fix: wireguard networking and https on services

2023-11-01 16:27:29 +01:00 · 2023-11-01 16:27:29 +01:00 · 544f323b0c
parent 3ce24992e7
commit 544f323b0c
16 changed files with 43 additions and 36 deletions
--- a/hosts/biolimo/networking.nix
+++ b/hosts/biolimo/networking.nix
@ -10,7 +10,7 @@
    pub-solar.wireguard-client = {
      ownIPs = [
        "10.0.1.6/32"
-        "fd00:b12f:acab:1312:acab:6::/32"
+        "fd00:b12f:acab:1312:acab:6::/96"
      ];
      wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
    };
--- a/hosts/chocolatebar/networking.nix
+++ b/hosts/chocolatebar/networking.nix
@ -10,7 +10,7 @@
    pub-solar.wireguard-client = {
      ownIPs = [
        "10.0.1.5/32"
-        "fd00:b12f:acab:1312:acab:5::/32"
+        "fd00:b12f:acab:1312:acab:5::/96"
      ];
      wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
    };
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@ -10,7 +10,7 @@
    pub-solar.wireguard-client = {
      ownIPs = [
        "10.0.1.3/32"
-        "fd00:b12f:acab:1312:acab:3::/32"
+        "fd00:b12f:acab:1312:acab:3::/96"
      ];
      wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
    };
--- a/hosts/droppie/nextcloud-web-tunnel.nix
+++ b/hosts/droppie/nextcloud-web-tunnel.nix
@ -7,17 +7,18 @@
 in {
  config = {
    services.openssh.knownHosts = {
-      "cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW";
+      "nachtigall.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUJGAYFzgzpeEs5rYvBX9jBn6wkj4Q5VqnT4xkg3l// barkeeper@nachtigall";
    };
-    systemd.services.ssh-tunnel-cloud-pub-solar = {
+    systemd.services.ssh-tunnel-nachtigall-pub-solar = {
      enable = false;
      unitConfig = {
-        Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host";
+        Description = "Reverse SSH connection to enable backups";
        After = ["network.target"];
      };
      serviceConfig = {
        Type = "simple";
-        ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar";
+        ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 hakkonaut@nachtigall.pub.solar";
        User = psCfg.user.name;
        Group = "users";
        Restart = "always";
--- a/hosts/droppie/restic-backup.nix
+++ b/hosts/droppie/restic-backup.nix
@ -24,7 +24,7 @@
      exit 1
    fi
-    echo "WARNING: System will be shut down within the next 15 minutes" | wall
+    echo "WARNING: System will be shut down within the next ${builtins.toString shutdownWaitMinutes} minutes" | ${pkgs.util-linux}/bin/wall
    sleep 10
--- a/hosts/frikandel/wireguard.nix
+++ b/hosts/frikandel/wireguard.nix
@ -42,7 +42,7 @@
          publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
          allowedIPs = [
            "10.0.1.2/32"
-            "fd00:b12f:acab:1312:acab:2::/32"
+            "fd00:b12f:acab:1312:acab:2::/96"
          ];
          persistentKeepalive = 25;
        }
@ -50,7 +50,7 @@
          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
          allowedIPs = [
            "10.0.1.3/32"
-            "fd00:b12f:acab:1312:acab:3::/32"
+            "fd00:b12f:acab:1312:acab:3::/96"
          ];
          persistentKeepalive = 25;
@ -59,7 +59,7 @@
          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
          allowedIPs = [
            "10.0.1.5/32"
-            "fd00:b12f:acab:1312:acab:5::/32"
+            "fd00:b12f:acab:1312:acab:5::/96"
          ];
          persistentKeepalive = 25;
@ -68,7 +68,7 @@
          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
          allowedIPs = [
            "10.0.1.6/32"
-            "fd00:b12f:acab:1312:acab:6::/32"
+            "fd00:b12f:acab:1312:acab:6::/96"
          ];
          persistentKeepalive = 25;
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@ -27,11 +27,11 @@ in {
  services.caddy = {
    enable = true;
    extraConfig = ''
-      firefly.b12f.io:80 {
+      firefly.b12f.io {
-        reverse_proxy localhost:8080
+        reverse_proxy 127.0.0.1:8080
      }
-      firefly-importer.b12f.io:80 {
+      firefly-importer.b12f.io {
-        reverse_proxy localhost:8081
+        reverse_proxy 127.0.0.1:8081
      }
    '';
  };
@ -62,7 +62,7 @@ in {
          ./.env.firefly
          config.age.secrets."firefly-secrets.env".path
        ];
-        ports = [ "8080:8080" ];
+        ports = [ "127.0.0.1:8080:8080" ];
        dependsOn = [ "firefly-db" ];
      };
@ -82,9 +82,9 @@ in {
