fix(freepbx): ucp access

arcnmx 2024-03-01 14:47:47 -08:00
parent 2b59e68384
commit c388c862ca
5 changed files with 90 additions and 6 deletions


@ -23,6 +23,7 @@ tei:: `10.1.1.39`
reisen:: `10.1.1.40` reisen:: `10.1.1.40`
hakurei:: `10.1.1.41` hakurei:: `10.1.1.41`
kuwubernetes:: `10.1.1.42` kuwubernetes:: `10.1.1.42`
freepbx:: `10.1.1.43`
mediabox:: `10.1.1.44` mediabox:: `10.1.1.44`
reimu:: `10.1.1.45` reimu:: `10.1.1.45`
idp:: `10.1.1.46` idp:: `10.1.1.46`
@ -55,3 +56,4 @@ hakurei::
* ^TCP:^[.value]##41324## * ^TCP:^[.value]##41324##
* ^UDP:^[.value]##41641## * ^UDP:^[.value]##41641##
* ^UDP:^[.value]##5353## * ^UDP:^[.value]##5353##
* ^TCP:^[.value]##8001##, ^TCP:^[.value]##8003##


@ -3,18 +3,41 @@
lib, lib,
... ...
}: let }: let
inherit (lib.options) mkOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault; inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (lib.lists) head; inherit (lib.lists) head optional concatMap;
inherit (lib.strings) splitString; inherit (lib.strings) splitString;
inherit (config.services) nginx tailscale; inherit (config.services) nginx tailscale;
access = nginx.access.freepbx; access = nginx.access.freepbx;
freepbx = config.lib.access.systemFor "freepbx"; freepbx = config.lib.access.systemFor "freepbx";
in { in {
options.services.nginx.access.freepbx = with lib.types; { options.services.nginx.access.freepbx = with lib.types; {
global.enable = mkEnableOption "global access" // {
default = access.useACMEHost != null;
};
host = mkOption {
type = str;
default = freepbx.access.hostnameForNetwork.local;
};
url = mkOption { url = mkOption {
type = str; type = str;
default = "http://${freepbx.access.hostnameForNetwork.local}"; default = "https://${access.host}";
};
asteriskPort = mkOption {
type = port;
default = 8088;
};
ucpPort = mkOption {
type = port;
default = 8001;
};
ucpSslPort = mkOption {
type = port;
default = 8003;
};
ucpUrl = mkOption {
type = str;
default = "https://${access.host}:${toString access.ucpSslPort}";
}; };
domain = mkOption { domain = mkOption {
type = str; type = str;
@ -37,7 +60,9 @@ in {
virtualHosts = let virtualHosts = let
proxyScheme = head (splitString ":" access.url); proxyScheme = head (splitString ":" access.url);
extraConfig = '' extraConfig = ''
proxy_buffering off; proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
set $pbx_scheme $scheme; set $pbx_scheme $scheme;
if ($http_x_forwarded_proto) { if ($http_x_forwarded_proto) {
@ -49,16 +74,68 @@ in {
"/" = { "/" = {
proxyPass = access.url; proxyPass = access.url;
}; };
"/socket.io" = {
proxy.websocket.enable = true;
proxyPass = "${access.ucpUrl}/socket.io";
extraConfig = ''
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Allow-Origin $pbx_scheme://$host;
'';
};
}; };
in { in {
${access.domain} = { ${access.domain} = {
vouch.enable = mkDefault true; vouch.enable = mkDefault true;
local.enable = mkDefault (!access.global.enable);
addSSL = mkDefault (access.useACMEHost != null); addSSL = mkDefault (access.useACMEHost != null);
kTLS = mkDefault true; kTLS = mkDefault true;
useACMEHost = mkDefault access.useACMEHost; useACMEHost = mkDefault access.useACMEHost;
inherit locations extraConfig; inherit locations extraConfig;
}; };
"${access.domain}@ucp" = {
serverName = access.domain;
listen = concatMap (addr: [
{
inherit addr;
port = access.ucpPort;
}
(mkIf (access.useACMEHost != null) {
inherit addr;
port = access.ucpSslPort;
ssl = true;
})
]) nginx.defaultListenAddresses;
proxy.websocket.enable = true;
local.enable = mkDefault (!access.global.enable);
addSSL = mkDefault (access.useACMEHost != null);
kTLS = mkDefault true;
useACMEHost = mkDefault access.useACMEHost;
locations = {
inherit (locations) "/socket.io";
};
inherit extraConfig;
};
${access.localDomain} = { ${access.localDomain} = {
listen = concatMap (addr: [
{
inherit addr;
port = 80;
}
{
inherit addr;
port = access.ucpPort;
}
(mkIf (access.useACMEHost != null) {
inherit addr;
port = 443;
ssl = true;
})
(mkIf (access.useACMEHost != null) {
inherit addr;
port = access.ucpSslPort;
ssl = true;
})
]) nginx.defaultListenAddresses;
serverAliases = mkIf tailscale.enable [ access.tailDomain ]; serverAliases = mkIf tailscale.enable [ access.tailDomain ];
useACMEHost = mkDefault access.useACMEHost; useACMEHost = mkDefault access.useACMEHost;
addSSL = mkDefault (access.useACMEHost != null); addSSL = mkDefault (access.useACMEHost != null);
@ -68,4 +145,10 @@ in {
}; };
}; };
}; };
config.networking.firewall = let
websocketPorts = [ access.ucpPort ] ++ optional (access.useACMEHost != null) access.ucpSslPort;
in {
interfaces.local.allowedTCPPorts = websocketPorts;
allowedTCPPorts = mkIf access.global.enable websocketPorts;
};
} }
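Review bot: The new `"${access.domain}@ucp"` virtual host (serverName = access.domain, listening on ucpPort and ucpSslPort) sets no `vouch.enable`, while the existing `${access.domain}` vhost keeps `vouch.enable = mkDefault true;`, so the `/socket.io` endpoint on the extra ports is served outside the vouch gate, and the new `config.networking.firewall.allowedTCPPorts` entry opens those ports on every interface once `global.enable` is true — which now defaults to `access.useACMEHost != null`. If that is deliberate because UCP authenticates its own socket.io session, a comment on the vhost such as `# UCP websocket ports are not behind vouch; UCP performs its own session auth` would make the exposure explicit; otherwise add `vouch.enable = mkDefault true;` beside `proxy.websocket.enable = true;`. The global allow list also includes the plaintext `ucpPort` even when a certificate is configured; if only the TLS port is needed externally, `allowedTCPPorts = mkIf access.global.enable (optional (access.useACMEHost == null) access.ucpPort ++ optional (access.useACMEHost != null) access.ucpSslPort);` narrows it. The `/socket.io` location's `add_header Access-Control-Allow-Origin $pbx_scheme://$host;` echoes the request Host and, via the `if ($http_x_forwarded_proto)` block whose body is outside the hunk, presumably a client-supplied scheme; since this vhost is matched by server name the origin is bounded to the configured domain, but a one-line comment stating that assumption would help the next reader.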


@ -54,7 +54,6 @@ in {
credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path; credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
ingress = { ingress = {
"prox.${config.networking.domain}".service = "http://localhost"; "prox.${config.networking.domain}".service = "http://localhost";
${nginx.access.freepbx.domain} = "http://localhost";
${config.networking.domain}.service = "http://localhost"; ${config.networking.domain}.service = "http://localhost";
}; };
}; };


@ -31,6 +31,7 @@ module "hakurei_system_records" {
"plex", "plex",
"idp", "idp",
"ldap", "ldap",
"pbx",
"smb", "smb",
"kitchen", "kitchen",
"yt", "yt",


@ -12,7 +12,6 @@ module "hakurei" {
subdomains = [ subdomains = [
"@", "@",
"prox", "prox",
"pbx",
] ]
} }