diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
index 324e43b2..8a37f27e 100644
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
@@ -51,36 +51,38 @@
 
 };
 
- sops.secrets."cloudflare/api_key" = {
- owner = "haproxy";
- sopsFile = ../../../secrets/cloudflare.yaml;
- };
+# sops.secrets."cloudflare/api_key" = {
+# owner = "haproxy";
+# sopsFile = ../../../secrets/cloudflare.yaml;
+# };
+#
+# sops.secrets."cloudflare/email" = {
+# owner = "haproxy";
+# sopsFile = ../../../secrets/cloudflare.yaml;
+# };
 
- sops.secrets."cloudflare/email" = {
- owner = "haproxy";
- sopsFile = ../../../secrets/cloudflare.yaml;
- };
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- group = "haproxy";
- extraLegoFlags = [ "--pem" ];
- reloadServices = [ "haproxy" ];
- email = "albert@sysctl.io";
- dnsProvider = "cloudflare";
- credentialFiles = {
- CLOUDFLARE_API_KEY_FILE = "/var/run/secrets/cloudflare/api_key";
- CLOUDFLARE_EMAIL_FILE = "/var/run/secrets/cloudflare/email";
- };
- };
- certs = {
- "sysctl.io" = {
- directory = "/haproxy/";
- enableDebugLogs = true;
- };
- };
- };
+# security.acme = {
+# acceptTerms = true;
+# defaults = {
+# group = "haproxy";
+# extraLegoFlags = [ "--pem" ];
+# dnsPropagationCheck = false;
+# email = "albert@sysctl.io";
+# };
+# certs."sysctl.io" = {
+# directory = "/haproxy/";
+# dnsProvider = "cloudflare";
+# dnsResolver = "1.1.1.1:53";
+# enableDebugLogs = true;
+# credentialFiles = {
+# "CF_DNS_API_TOKEN_FILE" = "/var/run/secrets/cloudflare/api_key";
+# "CLOUDFLARE_EMAIL_FILE" = "/var/run/secrets/cloudflare/email";
+# };
+# domain = "sysctl.io";
+# extraDomainNames = [ "*.sysctl.io" ];
+# reloadServices = [ "haproxy" ];
+# };
+# };
 
 services.haproxy = {
 enable = true;
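Review bot: The commented-out `security.acme` block pairs `CF_DNS_API_TOKEN_FILE` with the sops path `/var/run/secrets/cloudflare/api_key`, so the secret's name says Global API Key while the variable lego reads says scoped DNS token; if this block is ever re-enabled, renaming the sops key (for example `cloudflare/api_token`) together with the two `sops.secrets` entries would make the expected credential type unambiguous and make it harder to drop an account-wide key into a slot meant for a least-privilege token. Commented-out Nix is never evaluated and rots silently; if the ACME path is meant to return, keeping it behind a local option with `lib.mkIf` keeps it type-checked, otherwise deleting it and relying on git history is cleaner. The new version also sets `dnsPropagationCheck = false`, which skips lego's check that the TXT record is visible before the order is submitted; a `# why` comment would help if that is intentional. The enclosing attribute set begins before this hunk.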
@@ -95,16 +97,26 @@
 frontend http
 mode http
 bind :80
- bind :443 ssl crt /haproxy
 option forwardfor
 default_backend backend_http
-
+ backend backend_http
+ mode http
+ server framework-server 10.100.0.2
+
+ frontend https
+ mode tcp
+ bind :443
+ default_backend backend_tcp
+
 frontend tcp
 mode tcp
- bind :42420
- bind :25565
- bind :443
- default_backend backend_tcp
+ bind :42420
+ bind :25565
+ bind :4443
+ default_backend backend_tcp
+ backend backend_tcp
+ mode tcp
+ server framework-server 10.100.0.2
 
 frontend mail
 mode tcp
@@ -114,26 +126,10 @@
 bind :587
 bind :993
 bind :4190
- option forwardfor
 default_backend backend_mail
-
 backend backend_mail
 mode tcp
- option forwarded
- option forwardfor if-none
 server mailserver-wg 10.100.1.3
-
- backend backend_tcp
- mode tcp
- option forwarded
- option forwardfor if-none
- server framework-server 10.100.0.2
-
- backend backend_http
- mode http
- option forwarded
- option forwardfor if-none
- server framework-server 10.100.0.2
 '';
 };
 }
diff --git a/secrets/cloudflare.yaml b/secrets/cloudflare.yaml
index 95ea9022..70ac1ad2 100644
--- a/secrets/cloudflare.yaml
+++ b/secrets/cloudflare.yaml
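Review bot: With `bind :443 ssl crt /haproxy` removed and the new `frontend https` passing :443 through in `mode tcp` to `backend_tcp`, HAProxy no longer terminates TLS, so `option forwardfor` (now only in `frontend http`) cannot apply to HTTPS and the upstream at 10.100.0.2 will see HAProxy's address as the client unless it is handed the PROXY protocol; if the upstream's TLS listener supports it, `server framework-server 10.100.0.2 send-proxy-v2` on `backend_tcp` preserves client IPs, and if it does not, a comment stating that client IPs are intentionally not forwarded on :443 would save the next reader the question. Because `backend_tcp` is shared by `frontend https` (:443) and `frontend tcp` (:42420, :25565, :4443), adding `send-proxy-v2` affects all four listeners, so either every upstream service on those ports must understand it or the backend should be split. The server lines carry no port, so HAProxy forwards to the port the client connected to, which is presumably why :443 has its own frontend instead of staying in `frontend tcp`; a one-line `# :443 is passed through untouched; TLS terminates on framework-server` would make that explicit. The `services.haproxy.config` string this hunk edits starts before the hunk.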
@@ -1,14 +1,14 @@
 cloudflare:
 email: ENC[AES256_GCM,data:ycl75o3oi/zF6czNBfKzIg==,iv:MWUwoMU4XfHX9rilJlRGuPbISvhwtMAfku/0ZAckTSo=,tag:nekhk1dNOKeuYg87/ulDKA==,type:str]
- api_key: ENC[AES256_GCM,data:DEPN2A7lQy74PIUdS1IBcQrO/hk77rApSjL6ET4NRizkpI2r,iv:xVwDzr1zJpt7UlfQZ87m+sY8VjDe/t/1hr41pMq9osg=,tag:2nzfNdeOU6Wx7tGIdMEZWQ==,type:str]
+ api_key: ENC[AES256_GCM,data:RYAd4zSbbSXF4jDgzmvVFRc0GKkUu+F5+kKzZ1YEUrzRmcoZEuaSxg==,iv:BJRuy1bp8cC7dCXHq4VVBz7Tp860RmldUj7NnDE8PR8=,tag:3PeRGmfOs6oya5zGiHWPhA==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-08-05T12:54:12Z"
- mac: ENC[AES256_GCM,data:okgSNCxIjjO1Et52EVeaCz7Ep+QqEcwvTsyTmZEW1gedc7bQSCYra+E5RqS/xlVw6//+N5VJx0kSBYG79KVwMWC9tnm9FSwQwFBb8MvCjEdH2Dgxf9VXYd53P8SdLA8hQoFfREJekIbTiZoVGG6mk4Yl++ufECG/zl1IE6/eeVg=,iv:IiGI8uRJA/H8uIBd2nexg4R4ORVrtAvFIkKEMBB2/bQ=,tag:13Fgq4FSOim3V9l72XzjHA==,type:str]
+ lastmodified: "2024-08-06T01:41:28Z"
+ mac: ENC[AES256_GCM,data:ALVUwaZ1+9Rg6z3003z+Cb2OeZagyNJohs7h/7Bhjgu5Rz6O44RjQ2S6UOezI5FcNXGaGbDRL83Vv192g0KfG0Ec3wwhcfBeNFUxQvIwH3F+RUWxqA5JDDk4+KMrW09fxy4koOgr1xO6z0uMYlIpJK/Jyu8t8mjoJLFI5lXdgzc=,iv:KCiyksgkG5loPEKPbmr0TMQ6pFpuGOeRzlRqu+mAFLI=,tag:oKgTNCpa3It2UIDeYxMXNA==,type:str]
 pgp:
 - created_at: "2024-08-05T12:38:54Z"
 enc: |-
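Review bot: Only `cloudflare.api_key` is re-encrypted here, and after the firewall.nix change in this commit nothing consumes it — the `sops.secrets."cloudflare/api_key"` declaration is commented out — so the value is stored but never provisioned on the host. If the previous credential was replaced because it is being retired (the ciphertext length changed, which suggests a different-length plaintext), it should also be revoked at the provider, since the earlier ciphertext remains in git history and is protected only by the PGP recipient listed under `pgp:`. A short comment in the commit or next to the key naming what kind of credential it now holds would help the next person who re-enables the ACME config.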