        image = "fireflyiii/data-importer:latest";
        autoStart = true;
        extraOptions = [ "--network=firefly" ];
-        ports = [ "8081:8080" ];
+        ports = [ "127.0.0.1:8081:8080" ];
        environment = {
-          FIREFLY_III_URL = "http://firefly.b12f.io/";
+          FIREFLY_III_URL = "https://firefly.b12f.io";
        };
        environmentFiles = [
          ./.env.firefly-importer
--- a/hosts/pie/invoiceplane.nix
+++ b/hosts/pie/invoiceplane.nix
@ -52,7 +52,7 @@ in {
      containers."invoiceplane-db" = {
        image = "mariadb:11";
        autoStart = true;
-        ports = [ "3306:3306" ];
+        ports = [ "127.0.0.1:3306:3306" ];
        volumes = [
          "/var/lib/invoiceplane/db:/var/lib/mysql"
        ];
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@ -17,8 +17,12 @@
    ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:2::"; prefixLength = 128; } ];
  };
-  networking.hosts = flake.self.lib.addLocalHostname ["caddy.local"];
+  networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
-  networking.firewall.allowedTCPPorts = [ 80 ];
+    "128.140.109.213" = [ "vpn.b12f.io" ];
    "2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.openssh.openFirewall = true;
@ -26,7 +30,9 @@
  services.caddy = {
    globalConfig = ''
      default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
-      auto_https off
+      # auto_https off
      email acme@benjaminbaedorf.eu
      # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    '';
  };
@ -35,7 +41,7 @@
  pub-solar.wireguard-client = {
    ownIPs = [
      "10.0.1.2/32"
-      "fd00:b12f:acab:1312:acab:2::/32"
+      "fd00:b12f:acab:1312:acab:2::/96"
    ];
    wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
  };
--- a/hosts/pie/paperless.nix
+++ b/hosts/pie/paperless.nix
@ -18,12 +18,12 @@ in {
    user = psCfg.user.name;
    consumptionDir = consumptionDir;
    dataDir = dataDir;
-    address = "localhost";
+    address = "127.0.0.1";
    extraConfig = {
      PAPERLESS_OCR_LANGUAGE = "nld+deu";
      PAPERLESS_ADMIN_USER = psCfg.user.name;
      PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
-      PAPERLESS_URL = "http://paperless.b12f.io";
+      PAPERLESS_URL = "https://paperless.b12f.io";
    };
  };
@ -50,9 +50,9 @@ in {
  services.caddy = {
    enable = true;
    extraConfig = ''
-      paperless.b12f.io:80 {
+      paperless.b12f.io {
        request_header Host localhost:${builtins.toString config.services.paperless.port}
-        reverse_proxy localhost:${builtins.toString config.services.paperless.port}
+        reverse_proxy 127.0.0.1:${builtins.toString config.services.paperless.port}
      }
    '';
  };
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -52,9 +52,10 @@
          "\"invoicing.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
          "\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
-          "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
+          "\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""
          "\"frikandel.b12f.io. 10800 IN A 10.0.1.7\""
          "\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
          "\"fritz.box. 10800 IN A 192.168.178.1\""
          "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
--- a/modules/core/packages.nix
+++ b/modules/core/packages.nix
@ -18,6 +18,7 @@ in {
    usbutils
    diffutils
    findutils
    psmisc
    exfat
    gitMinimal
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@ -44,7 +44,7 @@ in {
              "10.0.1.0/24"
              "fd00:b12f:acab:1312::/64"
            ];
-            endpoint = "[2a01:4f8:c2c:b60::]:51899";
+            endpoint = "vpn.b12f.io:51899";
            persistentKeepalive = 25;
          }
        ];
--- a/secrets/b12f-env-secrets
+++ b/secrets/b12f-env-secrets
--- a/secrets/firefly-importer-secrets.env
+++ b/secrets/firefly-importer-secrets.env
--- a/users/b12f/home.nix
+++ b/users/b12f/home.nix
@ -18,12 +18,6 @@ in {
    programs.ssh = {
      enable = true;
      matchBlocks = {
        "git.b12f.io" = {
          hostname = "git.b12f.io";
          user = "git";
          port = 2222;
        };
        "aur.archlinux.org" = {
          user = "aur";
        };
@ -85,6 +79,10 @@ in {
        "frikandel.b12f.io" = {
          user = "yule";
        };
        "droppie.b12f.io" = {
          user = "yule";
        };
      };
    };