nixos/kelder: Independent nginx config

2023-05-27 18:44:23 +01:00
parent 75fc5ae163
commit be901d4222
42 changed files with 579 additions and 552 deletions
--- a/nixos/boxes/colony/vms/estuary/bgp.nix
+++ b/nixos/boxes/colony/vms/estuary/bgp.nix
@@ -15,10 +15,11 @@ in
          define OWNAS = 211024;

          define CCVIP1 = ${lib.my.colony.prefixes.vip1};
+          define CCVIP2 = ${lib.my.colony.prefixes.vip2};

          define OWNIP4 = ${assignments.internal.ipv4.address};
          define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
-          define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1} ];
+          define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1}, ${lib.my.colony.prefixes.vip2} ];

          define INTNET6 = ${intnet6};
          define AMSNET6 = ${amsnet6};
@@ -53,6 +54,7 @@ in
          }
          protocol static static4 {
            route CCVIP1 via "base";
+            route CCVIP2 via "base";

            ipv4 {
              import all;
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -188,7 +188,7 @@ in
                      {
                        wireguardPeerConfig = {
                          PublicKey = "7N9YdQaCMWWIwAnW37vrthm9ZpbnG4Lx3gheHeRYz2E=";
-                          AllowedIPs = [ "${lib.my.kelder.start.vpn.v4}2" ];
+                          AllowedIPs = [ allAssignments.kelder.estuary.ipv4.address ];
                          PersistentKeepalive = 25;
                        };
                      }
@@ -339,7 +339,14 @@ in
                };
                "95-kelder" = {
                  matchConfig.Name = "kelder";
-                  address = [ "${lib.my.kelder.start.vpn.v4}1/30" ];
+                  routes = [
+                    {
+                      routeConfig = {
+                        Destination = allAssignments.kelder.estuary.ipv4.address;
+                        Scope = "link";
+                      };
+                    }
+                  ];
                };
              } ];
            };
@@ -388,12 +395,6 @@ in
                      dst = allAssignments.valheim-oci.internal.ipv4.address;
                      proto = "udp";
                    }
-
-                    {
-                      port = 6922;
-                      dst = "${lib.my.kelder.start.vpn.v4}2";
-                      dstPort = "ssh";
-                    }
                  ];
                };
                extraRules =
@@ -433,7 +434,7 @@ in
                    chain forward {
                      iifname { wan, $ixps } oifname base jump filter-routing
                      oifname $ixps jump ixp
-                      oifname as211024 accept
+                      oifname { as211024, kelder } accept
                    }
                    chain output {
                      oifname ifog ether type != vlan reject
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -214,6 +214,8 @@ in
            valheim IN A ${assignments.internal.ipv4.address}
            valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}

+            andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
+
            $TTL 3
            _acme-challenge IN LUA TXT @@FILE@@

--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
@@ -172,14 +172,6 @@ in
                  dnsProvider = "cloudflare";
                  credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
                };
-
-                "${lib.my.kelder.domain}" = {
-                  extraDomainNames = [
-                    "*.${lib.my.kelder.domain}"
-                  ];
-                  dnsProvider = "cloudflare";
-                  credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
-                };
              };
            };
          };
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -45,8 +45,6 @@ let
    };
    "/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
  };
-
-  kelderUpstream = "http://${lib.my.kelder.start.vpn.v4}2:80";
 in
 {
  my = {
@@ -370,39 +368,6 @@ in
        };
        useACMEHost = lib.my.pubDomain;
      };
-
-      "torrents.${lib.my.kelder.domain}" = {
-        locations."/".proxyPass = kelderUpstream;
-        useACMEHost = lib.my.kelder.domain;
-      };
-      "jackett.${lib.my.kelder.domain}" = {
-        locations."/".proxyPass = kelderUpstream;
-        useACMEHost = lib.my.kelder.domain;
-      };
-      "radarr.${lib.my.kelder.domain}" = {
-        locations."/" = {
-          proxyPass = kelderUpstream;
-          proxyWebsockets = true;
-          extraConfig = lib.my.nginx.proxyHeaders;
-        };
-        useACMEHost = lib.my.kelder.domain;
-      };
-      "sonarr.${lib.my.kelder.domain}" = {
-        locations."/" = {
-          proxyPass = kelderUpstream;
-          proxyWebsockets = true;
-          extraConfig = lib.my.nginx.proxyHeaders;
-        };
-        useACMEHost = lib.my.kelder.domain;
-      };
-      "media.${lib.my.kelder.domain}" = {
-        locations."/" = {
-          proxyPass = kelderUpstream;
-          proxyWebsockets = true;
-          extraConfig = lib.my.nginx.proxyHeaders;
-        };
-        useACMEHost = lib.my.kelder.domain;
-      };
    };

