feat(homelab): fixing cf tunnels, authentik and tailscale!
This commit is contained in:
@@ -2,6 +2,7 @@
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
}: let
|
||||
inherit (lib) mkOption mkEnableOption mkIf types;
|
||||
@@ -16,29 +17,97 @@ in {
|
||||
default = "";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Public domain name to be used to access the server services via Caddy reverse proxy
|
||||
Public domain name to be used to access the server services via Traefik reverse proxy
|
||||
'';
|
||||
};
|
||||
cloudflared = {
|
||||
credentialsFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
example = lib.literalExpression ''
|
||||
pkgs.writeText "cloudflare-credentials.json" '''
|
||||
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
|
||||
'''
|
||||
'';
|
||||
};
|
||||
tunnelId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
example = "00000000-0000-0000-0000-000000000000";
|
||||
};
|
||||
};
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
services.caddy.virtualHosts."${cfg.url}" = {
|
||||
useACMEHost = cfg.url;
|
||||
extraConfig = ''
|
||||
handle_path /.well-known/webfinger {
|
||||
header Content-Type application/jrd+json
|
||||
respond `{
|
||||
"subject": "acct:adam@${cfg.url}",
|
||||
"links": [
|
||||
{
|
||||
"rel": "http://openid.net/specs/connect/1.0/issuer",
|
||||
"href": "https://login.${cfg.url}/realms/cnix"
|
||||
}
|
||||
]
|
||||
}`
|
||||
}
|
||||
|
||||
reverse_proxy http://127.0.0.1:8283
|
||||
'';
|
||||
config = mkIf cfg.enable {
|
||||
age.secrets = {
|
||||
wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age";
|
||||
};
|
||||
|
||||
server = {
|
||||
fail2ban = lib.mkIf config.server.www.enable {
|
||||
jails = {
|
||||
www = {
|
||||
serviceName = "cnst.dev";
|
||||
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
nginx = {
|
||||
enable = true;
|
||||
defaultListen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8283;
|
||||
}
|
||||
];
|
||||
virtualHosts."webfinger" = {
|
||||
forceSSL = false;
|
||||
serverName = cfg.url;
|
||||
root = "/etc/webfinger";
|
||||
locations."= /.well-known/webfinger" = {
|
||||
root = "/etc/webfinger";
|
||||
extraConfig = ''
|
||||
default_type application/jrd+json;
|
||||
try_files /.well-known/webfinger =404;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
cloudflared = {
|
||||
enable = true;
|
||||
tunnels.${cfg.cloudflared.tunnelId} = {
|
||||
credentialsFile = cfg.cloudflared.credentialsFile;
|
||||
default = "http_status:404";
|
||||
ingress."${cfg.url}".service = "http://127.0.0.1:8283";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."webfinger/.well-known/webfinger".text = ''
|
||||
{
|
||||
"subject": "acct:adam@${cfg.url}",
|
||||
"links": [
|
||||
{
|
||||
"rel": "http://openid.net/specs/connect/1.0/issuer",
|
||||
"href": "https://auth.${cfg.url}/application/o/tailscale/"
|
||||
}
|
||||
]
|
||||
}
|
||||
'';
|
||||
|
||||
services.traefik.dynamicConfigOptions.http = {
|
||||
routers.webfinger = {
|
||||
entryPoints = ["websecure"];
|
||||
rule = "Host(`${cfg.url}`) && Path(`/.well-known/webfinger`)";
|
||||
service = "webfinger";
|
||||
tls.certResolver = "letsencrypt";
|
||||
};
|
||||
|
||||
services.webfinger.loadBalancer.servers = [
|
||||
{url = "http://127.0.0.1:8283";}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user