refactor(access): move some services to cf tunnels

docs/network.adoc

@@ -11,6 +11,7 @@ include::{inc}attrs.adoc[]
 == Reserved IPv4 Addresses
 
 router:: `10.1.1.1`
+u7-pro:: `10.1.1.3`
 gensokyo:: `10.1.1.4`
 eientei:: `10.1.1.5`
 
@@ -18,8 +19,6 @@ shanghai:: `10.1.1.32`
 
 hourai:: `10.1.1.36`
 
-tewi:: `10.1.1.38`
-
 tei:: `10.1.1.39`
 reisen:: `10.1.1.40`
 hakurei:: `10.1.1.41`

nixos/access/freepbx.nix

@@ -0,0 +1,71 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.lists) head;
+  inherit (lib.strings) splitString;
+  inherit (config.services) nginx tailscale;
+  access = nginx.access.freepbx;
+  freepbx = config.lib.access.systemFor "freepbx";
+in {
+  options.services.nginx.access.freepbx = with lib.types; {
+    url = mkOption {
+      type = str;
+      default = "http://${freepbx.access.hostnameForNetwork.local}";
+    };
+    domain = mkOption {
+      type = str;
+      default = "pbx.${config.networking.domain}";
+    };
+    localDomain = mkOption {
+      type = str;
+      default = "pbx.local.${config.networking.domain}";
+    };
+    tailDomain = mkOption {
+      type = str;
+      default = "pbx.tail.${config.networking.domain}";
+    };
+    useACMEHost = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+  };
+  config.services.nginx = {
+    virtualHosts = let
+      proxyScheme = head (splitString ":" access.url);
+      extraConfig = ''
+        proxy_buffering off;
+
+        set $pbx_scheme $scheme;
+        if ($http_x_forwarded_proto) {
+          set $pbx_scheme $http_x_forwarded_proto;
+        }
+        proxy_redirect ${proxyScheme}://$host/ $pbx_scheme://$host/;
+      '';
+      locations = {
+        "/" = {
+          proxyPass = access.url;
+        };
+      };
+    in {
+      ${access.domain} = {
+        vouch.enable = mkDefault true;
+        addSSL = mkDefault (access.useACMEHost != null);
+        kTLS = mkDefault true;
+        useACMEHost = mkDefault access.useACMEHost;
+        inherit locations extraConfig;
+      };
+      ${access.localDomain} = {
+        serverAliases = mkIf tailscale.enable [ access.tailDomain ];
+        useACMEHost = mkDefault access.useACMEHost;
+        addSSL = mkDefault (access.useACMEHost != null);
+        kTLS = mkDefault true;
+        local.enable = true;
+        inherit locations extraConfig;
+      };
+    };
+  };
+}

nixos/access/unifi.nix

@@ -71,9 +71,11 @@ in {
         useACMEHost = mkDefault access.useACMEHost;
         inherit locations extraConfig;
       };
-      ${access.domain} = mkIf (access.global.enable || access.useACMEHost != null) {
+      ${access.domain} = {
         vouch.enable = mkDefault true;
-        forceSSL = mkDefault true;
+        local.enable = mkDefault (!access.global.enable);
+        forceSSL = mkDefault access.global.enable;
+        addSSL = mkDefault (!access.global.enable && access.useACMEHost != null);
         kTLS = mkDefault true;
         useACMEHost = mkDefault access.useACMEHost;
         inherit locations extraConfig;

systems/freepbx/default.nix

@@ -0,0 +1,3 @@
+_: {
+  type = null;
+}

systems/hakurei/nixos.nix

@@ -10,6 +10,7 @@
   tei = access.nixosFor "tei";
   inherit (mediabox.services) plex;
   inherit (tei.services) kanidm vouch-proxy;
+  inherit (config.services) nginx tailscale;
 in {
   imports = let
     inherit (meta) nixos;
@@ -31,6 +32,7 @@ in {
     nixos.access.vouch
     nixos.access.kanidm
     nixos.access.freeipa
+    nixos.access.freepbx
     nixos.access.unifi
     nixos.access.kitchencam
     nixos.access.proxmox
@@ -52,13 +54,13 @@ in {
       credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
       ingress = {
         "prox.${config.networking.domain}".service = "http://localhost";
+        ${nginx.access.freepbx.domain} = "http://localhost";
         ${config.networking.domain}.service = "http://localhost";
       };
     };
   };
 
