diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index 8127c54bd6..c6a495f705 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -202,23 +202,28 @@ in {
 allowed_domains = [ "lukegb.com" ];
 pass_identity_headers = true;
 };
- serviceOnHost = server: hostName: baseConfig // {
+ service = server: hostName: extraConfig: baseConfig // {
 from = "https://${hostName}";
 to = "http://${server}";
 preserve_host_header = true;
- };
- hostToServices = {
- clouvider-fra01 = [
- "int.lukegb.com"
- "sonarr.int.lukegb.com"
- "radarr.int.lukegb.com"
- "deluge.int.lukegb.com"
- ];
- "totoro:9090" = [ "prometheus.int.lukegb.com" ];
- "totoro:9093" = [ "alertmanager.int.lukegb.com" ];
- };
- servicesOnHosts = lib.concatLists (lib.mapAttrsToList (hostName: services: map (serviceOnHost hostName) services) hostToServices);
- in servicesOnHosts ++ [
+ } // extraConfig;
+ secureService = server: hostName: extraConfig: service server hostName ({
+ to = "https://${server}";
+ tls_server_name = hostName;
+ } // extraConfig);
+ in [
+ (service "clouvider-fra01" "int.lukegb.com" {})
+ (service "clouvider-fra01" "sonarr.int.lukegb.com" {})
+ (service "clouvider-fra01" "radarr.int.lukegb.com" {})
+ (service "clouvider-fra01" "deluge.int.lukegb.com" {})
+ (service "totoro:9090" "prometheus.int.lukegb.com" {})
+ (service "totoro:9093" "alertmanager.int.lukegb.com" {})
+ (service "totoro:3000" "grafana.int.lukegb.com" {})
+ (secureService "totoro" "invoices.lukegb.com" {
+ allow_public_unauthenticated_access = true;
+ regex = "^/((third_party|ajax|client_area|pdf)/.*|[a-zA-Z0-9]{8})$";
+ })
+ (secureService "totoro" "invoices.lukegb.com" {})
 (baseConfig // {
 from = "https://httpbin.int.lukegb.com";
 to = "https://verify.pomerium.com";
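Review bot: The two `secureService "totoro" "invoices.lukegb.com"` entries at the end of the added list are order-dependent — the `regex`-scoped route with `allow_public_unauthenticated_access = true` only works as a public carve-out because it is listed before the authenticated catch-all (Pomerium takes the first matching route, as far as I recall) — and nothing in the file records that, nor why `third_party/`, `ajax/`, `client_area/`, `pdf/` and bare eight-character alphanumeric paths are the intended unauthenticated surface. Those paths also bypass the `allowed_domains = [ "lukegb.com" ]` restriction inherited from `baseConfig`, so for them the backend on totoro is the only access control and the entropy of the eight-character token is what stands in for authentication. A comment above the first entry would capture both points, e.g. `# Public subset of the invoices app (no login): must stay ordered before the authenticated catch-all route below, since the first matching route wins. Anything outside this regex requires SSO.`. The enclosing `let … in` expression and `baseConfig` begin before the hunk and the route list continues after it.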
@@ -245,7 +250,7 @@ in {
 domain = "*.int.lukegb.com";
 dnsProvider = "cloudflare";
 credentialsFile = secrets.cloudflareCredentials;
- extraDomainNames = ["int.lukegb.com"];
+ extraDomainNames = ["int.lukegb.com" "lukegb.com" "*.lukegb.com"];
 postRun = ''
 systemctl restart pomerium
 '';
diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix
index fe11c3233f..32a7cef957 100644
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@@ -208,6 +208,7 @@ in {
 services.grafana = {
 enable = true;
 addr = "0.0.0.0";
+ port = 3000;
 domain = "grafana.int.lukegb.com";
 rootUrl = "https://grafana.int.lukegb.com/";
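Review bot: The widened `extraDomainNames` line makes the certificate issued on this host valid for the apex `lukegb.com` and the wildcard `*.lukegb.com`, not just the internal names it covered before, so one private key on etheroute-lon01 now vouches for every name under the zone; that is a deliberate widening of what a compromise of this host can impersonate and deserves to be stated next to the line. A comment would tie it to its reason, e.g. `# lukegb.com / *.lukegb.com: needed for the public invoices.lukegb.com route; note this key now covers the whole zone, not only *.int.lukegb.com`. The enclosing certificate definition starts before the hunk.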