fix(hakurei): access

arcnmx 2024-01-20 15:33:51 -08:00
parent 7ded53ccc1
commit e95cec051f
5 changed files with 62 additions and 16 deletions


@ -56,18 +56,10 @@ in {
services.kanidm = { services.kanidm = {
server.unencrypted.package = let server.unencrypted.package = let
cert = pkgs.runCommand "kanidm-cert" { cert = pkgs.mkSnakeOil {
name = "kanidm-cert";
inherit (cfg.server.unencrypted) domain; inherit (cfg.server.unencrypted) domain;
nativeBuildInputs = [ pkgs.buildPackages.minica ]; };
} ''
install -d $out
cd $out
minica \
--ca-key ca.key.pem \
--ca-cert ca.cert.pem \
--domains $domain
cat $domain/cert.pem ca.cert.pem > $domain.pem
'';
in mkOptionDefault cert; in mkOptionDefault cert;
clientSettings = mkIf cfg.enableServer { clientSettings = mkIf cfg.enableServer {
uri = mkDefault cfg.serverSettings.origin; uri = mkDefault cfg.serverSettings.origin;
@ -82,8 +74,8 @@ in {
); );
} }
(mkIf cfg.server.unencrypted.enable { (mkIf cfg.server.unencrypted.enable {
tls_chain = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}.pem"; tls_chain = "${cfg.server.unencrypted.package}/fullchain.pem";
tls_key = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}/key.pem"; tls_key = "${cfg.server.unencrypted.package.key}/key.pem";
}) })
]; ];
}; };
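Review bot: `tls_key` on the new side points into a regular file: in the new `snakeoil.nix` added by this same commit, `mv $domain/key.pem $key` makes the `key` output the PEM file itself (and `$out/key.pem` is a symlink to it), so `${cfg.server.unencrypted.package.key}/key.pem` resolves to `<store>/…-key/key.pem` where `…-key` is not a directory, and kanidm will fail to open it. Either use the `key` output directly, `tls_key = "${cfg.server.unencrypted.package.key}";`, or mirror `tls_chain` and go through `$out`, `tls_key = "${cfg.server.unencrypted.package}/key.pem";`. Also worth a one-line comment next to these two settings that the key deliberately lives in the world-readable Nix store because this is a throwaway self-signed cert for the "unencrypted" listener, so nobody later copies the pattern for a real key. The `serverSettings` list this hunk belongs to starts outside the hunk.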


@ -1,15 +1,29 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: let }: let
inherit (lib.modules) mkIf mkDefault; inherit (lib.modules) mkIf mkDefault;
inherit (lib.strings) escapeRegex; inherit (lib.strings) escapeRegex;
inherit (lib.lists) singleton optional;
inherit (config.services) tailscale;
proxyPass = "https://reisen.local.gensokyo.zone:8006/"; proxyPass = "https://reisen.local.gensokyo.zone:8006/";
unencrypted = pkgs.mkSnakeOil {
name = "prox-local-cert";
domain = singleton "prox.local.${config.networking.domain}"
++ optional tailscale.enable "prox.tail.${config.networking.domain}";
};
sslCertificate = unencrypted.fullchain;
sslCertificateKey = unencrypted.key;
in { in {
services.nginx.virtualHosts."prox.${config.networking.domain}" = { services.nginx.virtualHosts."prox.${config.networking.domain}" = {
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''
if ($http_x_forwarded_proto = http) {
return 302 https://$host$request_uri;
}
set $prox_prefix '''; set $prox_prefix ''';
include ${config.sops.secrets.access-proxmox.path}; include ${config.sops.secrets.access-proxmox.path};
if ($request_uri ~ "^/([^/]+).*") { if ($request_uri ~ "^/([^/]+).*") {
@ -24,7 +38,7 @@ in {
if ($prox_prefix != $prox_expected) { if ($prox_prefix != $prox_expected) {
return 501; return 501;
} }
if ($request_uri ~ "^/([^/]+)") { if ($request_uri ~ "^/([^/]+)$") {
rewrite /(.*) /prox/$1 last; rewrite /(.*) /prox/$1 last;
} }
rewrite /[^/]+/(.*) /prox/$1; rewrite /[^/]+/(.*) /prox/$1;
@ -49,12 +63,15 @@ in {
}; };
services.nginx.virtualHosts."prox.local.${config.networking.domain}" = { services.nginx.virtualHosts."prox.local.${config.networking.domain}" = {
local.enable = mkDefault true; local.enable = mkDefault true;
forceSSL = mkDefault true;
inherit sslCertificate sslCertificateKey;
locations."/" = { locations."/" = {
inherit proxyPass; inherit proxyPass;
}; };
}; };
services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable { services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf tailscale.enable {
local.enable = mkDefault true; local.enable = mkDefault true;
inherit sslCertificate sslCertificateKey;
locations."/" = { locations."/" = {
inherit proxyPass; inherit proxyPass;
}; };


@ -5,7 +5,7 @@
}: }:
let let
inherit (lib.options) mkOption; inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.zigbee2mqtt; cfg = config.services.zigbee2mqtt;
access = config.services.nginx.access.zigbee2mqtt; access = config.services.nginx.access.zigbee2mqtt;
proxyPass = mkDefault "http://${access.host}:${toString access.port}"; proxyPass = mkDefault "http://${access.host}:${toString access.port}";
@ -51,6 +51,12 @@ in {
inherit proxyPass extraConfig; inherit proxyPass extraConfig;
}; };
}; };
"z2m.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
local.enable = true;
locations."/" = {
inherit proxyPass extraConfig;
};
};
}; };
}; };
} }


@ -17,6 +17,7 @@ final: prev: {
wezterm = final.callPackage ./wezterm { wezterm = final.callPackage ./wezterm {
inherit (final.darwin.apple_sdk.frameworks) Cocoa CoreGraphics Foundation UserNotifications; inherit (final.darwin.apple_sdk.frameworks) Cocoa CoreGraphics Foundation UserNotifications;
}; };
mkSnakeOil = final.callPackage ./snakeoil.nix { };
terraform-providers = terraform-providers =
prev.terraform-providers prev.terraform-providers
// { // {


@ -0,0 +1,30 @@
{
runCommand,
buildPackages,
lib,
}: let
inherit (lib.strings) concatStringsSep;
inherit (lib.lists) toList head;
in { domain, name }: runCommand name {
domains = concatStringsSep "," (toList domain);
domain = head (toList domain);
nativeBuildInputs = [ buildPackages.minica ];
outputs = [ "out" "key" "cakey" "ca" "cert" "fullchain" ];
} ''
install -d $out
minica \
--ca-key ca.key.pem \
--ca-cert ca.pem \
--domains "$domains"
mv ca.pem $ca
mv ca.key.pem $cakey
mv $domain/cert.pem $cert
mv $domain/key.pem $key
cat $cert $ca > $fullchain
ln -s $fullchain $out/fullchain.pem
ln -s $key $out/key.pem
ln -s $cakey $out/ca.key.pem
ln -s $cert $out/cert.pem
ln -s $ca $out/ca.pem
''
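Review bot: This new file generates a private key and a CA key into the Nix store, which is world-readable on every host that realises the derivation, and it also symlinks `ca.key.pem` into `$out`; that is acceptable for a snake-oil certificate but the file says nothing about it, and nothing tells callers that `key`, `cert`, `ca`, `cakey` and `fullchain` are files rather than directories (the kanidm change in this same commit already gets that wrong with `${…package.key}/key.pem`). A header comment along the lines of `# Throwaway self-signed TLS material for local/tailnet listeners. Keys land in the world-readable store: never use for anything that must stay private. Outputs: out = dir of symlinks (fullchain.pem, key.pem, cert.pem, ca.pem, ca.key.pem); key/cert/ca/cakey/fullchain = the PEM files themselves.` would prevent both mistakes. Also, `domain = head (toList domain)` aborts evaluation with an unhelpful `head` error when `domain` is `[]` (the proxmox caller builds the list with `optional`), so a guard such as `assert toList domain != [];` before `runCommand` would give a clearer failure. One can't tell from here whether the non-reproducible output (minica draws fresh keys each build) matters for this deployment, so that is worth a sentence in the same comment either way.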