feat(hakurei): cloudflared

arcnmx 2024-01-20 13:54:29 -08:00
parent ddcdcb0e0e
commit 7ded53ccc1
10 changed files with 258 additions and 15 deletions


@ -0,0 +1,40 @@
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkBefore;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.strings) optionalString;
inherit (config.services) tailscale;
localModule = { config, ... }: {
options = with lib.types; {
local = {
enable = mkEnableOption "local traffic only";
};
};
config = mkIf config.local.enable {
extraConfig = let
tailscaleAllow = ''
allow fd7a:115c:a1e0::/96;
allow fd7a:115c:a1e0:ab12::/64;
allow 100.64.0.0/10;
'';
in mkBefore ''
allow 127.0.0.0/8;
allow ::1;
allow 10.1.1.0/24;
allow fd0a::/64;
allow fe80::/64;
${optionalString tailscale.enable tailscaleAllow}
deny all;
'';
};
};
in {
options = with lib.types; {
services.nginx.virtualHosts = mkOption {
type = attrsOf (submodule localModule);
};
};
}
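Review bot: `allow 127.0.0.0/8` means a vhost with `local.enable` accepts any request that arrives through a loopback reverse proxy, and this same commit adds a cloudflared ingress whose service is `http://localhost` (hakurei section), so nginx cannot distinguish a tunnel-forwarded request from a genuinely local one by `$remote_addr`. The restriction therefore holds only because the tunnel's ingress names no `*.local.*` or `*.tail.*` hostname and falls back to `http_status:404`; that invariant lives in another file, so a comment on the allow line would keep it visible: `# loopback also covers cloudflared and any other local proxy; tunnel ingress must never route a *.local.* host here`. Since nginx stops at the first matching allow/deny and `mkBefore` puts this block ahead of any per-vhost `extraConfig`, a later `allow` cannot widen the list and `deny all` remains the terminal rule, which is the right shape. `fe80::/64` is link-local and is only meaningful if nginx listens on such an address at all; worth confirming it is intended rather than copied from a template.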


@ -0,0 +1,22 @@
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault;
inherit (config.services) home-assistant tailscale;
proxyPass = "http://localhost:${toString home-assistant.config.http.server_port}/";
in {
services.nginx.virtualHosts."home.local.${config.networking.domain}" = mkIf home-assistant.enable {
local.enable = mkDefault true;
locations."/" = {
inherit proxyPass;
};
};
services.nginx.virtualHosts."home.tail.${config.networking.domain}" = mkIf (home-assistant.enable && tailscale.enable) {
local.enable = mkDefault true;
locations."/" = {
inherit proxyPass;
};
};
}
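Review bot: Both Home Assistant `locations."/"` blocks set only `proxyPass`, whereas the zigbee2mqtt and Proxmox `api2` locations in this commit add `proxy_http_version 1.1` with the `Upgrade`/`Connection` headers; Home Assistant's frontend also relies on a WebSocket, so unless `recommendedProxySettings` (not visible here) already supplies them, the same `extraConfig` should be inherited alongside `proxyPass`. With nginx in front, Home Assistant sees every request as originating from 127.0.0.1 unless `http.use_x_forwarded_for` and `http.trusted_proxies` are set in its configuration, which affects its IP-based login-ban and any trusted-network logic; the hunk reads `home-assistant.config.http.server_port`, so the config is in scope and it is worth confirming those two keys are set where the proxy is introduced. A short comment such as `# frontend uses a WebSocket; HA must trust 127.0.0.1 as a proxy for real client IPs` would record both dependencies.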

68
nixos/access/proxmox.nix Normal file

@ -0,0 +1,68 @@
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault;
inherit (lib.strings) escapeRegex;
proxyPass = "https://reisen.local.gensokyo.zone:8006/";
in {
services.nginx.virtualHosts."prox.${config.networking.domain}" = {
locations."/" = {
extraConfig = ''
set $prox_prefix ''';
include ${config.sops.secrets.access-proxmox.path};
if ($request_uri ~ "^/([^/]+).*") {
set $prox_prefix $1;
}
if ($request_uri ~ "^/(pve2/.*|pwt/.*|api2/.*|xtermjs/.*|[^/]+\.js.*)") {
rewrite /(.*) /prox/$1 last;
}
if ($http_referer ~ "^https://prox\.${escapeRegex config.networking.domain}/([^/]+)/$") {
set $prox_prefix $1;
}
if ($prox_prefix != $prox_expected) {
return 501;
}
if ($request_uri ~ "^/([^/]+)") {
rewrite /(.*) /prox/$1 last;
}
rewrite /[^/]+/(.*) /prox/$1;
rewrite /[^/]+$ /prox/;
'';
};
locations."/prox/" = {
inherit proxyPass;
extraConfig = ''
internal;
'';
};
locations."/prox/api2/" = {
proxyPass = "${proxyPass}api2/";
extraConfig = ''
internal;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
services.nginx.virtualHosts."prox.local.${config.networking.domain}" = {
local.enable = mkDefault true;
locations."/" = {
inherit proxyPass;
};
};
services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
local.enable = mkDefault true;
locations."/" = {
inherit proxyPass;
};
};
sops.secrets.access-proxmox = {
sopsFile = mkDefault ../secrets/access-proxmox.yaml;
owner = config.services.nginx.user;
group = config.services.nginx.group;
};
}
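Review bot: The `if ($prox_prefix != $prox_expected) { return 501; }` comparison is reached only by requests that fall through the earlier `if ($request_uri ~ "^/(pve2/.*|pwt/.*|api2/.*|xtermjs/.*|[^/]+\.js.*)")` block, which rewrites to the internal `/prox/` location with `last` before the prefix is checked, so the secret prefix (presumably defined as `$prox_expected` in the included sops file) gates the UI entry path but not the API or asset paths. If that is intentional — Proxmox's own authentication being the real control and the prefix only a fence against scanners — a comment above that `if` saying so would stop the next reader from assuming the API sits behind the prefix; if not, moving that block below the comparison lets browser-issued API calls pass via the Referer branch, at the cost of non-browser clients that send no Referer. Separately, `proxyPass` points at an `https://` upstream and nginx does not verify upstream certificates unless `proxy_ssl_verify on` and `proxy_ssl_trusted_certificate` are configured, so the Proxmox certificate is accepted unverified here; either enable verification where the chain is available or document the choice next to `proxyPass`. `return 501` also signals "not implemented" for what is an authorization failure; `403` or `404` states the intent more plainly.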


@ -5,9 +5,15 @@
}:
let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
cfg = config.services.zigbee2mqtt;
access = config.services.nginx.access.zigbee2mqtt;
proxyPass = mkDefault "http://${access.host}:${toString access.port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
in {
options.services.nginx.access.zigbee2mqtt = with lib.types; {
host = mkOption {
@ -16,6 +22,10 @@ in {
domain = mkOption {
type = str;
};
localDomain = mkOption {
type = str;
default = "z2m.local.${config.networking.domain}";
};
port = mkOption {
type = port;
};
@ -28,16 +38,17 @@ in {
mkOptionDefault cfg.settings.frontend.port
);
};
virtualHosts.${access.domain} = {
virtualHosts = {
${access.domain} = {
vouch.enable = true;
locations = {
"/" = {
proxyPass = mkDefault "http://${access.host}:${toString access.port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
locations."/" = {
inherit proxyPass extraConfig;
};
};
${access.localDomain} = {
local.enable = true;
locations."/" = {
inherit proxyPass extraConfig;
};
};
};
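Review bot: The new `${access.localDomain}` vhost relies solely on the `local` source-address allowlist — it has no `vouch.enable = true` like `${access.domain}` above it — so every host on the allowed ranges reaches the zigbee2mqtt frontend without the SSO step, unless zigbee2mqtt's own frontend authentication is configured (not visible here). If that is the intended trust decision, record it where the two vhosts diverge: `# LAN/tailnet only: the source-IP allowlist stands in for vouch here`. The `localDomain` option added in the second hunk, like the existing `host`, `domain` and `port` options, has no `description`; a one-liner such as `description = "Hostname served to local-only clients without vouch";` documents both the purpose and the reduced protection.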


@ -24,13 +24,19 @@
proxy_redirect off;
proxy_buffering off;
'';
proxyPass = "http://localhost:32400";
in {
"plex.${config.networking.domain}" = {
locations."/".proxyPass = "http://localhost:32400";
locations."/" = {
inherit proxyPass;
};
inherit extraConfig;
};
"plex.local.${config.networking.domain}" = {
locations."/".proxyPass = "http://localhost:32400";
local.enable = true;
locations."/" = {
inherit proxyPass;
};
inherit extraConfig;
};
};


@ -0,0 +1,75 @@
access-proxmox: ENC[AES256_GCM,data:SZVTDk5t6A4GgjrRXAdnfw7QarieTCkdHU/olt0=,iv:ByyghIA5RaTc1u4FhFJtEhZAlZfV+92AoXapNbCv6QI=,tag:NsaUeSr7pX/8AnS48Hdwvw==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSnB6REJQS3hFTWdrcjhv
aU9ZM0k4VHNiSDI4RkhHQkJ6ajVhdkxEc2l3CnRiOHNoYVBobVZRWVhIdEo0b01r
QkhYTnpXSm9XSzgybUFZR0I4cmlKdlEKLS0tIDVURnZ6TFZ2UlJ5Y1ozOVBTZ2dr
QlBlRnlDZlA5bG1KaDB5STFLdCtkWWcKgKZulfpmL021V16LLd3paqHpHcofNfps
LhZsPZuiVgQ3iMlFYQsp8Ya5s/TBkMvSyEO24H2BSFdM9vNDgZuxTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UHRjeWd3VExtVG8ybzR3
ODdIRkZ6VlVBalN5WWdLV1RhVEJRcm56VlZ3Cm5ObW9YRW1BL2ZCeFNyVklzbDdD
YnF3QVV1NFNHUHQwOFFTamVpT1c4R0kKLS0tIFNzaEx6VEtvRW5WdFRqMXJOd1VW
RWlMajR4ZXpNbktXeDRRSEJVS3MwdW8KbFr11HAGJc++u3hsja7Uz9FUhmnUW2Jw
Qs/n0kf8BCMigbJMZP1YKxJoDNKGjFzLr+NtDErnKl0OaGAUfYSLjw==
-----END AGE ENCRYPTED FILE-----
- recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZGZrR0M3SGplZWFVMVQ2
UFhtR3MvS0o2L1RyQUdvL2E0QkV2c29QRUNFCmU5dnhPQTdadmk0bHQvZXFpam0w
a3NxNGtVWkFidzZTeW1yWUpieVNDQjgKLS0tIHZUR2pLc05hdXdEUG5FbU43Wkps
aVJTU2MwNlV4VGZCZmljZ2J5V3p4dkEKtX6n603K8v2kyt+TNGSKX3TPRXvl497D
Mp2YvTLttv4tW/kJq1A0esXre+H/SMlrHGR/fBWbd2BhjbrmpggQSA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-20T20:11:12Z"
mac: ENC[AES256_GCM,data:1zZn01VFBs9lgPI4B8qtaoQvO4+fBLMs4pkmiNFwk/gzNsD4Dw5y+RfuAP+7OoPlkvDliw+Zct9jAgscVGmSqa2OMHSbgBnn50j06JmKbfDedxhZrQdb7O+yykuq6/RxN2E/LZ40saQaiS6GguvRhDqVNUqn+HGpa7Tbrb8LmhQ=,iv:P67WoQLtGhKuVhCgdkDUxx41bfSNitXdxroSOQqLGQc=,tag:m57oJnz4diogQ0EXktKt0w==,type:str]
pgp:
- created_at: "2024-01-20T20:09:09Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=4ayC
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-01-20T20:09:09Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQf/ecN4WKkf7C+CO5siLc0FmrpcRo79WHf9kxOv5xo1hWFb
gtBLHMPaCtxOliKTszEGQzl43Z6O0j/04a49eqRe5aCF7GgFnji/H/75+Hv2HTMz
8MyIuSchQOq1xLjzo27sxKlcUPgp2bCuVFlxzWrWZYGPYfNOTDDFQvirl+r1G3Dg
8zcuigkFeH8pH9f5Kk/94Uwd/wmFHGt4DW2s8BHgp/l5iR5mpXh17qtyPdKRN9aL
SSC2uGP7TAhgS8uIbDslaxm9xK35CP7+FPQWutnds+5ZM6Bc0nEjwqRfOT9vpIhJ
ua118bogSFlDHM02nnMng0BmJZ8x5jq1VrcvM5xvLNJeAXCEg6N6v9iw3GrYE+XK
hq3D6aPJDiSPVtM/zw6gfUQayEZspBzKC9DgDXQiARwPGkZ67I3NF2MnMqaSqHOH
aswNxCHFkaTt5IQ+uaOODfFAgOjRdrNttBMCxjjfWw==
=fVK/
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -10,9 +10,27 @@
nixos.base
nixos.reisen-ct
nixos.tailscale
nixos.cloudflared
nixos.nginx
nixos.access.proxmox
];
sops.secrets.cloudflared-tunnel-hakurei = {
owner = config.services.cloudflared.user;
};
services.cloudflared = let
tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
ingress = {
"prox.${config.networking.domain}".service = "http://localhost";
};
};
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
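Review bot: With the ingress service set to `http://localhost`, every tunnel request reaches nginx from 127.0.0.1, so anything there that keys on `$remote_addr` — access logs, rate limits, and the `allow 127.0.0.0/8` entry of the `local` vhost module added in this commit — sees the tunnel rather than the visitor; the visitor address is only present in the headers Cloudflare adds (`CF-Connecting-IP`, `X-Forwarded-For`). The explicit single-hostname `ingress` together with `default = "http_status:404"` is what keeps the `*.local.*` and `*.tail.*` vhosts unreachable through the tunnel, so that rule deserves a comment stating the invariant, e.g. `# never add a *.local.* or *.tail.* host here: nginx treats loopback as local`. If real client addresses are wanted in nginx logs, use the realip module with `set_real_ip_from 127.0.0.1` and `real_ip_header CF-Connecting-IP` — but note that doing so also changes what `allow`/`deny` evaluate, so confirm it does not turn the `local` allowlist into a header-driven check. The hunk's enclosing module continues outside the visible lines.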


@ -1,4 +1,5 @@
tailscale-key: ENC[AES256_GCM,data:HmowloL0TsKM/XFI5GDd6Nl+9uSZcYevB6CObq1Eg5cvyhtb4pJgMA2GRxE6mJQXva5cet56Udlj,iv:4gSDgWIAAZLokvJzEW+JF0xoNzHr4zW1Zc9qJdpgcc0=,tag:hWMRNc6Odfi19HnjwQSGgQ==,type:str]
cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -15,8 +16,8 @@ sops:
ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L
kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-19T18:41:54Z"
mac: ENC[AES256_GCM,data:ZBHhH10PYH6TTzezIRORy67C8n1ItvLLlhHs+n7gB09JK+IsdKh4MDWtCNdo/2lLBFEKknn46HkOqFeaGrltkb/DryzPdRKBQSV6aj2Tfk52t8RrvgcG14iFqoifZ30STFkipA4jMuSuRnlk4VQfrZMyKJj2RpcpqNn5pYLdXJM=,iv:rvzixIXKC+E1LS0yYHhIwh0Z2aQ1vgd3laMPV6GCKD0=,tag:Oc1xnIuq8C5IzZAfpoargA==,type:str]
lastmodified: "2024-01-20T00:35:43Z"
mac: ENC[AES256_GCM,data:jgsjLzPDdK1v2QpILqpirfnc0keEoIzO9QX0hMm0PK6VO6UMAF5IbQmeR25tZqNpJTRdcZlFb59mFqpazgzfS1S8+zckroefww7jG2oRvZz88DTxOA9quI/kuBhjUMG3oofrLpqu3Mjwu3ZXh7jfZ8HyzdAvqi9vjXXwi9P7zvw=,iv:7tydgr3duSPZXht00ivReS9o4CPa1uyhTRvgHatONKQ=,tag:Ojk/+eTacfWEMiKlNZwExw==,type:str]
pgp:
- created_at: "2024-01-19T18:57:37Z"
enc: |-


@ -14,6 +14,7 @@
nixos.nginx
nixos.access.gensokyo
nixos.access.zigbee2mqtt
nixos.access.home-assistant
nixos.vouch
nixos.kanidm
nixos.mosquitto


@ -31,6 +31,7 @@ module "tewi_system_records" {
local_v6 = "fd0a::be24:11ff:fecc:6657"
local_subdomains = [
"mqtt",
"z2m",
"home",
"postgresql",
]