fix: wireguard networking and https on services

This commit is contained in:
Benjamin Bädorf 2023-11-01 16:27:29 +01:00
parent 3ce24992e7
commit 544f323b0c
No known key found for this signature in database
GPG key ID: 1B7BF5B77A521346
16 changed files with 43 additions and 36 deletions


@ -10,7 +10,7 @@
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.6/32"
"fd00:b12f:acab:1312:acab:6::/32"
"fd00:b12f:acab:1312:acab:6::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
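Review bot: The IPv6 entry in ownIPs is now a /96 while the IPv4 entry beside it stays a single-host /32, so the two address families are treated differently for no stated reason. If ownIPs also feeds the server side's allowedIPs — the server hunk later in this commit carries the identical `fd00:b12f:acab:1312:acab:6::/96` — then that list is the cryptokey-routing ACL and a /96 lets this peer source traffic from 2^32 addresses instead of one; `"fd00:b12f:acab:1312:acab:6::/128"` would pin it to its actual address, matching the /32 on IPv4. The /96 is certainly an improvement over the previous /32, which denoted fd00:b12f::/32 for every peer and therefore overlapped between all of them. The same change appears in the next two wireguard-client sections, in the server allowedIPs hunks and in the last hunk of the Caddy host section; this note applies to all of them. The surrounding module continues outside the hunk.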


@ -10,7 +10,7 @@
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.5/32"
"fd00:b12f:acab:1312:acab:5::/32"
"fd00:b12f:acab:1312:acab:5::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};


@ -10,7 +10,7 @@
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.3/32"
"fd00:b12f:acab:1312:acab:3::/32"
"fd00:b12f:acab:1312:acab:3::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};


@ -7,17 +7,18 @@
in {
config = {
services.openssh.knownHosts = {
"cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW";
"nachtigall.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUJGAYFzgzpeEs5rYvBX9jBn6wkj4Q5VqnT4xkg3l// barkeeper@nachtigall";
};
systemd.services.ssh-tunnel-cloud-pub-solar = {
systemd.services.ssh-tunnel-nachtigall-pub-solar = {
enable = false;
unitConfig = {
Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host";
Description = "Reverse SSH connection to enable backups";
After = ["network.target"];
};
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar";
ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 hakkonaut@nachtigall.pub.solar";
User = psCfg.user.name;
Group = "users";
Restart = "always";
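Review bot: The rewritten ExecStart keeps `-vvv`, so this always-restarting unit will write ssh's debug-level trace to the journal for the lifetime of the tunnel; once the connection is known to work a production unit should carry at most a single `-v`, e.g. `ExecStart = "${pkgs.openssh}/bin/ssh -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 hakkonaut@nachtigall.pub.solar";`. `-g` only affects local (-L) forwards, so it does nothing for this -R forward and can go as well. The new knownHosts entry pins nachtigall.pub.solar, which is what makes a non-interactive ssh safe here; note that the unit is still `enable = false`, so none of this is exercised yet. The serviceConfig block continues past the end of the hunk.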


@ -24,7 +24,7 @@
exit 1
fi
echo "WARNING: System will be shut down within the next 15 minutes" | wall
echo "WARNING: System will be shut down within the next ${builtins.toString shutdownWaitMinutes} minutes" | ${pkgs.util-linux}/bin/wall
sleep 10
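Review bot: `wall` is now pinned to `${pkgs.util-linux}/bin/wall`, but `sleep 10` on the next line still resolves through PATH; for the same reason the pin was added, use `${pkgs.coreutils}/bin/sleep 10`. The fixed 10-second sleep also no longer visibly relates to the interpolated `shutdownWaitMinutes` — if it is meant to be a fraction of the wait, derive it from the same variable. The script continues outside the hunk.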


@ -42,7 +42,7 @@
publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
allowedIPs = [
"10.0.1.2/32"
"fd00:b12f:acab:1312:acab:2::/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
persistentKeepalive = 25;
}
@ -50,7 +50,7 @@
publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
allowedIPs = [
"10.0.1.3/32"
"fd00:b12f:acab:1312:acab:3::/32"
"fd00:b12f:acab:1312:acab:3::/96"
];
persistentKeepalive = 25;
@ -59,7 +59,7 @@
publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
allowedIPs = [
"10.0.1.5/32"
"fd00:b12f:acab:1312:acab:5::/32"
"fd00:b12f:acab:1312:acab:5::/96"
];
persistentKeepalive = 25;
@ -68,7 +68,7 @@
publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
allowedIPs = [
"10.0.1.6/32"
"fd00:b12f:acab:1312:acab:6::/32"
"fd00:b12f:acab:1312:acab:6::/96"
];
persistentKeepalive = 25;


@ -27,11 +27,11 @@ in {
services.caddy = {
enable = true;
extraConfig = ''
firefly.b12f.io:80 {
reverse_proxy localhost:8080
firefly.b12f.io {
reverse_proxy 127.0.0.1:8080
}
firefly-importer.b12f.io:80 {
reverse_proxy localhost:8081
firefly-importer.b12f.io {
reverse_proxy 127.0.0.1:8081
}
'';
};
@ -62,7 +62,7 @@ in {
./.env.firefly
config.age.secrets."firefly-secrets.env".path
];
ports = [ "8080:8080" ];
ports = [ "127.0.0.1:8080:8080" ];
dependsOn = [ "firefly-db" ];
};
@ -82,9 +82,9 @@ in {
image = "fireflyiii/data-importer:latest";
autoStart = true;
extraOptions = [ "--network=firefly" ];
ports = [ "8081:8080" ];
ports = [ "127.0.0.1:8081:8080" ];
environment = {
FIREFLY_III_URL = "http://firefly.b12f.io/";
FIREFLY_III_URL = "https://firefly.b12f.io";
};
environmentFiles = [
./.env.firefly-importer
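Review bot: FIREFLY_III_URL changed in two ways at once — the scheme became https and the trailing slash was dropped (`http://firefly.b12f.io/` → `https://firefly.b12f.io`); if the importer builds request paths by concatenation, the slash change is a separate behaviour change worth confirming on its own. Both containers now publish on 127.0.0.1 only and Caddy terminates TLS in front of them, which is the right shape; what the hunk does not show is whether the firefly container trusts the proxy for X-Forwarded-Proto (Firefly III's TRUSTED_PROXIES setting), without which it will generate http:// links and redirects behind the https site — that would live in the environment files referenced above, so worth checking there. The importer reaches firefly through its public name and thus through Caddy rather than over the shared `--network=firefly`, which is fine as long as that name resolves to this host from inside the container. The container definitions continue outside the hunk.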


@ -52,7 +52,7 @@ in {
containers."invoiceplane-db" = {
image = "mariadb:11";
autoStart = true;
ports = [ "3306:3306" ];
ports = [ "127.0.0.1:3306:3306" ];
volumes = [
"/var/lib/invoiceplane/db:/var/lib/mysql"
];
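Review bot: Binding the MariaDB publish to `127.0.0.1:3306:3306` closes what was previously an all-interfaces listener, and since published container ports are typically DNAT'd ahead of the host's INPUT-chain firewall, `allowedTCPPorts` alone would not have protected it. If the only consumer is the invoiceplane container on the same container network, the publish could be dropped entirely rather than narrowed; whether that is the case is not visible in this hunk. The container block continues outside the hunk.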


@ -17,8 +17,12 @@
ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:2::"; prefixLength = 128; } ];
};
networking.hosts = flake.self.lib.addLocalHostname ["caddy.local"];
networking.firewall.allowedTCPPorts = [ 80 ];
networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
"128.140.109.213" = [ "vpn.b12f.io" ];
"2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.openssh.openFirewall = true;
@ -26,7 +30,9 @@
services.caddy = {
globalConfig = ''
default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
auto_https off
# auto_https off
email acme@benjaminbaedorf.eu
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
'';
};
@ -35,7 +41,7 @@
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.2/32"
"fd00:b12f:acab:1312:acab:2::/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
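Review bot: Removing `auto_https off` turns on ACME issuance for every site block without an explicit port in this commit's Caddy hunks (firefly, firefly-importer, paperless), which requires those names to resolve publicly to an address where port 80 or 443 on this host is reachable — `default_bind` lists `2a02:908:5b1:e3c0:3077:2::` as the only global address, and 443 is only now opened in `allowedTCPPorts`. The DNS hunk in this commit maps b12f.io names such as invoicing.b12f.io to ULA `fd00:` addresses, which suggests a split-horizon setup; if the public zone does not carry the global AAAA, issuance will fail and Caddy will keep retrying against the CA's rate limits, in which case a DNS-01 challenge or the staging CA from the commented `acme_ca` line is the safer first step. The new `networking.hosts` pin for vpn.b12f.io presumably exists so the WireGuard endpoint resolves before the tunnel is up; a comment saying so would help, e.g. `# pinned so the wireguard endpoint resolves without DNS`. The module continues outside the hunk.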


@ -18,12 +18,12 @@ in {
user = psCfg.user.name;
consumptionDir = consumptionDir;
dataDir = dataDir;
address = "localhost";
address = "127.0.0.1";
extraConfig = {
PAPERLESS_OCR_LANGUAGE = "nld+deu";
PAPERLESS_ADMIN_USER = psCfg.user.name;
PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
PAPERLESS_URL = "http://paperless.b12f.io";
PAPERLESS_URL = "https://paperless.b12f.io";
};
};
@ -50,9 +50,9 @@ in {
services.caddy = {
enable = true;
extraConfig = ''
paperless.b12f.io:80 {
paperless.b12f.io {
request_header Host localhost:${builtins.toString config.services.paperless.port}
reverse_proxy localhost:${builtins.toString config.services.paperless.port}
reverse_proxy 127.0.0.1:${builtins.toString config.services.paperless.port}
}
'';
};
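Review bot: PAPERLESS_URL now says https while the proxied request still arrives over plain HTTP on 127.0.0.1 with its Host rewritten to `localhost:<port>`; unless Paperless is told to trust Caddy's X-Forwarded-Proto header (PAPERLESS_PROXY_SSL_HEADER), it will treat requests as insecure and build http:// absolute URLs, so that setting is worth adding next to PAPERLESS_URL — it is not visible in this hunk, so this is a point to confirm rather than a certain defect. Binding `address` to `127.0.0.1` and proxying to `127.0.0.1` instead of `localhost` avoids any ::1 versus 127.0.0.1 mismatch, which is a good change. The paperless attribute set starts before the first hunk and the Caddy block closes at the end of the second.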


@ -52,9 +52,10 @@
"\"invoicing.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
"\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
"\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""
"\"frikandel.b12f.io. 10800 IN A 10.0.1.7\""
"\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"fritz.box. 10800 IN A 192.168.178.1\""
"\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""


@ -18,6 +18,7 @@ in {
usbutils
diffutils
findutils
psmisc
exfat
gitMinimal


@ -44,7 +44,7 @@ in {
"10.0.1.0/24"
"fd00:b12f:acab:1312::/64"
];
endpoint = "[2a01:4f8:c2c:b60::]:51899";
endpoint = "vpn.b12f.io:51899";
persistentKeepalive = 25;
}
];
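Review bot: Switching the endpoint from a literal address to `vpn.b12f.io:51899` makes the tunnel depend on name resolution at interface setup time — WireGuard resolves the endpoint once when the peer is configured and does not re-resolve the name or fail over between records afterwards. The DNS hunk in this commit gives vpn.b12f.io an A record, the AAAA `2a02:908:5b1:e3c0:3077:2::` (the address configured on the Caddy host in an earlier hunk) and the newly added AAAA `2a01:4f8:c2c:b60::`, which is the literal this line replaces; unless the Caddy host also terminates WireGuard, a resolver that returns the other AAAA first would point this peer at the wrong machine, with nothing but a silent handshake timeout to show for it. The `networking.hosts` pin added to the Caddy host avoids this for that host; the other peers get no such pin in this commit, so either keep the literal endpoint on them or give vpn.b12f.io only the server's addresses. The peer list starts before the hunk.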

Binary file not shown.

Binary file not shown.


@ -18,12 +18,6 @@ in {
programs.ssh = {
enable = true;
matchBlocks = {
"git.b12f.io" = {
hostname = "git.b12f.io";
user = "git";
port = 2222;
};
"aur.archlinux.org" = {
user = "aur";
};
@ -85,6 +79,10 @@ in {
"frikandel.b12f.io" = {
user = "yule";
};
"droppie.b12f.io" = {
user = "yule";
};
};
};