bvm-netbox: add livetaild.lukegb.dev

This commit is contained in:
Luke Granger-Brown 2023-05-14 15:04:26 +01:00
parent d728fe86cf
commit a12f2a8b07

View file

@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: Apache-2.0
{ config, depot, pkgs, ... }:
{ config, lib, depot, pkgs, ... }:
let
inherit (depot.ops) secrets;
@ -146,6 +146,7 @@ in {
defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
my.ip.tailscale = "100.81.27.52";
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6251:1b34";
@ -219,7 +220,59 @@ in {
proxyPass = "http://127.0.0.1:8001";
};
};
virtualHosts."livetaild.lukegb.dev" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
locations."/" = {
extraConfig = ''
return 403;
'';
};
locations."/.auth/return" = {
extraConfig = ''
if ($arg_state ~ ^a-) {
return 303 https://a.livetaild.lukegb.dev$request_uri;
}
if ($arg_state ~ ^b-) {
return 303 https://b.livetaild.lukegb.dev$request_uri;
}
if ($arg_state ~ ^localhost-) {
return 303 http://localhost:13371$request_uri;
}
return 403;
'';
};
};
virtualHosts."a.livetaild.lukegb.dev" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
locations."/" = {
proxyPass = "http://10.222.0.2:13371";
};
};
virtualHosts."b.livetaild.lukegb.dev" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/livetaild.lukegb.dev/fullchain.pem";
sslCertificateKey = "/var/lib/acme/livetaild.lukegb.dev/privkey.pem";
sslTrustedCertificate = "/var/lib/acme/livetaild.lukegb.dev/chain.pem";
locations."/" = {
proxyPass = "http://10.222.0.3:13371";
};
};
};
my.vault.acmeCertificates."livetaild.lukegb.dev" = {
hostnames = [
"livetaild.lukegb.dev"
"*.livetaild.lukegb.dev"
];
reloadOrRestartUnits = [ "nginx.service" ];
};
users.groups.acme = {};
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
users.groups.ninovpn = {};
users.users.ninovpn = {
@ -231,5 +284,36 @@ in {
];
};
systemd.network.netdevs."20-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
Address = "10.222.0.1/24";
PrivateKeyFile = "/home/ninovpn/wg-priv";
};
wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
AllowedIPs = ["10.222.0.2/32"];
};
} {
wireguardPeerConfig = {
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
AllowedIPs = ["10.222.0.3/32"];
};
}];
};
systemd.network.networks."20-wg0" = {
matchConfig.Name = "wg0";
linkConfig.RequiredForOnline = "no";
addresses = [{
addressConfig = {
Address = "10.222.0.1/24";
};
}];
};
system.stateVersion = "21.05";
}