diff --git a/nixos/common/services/tailscale.nix b/nixos/common/services/tailscale.nix
index 2603747a..ed37e679 100644
--- a/nixos/common/services/tailscale.nix
+++ b/nixos/common/services/tailscale.nix
@@ -1,12 +1,14 @@
-{ ... }: {
+{ pkgs-unstable, pkgs, ... }: {
 # Enable tailscale and open port 22 on it
 services.tailscale = {
 enable = true;
+ package = pkgs-unstable.tailscale;
 interfaceName = "tailscale0";
 extraUpFlags = [
 "--login-server=https://headscale.sysctl.io"
 "--accept-dns"
 "--accept-routes"
+ "--reset"
 ];
 };
 networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
diff --git a/nixos/hosts/frankfurt-linode-01/containers/derp.nix b/nixos/hosts/frankfurt-linode-01/containers/derp.nix
index ebf965c8..c5b4aafd 100644
--- a/nixos/hosts/frankfurt-linode-01/containers/derp.nix
+++ b/nixos/hosts/frankfurt-linode-01/containers/derp.nix
@@ -2,7 +2,7 @@
 services.cron = {
 enable = true;
 systemCronJobs = [
- ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+ ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
 ];
 };
@@ -20,8 +20,8 @@
 };
 volumes = [
 "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/frankfurt.sysctl.io.crt:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/frankfurt.sysctl.io.key:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/frankfurt.sysctl.io.crt:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/frankfurt.sysctl.io.key:ro"
 ];
 ports = [
 "3478:3478/udp"
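Review bot: The new `"--reset"` in extraUpFlags makes every `tailscale up` the module runs clear any setting not listed here (for example `--advertise-routes`, `--exit-node` or `--ssh` applied by hand on a host), which is probably intended but is not recorded anywhere; extend the header to `# Enable tailscale and open port 22 on it; --reset drops any up-flags not declared here`. Note the NixOS module only passes extraUpFlags from its autoconnect unit, which depends on authKeyFile being set — not visible in this hunk, so confirm these flags are actually applied. `pkgs` is added to the argument list but nothing in the hunk uses it; if the rest of the file does not either, drop it from `{ pkgs-unstable, pkgs, ... }: {`. Taking tailscale from `pkgs-unstable` means tailscaled now follows that input's cadence, so keep that input pinned in the lock rather than floating. The top-level attribute set closes outside the hunk.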
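Review bot: With `--delete` added, the midnight rsync now mirrors removals from framework-server into the directory this container binds `public.crt`/`private.key` from, so an empty or half-written source tree (a renewal that wipes and rewrites, or a stale path after a layout move like the one in this commit) removes the DERP cert on this host at 00:00 and the bind mounts fail on the next container restart. Consider bounding the blast radius with `--max-delete=N` sized to the handful of files that legitimately rotate, or guard the sync on the source still containing `private.key`. The job copies the private key root-to-root with `-a`, so its mode on this host is whatever framework-server has; a comment in the cron line noting that the key must stay owner-only there would help the next maintainer. `services.cron` closes inside the hunk but the enclosing file continues past it.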
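Review bot: The `*.sysctl.io` component in the new bind sources reads like a shell glob, but Docker passes bind-mount sources literally, so this works only because the synced tree really contains a directory named `*.sysctl.io`; say so above the list, e.g. `# "*.sysctl.io" is a literal directory name in the synced tree; Docker does not expand globs in bind sources`. Mounting `private.key` as `:ro` is right, but nothing here pins its mode, so its readability inside the container follows whatever mode rsync preserved from framework-server. The container definition begins before the leading `};` and continues past `ports = [` outside the hunk.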
diff --git a/nixos/hosts/milan-linode-01/containers/derp.nix b/nixos/hosts/milan-linode-01/containers/derp.nix
index 3972ac54..e3a3b4a5 100644
--- a/nixos/hosts/milan-linode-01/containers/derp.nix
+++ b/nixos/hosts/milan-linode-01/containers/derp.nix
@@ -2,7 +2,7 @@
 services.cron = {
 enable = true;
 systemCronJobs = [
- ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+ ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
 ];
 };
@@ -20,8 +20,8 @@
 };
 volumes = [
 "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/milan.sysctl.io.crt:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/milan.sysctl.io.key:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/milan.sysctl.io.crt:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/milan.sysctl.io.key:ro"
 ];
 ports = [
 "3478:3478/udp"
diff --git a/nixos/hosts/osaka-linode-01/containers/derp.nix b/nixos/hosts/osaka-linode-01/containers/derp.nix
index 82ac2bbc..a8d5c5a5 100644
--- a/nixos/hosts/osaka-linode-01/containers/derp.nix
+++ b/nixos/hosts/osaka-linode-01/containers/derp.nix
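Review bot: Adding `--delete` turns this nightly pull into a mirror, so if the source directory on framework-server is empty or mid-rewrite when cron fires, the milan host loses `public.crt`/`private.key` that the container below bind-mounts, and the DERP container will not start again until the next successful sync. A `--max-delete=N` bound sized to the few files that rotate, or a pre-check that the source still has `private.key`, keeps one bad run from becoming an outage. Since `-a` preserves the source mode of the private key, a short comment on the cron line that the key is expected to be owner-only on framework-server would document the assumption this host relies on. `services.cron` closes inside the hunk; the file continues past it.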
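Review bot: `*.sysctl.io` in the new bind sources is a literal directory name, not a wildcard — Docker does not expand globs in bind sources — and that is easy to misread on a quick look; add `# "*.sysctl.io" is a literal directory name in the synced tree; Docker does not expand globs in bind sources` above `volumes = [`. The key is mounted `:ro`, which is the right direction, but its in-container readability is whatever mode rsync carried over from framework-server, since nothing here sets one. The container definition starts before the leading `};` and continues past `ports = [` outside the hunk.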
@@ -2,7 +2,7 @@
 services.cron = {
 enable = true;
 systemCronJobs = [
- ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+ ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
 ];
 };
@@ -20,8 +20,8 @@
 };
 volumes = [
 "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/sysctl.io.crt:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/sysctl.io.key:ro"
 ];
 ports = [
 "3478:3478/udp"
diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
index 8a37f27e..e01d7886 100644
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
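Review bot: On osaka the `--delete` is doubly sensitive, because this same synced directory now also feeds haproxy's `crt` and `ca-file` in firewall.nix, so one empty or partial source tree at 00:00 takes out both the DERP container's bind mounts and the 443 TLS frontend on the next reload. Bound it with `--max-delete=N` for the few files that legitimately rotate, or skip the run when the source no longer contains `private.key`. As `-a` preserves the key's mode from framework-server, note on the cron line that it must be owner-only there so the haproxy and container readers on this host do not inherit a looser mode. `services.cron` closes inside the hunk; the file continues past it.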
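Review bot: The `*.sysctl.io` path element in the new bind sources is a literal directory name — Docker does not glob bind sources — and it is the same literal the haproxy config in this commit relies on, so a one-line note above `volumes = [` such as `# "*.sysctl.io" is a literal directory name in the synced tree; Docker does not expand globs in bind sources` will save someone "fixing" it. The key mount is `:ro`, which is right; its mode inside the container is whatever rsync preserved, since nothing here sets one. The container definition begins before the leading `};` and continues past `ports = [` outside the hunk.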
@@ -50,40 +50,6 @@
 };
 };
-
-# sops.secrets."cloudflare/api_key" = {
-# owner = "haproxy";
-# sopsFile = ../../../secrets/cloudflare.yaml;
-# };
-#
-# sops.secrets."cloudflare/email" = {
-# owner = "haproxy";
-# sopsFile = ../../../secrets/cloudflare.yaml;
-# };
-
-# security.acme = {
-# acceptTerms = true;
-# defaults = {
-# group = "haproxy";
-# extraLegoFlags = [ "--pem" ];
-# dnsPropagationCheck = false;
-# email = "albert@sysctl.io";
-# };
-# certs."sysctl.io" = {
-# directory = "/haproxy/";
-# dnsProvider = "cloudflare";
-# dnsResolver = "1.1.1.1:53";
-# enableDebugLogs = true;
-# credentialFiles = {
-# "CF_DNS_API_TOKEN_FILE" = "/var/run/secrets/cloudflare/api_key";
-# "CLOUDFLARE_EMAIL_FILE" = "/var/run/secrets/cloudflare/email";
-# };
-# domain = "sysctl.io";
-# extraDomainNames = [ "*.sysctl.io" ];
-# reloadServices = [ "haproxy" ];
-# };
-# };
-
 services.haproxy = {
 enable = true;
 config = ''
@@ -105,8 +71,11 @@
 frontend https
 mode tcp
- bind :443
- default_backend backend_tcp
+ bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
+ default_backend backend_https
+ backend backend_http
+ mode http
+ server framework-server 10.100.0.2:443 ssl verity required ca-file /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
 frontend tcp
 mode tcp
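Review bot: The new server line will not load: HAProxy's keyword is `verify required`, not `verity required`, and the frontend's `default_backend backend_https` names a backend that does not exist because the section added is `backend backend_http`; `haproxy -c` should flag both. The frontend stays `mode tcp` while the new backend is `mode http` — depending on the HAProxy version that is rejected as a mode mismatch or silently upgraded at the backend, so make it explicit with `mode http` on `frontend https` now that it terminates TLS via `bind :443 ssl crt …`. For `ca-file`, reference the issuer chain rather than `combined.pem`: that bundle is what `crt` consumes and so presumably carries the private key, and verifying the upstream against this host's own leaf bundle only works while it happens to contain the issuing intermediate and stays in step with framework-server's cert (chain filename not visible here — confirm what the sync tree provides). The haproxy `config` string continues outside the hunk.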