From 9c6bbe8b8284efed007f792de644f6aa491ddf21 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Fri, 1 Mar 2024 12:14:25 -0800
Subject: [PATCH] refactor(access): move some services to cf tunnels
---
 docs/network.adoc | 3 +-
 nixos/access/freepbx.nix | 71 +++++++++++++++++++++++++++++++++++++
 nixos/access/unifi.nix | 6 ++--
 systems/freepbx/default.nix | 3 ++
 systems/hakurei/nixos.nix | 23 ++++++++++--
 systems/tei/cloudflared.nix | 4 +++
 systems/tei/nixos.nix | 1 +
 tf/cloudflare_records.tf | 10 +++++-
 tf/cloudflare_tunnels.tf | 2 ++
 tf/proxmox_vms.tf | 2 ++
 10 files changed, 118 insertions(+), 7 deletions(-)
 create mode 100644 nixos/access/freepbx.nix
 create mode 100644 systems/freepbx/default.nix
diff --git a/docs/network.adoc b/docs/network.adoc
index 60abd7de..bb52010f 100644
--- a/docs/network.adoc
+++ b/docs/network.adoc
@@ -11,6 +11,7 @@ include::{inc}attrs.adoc[]
 == Reserved IPv4 Addresses
 router:: `10.1.1.1`
+u7-pro:: `10.1.1.3`
 gensokyo:: `10.1.1.4`
 eientei:: `10.1.1.5`
@@ -18,8 +19,6 @@ shanghai:: `10.1.1.32`
 hourai:: `10.1.1.36`
-tewi:: `10.1.1.38`
-
 tei:: `10.1.1.39`
 reisen:: `10.1.1.40`
 hakurei:: `10.1.1.41`
diff --git a/nixos/access/freepbx.nix b/nixos/access/freepbx.nix
new file mode 100644
index 00000000..7bb72d9a
--- /dev/null
+++ b/nixos/access/freepbx.nix
@@ -0,0 +1,71 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf mkMerge mkDefault;
+ inherit (lib.lists) head;
+ inherit (lib.strings) splitString;
+ inherit (config.services) nginx tailscale;
+ access = nginx.access.freepbx;
+ freepbx = config.lib.access.systemFor "freepbx";
+in {
+ options.services.nginx.access.freepbx = with lib.types; {
+ url = mkOption {
+ type = str;
+ default = "http://${freepbx.access.hostnameForNetwork.local}";
+ };
+ domain = mkOption {
+ type = str;
+ default = "pbx.${config.networking.domain}";
+ };
+ localDomain = mkOption {
+ type = str;
+ default = "pbx.local.${config.networking.domain}";
+ };
+ tailDomain = mkOption {
+ type = str;
+ default = "pbx.tail.${config.networking.domain}";
+ };
+ useACMEHost = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ };
+ config.services.nginx = {
+ virtualHosts = let
+ proxyScheme = head (splitString ":" access.url);
+ extraConfig = ''
+ proxy_buffering off;
+
+ set $pbx_scheme $scheme;
+ if ($http_x_forwarded_proto) {
+ set $pbx_scheme $http_x_forwarded_proto;
+ }
+ proxy_redirect ${proxyScheme}://$host/ $pbx_scheme://$host/;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = access.url;
+ };
+ };
+ in {
+ ${access.domain} = {
+ vouch.enable = mkDefault true;
+ addSSL = mkDefault (access.useACMEHost != null);
+ kTLS = mkDefault true;
+ useACMEHost = mkDefault access.useACMEHost;
+ inherit locations extraConfig;
+ };
+ ${access.localDomain} = {
+ serverAliases = mkIf tailscale.enable [ access.tailDomain ];
+ useACMEHost = mkDefault access.useACMEHost;
+ addSSL = mkDefault (access.useACMEHost != null);
+ kTLS = mkDefault true;
+ local.enable = true;
+ inherit locations extraConfig;
+ };
+ };
+ };
+}
diff --git a/nixos/access/unifi.nix b/nixos/access/unifi.nix
index 8910f7cf..04db617e 100644
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
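Review bot: The `if ($http_x_forwarded_proto)` block in extraConfig copies whatever value the client sends into `$pbx_scheme`, and `proxy_redirect` then writes it verbatim into rewritten Location headers; on the `${access.localDomain}` vhost, which looks like it is served directly rather than through the tunnel, that header is plain client input. Only one value is ever wanted, so restrict the override to it: `if ($http_x_forwarded_proto = https) {`. A comment above the block saying why the override exists (presumably the tunnel terminates TLS and reaches nginx over http, as the hakurei ingress `"http://localhost"` in this commit suggests, so `$scheme` alone would downgrade redirects) would spare the next reader a trip to the other file. The five `mkOption`s also carry no `description`; a one-liner each, e.g. `description = "Public hostname of the FreePBX reverse proxy";`, would document the contract.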
@@ -71,9 +71,11 @@ in {
 useACMEHost = mkDefault access.useACMEHost;
 inherit locations extraConfig;
 };
- ${access.domain} = mkIf (access.global.enable || access.useACMEHost != null) {
+ ${access.domain} = {
 vouch.enable = mkDefault true;
- forceSSL = mkDefault true;
+ local.enable = mkDefault (!access.global.enable);
+ forceSSL = mkDefault access.global.enable;
+ addSSL = mkDefault (!access.global.enable && access.useACMEHost != null);
 kTLS = mkDefault true;
 useACMEHost = mkDefault access.useACMEHost;
 inherit locations extraConfig;
diff --git a/systems/freepbx/default.nix b/systems/freepbx/default.nix
new file mode 100644
index 00000000..60e5f5c2
--- /dev/null
+++ b/systems/freepbx/default.nix
@@ -0,0 +1,3 @@
+_: {
+ type = null;
+}
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 4c701aa5..1001bd6e 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -10,6 +10,7 @@ tei = access.nixosFor "tei";
 inherit (mediabox.services) plex;
 inherit (tei.services) kanidm vouch-proxy;
+ inherit (config.services) nginx tailscale;
 in {
 imports = let
 inherit (meta) nixos;
@@ -31,6 +32,7 @@ in {
 nixos.access.vouch
 nixos.access.kanidm
 nixos.access.freeipa
+ nixos.access.freepbx
 nixos.access.unifi
 nixos.access.kitchencam
 nixos.access.proxmox
@@ -52,13 +54,13 @@ in {
 credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
 ingress = {
 "prox.${config.networking.domain}".service = "http://localhost";
+ ${nginx.access.freepbx.domain} = "http://localhost";
 ${config.networking.domain}.service = "http://localhost";
 };
 };
 };
 security.acme.certs = let
- inherit (config.services) nginx tailscale;
 inherit (nginx) access;
 in {
 ${access.vouch.localDomain} = {
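Review bot: With the `mkIf` removed, `${access.domain}` is now always defined, and when `access.global.enable` is false and `access.useACMEHost` is null neither `forceSSL` nor `addSSL` is set, so the vouch-fronted UniFi vhost listens on plain HTTP only; before this change that combination produced no vhost at all. That is presumably intended for the tunnel case, where cloudflared reaches nginx on localhost, but a host that imports `nixos.access.unifi` without a tunnel or a certificate now silently gets an unencrypted SSO-gated endpoint. A comment above the binding, e.g. `# plain http is only expected on the local-only listener fed by cloudflared`, would make the intent explicit. What `local.enable` actually restricts is defined outside this hunk, so whether it bounds the exposure cannot be confirmed here.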
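Review bot: The new ingress entry `${nginx.access.freepbx.domain} = "http://localhost";` assigns a bare string while both neighbouring entries use the `.service` attribute form, and mixing the two shapes in one attrset reads like a typo. Prefer `${nginx.access.freepbx.domain}.service = "http://localhost";` to match them. Whether the cloudflared ingress option type accepts a bare string is decided outside this hunk, so if it does this is a style point only.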
@@ -108,6 +110,17 @@ in {
 ])
 ];
 };
+ ${access.freepbx.domain} = {
+ inherit (nginx) group;
+ extraDomainNames = mkMerge [
+ [
+ access.freepbx.localDomain
+ ]
+ (mkIf tailscale.enable [
+ access.freepbx.tailDomain
+ ])
+ ];
+ };
 ${access.proxmox.domain} = {
 inherit (nginx) group;
 extraDomainNames = mkMerge [
@@ -146,7 +159,7 @@ in {
 };
 services.nginx = let
- inherit (config.services.nginx) access;
+ inherit (nginx) access;
 in {
 access.plex = assert plex.enable; {
 url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString plex.port}";
@@ -168,6 +181,9 @@ in {
 access.freeipa = {
 host = "idp.local.${config.networking.domain}";
 };
+ access.freepbx = {
+ useACMEHost = access.freepbx.domain;
+ };
 access.kitchencam = {
 streamPort = 41081;
 useACMEHost = access.kitchencam.domain;
@@ -183,6 +199,9 @@ in {
 forceSSL = true;
 useACMEHost = access.freeipa.domain;
 };
+ ${access.freepbx.domain} = {
+ local.enable = true;
+ };
 ${access.proxmox.domain} = {
 useACMEHost = access.proxmox.domain;
 };
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index 8d32673e..4549fd52 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@@ -73,6 +73,10 @@ in {
 host = config.services.zigbee2mqtt.domain;
 inherit hostName;
 })
+ (ingressForNginx {
+ host = config.services.nginx.access.unifi.domain;
+ inherit hostName;
+ })
 (ingressForHass {inherit hostName;})
 (ingressForVouch {inherit hostName;})
 (ingressForKanidm {inherit hostName;})
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index c914f42b..7984e3f8 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@@ -18,6 +18,7 @@ in {
 nixos.nginx
 nixos.access.zigbee2mqtt
 nixos.access.home-assistant
+ nixos.access.unifi
 nixos.vouch
 nixos.kanidm
 nixos.unifi
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index b8a14e46..18c06f36 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
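Review bot: `local.enable = true` on the `${access.freepbx.domain}` vhost (the `@@ -183` hunk) applies to the same hostname that this commit's hakurei cloudflared ingress routes to `http://localhost`, so the public path works only if whatever `local.enable` admits includes loopback; if it is an allow-list of LAN ranges the tunnel requests will be rejected, and if loopback is admitted then the module's `vouch.enable` default is the only gate on that route. The definition of `local.enable` is outside this hunk, so which of the two holds cannot be confirmed here. A comment on the binding would record the assumption, e.g. `# NOTE: tunnel traffic arrives on loopback — confirm local.enable admits it and vouch still applies`.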
@@ -22,6 +22,7 @@ module "hakurei_system_records" {
 "ldap",
 "freeipa",
 "unifi",
+ "pbx",
 "smb",
 "kitchen",
 "yt",
@@ -30,7 +31,6 @@ module "hakurei_system_records" {
 "plex",
 "idp",
 "ldap",
- "unifi",
 "smb",
 "kitchen",
 "yt",
@@ -118,6 +118,14 @@ module "kubernetes_system_records" {
 local_v6 = "fd0a::be24:11ff:fe49:fedc"
 }
+module "freepbx_system_records" {
+ source = "./system/records"
+ name = "freepbx"
+ zone_id = cloudflare_zone.gensokyo-zone_zone.id
+ zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
+ local_v6 = "fd0a::be24:11ff:fe33:1904"
+}
+
 module "kitchencam_system_records" {
 source = "./system/records"
 name = "kitchencam"
diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf
index b4066859..8672f2d5 100644
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@@ -12,6 +12,7 @@ module "hakurei" {
 subdomains = [
 "@",
 "prox",
+ "pbx",
 ]
 }
@@ -44,6 +45,7 @@ module "tewi" {
 "id",
 "login",
 "z2m",
+ "unifi",
 ]
 }
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
index ddc8f901..dcfcc507 100644
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@@ -367,6 +367,7 @@ EOT
 network_device {
 bridge = "vmbr0"
+ mac_address = "BC:24:11:3D:39:91"
 }
 operating_system {
@@ -492,6 +493,7 @@ EOT
 network_device {
 bridge = "vmbr0"
+ mac_address = "BC:24:11:33:19:04"
 }
 operating_system {
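Review bot: The `unifi` subdomain is added to `module "tewi"` in tf/cloudflare_tunnels.tf, while the cloudflared ingress that will answer for it is configured in systems/tei/cloudflared.nix and the docs hunk in this same commit drops `tewi` from the reserved-address table; if the tunnel module name is a holdover from the old host, the mismatch will keep misleading readers. A comment on the module, e.g. `# tunnel is run by systems/tei/cloudflared.nix`, or renaming it in a follow-up, would tie the two files together. Whether the tunnel credentials on tei really belong to the "tewi" tunnel is not visible in this diff.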