nixos/git: Fix for local access to git.nul.ie

2023-12-09 16:30:06 +00:00
parent 56704821b8
commit c7fdb70cc0
4 changed files with 26 additions and 10 deletions
--- a/nixos/boxes/colony/vms/git/default.nix
+++ b/nixos/boxes/colony/vms/git/default.nix
@@ -1,6 +1,7 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
+  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.colony) domain prefixes;
 in
 {
--- a/nixos/boxes/colony/vms/git/gitea.nix
+++ b/nixos/boxes/colony/vms/git/gitea.nix
@@ -12,6 +12,10 @@ in
      };
    };

+    boot.kernel.sysctl = {
+      "net.ipv4.conf.all.route_localnet" = 1;
+    };
+
    users = {
      users.git = {
        description = "Gitea Service";
@@ -23,6 +27,8 @@ in
      groups.git = {};
    };

+    networking.hosts."127.0.0.1" = [ "git.nul.ie" ];
+
    systemd = {
      services = {
        gitea.preStart =
@@ -136,6 +142,12 @@ in
            ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
            ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
          }
+          chain output {
+            ip daddr 127.0.0.1 tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
+          }
+          chain postrouting {
+            ip saddr 127.0.0.1 snat to ${assignments.internal.ipv4.address}
+          }
        }
      '';
    };
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@@ -131,6 +131,9 @@ in
                chain prerouting {
                  type nat hook prerouting priority dstnat;
                }
+                chain output {
+                  type nat hook output priority dstnat;
+                }
                chain postrouting {
                  type nat hook postrouting priority srcnat;
                }
--- a/secrets/gitea/actions-runner.env.age
+++ b/secrets/gitea/actions-runner.env.age
@@ -1,12 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBobGg0
-Sk1uMGtHZ1FLK3ZJYlhBQTNlOUo1YXQ0L0FqN00vVEtxT2NYVm5VCkV1bUZXdGZn
-bXh6TnMwN3p6Rm5WRWxpTkoyeGx1NFB3bTBwdGcrT0JWMzgKLT4gWDI1NTE5IER4
-S1FsK2JhK243QkJWSkFweWVOZTQzZnR1YlZjVGw1Uk1jMmdNVks1SEkKMU50cjha
-c1U0MVVZNmMvYitZYWorQ0R1VXhibWZvYzR6TUFTclVrREJ6MAotPiBPQ11RLWdy
-ZWFzZSBkPFlEeiFFfCBMImhVR0poUiBjL1MjP0kKTkJWWngvankzc3ByREJaYUhM
-emZ1akNSSmJIcjB1d2RoTE90bDZld0YwelN5STlaSTBwQjV2Q0sKLS0tIHRHK0V4
-UkgrQ21PSFVpWms0THdmOVRlK09zV3Y4ZnFTd2JvbnZaSWk2ZjgKYWufQ+yFOWWJ
-mXe4hvy3X6iAdBW52dJVpu//ql2tBMKS05hcYo4uSa1QjURMANeinStojEQPnMRc
-Ci5WovrSssqjOYYoVgx/41DL5BPSBw==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyA2dlpB
+M3RNNmF6TG9SSmM1Y0E3ZVdGczEyMENsTnFjc0t2K2ZnbEZIdlFrClJrN3d1eXhi
+aU1iNnJoY08yNTd0S1BHeGpUQWhMdTlqdDdjbzA1QVY3dGMKLT4gWDI1NTE5IGw3
+R1FTRXZHdkVtSk9NN09iR0VjYjd0ZGlmVi9MTkpuYmo0eDFGTFJIbGcKYzlmRDNY
+VjRhZjhaeTZ1cEhJQTJURlRCUkdWNTNyYlNHcU1SbGNTcnpXQQotPiBPMlNGYy1n
+cmVhc2UgMyBHaWN+bntrXSA0cltsNQpXZzZqSVJmcG9raFhTWXp0Wm9STWgzR0lG
+NHc0dGQzK2g5eWRQb2dEcytSL1ZRUWxRL3lIbjFYSzUvWQotLS0gQW1qd25CS0U2
+bk5uSlcxMjBrZURseWZJWkZLakxxYVFodnBENmQxLzRyQQpBFLUiRAvyFsgZuDsQ
+4/trVbfLtZbl6CdSlGqsgL7QCpS45Wy7iKcI6Lyvoi8EsZdlytGJ3JsPpi8KjqUO
+2r2IpbL3LjerjiAEchqnVRAA
 -----END AGE ENCRYPTED FILE-----