From c7fdb70cc06c7502f4da8c446bb1d6b9b2fa5143 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sat, 9 Dec 2023 16:30:06 +0000
Subject: [PATCH] nixos/git: Fix for local access to git.nul.ie
---
 nixos/boxes/colony/vms/git/default.nix | 1 +
 nixos/boxes/colony/vms/git/gitea.nix | 12 ++++++++++++
 nixos/modules/firewall.nix | 3 +++
 secrets/gitea/actions-runner.env.age | 20 ++++++++++----------
 4 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/nixos/boxes/colony/vms/git/default.nix b/nixos/boxes/colony/vms/git/default.nix
index 2f789fc..d0781ea 100644
--- a/nixos/boxes/colony/vms/git/default.nix
+++ b/nixos/boxes/colony/vms/git/default.nix
@@ -1,6 +1,7 @@
 { lib, ... }:
 let
 inherit (lib.my) net;
+ inherit (lib.my.c) pubDomain;
 inherit (lib.my.c.colony) domain prefixes;
 in
 {
diff --git a/nixos/boxes/colony/vms/git/gitea.nix b/nixos/boxes/colony/vms/git/gitea.nix
index 6830d9e..f60b787 100644
--- a/nixos/boxes/colony/vms/git/gitea.nix
+++ b/nixos/boxes/colony/vms/git/gitea.nix
@@ -12,6 +12,10 @@ in
 };
 };
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.route_localnet" = 1;
+ };
+
 users = {
 users.git = {
 description = "Gitea Service";
@@ -23,6 +27,8 @@ in
 groups.git = {};
 };
+ networking.hosts."127.0.0.1" = [ "git.nul.ie" ];
+
 systemd = {
 services = {
 gitea.preStart =
@@ -136,6 +142,12 @@ in
 ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
 ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
 }
+ chain output {
+ ip daddr 127.0.0.1 tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
+ }
+ chain postrouting {
+ ip saddr 127.0.0.1 snat to ${assignments.internal.ipv4.address}
+ }
 }
 '';
 };
diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix
index fff40fe..30ee703 100644
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
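Review bot: `pubDomain` is inherited into default.nix's `let` but nothing in this hunk references it, while the gitea.nix hunk at `@@ -23,6 +27,8 @@` spells the same host out as the literal `"git.nul.ie"` in `networking.hosts."127.0.0.1"`. If `lib.my.c.pubDomain` is the domain that name is built from, deriving the hosts entry from it — `networking.hosts."127.0.0.1" = [ "git.${pubDomain}" ];`, with the inherit placed in the file that actually uses it — keeps the two from drifting; if it is not used elsewhere in default.nix the new inherit is dead and should go. The attribute set opened after `in` continues outside the hunk.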
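Review bot: `"net.ipv4.conf.all.route_localnet" = 1` relaxes the kernel's 127.0.0.0/8 martian check on every interface of this VM, not only where the loopback-to-middleman NAT in the later hunk needs it, so a packet addressed to 127.x arriving on a non-loopback interface is no longer discarded by routing and the input filter has to reject it instead. Prefer the per-interface key for the interface the SNATed traffic leaves on, `"net.ipv4.conf.<egress-iface>.route_localnet" = 1;` (placeholder name), or pair the sysctl with an input rule that drops `ip daddr 127.0.0.0/8` on non-loopback interfaces. The option also needs a why-comment next to it, e.g. `# Allow locally generated 127.0.0.1 traffic to be NATed out to middleman instead of dropped as martian` — presumably that is why it was added, worth confirming.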
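Review bot: The new `chain output` rule DNATs every locally generated connection to `127.0.0.1` on ports 80/443, not only those intended for git.nul.ie, so anything on this VM that binds 127.0.0.1:80 or :443 becomes unreachable from the VM itself, and the `chain postrouting` rule rewrites the source of every packet with saddr 127.0.0.1 leaving the host rather than just the translated flows. Limiting the SNAT to connections the DNAT created, `ip saddr 127.0.0.1 ct status dnat snat to ${assignments.internal.ipv4.address}`, keeps it off unrelated loopback-sourced traffic, and a comment on the output rule should say it depends on the `networking.hosts` entry from the earlier hunk and is IPv4-only by design. The nftables ruleset string these chains sit in begins before the hunk.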
@@ -131,6 +131,9 @@ in
 chain prerouting {
 type nat hook prerouting priority dstnat;
 }
+ chain output {
+ type nat hook output priority dstnat;
+ }
 chain postrouting {
 type nat hook postrouting priority srcnat;
 }
diff --git a/secrets/gitea/actions-runner.env.age b/secrets/gitea/actions-runner.env.age
index 6f127da..12b3e99 100644
--- a/secrets/gitea/actions-runner.env.age
+++ b/secrets/gitea/actions-runner.env.age
@@ -1,12 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBobGg0
-Sk1uMGtHZ1FLK3ZJYlhBQTNlOUo1YXQ0L0FqN00vVEtxT2NYVm5VCkV1bUZXdGZn
-bXh6TnMwN3p6Rm5WRWxpTkoyeGx1NFB3bTBwdGcrT0JWMzgKLT4gWDI1NTE5IER4
-S1FsK2JhK243QkJWSkFweWVOZTQzZnR1YlZjVGw1Uk1jMmdNVks1SEkKMU50cjha
-c1U0MVVZNmMvYitZYWorQ0R1VXhibWZvYzR6TUFTclVrREJ6MAotPiBPQ11RLWdy
-ZWFzZSBkPFlEeiFFfCBMImhVR0poUiBjL1MjP0kKTkJWWngvankzc3ByREJaYUhM
-emZ1akNSSmJIcjB1d2RoTE90bDZld0YwelN5STlaSTBwQjV2Q0sKLS0tIHRHK0V4
-UkgrQ21PSFVpWms0THdmOVRlK09zV3Y4ZnFTd2JvbnZaSWk2ZjgKYWufQ+yFOWWJ
-mXe4hvy3X6iAdBW52dJVpu//ql2tBMKS05hcYo4uSa1QjURMANeinStojEQPnMRc
-Ci5WovrSssqjOYYoVgx/41DL5BPSBw==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyA2dlpB
+M3RNNmF6TG9SSmM1Y0E3ZVdGczEyMENsTnFjc0t2K2ZnbEZIdlFrClJrN3d1eXhi
+aU1iNnJoY08yNTd0S1BHeGpUQWhMdTlqdDdjbzA1QVY3dGMKLT4gWDI1NTE5IGw3
+R1FTRXZHdkVtSk9NN09iR0VjYjd0ZGlmVi9MTkpuYmo0eDFGTFJIbGcKYzlmRDNY
+VjRhZjhaeTZ1cEhJQTJURlRCUkdWNTNyYlNHcU1SbGNTcnpXQQotPiBPMlNGYy1n
+cmVhc2UgMyBHaWN+bntrXSA0cltsNQpXZzZqSVJmcG9raFhTWXp0Wm9STWgzR0lG
+NHc0dGQzK2g5eWRQb2dEcytSL1ZRUWxRL3lIbjFYSzUvWQotLS0gQW1qd25CS0U2
+bk5uSlcxMjBrZURseWZJWkZLakxxYVFodnBENmQxLzRyQQpBFLUiRAvyFsgZuDsQ
+4/trVbfLtZbl6CdSlGqsgL7QCpS45Wy7iKcI6Lyvoi8EsZdlytGJ3JsPpi8KjqUO
+2r2IpbL3LjerjiAEchqnVRAA
 -----END AGE ENCRYPTED FILE-----