etheroute-lon01: rejiggle pomerium policy
parent
4e20db9fcc
commit
1c550cf508
2 changed files with 21 additions and 15 deletions
|
@ -202,23 +202,28 @@ in {
|
|||
allowed_domains = [ "lukegb.com" ];
|
||||
pass_identity_headers = true;
|
||||
};
|
||||
serviceOnHost = server: hostName: baseConfig // {
|
||||
service = server: hostName: extraConfig: baseConfig // {
|
||||
from = "https://${hostName}";
|
||||
to = "http://${server}";
|
||||
preserve_host_header = true;
|
||||
};
|
||||
hostToServices = {
|
||||
clouvider-fra01 = [
|
||||
"int.lukegb.com"
|
||||
"sonarr.int.lukegb.com"
|
||||
"radarr.int.lukegb.com"
|
||||
"deluge.int.lukegb.com"
|
||||
];
|
||||
"totoro:9090" = [ "prometheus.int.lukegb.com" ];
|
||||
"totoro:9093" = [ "alertmanager.int.lukegb.com" ];
|
||||
};
|
||||
servicesOnHosts = lib.concatLists (lib.mapAttrsToList (hostName: services: map (serviceOnHost hostName) services) hostToServices);
|
||||
in servicesOnHosts ++ [
|
||||
} // extraConfig;
|
||||
secureService = server: hostName: extraConfig: service server hostName ({
|
||||
to = "https://${server}";
|
||||
tls_server_name = hostName;
|
||||
} // extraConfig);
|
||||
in [
|
||||
(service "clouvider-fra01" "int.lukegb.com" {})
|
||||
(service "clouvider-fra01" "sonarr.int.lukegb.com" {})
|
||||
(service "clouvider-fra01" "radarr.int.lukegb.com" {})
|
||||
(service "clouvider-fra01" "deluge.int.lukegb.com" {})
|
||||
(service "totoro:9090" "prometheus.int.lukegb.com" {})
|
||||
(service "totoro:9093" "alertmanager.int.lukegb.com" {})
|
||||
(service "totoro:3000" "grafana.int.lukegb.com" {})
|
||||
(secureService "totoro" "invoices.lukegb.com" {
|
||||
allow_public_unauthenticated_access = true;
|
||||
regex = "^/((third_party|ajax|client_area|pdf)/.*|[a-zA-Z0-9]{8})$";
|
||||
})
|
||||
(secureService "totoro" "invoices.lukegb.com" {})
|
||||
(baseConfig // {
|
||||
from = "https://httpbin.int.lukegb.com";
|
||||
to = "https://verify.pomerium.com";
|
||||
|
@ -245,7 +250,7 @@ in {
|
|||
domain = "*.int.lukegb.com";
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = secrets.cloudflareCredentials;
|
||||
extraDomainNames = ["int.lukegb.com"];
|
||||
extraDomainNames = ["int.lukegb.com" "lukegb.com" "*.lukegb.com"];
|
||||
postRun = ''
|
||||
systemctl restart pomerium
|
||||
'';
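Review bot: In the first hunk the public `invoices.lukegb.com` route is built with `secureService`, so `allow_public_unauthenticated_access = true` is merged on top of `baseConfig` and the route still carries `allowed_domains = [ "lukegb.com" ]` and `pass_identity_headers = true`. Some Pomerium releases appear to reject a route that is both public and allow-listed, so confirm the generated policy validates on the deployed version, or strip the inherited keys with `removeAttrs (secureService "totoro" "invoices.lukegb.com" { … }) [ "allowed_domains" "pass_identity_headers" ]`. The regex also leaves everything under the four path prefixes, plus any eight-character alphanumeric path, outside Pomerium's checks, so a comment such as `# public: the backend must authenticate these paths itself` above it would record that dependency. In the second hunk, `"*.lukegb.com"` widens the certificate well beyond `invoices.lukegb.com`, the only non-`int` host visible in this hunk; listing `"invoices.lukegb.com"` by name would keep the key's scope narrow if no other host is planned.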
|
||||
|
|
|
@ -208,6 +208,7 @@ in {
|
|||
services.grafana = {
|
||||
enable = true;
|
||||
addr = "0.0.0.0";
|
||||
port = 3000;
|
||||
domain = "grafana.int.lukegb.com";
|
||||
rootUrl = "https://grafana.int.lukegb.com/";
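Review bot: With `addr = "0.0.0.0"` Grafana listens on every interface of this host, and the Pomerium route for `grafana.int.lukegb.com` in the other file reaches it over plain `http://totoro:3000`, so the `allowed_domains` check only covers clients that come through the proxy. Nothing in the visible lines restricts who else can connect to port 3000, though a firewall rule may exist outside the hunk. If there is none, binding `addr` to the address the Pomerium host connects to, or limiting the port to that peer in the firewall, keeps the proxy from being bypassed. The `+`/`-` markers are lost on this page, so which of these lines the commit added cannot be told from here, and the `services.grafana` block continues past the hunk.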
|
||||
|
||||
|
|