bvm-netbox: add livetaild.lukegb.dev
This commit is contained in:
parent
d728fe86cf
commit
a12f2a8b07
1 changed files with 85 additions and 1 deletions
|
@ -2,7 +2,7 @@
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
{ config, depot, pkgs, ... }:
|
{ config, lib, depot, pkgs, ... }:
|
||||||
let
|
let
|
||||||
inherit (depot.ops) secrets;
|
inherit (depot.ops) secrets;
|
||||||
|
|
||||||
|
@ -146,6 +146,7 @@ in {
|
||||||
defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
|
defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
|
||||||
defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
|
defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
|
||||||
};
|
};
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
my.ip.tailscale = "100.81.27.52";
|
my.ip.tailscale = "100.81.27.52";
|
||||||
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6251:1b34";
|
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6251:1b34";
|
||||||
|
|
||||||
|
@ -219,7 +220,59 @@ in {
|
||||||
proxyPass = "http://127.0.0.1:8001";
|
proxyPass = "http://127.0.0.1:8001";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
virtualHosts."livetaild.lukegb.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
|
||||||
|
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
|
||||||
|
locations."/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
return 403;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
locations."/.auth/return" = {
|
||||||
|
extraConfig = ''
|
||||||
|
if ($arg_state ~ ^a-) {
|
||||||
|
return 303 https://a.livetaild.lukegb.dev$request_uri;
|
||||||
|
}
|
||||||
|
if ($arg_state ~ ^b-) {
|
||||||
|
return 303 https://b.livetaild.lukegb.dev$request_uri;
|
||||||
|
}
|
||||||
|
if ($arg_state ~ ^localhost-) {
|
||||||
|
return 303 http://localhost:13371$request_uri;
|
||||||
|
}
|
||||||
|
return 403;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
virtualHosts."a.livetaild.lukegb.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
|
||||||
|
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://10.222.0.2:13371";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
virtualHosts."b.livetaild.lukegb.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
|
||||||
|
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://10.222.0.3:13371";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
my.vault.acmeCertificates."livetaild.lukegb.dev" = {
|
||||||
|
hostnames = [
|
||||||
|
"livetaild.lukegb.dev"
|
||||||
|
"*.livetaild.lukegb.dev"
|
||||||
|
];
|
||||||
|
reloadOrRestartUnits = [ "nginx.service" ];
|
||||||
|
};
|
||||||
|
users.groups.acme = {};
|
||||||
|
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
|
||||||
|
|
||||||
users.groups.ninovpn = {};
|
users.groups.ninovpn = {};
|
||||||
users.users.ninovpn = {
|
users.users.ninovpn = {
|
||||||
|
@ -231,5 +284,36 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.network.netdevs."20-wg0" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Kind = "wireguard";
|
||||||
|
Name = "wg0";
|
||||||
|
};
|
||||||
|
wireguardConfig = {
|
||||||
|
Address = "10.222.0.1/24";
|
||||||
|
PrivateKeyFile = "/home/ninovpn/wg-priv";
|
||||||
|
};
|
||||||
|
wireguardPeers = [{
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
|
||||||
|
AllowedIPs = ["10.222.0.2/32"];
|
||||||
|
};
|
||||||
|
} {
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
|
||||||
|
AllowedIPs = ["10.222.0.3/32"];
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
systemd.network.networks."20-wg0" = {
|
||||||
|
matchConfig.Name = "wg0";
|
||||||
|
linkConfig.RequiredForOnline = "no";
|
||||||
|
addresses = [{
|
||||||
|
addressConfig = {
|
||||||
|
Address = "10.222.0.1/24";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
}
|
}
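Review bot: The WireGuard private key for wg0 is read from `/home/ninovpn/wg-priv` (the `PrivateKeyFile` line in the last hunk), i.e. from the home directory of the `ninovpn` login user this file also configures (its definition is cut by the hunks), so if that user owns the directory they can read the server's tunnel identity or swap it for a key whose peers they control, and systemd-networkd's requirement that the file be readable by the `systemd-network` user but not world-readable is hard to guarantee under a user home. Move it to a root-owned path such as `/var/lib/wireguard/wg0.key` with group `systemd-network` and mode 0640, or provision it through the `secrets` attribute the file already inherits from `depot.ops`, and keep `/home/ninovpn` out of the path. Separately, the netdev sets no `ListenPort` and the firewall hunk only opens TCP 80/443, so if the backends at 10.222.0.2/.3 are meant to dial in (no `Endpoint` is given for them) the handshake port is random per boot and filtered inbound; pin `ListenPort` and add it to `networking.firewall.allowedUDPPorts` if that is the intended direction. The `/.auth/return` branch that sends the browser to `http://localhost:13371` is presumably deliberate plaintext for a client running on the user's own machine; a comment such as `# plaintext is intentional: localhost here is the user's dev client, not this host` would stop a future reader from "fixing" it to https.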
|
||||||
|
|