From c388c862ca76edc22d3449dbff52e78caeaeede5 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Fri, 1 Mar 2024 14:47:47 -0800
Subject: [PATCH] fix(freepbx): ucp access

---
 docs/network.adoc | 2 +
 nixos/access/freepbx.nix | 91 +++++++++++++++++++++++++++++++++++++--
 systems/hakurei/nixos.nix | 1 -
 tf/cloudflare_records.tf | 1 +
 tf/cloudflare_tunnels.tf | 1 -
 5 files changed, 90 insertions(+), 6 deletions(-)

diff --git a/docs/network.adoc b/docs/network.adoc
index bb52010f..9715c774 100644
--- a/docs/network.adoc
+++ b/docs/network.adoc
@@ -23,6 +23,7 @@ tei:: `10.1.1.39`
 reisen:: `10.1.1.40`
 hakurei:: `10.1.1.41`
 kuwubernetes:: `10.1.1.42`
+freepbx:: `10.1.1.43`
 mediabox:: `10.1.1.44`
 reimu:: `10.1.1.45`
 idp:: `10.1.1.46`
@@ -55,3 +56,4 @@ hakurei::
 * ^TCP:^[.value]##41324##
 * ^UDP:^[.value]##41641##
 * ^UDP:^[.value]##5353##
+* ^TCP:^[.value]##8001##, ^TCP:^[.value]##8003##
diff --git a/nixos/access/freepbx.nix b/nixos/access/freepbx.nix
index 7bb72d9a..aaccd059 100644
--- a/nixos/access/freepbx.nix
+++ b/nixos/access/freepbx.nix
@@ -3,18 +3,41 @@
 lib,
 ...
 }: let
- inherit (lib.options) mkOption;
+ inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkDefault;
- inherit (lib.lists) head;
+ inherit (lib.lists) head optional concatMap;
 inherit (lib.strings) splitString;
 inherit (config.services) nginx tailscale;
 access = nginx.access.freepbx;
 freepbx = config.lib.access.systemFor "freepbx";
 in {
 options.services.nginx.access.freepbx = with lib.types; {
+ global.enable = mkEnableOption "global access" // {
+ default = access.useACMEHost != null;
+ };
+ host = mkOption {
+ type = str;
+ default = freepbx.access.hostnameForNetwork.local;
+ };
 url = mkOption {
 type = str;
- default = "http://${freepbx.access.hostnameForNetwork.local}";
+ default = "https://${access.host}";
+ };
+ asteriskPort = mkOption {
+ type = port;
+ default = 8088;
+ };
+ ucpPort = mkOption {
+ type = port;
+ default = 8001;
+ };
+ ucpSslPort = mkOption {
+ type = port;
+ default = 8003;
+ };
+ ucpUrl = mkOption {
+ type = str;
+ default = "https://${access.host}:${toString access.ucpSslPort}";
 };
 domain = mkOption {
 type = str;
@@ -37,7 +60,9 @@ in {
 virtualHosts = let
 proxyScheme = head (splitString ":" access.url);
 extraConfig = ''
- proxy_buffering off;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
 set $pbx_scheme $scheme;
 if ($http_x_forwarded_proto) {
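Review bot: The description `mkEnableOption "global access"` says nothing about what the option actually opens, yet its default `access.useACMEHost != null` means that merely configuring a certificate turns `local.enable` off on the vhosts and, in the firewall block added further down this file, puts `ucpPort`/`ucpSslPort` into `allowedTCPPorts` on every interface. State the consequence in the option itself, e.g. `global.enable = mkEnableOption "exposing the FreePBX vhosts and UCP websocket ports (ucpPort/ucpSslPort) beyond the local interface; defaults on whenever useACMEHost is set" // {`. The new `url` and `ucpUrl` defaults also point nginx at https upstreams; nginx does not verify an upstream certificate unless `proxy_ssl_verify on` and a trust store are configured, so unless that is done elsewhere in this module the scheme change encrypts but does not authenticate the backend hop — worth a one-line note on `url` if the LAN-only trust model is deliberate. `asteriskPort` (8088) is declared but not referenced anywhere in this patch; if nothing outside it consumes the option, either use it or document what it is for. The `options.services.nginx.access.freepbx` set continues past the end of the hunk.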
@@ -49,16 +74,68 @@ in {
 "/" = {
 proxyPass = access.url;
 };
+ "/socket.io" = {
+ proxy.websocket.enable = true;
+ proxyPass = "${access.ucpUrl}/socket.io";
+ extraConfig = ''
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $pbx_scheme://$host;
+ '';
+ };
 };
 in {
 ${access.domain} = {
 vouch.enable = mkDefault true;
+ local.enable = mkDefault (!access.global.enable);
 addSSL = mkDefault (access.useACMEHost != null);
 kTLS = mkDefault true;
 useACMEHost = mkDefault access.useACMEHost;
 inherit locations extraConfig;
 };
+ "${access.domain}@ucp" = {
+ serverName = access.domain;
+ listen = concatMap (addr: [
+ {
+ inherit addr;
+ port = access.ucpPort;
+ }
+ (mkIf (access.useACMEHost != null) {
+ inherit addr;
+ port = access.ucpSslPort;
+ ssl = true;
+ })
+ ]) nginx.defaultListenAddresses;
+ proxy.websocket.enable = true;
+ local.enable = mkDefault (!access.global.enable);
+ addSSL = mkDefault (access.useACMEHost != null);
+ kTLS = mkDefault true;
+ useACMEHost = mkDefault access.useACMEHost;
+ locations = {
+ inherit (locations) "/socket.io";
+ };
+ inherit extraConfig;
+ };
 ${access.localDomain} = {
+ listen = concatMap (addr: [
+ {
+ inherit addr;
+ port = 80;
+ }
+ {
+ inherit addr;
+ port = access.ucpPort;
+ }
+ (mkIf (access.useACMEHost != null) {
+ inherit addr;
+ port = 443;
+ ssl = true;
+ })
+ (mkIf (access.useACMEHost != null) {
+ inherit addr;
+ port = access.ucpSslPort;
+ ssl = true;
+ })
+ ]) nginx.defaultListenAddresses;
 serverAliases = mkIf tailscale.enable [ access.tailDomain ];
 useACMEHost = mkDefault access.useACMEHost;
 addSSL = mkDefault (access.useACMEHost != null);
@@ -68,4 +145,10 @@ in {
 };
 };
 };
+ config.networking.firewall = let
+ websocketPorts = [ access.ucpPort ] ++ optional (access.useACMEHost != null) access.ucpSslPort;
+ in {
+ interfaces.local.allowedTCPPorts = websocketPorts;
+ allowedTCPPorts = mkIf access.global.enable websocketPorts;
+ };
 }
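Review bot: The new `"${access.domain}@ucp"` vhost sets no `vouch.enable`, unlike the `${access.domain}` vhost directly above it which has `vouch.enable = mkDefault true;`, so the `/socket.io` upstream on `ucpPort`/`ucpSslPort` is served without the SSO front door, and because `global.enable` defaults on whenever a certificate is configured its `local.enable` is false in that case too. If the UCP websocket is meant to authenticate itself, record that where the vhost is defined, `# no vouch here: the UCP client authenticates its own websocket session — TODO confirm`; otherwise add `vouch.enable = mkDefault true;` next to `local.enable`. The plaintext listen entry on `access.ucpPort` is also unconditional, so with a certificate available the websocket (and whatever session token it carries) is still accepted in clear on 8001 alongside the TLS port; wrapping that entry in `(mkIf (access.useACMEHost == null) { inherit addr; port = access.ucpPort; })` would offer only the TLS listener once one exists. The semantics of the custom `local.enable` option are not visible in this hunk, so the exposure reasoning above assumes it gates the vhost to the local interface — confirm against its definition.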
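Review bot: `allowedTCPPorts = mkIf access.global.enable websocketPorts;` opens the plaintext `ucpPort` on every interface whenever `global.enable` is on, and since that option defaults to `useACMEHost != null`, configuring a certificate is what publishes 8001 beyond the LAN. Restrict the all-interfaces rule to the TLS port and leave the plaintext one on the local interface: `allowedTCPPorts = mkIf access.global.enable (optional (access.useACMEHost != null) access.ucpSslPort);`. Whether the host is actually reachable from the internet on those interfaces is not visible here, but the firewall rule should not be the thing that decides it. A short comment on the `let` would also help the next reader place these ports, e.g. `# FreePBX UCP node listeners, proxied by the "@ucp" nginx vhost above`.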
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 1001bd6e..68923445 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -54,7 +54,6 @@ in {
 credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
 ingress = {
 "prox.${config.networking.domain}".service = "http://localhost";
- ${nginx.access.freepbx.domain} = "http://localhost";
 ${config.networking.domain}.service = "http://localhost";
 };
 };
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 18c06f36..9c0cc220 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -31,6 +31,7 @@ module "hakurei_system_records" {
 "plex",
 "idp",
 "ldap",
+ "pbx",
 "smb",
 "kitchen",
 "yt",
diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf
index 8672f2d5..24702d02 100644
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@@ -12,7 +12,6 @@ module "hakurei" {
 subdomains = [
 "@",
 "prox",
- "pbx",
 ]
 }
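Review bot: Adding `"pbx"` to `hakurei_system_records` while removing it from the tunnel's `subdomains` changes how the FreePBX name is reached: if that module publishes hakurei's own address, the PBX vhost and the new UCP ports no longer pass through the Cloudflare tunnel and become a direct path to the host. Nothing in the hunk records why, so a comment beside the entry would keep the decision from being reverted later, e.g. `"pbx", # direct record, not tunnelled: the UCP websocket ports are served by nginx on the host`. The port reasoning is inferred from the nixos change in this patch rather than stated anywhere — confirm before committing that wording.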