fix: wireguard networking and https on services
This commit is contained in:
parent
3ce24992e7
commit
544f323b0c
|
@ -10,7 +10,7 @@
|
|||
pub-solar.wireguard-client = {
|
||||
ownIPs = [
|
||||
"10.0.1.6/32"
|
||||
"fd00:b12f:acab:1312:acab:6::/32"
|
||||
"fd00:b12f:acab:1312:acab:6::/96"
|
||||
];
|
||||
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
|
||||
};
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
pub-solar.wireguard-client = {
|
||||
ownIPs = [
|
||||
"10.0.1.5/32"
|
||||
"fd00:b12f:acab:1312:acab:5::/32"
|
||||
"fd00:b12f:acab:1312:acab:5::/96"
|
||||
];
|
||||
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
|
||||
};
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
pub-solar.wireguard-client = {
|
||||
ownIPs = [
|
||||
"10.0.1.3/32"
|
||||
"fd00:b12f:acab:1312:acab:3::/32"
|
||||
"fd00:b12f:acab:1312:acab:3::/96"
|
||||
];
|
||||
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
|
||||
};
|
||||
|
|
|
@ -7,17 +7,18 @@
|
|||
in {
|
||||
config = {
|
||||
services.openssh.knownHosts = {
|
||||
"cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW";
|
||||
"nachtigall.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUJGAYFzgzpeEs5rYvBX9jBn6wkj4Q5VqnT4xkg3l// barkeeper@nachtigall";
|
||||
};
|
||||
|
||||
systemd.services.ssh-tunnel-cloud-pub-solar = {
|
||||
systemd.services.ssh-tunnel-nachtigall-pub-solar = {
|
||||
enable = false;
|
||||
unitConfig = {
|
||||
Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host";
|
||||
Description = "Reverse SSH connection to enable backups";
|
||||
After = ["network.target"];
|
||||
};
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar";
|
||||
ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 hakkonaut@nachtigall.pub.solar";
|
||||
User = psCfg.user.name;
|
||||
Group = "users";
|
||||
Restart = "always";
|
||||
|
|
|
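Review bot: The new `enable = false;` turns the renamed unit into dead configuration without saying why, and the `-vvv` carried into the new ExecStart means that whenever the unit is enabled, full SSH debug output (negotiated algorithms, key fingerprints, every keepalive) lands in the journal on each reconnect of a `Restart = "always"` service. A one-line comment above it, `# disabled: <reason placeholder>`, would keep the intent readable, and `-vvv` should go once the tunnel is known to work. As far as I can tell `-g` only affects `-L`/`-D` local forwards; with `-R 127.0.0.1:22022:localhost:22` the bind address is already explicit, so the flag is inert here. Pinning the host key through `services.openssh.knownHosts` is the right way to make this non-interactive connection fail closed. The systemd service definition continues outside the hunk.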
@ -24,7 +24,7 @@
|
|||
exit 1
|
||||
fi
|
||||
|
||||
echo "WARNING: System will be shut down within the next 15 minutes" | wall
|
||||
echo "WARNING: System will be shut down within the next ${builtins.toString shutdownWaitMinutes} minutes" | ${pkgs.util-linux}/bin/wall
|
||||
|
||||
sleep 10
|
||||
|
||||
|
|
|
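Review bot: The warning text is now driven by `shutdownWaitMinutes`, but the `sleep 10` that follows is still a literal; if that sleep is the whole wait rather than one iteration of a loop outside the hunk, the announced delay and the real delay diverge as soon as the option changes. Deriving it, e.g. `sleep $((${builtins.toString shutdownWaitMinutes} * 60))`, or a comment such as `# 10s between notices; the total wait is shutdownWaitMinutes` if a loop provides the rest, would make the contract explicit. Calling `${pkgs.util-linux}/bin/wall` by store path instead of relying on PATH is the right fix for a script that runs outside an interactive shell. The script body continues outside the hunk.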
@ -42,7 +42,7 @@
|
|||
publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
|
||||
allowedIPs = [
|
||||
"10.0.1.2/32"
|
||||
"fd00:b12f:acab:1312:acab:2::/32"
|
||||
"fd00:b12f:acab:1312:acab:2::/96"
|
||||
];
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
|
@ -50,7 +50,7 @@
|
|||
publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
|
||||
allowedIPs = [
|
||||
"10.0.1.3/32"
|
||||
"fd00:b12f:acab:1312:acab:3::/32"
|
||||
"fd00:b12f:acab:1312:acab:3::/96"
|
||||
];
|
||||
|
||||
persistentKeepalive = 25;
|
||||
|
@ -59,7 +59,7 @@
|
|||
publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
|
||||
allowedIPs = [
|
||||
"10.0.1.5/32"
|
||||
"fd00:b12f:acab:1312:acab:5::/32"
|
||||
"fd00:b12f:acab:1312:acab:5::/96"
|
||||
];
|
||||
|
||||
persistentKeepalive = 25;
|
||||
|
@ -68,7 +68,7 @@
|
|||
publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
|
||||
allowedIPs = [
|
||||
"10.0.1.6/32"
|
||||
"fd00:b12f:acab:1312:acab:6::/32"
|
||||
"fd00:b12f:acab:1312:acab:6::/96"
|
||||
];
|
||||
|
||||
persistentKeepalive = 25;
|
||||
|
|
|
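Review bot: Widening each peer's IPv6 `allowedIPs` entry to `/96` also widens WireGuard's cryptokey-routing check: the server now accepts packets from that peer sourced from any address in the `/96`, not just its own, whereas the IPv4 entries stay at a single `/32`. If each peer only ever uses the one address, `/128` (e.g. `"fd00:b12f:acab:1312:acab:2::/128"`) keeps the source-address ACL as tight as the IPv4 side while still routing to the peer; if the `/96` is deliberate because the peer owns that whole prefix, a comment above the list saying so would stop the next reader from tightening it. The same applies to the three sibling hunks for the other peers in this file. Each peer attrset begins before its hunk.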
@ -27,11 +27,11 @@ in {
|
|||
services.caddy = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
firefly.b12f.io:80 {
|
||||
reverse_proxy localhost:8080
|
||||
firefly.b12f.io {
|
||||
reverse_proxy 127.0.0.1:8080
|
||||
}
|
||||
firefly-importer.b12f.io:80 {
|
||||
reverse_proxy localhost:8081
|
||||
firefly-importer.b12f.io {
|
||||
reverse_proxy 127.0.0.1:8081
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
@ -62,7 +62,7 @@ in {
|
|||
./.env.firefly
|
||||
config.age.secrets."firefly-secrets.env".path
|
||||
];
|
||||
ports = [ "8080:8080" ];
|
||||
ports = [ "127.0.0.1:8080:8080" ];
|
||||
dependsOn = [ "firefly-db" ];
|
||||
};
|
||||
|
||||
|
@ -82,9 +82,9 @@ in {
|
|||
image = "fireflyiii/data-importer:latest";
|
||||
autoStart = true;
|
||||
extraOptions = [ "--network=firefly" ];
|
||||
ports = [ "8081:8080" ];
|
||||
ports = [ "127.0.0.1:8081:8080" ];
|
||||
environment = {
|
||||
FIREFLY_III_URL = "http://firefly.b12f.io/";
|
||||
FIREFLY_III_URL = "https://firefly.b12f.io";
|
||||
};
|
||||
environmentFiles = [
|
||||
./.env.firefly-importer
|
||||
|
|
|
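Review bot: Publishing the containers on `127.0.0.1:...` deserves a comment, because the reason is not visible from the Nix code: the container runtime (Docker by default) programs published ports into its own firewall chains, so a plain `"8080:8080"` was reachable from outside regardless of `networking.firewall.allowedTCPPorts`, and only the loopback bind makes Caddy the sole entry point. Something like `# loopback only: runtime-published ports bypass networking.firewall; Caddy is the public entry` above each `ports` line would capture that; the `mariadb:11` container's `ports` mapping later in this commit has the same story. With `FIREFLY_III_URL` now `https://firefly.b12f.io`, the importer presumably reaches Firefly through the public name rather than the `firefly` container network, so it depends on that name resolving and the certificate validating from inside the container. The `fireflyiii/data-importer:latest` tag predates this change but is unpinned, which makes the deployment non-reproducible.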
@ -52,7 +52,7 @@ in {
|
|||
containers."invoiceplane-db" = {
|
||||
image = "mariadb:11";
|
||||
autoStart = true;
|
||||
ports = [ "3306:3306" ];
|
||||
ports = [ "127.0.0.1:3306:3306" ];
|
||||
volumes = [
|
||||
"/var/lib/invoiceplane/db:/var/lib/mysql"
|
||||
];
|
||||
|
|
|
@ -17,8 +17,12 @@
|
|||
ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:2::"; prefixLength = 128; } ];
|
||||
};
|
||||
|
||||
networking.hosts = flake.self.lib.addLocalHostname ["caddy.local"];
|
||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||
networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
|
||||
"128.140.109.213" = [ "vpn.b12f.io" ];
|
||||
"2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
services.openssh.openFirewall = true;
|
||||
|
||||
|
@ -26,7 +30,9 @@
|
|||
services.caddy = {
|
||||
globalConfig = ''
|
||||
default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
|
||||
auto_https off
|
||||
# auto_https off
|
||||
email acme@benjaminbaedorf.eu
|
||||
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -35,7 +41,7 @@
|
|||
pub-solar.wireguard-client = {
|
||||
ownIPs = [
|
||||
"10.0.1.2/32"
|
||||
"fd00:b12f:acab:1312:acab:2::/32"
|
||||
"fd00:b12f:acab:1312:acab:2::/96"
|
||||
];
|
||||
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
|
||||
};
|
||||
|
|
|
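Review bot: The two static `networking.hosts` entries for `vpn.b12f.io` duplicate the A/AAAA records this commit adds to the DNS zone elsewhere, and nothing in the file says why both exist; presumably the hosts entries let the WireGuard endpoint `vpn.b12f.io:51899` resolve before the tunnel (and any DNS reached through it) is up, and if so a comment such as `# pinned so the WireGuard endpoint resolves before the tunnel is up; keep in sync with the zone` would keep them from drifting apart. In the Caddy `globalConfig`, `auto_https off` has become `# auto_https off` and `# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory` is left commented; either drop these or annotate them (`# switch to the staging CA when debugging issuance to avoid production rate limits`) so they read as deliberate switches rather than leftovers. Opening 443 alongside 80 matches Caddy's ACME flow, which still needs 80 reachable for HTTP-01 and the redirect.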
@ -18,12 +18,12 @@ in {
|
|||
user = psCfg.user.name;
|
||||
consumptionDir = consumptionDir;
|
||||
dataDir = dataDir;
|
||||
address = "localhost";
|
||||
address = "127.0.0.1";
|
||||
extraConfig = {
|
||||
PAPERLESS_OCR_LANGUAGE = "nld+deu";
|
||||
PAPERLESS_ADMIN_USER = psCfg.user.name;
|
||||
PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
|
||||
PAPERLESS_URL = "http://paperless.b12f.io";
|
||||
PAPERLESS_URL = "https://paperless.b12f.io";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -50,9 +50,9 @@ in {
|
|||
services.caddy = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
paperless.b12f.io:80 {
|
||||
paperless.b12f.io {
|
||||
request_header Host localhost:${builtins.toString config.services.paperless.port}
|
||||
reverse_proxy localhost:${builtins.toString config.services.paperless.port}
|
||||
reverse_proxy 127.0.0.1:${builtins.toString config.services.paperless.port}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
|
|
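Review bot: With Caddy now serving `paperless.b12f.io` over HTTPS, the context line `PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;` deserves a second look: Paperless treats every request that reaches it as that user without a login, so whoever can reach the vhost acts as the admin. If Caddy binds only to LAN/VPN addresses that may be acceptable, but it should be stated next to the option, e.g. `# auto-login is only safe while Caddy is unreachable from the public internet`; otherwise put authentication in front or drop the setting. Separately, `request_header Host localhost:...` still rewrites the upstream Host header to loopback while `PAPERLESS_URL` is now `https://paperless.b12f.io`; as far as I can tell Paperless derives its CSRF trusted origins from `PAPERLESS_URL`, so this should keep working, but a comment explaining why Host is rewritten would help the next reader.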
@ -52,9 +52,10 @@
|
|||
"\"invoicing.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
|
||||
|
||||
"\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
|
||||
"\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
|
||||
"\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""
|
||||
|
||||
"\"frikandel.b12f.io. 10800 IN A 10.0.1.7\""
|
||||
"\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
|
||||
|
||||
"\"fritz.box. 10800 IN A 192.168.178.1\""
|
||||
"\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
|
||||
|
|
|
@ -18,6 +18,7 @@ in {
|
|||
usbutils
|
||||
diffutils
|
||||
findutils
|
||||
psmisc
|
||||
exfat
|
||||
|
||||
gitMinimal
|
||||
|
|
|
@ -44,7 +44,7 @@ in {
|
|||
"10.0.1.0/24"
|
||||
"fd00:b12f:acab:1312::/64"
|
||||
];
|
||||
endpoint = "[2a01:4f8:c2c:b60::]:51899";
|
||||
endpoint = "vpn.b12f.io:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
|
|
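Review bot: Switching the endpoint from the literal `[2a01:4f8:c2c:b60::]:51899` to `vpn.b12f.io:51899` makes interface bring-up depend on name resolution: WireGuard resolves the endpoint once when the peer is configured and does not re-resolve, so if DNS is unavailable at boot (or is itself only reachable through the tunnel) the interface fails to come up. Either ensure the name resolves without the VPN on every client (this commit pins it in `networking.hosts` on one host, which suggests the problem was seen) or set `dynamicEndpointRefreshSeconds` on the peer so a failed or changed resolution is retried. The peer's identity remains bound to its `publicKey`, so a spoofed DNS answer can only deny service, not redirect the tunnel to another party. The peer attrset begins before the hunk.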
|
@ -18,12 +18,6 @@ in {
|
|||
programs.ssh = {
|
||||
enable = true;
|
||||
matchBlocks = {
|
||||
"git.b12f.io" = {
|
||||
hostname = "git.b12f.io";
|
||||
user = "git";
|
||||
port = 2222;
|
||||
};
|
||||
|
||||
"aur.archlinux.org" = {
|
||||
user = "aur";
|
||||
};
|
||||
|
@ -85,6 +79,10 @@ in {
|
|||
"frikandel.b12f.io" = {
|
||||
user = "yule";
|
||||
};
|
||||
|
||||
"droppie.b12f.io" = {
|
||||
user = "yule";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|