refactor: cloudflared

arcnmx 2024-01-13 13:49:42 -08:00
parent d87b210c46
commit 859d60cd81
3 changed files with 61 additions and 21 deletions


@ -4,6 +4,7 @@
inherit (lib.modules) mkIf mkMerge mkForce; inherit (lib.modules) mkIf mkMerge mkForce;
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
cfg = config.services.cloudflared; cfg = config.services.cloudflared;
settingsFormat = pkgs.formats.json { };
in { in {
options.services.cloudflared = with lib.types; { options.services.cloudflared = with lib.types; {
tunnels = let tunnels = let
@ -14,7 +15,7 @@ in {
default = config.extraTunnel.ingress != { }; default = config.extraTunnel.ingress != { };
}; };
ingress = mkOption { ingress = mkOption {
type = attrs; inherit (settingsFormat) type;
default = { }; default = { };
}; };
}; };
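Review bot: Switching the `ingress` option from `attrs` to `settingsFormat.type` (second hunk) changes the contract, not just the declared type: values are now checked as JSON data, and definitions from several modules are merged recursively rather than as whole attrsets, which appears to be what the `mkMerge` on `extraTunnel.ingress` elsewhere in this commit relies on. None of that is visible to a reader of the option, so a `description` would help, e.g. `description = "Per-hostname ingress rules, rendered as JSON into the tunnel configuration; definitions from several modules are merged.";`. `settingsFormat` is built from `pkgs`, which must be in the module's argument set; the module header lies above the first hunk, so that cannot be confirmed here.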


@ -1,9 +1,10 @@
{ {
lib, lib,
config, config,
options,
... ...
}: let }: let
inherit (lib) mkDefault; inherit (lib.modules) mkIf mkDefault;
in { in {
services.resolved.enable = true; services.resolved.enable = true;
services.avahi = { services.avahi = {
@ -17,4 +18,14 @@ in {
}; };
wideArea = mkDefault false; wideArea = mkDefault false;
}; };
systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) {
serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [
"+-${config.systemd.package}/bin/resolvectl mdns eth0 yes"
];
};
systemd.network.networks.eth0 = mkIf (! options ? proxmoxLXC) {
matchConfig.Name = "eth0";
linkConfig.Multicast = true;
networkConfig.MulticastDNS = true;
};
} }
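Review bot: The `+-` prefix on the new `ExecStartPre` entry for `avahi-daemon` runs `resolvectl` with full privileges outside the unit's sandbox and also tells systemd to ignore its exit status, neither of which is obvious from the bare string; a comment such as `# "+": run as root outside the unit's sandbox (presumably required by resolvectl); "-": do not fail the unit if it errors` would record the intent and make the privilege escape reviewable. The interface name `eth0` is repeated three times across the two new blocks, once inside the command string and twice in the networkd unit; hoisting it into the `let` as `iface = "eth0";` keeps the LXC and non-LXC branches in step. Both new blocks are complete within the hunk.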


@ -1,34 +1,62 @@
{ {
meta,
config, config,
lib, lib,
... ...
}: let }: let
inherit (config) services; inherit (lib.modules) mkMerge;
inherit (lib.attrsets) listToAttrs nameValuePair;
inherit (config.networking) hostName;
cfg = config.services.cloudflared;
apartment = "131222b0-9db0-4168-96f5-7d45ec51c3be"; apartment = "131222b0-9db0-4168-96f5-7d45ec51c3be";
systemFor = hostName: if hostName == config.networking.hostName
then config
else meta.network.nodes.${hostName};
accessHostFor = { hostName, access ? "local", ... }: let
host = {
local = "${hostName}.local";
tail = "${hostName}.tail.cutie.moe";
}.${access} or (throw "unsupported access ${access}");
in if hostName == config.networking.hostName then "localhost" else host;
ingressForNginx = { host ? system.networking.fqdn, port ? 80, hostName, system ? systemFor hostName }@args: nameValuePair host {
service = "http://${accessHostFor args}:${toString port}";
};
ingressForHass = { host ? system.services.home-assistant.domain, port ? system.services.home-assistant.config.http.server_port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
service = "http://${accessHostFor args}:${toString port}";
};
ingressForVouch = { host ? system.services.vouch-proxy.domain, port ? system.services.vouch-proxy.settings.vouch.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
service = "http://${accessHostFor args}:${toString port}";
};
ingressForKanidm = { host ? system.services.kanidm.server.frontend.domain, port ? system.services.kanidm.server.frontend.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
service = "https://${accessHostFor args}:${toString port}";
originRequest.noTLSVerify = true;
};
ingressForDeluge = { host, port ? system.services.deluge.web.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
service = "http://${accessHostFor args}:${toString port}";
};
in { in {
sops.secrets.cloudflared-tunnel-apartment.owner = services.cloudflared.user; sops.secrets.cloudflared-tunnel-apartment.owner = cfg.user;
sops.secrets.cloudflared-tunnel-apartment-deluge.owner = services.cloudflared.user; sops.secrets.cloudflared-tunnel-apartment-deluge.owner = cfg.user;
services.cloudflared = { services.cloudflared = {
tunnels = { tunnels = {
${apartment} = { ${apartment} = {
credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path; credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
default = "http_status:404"; default = "http_status:404";
ingress = { ingress = listToAttrs [
${config.networking.domain}.service = "http://localhost:80"; (ingressForNginx { host = config.networking.domain; inherit hostName; })
${services.home-assistant.domain}.service = "http://localhost:${toString services.home-assistant.config.http.server_port}"; (ingressForNginx { host = config.services.zigbee2mqtt.domain; inherit hostName; })
${services.zigbee2mqtt.domain}.service = "http://localhost:80"; (ingressForHass { inherit hostName; })
${services.vouch-proxy.domain}.service = "http://localhost:${toString services.vouch-proxy.settings.vouch.port}"; (ingressForVouch { inherit hostName; })
${services.kanidm.server.frontend.domain} = { (ingressForKanidm { inherit hostName; })
service = "https://127.0.0.1:${toString services.kanidm.server.frontend.port}"; ];
originRequest.noTLSVerify = true; extraTunnel.ingress = mkMerge [
}; (listToAttrs [
}; (ingressForDeluge { host = "deluge"; inherit hostName; })
extraTunnel.ingress = { ])
deluge = { {
hostname._secret = config.sops.secrets.cloudflared-tunnel-apartment-deluge.path; deluge.hostname._secret = config.sops.secrets.cloudflared-tunnel-apartment-deluge.path;
service = "http://localhost:${toString services.deluge.web.port}"; }
}; ];
};
}; };
}; };
}; };
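Review bot: `ingressForKanidm` keeps `originRequest.noTLSVerify = true` while `accessHostFor` can now return a remote origin (`<host>.local` or `<host>.tail.cutie.moe`) instead of the former `127.0.0.1`, so the helper admits an unverified TLS hop across the network to the identity provider. Every call site in this hunk passes the node's own `hostName`, so today the origin still resolves to `localhost`, but the helper no longer enforces that. Scoping the exception to the loopback case, `originRequest.noTLSVerify = hostName == config.networking.hostName;`, and giving remote origins an `originRequest.caPool` instead would keep the previous guarantee. Separately, the `ingressForNginx` pattern lacks the trailing `...` that the sibling helpers carry, so an `access = "tail"` argument that `accessHostFor` accepts would be rejected as unexpected by that one helper only.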