    minio =
--- a/nixos/boxes/kelder/containers/acquisition/default.nix
+++ b/nixos/boxes/kelder/containers/acquisition/default.nix
@@ -1,4 +1,9 @@
-{ lib, ... }: {
+{ lib, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.kelder) domain prefixes;
+in
+{
  nixos.systems.kelder-acquisition = {
    system = "x86_64-linux";
    nixpkgs = "mine";
@@ -6,8 +11,8 @@
    assignments = {
      internal = {
        name = "acquisition-ctr";
-        domain = lib.my.kelder.domain;
-        ipv4.address = "${lib.my.kelder.start.ctrs.v4}2";
+        inherit domain;
+        ipv4.address = net.cidr.host 2 prefixes.ctrs.v4;
      };
    };

--- a/nixos/boxes/kelder/default.nix
+++ b/nixos/boxes/kelder/default.nix
@@ -1,4 +1,9 @@
-{ lib, ... }: {
+{ lib, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.kelder) domain prefixes;
+in
+{
  imports = [ ./containers ];

  nixos.systems.kelder = {
@@ -7,11 +12,18 @@
    home-manager = "mine";

    assignments = {
+      estuary = {
+        ipv4 ={
+          address = net.cidr.host 0 lib.my.colony.prefixes.vip2;
+          mask = 32;
+          gateway = null;
+        };
+      };
      ctrs = {
        name = "kelder-ctrs";
-        domain = lib.my.kelder.domain;
+        inherit domain;
        ipv4 = {
-          address = "${lib.my.kelder.start.ctrs.v4}1";
+          address = net.cidr.host 1 prefixes.ctrs.v4;
          gateway = null;
        };
      };
@@ -153,10 +165,12 @@
                ];
                "95-estuary" = {
                  matchConfig.Name = "estuary";
-                  address = [ "${lib.my.kelder.start.vpn.v4}2/30" ];
+                  address = with assignments.estuary; [
+                    (with ipv4; "${address}/${toString mask}")
+                  ];
                  routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
                    {
-                      From = "${lib.my.kelder.start.vpn.v4}2";
+                      From = assignments.estuary.ipv4.address;
                      Table = vpnTable;
                      Priority = 100;
                    }
--- a/nixos/boxes/kelder/nginx.nix
+++ b/nixos/boxes/kelder/nginx.nix
@@ -1,6 +1,7 @@
 { lib, pkgs, config, allAssignments, ... }:
 let
-  inherit (lib) mkMerge mkIf;
+  inherit (builtins) mapAttrs;
+  inherit (lib) mkMerge mkIf mkDefault;
 in
 {
  config = {
@@ -10,6 +11,15 @@ in
          owner = "nginx";
          group = "nginx";
        };
+        "dhparams.pem" = {
+          owner = "acme";
+          group = "acme";
+          mode = "440";
+        };
+        "kelder/cloudflare-credentials.conf" = {
+          owner = "acme";
+          group = "acme";
+        };
      };

      firewall = {
@@ -17,6 +27,31 @@ in
      };
    };

+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "dev@nul.ie";
+        server = "https://acme-v02.api.letsencrypt.org/directory";
+        reloadServices = [ "nginx" ];
+        dnsResolver = "8.8.8.8";
+      };
+      certs = {
+        "${lib.my.kelder.domain}" = {
+          extraDomainNames = [
+            "*.${lib.my.kelder.domain}"
+          ];
+          dnsProvider = "cloudflare";
+          credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
+        };
+      };
+    };
+
+    users = {
+      users = {
+        nginx.extraGroups = [ "acme" ];
+      };
+    };
+
    services = {
      nginx = {
        enable = true;
@@ -25,6 +60,7 @@ in
        recommendedTlsSettings = true;
        clientMaxBodySize = "0";
        serverTokens = true;
+        sslDhparam = config.age.secrets."dhparams.pem".path;

