fix(nginx): proxied listen

2026-02-09 04:19:19 -08:00 · 2024-04-29 12:01:35 -07:00 · 2024-04-29 12:01:35 -07:00 · f9b02a03a4
commit f9b02a03a4
parent f2c7178486
18 changed files with 185 additions and 90 deletions
--- a/systems/hakurei/default.nix
+++ b/systems/hakurei/default.nix
@ -40,6 +40,7 @@
            listen = mkIf (!preread) "wan";
          };
          http.listen = "wan";
+          proxied.enable = true;
        };
      };
      sshd = {
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@ -53,18 +53,16 @@ in {
  };

  services.cloudflared = let
-    inherit (nginx) defaultHTTPListenPort;
    tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
-    localNginx = "http://localhost:${toString defaultHTTPListenPort}";
  in {
    tunnels.${tunnelId} = {
      default = "http_status:404";
      credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
-      ingress = {
-        ${virtualHosts.prox.serverName}.service = localNginx;
-        ${virtualHosts.gensokyoZone.serverName}.service = localNginx;
-        ${virtualHosts.freeipa'web.serverName}.service = localNginx;
-      };
+      ingress = mkMerge [
+        (virtualHosts.freeipa'web.proxied.cloudflared.getIngress {})
+        (virtualHosts.prox.proxied.cloudflared.getIngress {})
+        (virtualHosts.gensokyoZone.proxied.cloudflared.getIngress {})
+      ];
    };
  };

@ -219,6 +217,12 @@ in {
    upstreams' = {
      vouch'auth.servers.local.enable = false;
      vouch'auth'local.servers.local.enable = true;
+      tei'nginx'proxied.servers.nginx.accessService = {
+        # TODO: host exports
+        system = "tei";
+        name = "nginx";
+        port = "proxied";
+      };
    };
    stream.servers = {
      mosquitto.ssl.cert.name = "mosquitto";
@ -261,13 +265,13 @@ in {
        # not the real grocy record-holder, so don't respond globally..
        local.denyGlobal = true;
        ssl.cert.enable = true;
-        proxy.url = "http://${mkAddress6 (access.getAddressFor "tei" "lan")}";
+        proxy.upstream = "tei'nginx'proxied";
      };
      barcodebuddy = {
        # not the real bbuddy record-holder, so don't respond globally..
        local.denyGlobal = true;
        ssl.cert.enable = true;
-        proxy.url = "http://${mkAddress6 (access.getAddressFor "tei" "lan")}";
+        proxy.upstream = "tei'nginx'proxied";
      };
      freepbx = {
        ssl.cert.enable = true;
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@ -4,11 +4,10 @@
  access,
  ...
 }: let
-  inherit (lib.modules) mkIf;
+  inherit (lib.modules) mkMerge;
  inherit (config.services) home-assistant nginx;
  cfg = config.services.cloudflared;
  apartment = "5e85d878-c6b2-4b15-b803-9aeb63d63543";
-  localNginx = "http://localhost:${toString nginx.defaultHTTPListenPort}";
 in {
  sops.secrets.cloudflared-tunnel-apartment.owner = cfg.user;
  services.cloudflared = {
@ -16,28 +15,17 @@ in {
      ${apartment} = {
        credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
        default = "http_status:404";
-        ingress = {
-          ${nginx.virtualHosts.zigbee2mqtt.serverName} = {
-            service = localNginx;
-          };
-          ${nginx.virtualHosts.grocy.serverName} = {
-            service = localNginx;
-          };
-          ${nginx.virtualHosts.barcodebuddy.serverName} = {
-            service = localNginx;
-          };
-          ${home-assistant.domain} = assert home-assistant.enable; {
-            service = access.proxyUrlFor { serviceName = "home-assistant"; };
-          };
-        };
+        ingress = mkMerge [
+          (nginx.virtualHosts.zigbee2mqtt.proxied.cloudflared.getIngress {})
+          (nginx.virtualHosts.grocy.proxied.cloudflared.getIngress {})
+          (nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
+          {
+            ${home-assistant.domain} = assert home-assistant.enable; {
+              service = access.proxyUrlFor { serviceName = "home-assistant"; };
+            };
+          }
+        ];
      };
    };
  };
-
-  systemd.services."cloudflared-tunnel-${apartment}" = rec {
-    wants = mkIf config.services.tailscale.enable [
-      "tailscaled.service"
-    ];
-    after = wants;
-  };
 }
--- a/systems/tei/default.nix
+++ b/systems/tei/default.nix
@ -10,7 +10,10 @@ _: {
  exports = {
    services = {
      sshd.enable = true;
-      nginx.enable = true;
+      nginx = {
+        enable = true;
+        ports.proxied.enable = true;
+      };
      tailscale.enable = true;
      home-assistant.enable = true;
      zigbee2mqtt.enable = true;
--- a/systems/utsuho/default.nix
+++ b/systems/utsuho/default.nix
@ -10,7 +10,10 @@ _: {
  exports = {
    services = {
      sshd.enable = true;
-      nginx.enable = true;
+      nginx = {
+        enable = true;
+        ports.proxied.enable = true;
+      };
      unifi.enable = true;
      mosquitto.enable = true;
      dnsmasq.enable = true;
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@ -18,18 +18,13 @@ in {
  ];

  services.cloudflared = let
-    inherit (nginx) virtualHosts defaultHTTPListenPort;
+    inherit (nginx) virtualHosts;
    tunnelId = "28bcd3fc-3467-4997-806b-546ba9995028";
-    localNginx = "http://localhost:${toString defaultHTTPListenPort}";
  in {
    tunnels.${tunnelId} = {
      default = "http_status:404";
      credentialsFile = config.sops.secrets.cloudflared-tunnel-utsuho.path;
-      ingress = {
-        ${virtualHosts.unifi.serverName} = {
-          service = localNginx;
-        };
-      };
+      ingress = virtualHosts.unifi.proxied.cloudflared.getIngress {};
    };
  };