matt1432/nixos-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(servers): only expose public apps to WAN

Browse source
This commit is contained in:
matt1432 2024-08-11 14:53:45 -04:00
parent a2978995a3
commit c14a7906c8
11 changed files with 142 additions and 149 deletions
devices/cluster/modules
caddy.nixunbound.nix

125
devices/cluster/modules/caddy.nix
View file

@ -4,7 +4,7 @@
config,
...
}: let
inherit (config.vars) mainUser;
inherit (config.vars) hostName mainUser;
inherit (config.sops) secrets;
caddy = caddy-plugins.packages.${pkgs.system}.default;
@ -33,35 +33,68 @@ in {
clusterIP = config.services.pcsd.virtualIps.caddy-vip.ip;
nosIP = "10.0.0.121";
serviviIP = "10.0.0.249";
tlsConf = ''
tls {
dns cloudflare {$CLOUDFLARE_API_TOKEN}
resolvers 1.0.0.1
}
'';
mkPublicReverseProxy = subdomain: ip: extraConf:
{
hostName = "${subdomain}.nelim.org";
reverseProxy = ip;
listenAddresses = [clusterIP];
extraConfig = tlsConf + (extraConf.extraConfig or "");
}
// (builtins.removeAttrs extraConf ["extraConfig"]);
in {
# Public
"Vaultwarden" = mkPublicReverseProxy "vault" "${nosIP}:8781" {};
"Hauk" = mkPublicReverseProxy "hauk" "${nosIP}:3003" {};
"Headscale" = mkPublicReverseProxy "headscale" "${clusterIP}:8085" {};
"Jellyfin" = mkPublicReverseProxy "jelly" "${nosIP}:8096" {
subDirectories.jfa-go = {
subDirName = "accounts";
reverseProxy = "${nosIP}:8056";
};
};
"Jellyseer" = mkPublicReverseProxy "seerr" "${nosIP}:5055" {};
"Gameyfin" = mkPublicReverseProxy "games" "${nosIP}:8074" {};
"Forgejo" = mkPublicReverseProxy "git" "${nosIP}:3000" {};
"Nextcloud" = mkPublicReverseProxy "cloud" "${nosIP}:8042" {
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
'';
};
"OnlyOffice" = mkPublicReverseProxy "office" "http://${nosIP}:8055" {};
"Immich" = mkPublicReverseProxy "photos" "${nosIP}:2283" {};
# Private
"nelim.org" = {
serverAliases = ["*.nelim.org"];
extraConfig = ''
tls {
dns cloudflare {$CLOUDFLARE_API_TOKEN}
resolvers 1.0.0.1
}
'';
extraConfig = tlsConf;
listenAddresses = [
(
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9"
)
];
subDomains = {
# Misc one-liners
vault.reverseProxy = "${nosIP}:8781";
hauk.reverseProxy = "${nosIP}:3003";
headscale.reverseProxy = "${clusterIP}:8085";
pr-tracker.reverseProxy = "${serviviIP}:3000";
jellyfin = {
subDomainName = "jelly";
reverseProxy = "${nosIP}:8096";
subDirectories = {
jfa-go = {
subDirName = "accounts";
reverseProxy = "${nosIP}:8056";
};
};
};
pcsd = {
extraConfig = ''
reverse_proxy https://${clusterIP}:2224 {
@ -72,42 +105,14 @@ in {
'';
};
# Resume builder
resume.reverseProxy = "${nosIP}:3060";
resauth.reverseProxy = "${nosIP}:3100";
# Nextcloud & Co
office.reverseProxy = "http://${nosIP}:8055";
nextcloud = {
subDomainName = "cloud";
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
'';
reverseProxy = "${nosIP}:8042";
};
forgejo = {
subDomainName = "git";
reverseProxy = "${nosIP}:3000";
};
nix-binary-cache = {
subDomainName = "cache";
reverseProxy = "${serviviIP}:5000";
};
calibre = {
subDomainName = "books";
reverseProxy = "${nosIP}:8083";
};
immich = {
subDomainName = "photos";
reverseProxy = "${nosIP}:2283";
};
# Resume builder
resume.reverseProxy = "${nosIP}:3060";
resauth.reverseProxy = "${nosIP}:3100";
# FreshRSS & Co
bridge.reverseProxy = "${nosIP}:3006";
@ -117,16 +122,6 @@ in {
reverseProxy = "${nosIP}:2800";
};
jellyseer = {
subDomainName = "seerr";
reverseProxy = "${nosIP}:5055";
};
gameyfin = {
subDomainName = "games";
reverseProxy = "${nosIP}:8074";
};
wgui.reverseProxy = "${nosIP}:51821";
lan = {
@ -137,12 +132,10 @@ in {
subDirectories = {
bazarr.reverseProxy = "${nosIP}:6767";
prowlarr.reverseProxy = "${nosIP}:9696";
radarr.reverseProxy = "${nosIP}:7878";
sabnzbd.reverseProxy = "${nosIP}:8382";
sonarr.reverseProxy = "${nosIP}:8989";
calibre.reverseProxy = "${nosIP}:8580";
qbittorent = {
subDirName = "qbt";