        # Based on recommended*Settings, but probably better to be explicit about these
        appendHttpConfig = ''
@@ -79,58 +115,61 @@ in
            c
          ];
          acquisition = "http://${allAssignments.kelder-acquisition.internal.ipv4.address}";
+          hosts = {
+            "_" = {
+              default = true;
+              forceSSL = true;
+              onlySSL = false;
+              locations = {
+                "/".root = "${pkgs.nginx}/html";
+              };
+            };
+
+            "media.${lib.my.kelder.domain}" = {
+              locations = {
+                "/".proxyPass = "${acquisition}:8096";
+                "= /".return = "302 $scheme://$host/web/";
+                "= /web/".proxyPass = "${acquisition}:8096/web/index.html";
+                "/socket" = {
+                  proxyPass = "${acquisition}:8096/socket";
+                  proxyWebsockets = true;
+                  extraConfig = lib.my.nginx.proxyHeaders;
+                };
+              };
+            };
+            "torrents.${lib.my.kelder.domain}" = withAuth {
+              locations."/".proxyPass = "${acquisition}:9091";
+            };
+            "jackett.${lib.my.kelder.domain}" = withAuth {
+              locations."/".proxyPass = "${acquisition}:9117";
+            };
+            "radarr.${lib.my.kelder.domain}" = withAuth {
+              locations."/" = {
+                proxyPass = "${acquisition}:7878";
+                proxyWebsockets = true;
+                extraConfig = lib.my.nginx.proxyHeaders;
+              };
+            };
+            "sonarr.${lib.my.kelder.domain}" = withAuth {
+              locations."/" = {
+                proxyPass = "${acquisition}:8989";
+                proxyWebsockets = true;
+                extraConfig = lib.my.nginx.proxyHeaders;
+              };
+            };
+          };
+
+          defaultsFor = mapAttrs (n: _: {
+            onlySSL = mkDefault true;
+            useACMEHost = mkDefault "${config.networking.domain}";
+            kTLS = mkDefault true;
+            http2 = mkDefault true;
+          });
        in
-        {
-          "_" = {
-            default = true;
-            locations = {
-              "= /".root = "${pkgs.nginx}/html";
-
-              "~ /media/?".return = "302 $scheme://$host/web/";
-              "= /web/".proxyPass = "${acquisition}:8096/web/index.html";
-              "/socket" = {
-                proxyPass = "${acquisition}:8096/socket";
-                proxyWebsockets = true;
-                extraConfig = lib.my.nginx.proxyHeaders;
-              };
-
-              "/".proxyPass = "${acquisition}:8096";
-            };
-          };
-
-          "media.${lib.my.kelder.domain}" = {
-            locations = {
-              "/".proxyPass = "${acquisition}:8096";
-              "= /".return = "302 $scheme://$host/web/";
-              "= /web/".proxyPass = "${acquisition}:8096/web/index.html";
-              "/socket" = {
-                proxyPass = "${acquisition}:8096/socket";
-                proxyWebsockets = true;
-                extraConfig = lib.my.nginx.proxyHeaders;
-              };
-            };
-          };
-          "torrents.${lib.my.kelder.domain}" = withAuth {
-            locations."/".proxyPass = "${acquisition}:9091";
-          };
-          "jackett.${lib.my.kelder.domain}" = withAuth {
-            locations."/".proxyPass = "${acquisition}:9117";
-          };
-          "radarr.${lib.my.kelder.domain}" = withAuth {
-            locations."/" = {
-              proxyPass = "${acquisition}:7878";
-              proxyWebsockets = true;
-              extraConfig = lib.my.nginx.proxyHeaders;
-            };
-          };
-          "sonarr.${lib.my.kelder.domain}" = withAuth {
-            locations."/" = {
-              proxyPass = "${acquisition}:8989";
-              proxyWebsockets = true;
-              extraConfig = lib.my.nginx.proxyHeaders;
-            };
-          };
-        };
+        mkMerge [
+          hosts
+          (defaultsFor hosts)
+        ];
      };
    };
  };