This commit is contained in:
albert 2024-08-11 20:43:36 +09:00
parent 92e933d846
commit cf6de9610d
Signed by: albert
GPG key ID: 3895DD267CA11BA9
5 changed files with 17 additions and 46 deletions


@ -1,12 +1,14 @@
{ ... }: {
{ pkgs-unstable, pkgs, ... }: {
# Enable tailscale and open port 22 on it
services.tailscale = {
enable = true;
package = pkgs-unstable.tailscale;
interfaceName = "tailscale0";
extraUpFlags = [
"--login-server=https://headscale.sysctl.io"
"--accept-dns"
"--accept-routes"
"--reset"
];
};
networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
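Review bot: `pkgs` is added to the module's argument set on the new first line but is not referenced anywhere in this hunk; if the rest of the file does not use it either, `{ pkgs-unstable, ... }: {` keeps the set minimal. Taking `package` from `pkgs-unstable` while the `services.tailscale` module itself comes from the stable module set is a deliberate split that deserves a one-line reason next to it, e.g. `# client from unstable: <reason>`, since the hunk does not say why. The attribute set continues past this hunk, so `pkgs` may be used further down.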


@ -2,7 +2,7 @@
services.cron = {
enable = true;
systemCronJobs = [
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
];
};
@ -20,8 +20,8 @@
};
volumes = [
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/frankfurt.sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/frankfurt.sysctl.io.key:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/frankfurt.sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/frankfurt.sysctl.io.key:ro"
];
ports = [
"3478:3478/udp"
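Review bot: The new bind-mount sources `.../external/*.sysctl.io/public.crt` and `.../private.key` contain a literal `*`; container volume specs are handed to the runtime verbatim with no glob expansion, so this only works if the directory on disk is really named `*.sysctl.io` (the previous `*.sysctl.io.crt` file names suggest it is), and if it is not, the runtime creates an empty `*.sysctl.io` directory and the container starts without certificates. A comment such as `# literal directory name, not a glob: the dumper writes the wildcard domain as-is` would stop the next reader from "fixing" it. The same two entries appear in the next two file sections (the milan and sysctl.io variants). In the cron line, `-avr` is redundant because `-a` already implies `-r`, and with `--delete` now enabled a sync from an empty remote directory removes the local certificate files the container depends on, so `--delete-after` or a check of the rsync exit status before touching the live directory is worth considering.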


@ -2,7 +2,7 @@
services.cron = {
enable = true;
systemCronJobs = [
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
];
};
@ -20,8 +20,8 @@
};
volumes = [
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/milan.sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/milan.sysctl.io.key:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/milan.sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/milan.sysctl.io.key:ro"
];
ports = [
"3478:3478/udp"


@ -2,7 +2,7 @@
services.cron = {
enable = true;
systemCronJobs = [
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
];
};
@ -20,8 +20,8 @@
};
volumes = [
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/sysctl.io.key:ro"
];
ports = [
"3478:3478/udp"


@ -50,40 +50,6 @@
};
};
# sops.secrets."cloudflare/api_key" = {
# owner = "haproxy";
# sopsFile = ../../../secrets/cloudflare.yaml;
# };
#
# sops.secrets."cloudflare/email" = {
# owner = "haproxy";
# sopsFile = ../../../secrets/cloudflare.yaml;
# };
# security.acme = {
# acceptTerms = true;
# defaults = {
# group = "haproxy";
# extraLegoFlags = [ "--pem" ];
# dnsPropagationCheck = false;
# email = "albert@sysctl.io";
# };
# certs."sysctl.io" = {
# directory = "/haproxy/";
# dnsProvider = "cloudflare";
# dnsResolver = "1.1.1.1:53";
# enableDebugLogs = true;
# credentialFiles = {
# "CF_DNS_API_TOKEN_FILE" = "/var/run/secrets/cloudflare/api_key";
# "CLOUDFLARE_EMAIL_FILE" = "/var/run/secrets/cloudflare/email";
# };
# domain = "sysctl.io";
# extraDomainNames = [ "*.sysctl.io" ];
# reloadServices = [ "haproxy" ];
# };
# };
services.haproxy = {
enable = true;
config = ''
@ -105,8 +71,11 @@
frontend https
mode tcp
bind :443
default_backend backend_tcp
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
default_backend backend_https
backend backend_http
mode http
server framework-server 10.100.0.2:443 ssl verity required ca-file /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
frontend tcp
mode tcp
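Review bot: `verity` in the new server line (`server framework-server 10.100.0.2:443 ssl verity required ca-file ...`) is not an HAProxy keyword; it should read `ssl verify required ca-file ...`, and as written the configuration check will reject the backend. The new frontend line sets `default_backend backend_https` while the backend added directly below is named `backend_http`; unless `backend_https` is defined elsewhere in the config one of the two names is wrong, and because the frontend keeps `mode tcp` (unchanged context) while the new backend is `mode http`, HAProxy will also refuse to pair them until the modes agree. `ca-file` should point at the CA chain that issued framework-server's certificate rather than at `combined.pem`, which is this host's own certificate plus private key: a leaf-only bundle is unlikely to validate the peer's chain, and a file containing a private key should not double as a trust store. The `config` string continues past this hunk, so `backend_https` and the remaining backends are not visible here.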