bvm-netbox: add livetaild.lukegb.dev
parent
d728fe86cf
commit
a12f2a8b07
1 changed files with 85 additions and 1 deletions
@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: Apache-2.0
|
{ config, depot, pkgs, ... }:
{ config, lib, depot, pkgs, ... }:
let
inherit (depot.ops) secrets;
|
|
@ -146,6 +146,7 @@ in {
defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
my.ip.tailscale = "100.81.27.52";
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6251:1b34";
|
|
@ -219,7 +220,59 @@ in {
proxyPass = "http://127.0.0.1:8001";
};
};
virtualHosts."livetaild.lukegb.dev" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
locations."/" = {
extraConfig = ''
return 403;
'';
};
locations."/.auth/return" = {
extraConfig = ''
if ($arg_state ~ ^a-) {
return 303 https://a.livetaild.lukegb.dev$request_uri;
}
if ($arg_state ~ ^b-) {
return 303 https://b.livetaild.lukegb.dev$request_uri;
}
if ($arg_state ~ ^localhost-) {
return 303 http://localhost:13371$request_uri;
}
return 403;
'';
};
};
virtualHosts."a.livetaild.lukegb.dev" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
locations."/" = {
proxyPass = "http://10.222.0.2:13371";
};
};
virtualHosts."b.livetaild.lukegb.dev" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
locations."/" = {
proxyPass = "http://10.222.0.3:13371";
};
};
};
my.vault.acmeCertificates."livetaild.lukegb.dev" = {
hostnames = [
"livetaild.lukegb.dev"
"*.livetaild.lukegb.dev"
];
reloadOrRestartUnits = [ "nginx.service" ];
};
users.groups.acme = {};
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
|
users.groups.ninovpn = {};
users.users.ninovpn = {
|
@ -231,5 +284,36 @@ in {
];
};
|
systemd.network.netdevs."20-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
Address = "10.222.0.1/24";
PrivateKeyFile = "/home/ninovpn/wg-priv";
};
wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
AllowedIPs = ["10.222.0.2/32"];
};
} {
wireguardPeerConfig = {
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
AllowedIPs = ["10.222.0.3/32"];
};
}];
};
systemd.network.networks."20-wg0" = {
matchConfig.Name = "wg0";
linkConfig.RequiredForOnline = "no";
addresses = [{
addressConfig = {
Address = "10.222.0.1/24";
};
}];
};
|
system.stateVersion = "21.05";
}
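Review bot: The WireGuard private key for the new `20-wg0` netdev is read from `/home/ninovpn/wg-priv`, which places the tunnel's long-term identity in an interactive user's home where that account (and anything running as it) can read or swap it, and since systemd-networkd must also read the file it ends up shared across the root/ninovpn/systemd-network boundary; if networkd's ProtectHome hardening is in effect on this host it may not be able to open a file under /home at all. This file already has a secrets path (`inherit (depot.ops) secrets;`, `my.vault.acmeCertificates`), so the key belongs in a root-owned, 0640 root:systemd-network location provisioned from there, e.g. `PrivateKeyFile = "/run/keys/wg0.key";`, not under `/home`. Separately, wireguardConfig sets no `ListenPort`, so the kernel picks an arbitrary UDP port whenever wg0 is created, and the firewall in the earlier hunk opens only TCP 80 and 443; unless the two peers always initiate through a path not shown here, the `a.`/`b.` upstreams at 10.222.0.2/.3 will be unreachable, and `ListenPort = 51820;` under wireguardConfig plus `networking.firewall.allowedUDPPorts = [ 51820 ];` would make the endpoint stable and reachable. The `/.auth/return` location also deserves a one-line comment explaining the dispatch, e.g. `# OAuth callback fan-out: the state prefix (a-/b-/localhost-) names the livetaild instance that started the flow; anything else is rejected.`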
|