10 commits
c8c6fb1b5e
...
d0e090bb68
| Author | SHA1 | Date | |
|---|---|---|---|
| d0e090bb68 | |||
| e5e608c580 | |||
| 69717ef92b | |||
| d13f18a189 | |||
| de857dcfbf | |||
| 5680e29cd2 | |||
| 4a91f8a165 | |||
| 52e53ba5b3 | |||
| 218da08936 | |||
| 724d30a092 |
11 changed files with 27 additions and 13 deletions
|
|
@ -21,7 +21,8 @@
|
||||||
services.nginx.virtualHosts."${fqdn}" = {
|
services.nginx.virtualHosts."${fqdn}" = {
|
||||||
useACMEHost = "lava.moe";
|
useACMEHost = "lava.moe";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
|
#locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
|
||||||
|
locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
|
||||||
listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
|
listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
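Review bot: The new `locations."/".proxyPass = "http://10.30.${subnet}.2:9091";` splices `${subnet}` into an IPv4 dotted quad, where it must be a decimal 0–255, whereas the replaced `fd0d:1::${subnet}:2` form accepted any 16-bit hex group; if `subnet` is defined elsewhere with a value outside that range, evaluation will still succeed and nginx will reject the address at activation. A guard where `subnet` is defined, e.g. `assert builtins.match "[0-9]+" subnet != null && lib.toInt subnet <= 255;` (assuming `lib` is in scope), would catch that at evaluation time. The same interpolation appears in the `/_matrix` proxyPass hunk and in the `hostAddress`/`localAddress` lines of the containers hunk. The commented-out `#locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";` left above the new line should either be removed or carry a comment saying why the IPv6 form is kept around. The enclosing virtualHost definition starts before the hunk.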
@ -9,14 +9,15 @@
|
||||||
networking.firewall.allowedUDPPorts = [ 6167 ];
|
networking.firewall.allowedUDPPorts = [ 6167 ];
|
||||||
# TODO: this should be generically set
|
# TODO: this should be generically set
|
||||||
networking.useHostResolvConf = false;
|
networking.useHostResolvConf = false;
|
||||||
networking.nameservers = [ "fd0d:1::2:1" ];
|
networking.nameservers = [ "8.8.8.8" ];
|
||||||
|
|
||||||
services.matrix-continuwuity = {
|
services.matrix-continuwuity = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings.global = {
|
settings.global = {
|
||||||
# TODO: link this with outer container's address
|
# TODO: link this with outer container's address
|
||||||
address = [ "fd0d:1::2:2" ];
|
address = [ "10.30.2.2" ];
|
||||||
server_name = "lava.moe";
|
server_name = "lava.moe";
|
||||||
|
rocksdb_recovery_mode = 2;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
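Review bot: `networking.nameservers = [ "8.8.8.8" ];` sends the container's DNS to an external resolver in cleartext UDP, whereas the replaced `fd0d:1::2:1` looks like the host side of the container link, i.e. presumably the host's unbound, which in this same comparison forwards over DNS-over-TLS and allow-lists `10.0.0.0/8`. If the move to IPv4 is the motivation, the host address introduced in the containers hunk, `10.30.${subnet}.1`, keeps resolution on the host resolver; given `address = [ "10.30.2.2" ];` below, that would be `networking.nameservers = [ "10.30.2.1" ];` here. The added `rocksdb_recovery_mode = 2;` has no comment; if it is a one-off recovery setting rather than the intended steady state, a `# TODO: revert after recovery` line above it would keep it from persisting silently. The enclosing attribute set starts before the hunk.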
@ -22,9 +22,9 @@
|
||||||
useACMEHost = "lava.moe";
|
useACMEHost = "lava.moe";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/".extraConfig = "return 302 'https://lava.moe';";
|
locations."/".extraConfig = "return 302 'https://lava.moe';";
|
||||||
locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
|
locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
|
||||||
locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
|
locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
|
||||||
locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
|
locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."lava.moe" = {
|
services.nginx.virtualHosts."lava.moe" = {
|
||||||
|
|
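Review bot: The three rewritten lines for `/_matrix`, `/_conduwuit` and `/_continuwuity` now repeat the identical upstream `http://10.30.${subnet}.2:6167`, and this commit is itself an example of all three having to change together. Binding the upstream once (a `let upstream = "http://10.30.${subnet}.2:6167"; in` around the virtualHost, or generating the three locations from a list of paths) would prevent the entries from drifting apart on the next address change. This is a point of style only; the behaviour of the new lines is unchanged. The enclosing virtualHost starts before the hunk.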
@ -52,9 +52,8 @@
|
||||||
containers.${name} = {
|
containers.${name} = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress6 = "fd0d:1::${subnet}:1";
|
hostAddress = "10.30.${subnet}.1";
|
||||||
localAddress6 = "fd0d:1::${subnet}:2";
|
localAddress = "10.30.${subnet}.2";
|
||||||
# privateUsers = "pick";
|
|
||||||
nixpkgs = nixpkgs;
|
nixpkgs = nixpkgs;
|
||||||
ephemeral = true;
|
ephemeral = true;
|
||||||
config = { imports = [ ./configuration.nix ]; };
|
config = { imports = [ ./configuration.nix ]; };
|
||||||
|
|
@ -64,7 +63,6 @@
|
||||||
mountPoint = "/persist";
|
mountPoint = "/persist";
|
||||||
isReadOnly = false;
|
isReadOnly = false;
|
||||||
};
|
};
|
||||||
# flake = "path:" + ./.;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -20,6 +20,7 @@
|
||||||
nix-stable
|
nix-stable
|
||||||
packages
|
packages
|
||||||
security
|
security
|
||||||
|
tailscale
|
||||||
|
|
||||||
./filesystem.nix
|
./filesystem.nix
|
||||||
./kernel.nix
|
./kernel.nix
|
||||||
|
|
|
||||||
|
|
@ -19,6 +19,7 @@
|
||||||
nix-stable
|
nix-stable
|
||||||
packages
|
packages
|
||||||
security
|
security
|
||||||
|
tailscale
|
||||||
wireguard
|
wireguard
|
||||||
|
|
||||||
modules.services.banksia
|
modules.services.banksia
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,7 @@
|
||||||
email = "me@lava.moe";
|
email = "me@lava.moe";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
dnsProvider = "cloudflare";
|
dnsProvider = "cloudflare";
|
||||||
credentialsFile = config.age.secrets."acme_dns".path;
|
environmentFile = config.age.secrets."acme_dns".path;
|
||||||
};
|
};
|
||||||
certs."lava.moe" = {
|
certs."lava.moe" = {
|
||||||
extraDomainNames = [
|
extraDomainNames = [
|
||||||
|
|
|
||||||
|
|
@ -27,8 +27,12 @@ in {
|
||||||
forward-addr = [
|
forward-addr = [
|
||||||
"2606:4700:4700::1111@853#cloudflare-dns.com"
|
"2606:4700:4700::1111@853#cloudflare-dns.com"
|
||||||
"2606:4700:4700::1001@853#cloudflare-dns.com"
|
"2606:4700:4700::1001@853#cloudflare-dns.com"
|
||||||
|
"2001:4860:4860::8888@853#dns.google"
|
||||||
|
"2001:4860:4860::8844@853#dns.google"
|
||||||
"1.1.1.1@853#cloudflare-dns.com"
|
"1.1.1.1@853#cloudflare-dns.com"
|
||||||
"1.0.0.1@853#cloudflare-dns.com"
|
"1.0.0.1@853#cloudflare-dns.com"
|
||||||
|
"8.8.8.8@853#dns.google"
|
||||||
|
"8.8.4.4@853#dns.google"
|
||||||
];
|
];
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
|
@ -37,8 +41,10 @@ in {
|
||||||
access-control = [
|
access-control = [
|
||||||
"127.0.0.1/8 allow"
|
"127.0.0.1/8 allow"
|
||||||
"10.0.0.0/8 allow"
|
"10.0.0.0/8 allow"
|
||||||
|
"100.64.0.0/10 allow"
|
||||||
"192.168.100.0/24 allow"
|
"192.168.100.0/24 allow"
|
||||||
"fd0d::/16 allow"
|
"fd0d::/16 allow"
|
||||||
|
"fd7a:115c:a1e0::/48 allow"
|
||||||
"${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
|
"${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
|
||||||
];
|
];
|
||||||
domain-insecure = [ "\"local.lava.moe\"" ];
|
domain-insecure = [ "\"local.lava.moe\"" ];
|
||||||
|
|
|
||||||
|
|
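Review bot: `"100.64.0.0/10 allow"` admits the entire CGNAT block to the resolver, not only this host's tailnet peers; if any interface unbound listens on ever carries a carrier-assigned CGNAT address, the resolver is open to that carrier's other customers. Restricting the listen addresses (unbound's `interface:` setting) to the LAN and tailscale addresses, or narrowing the prefix to the addresses actually assigned in the tailnet, would bound that exposure; at minimum a comment such as `# tailscale: CGNAT range and tailnet IPv6 ULA` above the two new entries would record why these ranges are trusted. `"fd7a:115c:a1e0::/48 allow"` has the same consideration with far less collision risk. The forward-addr hunk above adds a second DoT provider with no comment either; stating that queries may go to either upstream would document the resulting privacy posture. The enclosing settings attribute set starts and ends outside the hunk.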
@ -6,7 +6,7 @@ let
|
||||||
serverIp = gcSecrets.wireguard.gateway;
|
serverIp = gcSecrets.wireguard.gateway;
|
||||||
|
|
||||||
forwarding = {
|
forwarding = {
|
||||||
# "22727" = [ "10.100.0.3" "7777" ];
|
"22727" = [ "10.100.0.3" "7777" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
mapForwards = type:
|
mapForwards = type:
|
||||||
|
|
@ -18,6 +18,8 @@ let
|
||||||
in ''
|
in ''
|
||||||
${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
|
${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
|
||||||
${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
|
${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
|
||||||
|
${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
|
||||||
'') forwarding
|
'') forwarding
|
||||||
);
|
);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
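Review bot: The new `${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT` accepts forwarded UDP to the destination from any inbound interface, while the matching DNAT rule is bound to `-i ${serverInterface}`; it mirrors the existing TCP line, which has the same gap, so adding `-i ${serverInterface}` to both would keep FORWARD acceptance aligned with the DNAT scope. Whether this matters depends on the FORWARD chain policy set outside this hunk, which I cannot see. Uncommenting `"22727" = [ "10.100.0.3" "7777" ];` in the earlier hunk of this file now exposes that service over both TCP and UDP; a comment naming what listens on 10.100.0.3:7777 would make the forward auditable. The `mapForwards` function starts before the hunk.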
@ -9,6 +9,8 @@
|
||||||
vimAlias = true;
|
vimAlias = true;
|
||||||
vimdiffAlias = true;
|
vimdiffAlias = true;
|
||||||
withNodeJs = false;
|
withNodeJs = false;
|
||||||
|
withPython3 = false;
|
||||||
|
withRuby = false;
|
||||||
|
|
||||||
plugins = with pkgs.vimPlugins; [
|
plugins = with pkgs.vimPlugins; [
|
||||||
fzf-vim
|
fzf-vim
|
||||||
|
|
|
||||||
|
|
@ -17,6 +17,8 @@ in {
|
||||||
vimdiffAlias = true;
|
vimdiffAlias = true;
|
||||||
#package = pkgs.neovim-nightly;
|
#package = pkgs.neovim-nightly;
|
||||||
withNodeJs = true;
|
withNodeJs = true;
|
||||||
|
withPython3 = true;
|
||||||
|
withRuby = false;
|
||||||
|
|
||||||
extraPackages = with pkgs; [
|
extraPackages = with pkgs; [
|
||||||
rust-analyzer
|
rust-analyzer
|
||||||
|
|
|
||||||
Binary file not shown.