   security.acme.certs = let
-    inherit (config.services) nginx tailscale;
     inherit (nginx) access;
   in {
     ${access.vouch.localDomain} = {
@@ -108,6 +110,17 @@ in {
         ])
       ];
     };
+    ${access.freepbx.domain} = {
+      inherit (nginx) group;
+      extraDomainNames = mkMerge [
+        [
+          access.freepbx.localDomain
+        ]
+        (mkIf tailscale.enable [
+          access.freepbx.tailDomain
+        ])
+      ];
+    };
     ${access.proxmox.domain} = {
       inherit (nginx) group;
       extraDomainNames = mkMerge [
@@ -146,7 +159,7 @@ in {
   };
 
   services.nginx = let
-    inherit (config.services.nginx) access;
+    inherit (nginx) access;
   in {
     access.plex = assert plex.enable; {
       url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString plex.port}";
@@ -168,6 +181,9 @@ in {
     access.freeipa = {
       host = "idp.local.${config.networking.domain}";
     };
+    access.freepbx = {
+      useACMEHost = access.freepbx.domain;
+    };
     access.kitchencam = {
       streamPort = 41081;
       useACMEHost = access.kitchencam.domain;
@@ -183,6 +199,9 @@ in {
         forceSSL = true;
         useACMEHost = access.freeipa.domain;
       };
+      ${access.freepbx.domain} = {
+        local.enable = true;
+      };
       ${access.proxmox.domain} = {
         useACMEHost = access.proxmox.domain;
       };

systems/tei/cloudflared.nix

@@ -73,6 +73,10 @@ in {
             host = config.services.zigbee2mqtt.domain;
             inherit hostName;
           })
+          (ingressForNginx {
+            host = config.services.nginx.access.unifi.domain;
+            inherit hostName;
+          })
           (ingressForHass {inherit hostName;})
           (ingressForVouch {inherit hostName;})
           (ingressForKanidm {inherit hostName;})

systems/tei/nixos.nix

@@ -18,6 +18,7 @@ in {
     nixos.nginx
     nixos.access.zigbee2mqtt
     nixos.access.home-assistant
+    nixos.access.unifi
     nixos.vouch
     nixos.kanidm
     nixos.unifi

tf/cloudflare_records.tf

@@ -22,6 +22,7 @@ module "hakurei_system_records" {
     "ldap",
     "freeipa",
     "unifi",
+    "pbx",
     "smb",
     "kitchen",
     "yt",
@@ -30,7 +31,6 @@ module "hakurei_system_records" {
     "plex",
     "idp",
     "ldap",
-    "unifi",
     "smb",
     "kitchen",
     "yt",
@@ -118,6 +118,14 @@ module "kubernetes_system_records" {
   local_v6  = "fd0a::be24:11ff:fe49:fedc"
 }
 
+module "freepbx_system_records" {
+  source    = "./system/records"
+  name      = "freepbx"
+  zone_id   = cloudflare_zone.gensokyo-zone_zone.id
+  zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
+  local_v6  = "fd0a::be24:11ff:fe33:1904"
+}
+
 module "kitchencam_system_records" {
   source    = "./system/records"
   name      = "kitchencam"

tf/cloudflare_tunnels.tf

@@ -12,6 +12,7 @@ module "hakurei" {
   subdomains = [
     "@",
     "prox",
+    "pbx",
   ]
 }
 
@@ -44,6 +45,7 @@ module "tewi" {
     "id",
     "login",
     "z2m",
+    "unifi",
   ]
 }
 

tf/proxmox_vms.tf

@@ -367,6 +367,7 @@ EOT
 
   network_device {
     bridge = "vmbr0"
+    mac_address = "BC:24:11:3D:39:91"
   }
 
   operating_system {
@@ -492,6 +493,7 @@ EOT
 
   network_device {
     bridge = "vmbr0"
+    mac_address = "BC:24:11:33:19:04"
   }
 
   operating_system {