@ -16,6 +22,10 @@ in { domain = mkOption { type = str; }; + localDomain = mkOption { + type = str; + default = "z2m.local.${config.networking.domain}"; + }; port = mkOption { type = port; }; @@ -28,16 +38,17 @@ in { mkOptionDefault cfg.settings.frontend.port ); }; - virtualHosts.${access.domain} = { - vouch.enable = true; - locations = { - "/" = { - proxyPass = mkDefault "http://${access.host}:${toString access.port}"; - extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_http_version 1.1; - ''; + virtualHosts = { + ${access.domain} = { + vouch.enable = true; + locations."/" = { + inherit proxyPass extraConfig; + }; + }; + ${access.localDomain} = { + local.enable = true; + locations."/" = { + inherit proxyPass extraConfig; }; }; }; diff --git a/nixos/plex.nix b/nixos/plex.nix index 7556ddef..24f2f1df 100644 --- a/nixos/plex.nix +++ b/nixos/plex.nix @@ -24,13 +24,19 @@ proxy_redirect off; proxy_buffering off; ''; + proxyPass = "http://localhost:32400"; in { "plex.${config.networking.domain}" = { - locations."/".proxyPass = "http://localhost:32400"; + locations."/" = { + inherit proxyPass; + }; inherit extraConfig; }; "plex.local.${config.networking.domain}" = { - locations."/".proxyPass = "http://localhost:32400"; + local.enable = true; + locations."/" = { + inherit proxyPass; + }; inherit extraConfig; }; }; 
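Review bot: The new `${access.localDomain}` vhost leaves `vouch.enable` off and relies on `local.enable = true` alone, so the Zigbee2MQTT frontend — which has no authentication of its own unless `frontend.auth_token` is configured, and this diff does not show one — is gated purely by the source-IP allow list of the `local` module. That is presumably intended, but it deserves a one-line comment on the vhost (`# no vouch: reachability is limited to local/Tailscale source addresses by local.enable`) so the allow list is not widened later without realising what it exposes. The shared `extraConfig` also sends `Connection "upgrade"` on every request rather than only on websocket upgrades; the usual idiom is `proxy_set_header Connection $connection_upgrade;` backed by a `map $http_upgrade $connection_upgrade`. The `let … in {` body these hunks sit in begins before and ends after the visible hunks.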
diff --git a/nixos/secrets/access-proxmox.yaml b/nixos/secrets/access-proxmox.yaml
new file mode 100644
index 00000000..4828f39b
--- /dev/null
+++ b/nixos/secrets/access-proxmox.yaml
@@ -0,0 +1,75 @@ +access-proxmox: ENC[AES256_GCM,data:SZVTDk5t6A4GgjrRXAdnfw7QarieTCkdHU/olt0=,iv:ByyghIA5RaTc1u4FhFJtEhZAlZfV+92AoXapNbCv6QI=,tag:NsaUeSr7pX/8AnS48Hdwvw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSnB6REJQS3hFTWdrcjhv + aU9ZM0k4VHNiSDI4RkhHQkJ6ajVhdkxEc2l3CnRiOHNoYVBobVZRWVhIdEo0b01r + QkhYTnpXSm9XSzgybUFZR0I4cmlKdlEKLS0tIDVURnZ6TFZ2UlJ5Y1ozOVBTZ2dr + QlBlRnlDZlA5bG1KaDB5STFLdCtkWWcKgKZulfpmL021V16LLd3paqHpHcofNfps + LhZsPZuiVgQ3iMlFYQsp8Ya5s/TBkMvSyEO24H2BSFdM9vNDgZuxTQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UHRjeWd3VExtVG8ybzR3 + ODdIRkZ6VlVBalN5WWdLV1RhVEJRcm56VlZ3Cm5ObW9YRW1BL2ZCeFNyVklzbDdD + YnF3QVV1NFNHUHQwOFFTamVpT1c4R0kKLS0tIFNzaEx6VEtvRW5WdFRqMXJOd1VW + RWlMajR4ZXpNbktXeDRRSEJVS3MwdW8KbFr11HAGJc++u3hsja7Uz9FUhmnUW2Jw + Qs/n0kf8BCMigbJMZP1YKxJoDNKGjFzLr+NtDErnKl0OaGAUfYSLjw== + -----END AGE ENCRYPTED FILE----- + - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZGZrR0M3SGplZWFVMVQ2 + UFhtR3MvS0o2L1RyQUdvL2E0QkV2c29QRUNFCmU5dnhPQTdadmk0bHQvZXFpam0w + a3NxNGtVWkFidzZTeW1yWUpieVNDQjgKLS0tIHZUR2pLc05hdXdEUG5FbU43Wkps + aVJTU2MwNlV4VGZCZmljZ2J5V3p4dkEKtX6n603K8v2kyt+TNGSKX3TPRXvl497D + Mp2YvTLttv4tW/kJq1A0esXre+H/SMlrHGR/fBWbd2BhjbrmpggQSA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-20T20:11:12Z" + mac: 
ENC[AES256_GCM,data:1zZn01VFBs9lgPI4B8qtaoQvO4+fBLMs4pkmiNFwk/gzNsD4Dw5y+RfuAP+7OoPlkvDliw+Zct9jAgscVGmSqa2OMHSbgBnn50j06JmKbfDedxhZrQdb7O+yykuq6/RxN2E/LZ40saQaiS6GguvRhDqVNUqn+HGpa7Tbrb8LmhQ=,iv:P67WoQLtGhKuVhCgdkDUxx41bfSNitXdxroSOQqLGQc=,tag:m57oJnz4diogQ0EXktKt0w==,type:str] + pgp: + - created_at: "2024-01-20T20:09:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ/9GD37XRt05xS/k1j6KreWEaNMfj3JCsOBBz+UKnxVtajn + Ar/TkOdAoYTKjCxD0NAf2OOHvdunDra+xEgzNrLGjfvAZyl3k9O63SwVw2GZzrAm + 5yogXz4qm1rEpcEphzC1kWzGS1g4Wp5Fgo12b3xqjhmezySrMfpNwzzP37TZ7/4X + Mld1fQ+Ie1S+C69ZtZmrIfYK3NJGH3YM8frzwEYm7pIsgCmb7qNO/x6OgiTkeeGU + Ik4CaXK8oks7ANDAs8Z+fRxiuUtawKsL8J2oNCS4KofAO5h3e0batdJ2fEKqJNqN + TfSmLjmXXA7kYDSvPPY+PdSNw6u4veNhjjra3B+nd5CZ+5gPZqJmwcn6rcBOQJQb + 21wU3iZzckMMEuccPH5JyoX/4nL1g3jucFy5ELKVgKzfEeIRkIT3JJW48unbnNQD + eNZrTFocUyz08d4CJz9GwTaRSAp1MHp7NDcJTUoQYxPjiaf1fhcyxak3qYnk09Xm + PkosYDM7auc41flUyCxZBwBWSxoLrSN/x/bbB1A8rXhrMcp3jafF+wkq3a6VsHPy + 7Dqw/DwerHEqKOnh6MjxRxygO3CEszDlZB6J88njRgLJPCrcV+wqAZZLLnL/H2AA + GlJ8JedJd8ra58sUw++IPnWSTFV7arXoxPb+DvmylOuvTvxkHm70rzcKEcbQfwTS + XgHIejtCvGqcDmSQpn3gm3qEg+hgrx/CZTOLk6slGmSp3ZRCI70kMlhAin7htuST + bvHu65sovs2k3p8l/mTl2TmQ79r+vngbkSctlZScypFMotgEqaX7ptZGGpuHrDE= + =4ayC + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-01-20T20:09:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf/ecN4WKkf7C+CO5siLc0FmrpcRo79WHf9kxOv5xo1hWFb + gtBLHMPaCtxOliKTszEGQzl43Z6O0j/04a49eqRe5aCF7GgFnji/H/75+Hv2HTMz + 8MyIuSchQOq1xLjzo27sxKlcUPgp2bCuVFlxzWrWZYGPYfNOTDDFQvirl+r1G3Dg + 8zcuigkFeH8pH9f5Kk/94Uwd/wmFHGt4DW2s8BHgp/l5iR5mpXh17qtyPdKRN9aL + SSC2uGP7TAhgS8uIbDslaxm9xK35CP7+FPQWutnds+5ZM6Bc0nEjwqRfOT9vpIhJ + ua118bogSFlDHM02nnMng0BmJZ8x5jq1VrcvM5xvLNJeAXCEg6N6v9iw3GrYE+XK + hq3D6aPJDiSPVtM/zw6gfUQayEZspBzKC9DgDXQiARwPGkZ67I3NF2MnMqaSqHOH + aswNxCHFkaTt5IQ+uaOODfFAgOjRdrNttBMCxjjfWw== + =fVK/ + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 
3.8.1 diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix index 9d8c1d6b..38db9830 100644 --- a/systems/hakurei/nixos.nix +++ b/systems/hakurei/nixos.nix @@ -10,9 +10,27 @@ nixos.base nixos.reisen-ct nixos.tailscale + nixos.cloudflared nixos.nginx + nixos.access.proxmox ]; + sops.secrets.cloudflared-tunnel-hakurei = { + owner = config.services.cloudflared.user; + }; + + services.cloudflared = let + tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604"; + in { + tunnels.${tunnelId} = { + default = "http_status:404"; + credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path; + ingress = { + "prox.${config.networking.domain}".service = "http://localhost"; + }; + }; + }; + sops.defaultSopsFile = ./secrets.yaml; system.stateVersion = "23.11"; diff --git a/systems/hakurei/secrets.yaml b/systems/hakurei/secrets.yaml index aad6dfca..9d1299fd 100644 --- a/systems/hakurei/secrets.yaml +++ b/systems/hakurei/secrets.yaml @@ -1,4 +1,5 @@ tailscale-key: ENC[AES256_GCM,data:HmowloL0TsKM/XFI5GDd6Nl+9uSZcYevB6CObq1Eg5cvyhtb4pJgMA2GRxE6mJQXva5cet56Udlj,iv:4gSDgWIAAZLokvJzEW+JF0xoNzHr4zW1Zc9qJdpgcc0=,tag:hWMRNc6Odfi19HnjwQSGgQ==,type:str] +cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str] sops: shamir_threshold: 1 kms: [] 
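Review bot: Requests arriving through the cloudflared tunnel reach nginx from `127.0.0.1` (`service = "http://localhost"`), so every Internet client of `prox.<domain>` looks like loopback to nginx: anything keyed on `$remote_addr` — access logs, rate limits, and in particular the `allow 127.0.0.0/8` rule of the `local` module added in this commit — would treat tunnel traffic as local. The `prox.${config.networking.domain}` vhost is not marked `local`, so nothing is exposed today, but the constraint belongs in a comment on the ingress line: `# tunnel traffic arrives from 127.0.0.1 — never give this hostname a local.enable vhost`. If the real client address is wanted for logging or banning, add `set_real_ip_from 127.0.0.1; real_ip_header CF-Connecting-IP;` to that one vhost only (verify the header is actually forwarded by the tunnel in this setup). The ingress also forwards plain `http://localhost`, which relies on nginx serving `prox.<domain>` on port 80 — true for the vhost in this diff, which sets neither `forceSSL` nor `onlySSL` — and the enclosing module attrset begins and ends outside the hunk.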
@@ -15,8 +16,8 @@ sops: ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-19T18:41:54Z" - mac: ENC[AES256_GCM,data:ZBHhH10PYH6TTzezIRORy67C8n1ItvLLlhHs+n7gB09JK+IsdKh4MDWtCNdo/2lLBFEKknn46HkOqFeaGrltkb/DryzPdRKBQSV6aj2Tfk52t8RrvgcG14iFqoifZ30STFkipA4jMuSuRnlk4VQfrZMyKJj2RpcpqNn5pYLdXJM=,iv:rvzixIXKC+E1LS0yYHhIwh0Z2aQ1vgd3laMPV6GCKD0=,tag:Oc1xnIuq8C5IzZAfpoargA==,type:str] + lastmodified: "2024-01-20T00:35:43Z" + mac: ENC[AES256_GCM,data:jgsjLzPDdK1v2QpILqpirfnc0keEoIzO9QX0hMm0PK6VO6UMAF5IbQmeR25tZqNpJTRdcZlFb59mFqpazgzfS1S8+zckroefww7jG2oRvZz88DTxOA9quI/kuBhjUMG3oofrLpqu3Mjwu3ZXh7jfZ8HyzdAvqi9vjXXwi9P7zvw=,iv:7tydgr3duSPZXht00ivReS9o4CPa1uyhTRvgHatONKQ=,tag:Ojk/+eTacfWEMiKlNZwExw==,type:str] pgp: - created_at: "2024-01-19T18:57:37Z" enc: |- diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix index d900eb43..9558b9f2 100644 --- a/systems/tei/nixos.nix +++ b/systems/tei/nixos.nix @@ -14,6 +14,7 @@ nixos.nginx nixos.access.gensokyo nixos.access.zigbee2mqtt + nixos.access.home-assistant nixos.vouch nixos.kanidm nixos.mosquitto diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf index 89314174..c2af2167 100644 --- a/tf/cloudflare_records.tf +++ b/tf/cloudflare_records.tf @@ -31,6 +31,7 @@ module "tewi_system_records" { local_v6 = "fd0a::be24:11ff:fecc:6657" local_subdomains = [ "mqtt", + "z2m", "home", "postgresql", ]