125
devices/cluster/modules/unbound.nix
View file

@ -1,5 +1,24 @@
{config, ...}: let
{
config,
lib,
...
}: let
inherit (lib) foldl isList mapAttrsToList mergeAttrsWithFunc remove unique;
mergeAttrsList = list:
foldl (mergeAttrsWithFunc (a: b:
if isList a && isList b
then unique (a ++ b)
else b)) {}
list;
inherit (config.vars) mainUser hostName;
wanIP = "166.62.180.199";
serviviIP = "100.64.0.7";
caddyIp =
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9";
in {
# https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602
boot.kernel.sysctl."net.core.rmem_max" = 1048576;
@ -12,70 +31,62 @@ in {
resolveLocalQueries = false;
settings = {
server = {
interface = ["127.0.0.1"];
port = 5335;
server = let
mkLocalEntry = domain: ip: {
local-zone = ["${domain} redirect"];
local-data = ["\"${domain} IN A ${ip}\""];
};
# Custom DNS
local-zone = [
"headscale.nelim.org redirect"
"git.nelim.org redirect"
"mc.nelim.org transparent"
"cv.nelim.org transparent"
"mc2.nelim.org transparent"
"ota.nelim.org redirect"
"nelim.org redirect"
];
local-data = let
wanIP = "166.62.180.199";
caddyIp =
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9";
in [
"\"headscale.nelim.org. IN A ${wanIP}\""
mkMinecraftEntry = domain: port: {
local-zone = ["${domain} transparent"];
local-data = [
"\"${domain} IN A ${serviviIP}\""
"\"_minecraft._tcp.${domain}. 180 IN SRV 0 0 ${toString port} ${domain}.\""
];
};
"\"git.nelim.org. IN A ${wanIP}\""
publicApps = remove "nelim.org" (mapAttrsToList (n: v: v.hostName) config.services.caddy.virtualHosts);
in
mergeAttrsList (
(map (x: mkLocalEntry x wanIP) publicApps)
++ [
(mkMinecraftEntry "mc.nelim.org" 25569)
(mkMinecraftEntry "mc2.nelim.org" 25560)
(mkMinecraftEntry "cv.nelim.org" 25566)
"\"mc.nelim.org IN A 100.64.0.7\""
"\"_minecraft._tcp.mc.nelim.org. 180 IN SRV 0 0 25569 mc.nelim.org.\""
(mkLocalEntry "nelim.org" caddyIp)
"\"cv.nelim.org IN A 100.64.0.7\""
"\"_minecraft._tcp.cv.nelim.org. 180 IN SRV 0 0 25566 cv.nelim.org.\""
{
interface = ["127.0.0.1"];
port = 5335;
"\"mc2.nelim.org IN A 100.64.0.7\""
"\"_minecraft._tcp.mc2.nelim.org. 180 IN SRV 0 0 25560 mc2.nelim.org.\""
do-ip4 = true;
do-ip6 = false;
prefer-ip6 = false;
do-udp = true;
do-tcp = true;
"\"ota.nelim.org. IN A 100.64.0.5\""
# Performance
prefetch = true;
num-threads = 1;
"\"nelim.org 0 A ${caddyIp}\""
];
private-address = [
"172.16.0.0/12"
"10.0.0.0/8"
"100.64.0.0/8"
"fd00::/8"
"fe80::/10"
];
do-ip4 = true;
do-ip6 = false;
prefer-ip6 = false;
do-udp = true;
do-tcp = true;
# Performance
prefetch = true;
num-threads = 1;
private-address = [
"172.16.0.0/12"
"10.0.0.0/8"
"100.64.0.0/8"
"fd00::/8"
"fe80::/10"
];
# Default stuff
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
so-rcvbuf = "1m";
};
# Default stuff
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
so-rcvbuf = "1m";
}
]
);
};
};
}