nixos: frp -> cloudflared
parent
cd9a65a649
commit
55be394c9c
5 changed files with 101 additions and 126 deletions
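--- /dev/null
+++ b/hosts/blacksteel/Caddyfile
@@ -0,0 +1,62 @@
+(default) {
+    encode zstd gzip
+
+    header {
+        # https://observatory.mozilla.org/analyze/ny4.dev
+        # https://infosec.mozilla.org/guidelines/web_security
+        # https://caddyserver.com/docs/caddyfile/directives/header#examples
+
+        ?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+        ?Permissions-Policy interest-Hpcohort=()
+        ?Strict-Transport-Security max-age=31536000;
+        ?X-Content-Type-Options nosniff
+        ?X-Frame-Options DENY
+    }
+
+    handle_path /robots.txt {
+        file_server * {
+            root /var/www/robots/robots.txt
+        }
+    }
+}
+
+http://mastodon.ny4.dev:80 {
+    import default
+    handle_path /system/* {
+        root /var/lib/mastodon/public-system
+    }
+
+    handle /api/v1/streaming/* {
+        reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
+            header_up X-Forwarded-Proto "https"
+        }
+    }
+
+    route * {
+        file_server * {
+            root @mastodon@/public
+            pass_thru
+        }
+        reverse_proxy * unix//run/mastodon-web/web.socket {
+            header_up X-Forwarded-Proto "https"
+        }
+    }
+
+    handle_errors {
+        root * @mastodon@/public
+        rewrite 500.html
+        file_server
+    }
+}
+
+http://matrix.ny4.dev:80 {
+    import default
+    reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
+    reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
+    reverse_proxy /health unix//run/matrix-synapse/synapse.sock
+}
+
+http://syncv3.ny4.dev:80 {
+    import default
+    reverse_proxy unix//run/matrix-sliding-sync/sync.sock
+}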
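Review bot: The `handle_path /system/*` block in the mastodon site sets `root /var/lib/mastodon/public-system` but never names a handler, so requests for uploaded media fall through to Caddy's empty default response instead of being served; add `file_server` after the `root` line (the frp `static_file` proxy it replaces was at least wired to a handler). The three `http://…:80` site blocks are plain-HTTP origins that only cloudflared on the same host should reach, but nothing restricts them to loopback, so a `bind 127.0.0.1` in each site (or a global `default_bind`) keeps them off the host's external interfaces. Because cloudflared connects from 127.0.0.1, Caddy's `reverse_proxy` will present that address as the client to Mastodon and Synapse unless `trusted_proxies` covers the loopback range so the forwarding headers cloudflared sends are honored — worth confirming, since rate limiting and IP bans depend on the real client address. `?Permissions-Policy interest-Hpcohort=()` also looks like a mangled `interest-cohort=()`, although that may be an artifact of how this page was rendered.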
@ -42,8 +42,9 @@
|
|||
"mastodon/environment" = {
|
||||
restartUnits = ["mastodon-web.service"];
|
||||
};
|
||||
"frp/environment" = {
|
||||
restartUnits = ["frp.service"];
|
||||
"cloudflared/secret" = {
|
||||
restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
|
||||
owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -56,70 +57,42 @@
|
|||
openFirewall = true;
|
||||
};
|
||||
|
||||
services.frp = {
|
||||
services.cloudflared = {
|
||||
enable = true;
|
||||
role = "client";
|
||||
settings = {
|
||||
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
|
||||
serverPort = 7000;
|
||||
auth.method = "token";
|
||||
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
|
||||
proxies = [
|
||||
{
|
||||
name = "synapse";
|
||||
type = "tcp";
|
||||
remotePort = 8600;
|
||||
plugin = {
|
||||
type = "unix_domain_socket";
|
||||
unixPath = "/run/matrix-synapse/synapse.sock";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "syncv3";
|
||||
type = "tcp";
|
||||
remotePort = 8700;
|
||||
plugin = {
|
||||
type = "unix_domain_socket";
|
||||
unixPath = "/run/matrix-sliding-sync/sync.sock";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "mastodon-web";
|
||||
type = "tcp";
|
||||
remotePort = 8900;
|
||||
plugin = {
|
||||
type = "unix_domain_socket";
|
||||
unixPath = "/run/mastodon-web/web.socket";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "mastodon-streaming";
|
||||
type = "tcp";
|
||||
remotePort = 9000;
|
||||
plugin = {
|
||||
type = "unix_domain_socket";
|
||||
unixPath = "/run/mastodon-streaming/streaming-1.socket";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "mastodon-system";
|
||||
type = "tcp";
|
||||
remotePort = 9100;
|
||||
plugin = {
|
||||
# FIXME:
|
||||
type = "static_file";
|
||||
localPath = "/var/lib/mastodon/public-system";
|
||||
};
|
||||
}
|
||||
];
|
||||
tunnels = {
|
||||
"6222a3e0-98da-4325-be19-0f86a7318a41" = {
|
||||
credentialsFile = config.sops.secrets."cloudflared/secret".path;
|
||||
default = "http_status:404";
|
||||
ingress = {
|
||||
# TODO: is this safe?
|
||||
# browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon
|
||||
# ^ no tls in this part?
|
||||
"mastodon.ny4.dev" = "http://localhost:80";
|
||||
"matrix.ny4.dev" = "http://localhost:80";
|
||||
"syncv3.ny4.dev" = "http://localhost:80";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.frp.serviceConfig = {
|
||||
EnvironmentFile = [config.sops.secrets."frp/environment".path];
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
configFile = pkgs.substituteAll {
|
||||
src = ./Caddyfile;
|
||||
inherit (pkgs) mastodon;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.caddy.serviceConfig = {
|
||||
SupplementaryGroups = ["mastodon" "matrix-synapse"];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings = {
|
||||
"10-www" = {
|
||||
"/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
|
|
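Review bot: The `# TODO: is this safe?` comment above the ingress rules is left open by the commit; the unencrypted segment it asks about is cloudflared talking to Caddy over `localhost:80` on the same host, so the exposure depends on whether port 80 is reachable from outside this machine, which the hunk does not show (the `openFirewall = true;` at its top appears to belong to a service defined above the hunk). I would resolve it with a comment such as `# plain HTTP here stays on loopback; keep port 80 out of networking.firewall and bind Caddy to 127.0.0.1` and verify both settings. The tunnel UUID is spelled out three times (the `restartUnits` and `owner` lines in the first hunk and the `tunnels` key here); a `let tunnelId = "6222a3e0-98da-4325-be19-0f86a7318a41"; in` binding would keep them from drifting. `inherit (pkgs) mastodon` bakes `pkgs.mastodon` into `@mastodon@`, whereas the running service uses `config.services.mastodon.package`; substituting that instead keeps the `/public` paths in step if the package is ever overridden.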
@ -7,6 +7,8 @@ mastodon:
|
|||
environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
|
||||
frp:
|
||||
environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
|
||||
cloudflared:
|
||||
secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -31,8 +33,8 @@ sops:
|
|||
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
||||
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-20T14:23:30Z"
|
||||
mac: ENC[AES256_GCM,data:cgDwV6lXR+eTOFcfytKDc2cCs+w/PGDS3fASoKw5VQ95StbmvVNt0go4yAt1D86LXa5p1ReW8dVaciDovuhCFd/jZ+zJpA7sNwKBNrlye7sURW6zDiVM7ITyslPd31bSeIL5/qtiwyT+1tdnthSTjtJPrnPu9NfsRrkUsITT7WA=,iv:ComILTHFTb8lHooVemIg+Nx9ZDWr6SyweZTtmsjWALQ=,tag:7Bj38htDNkoHZdVDMgEiBA==,type:str]
|
||||
lastmodified: "2024-06-21T06:02:58Z"
|
||||
mac: ENC[AES256_GCM,data:PbD0uslwMgh75Ih3QnuBqq7O+wzQhHJCnWSlYWUpC3aK0Ki4LnKK/7F2eiN/PFjFMC4KX5hTqn424tfswzmMIvRd30zUn8xgTj25f6AJQwJP5fNbYqnvivQ+nOtcqYIr0dDHNATywZoNL1Mq4oFiIIO6hgCM/oGkoaxvjER5Wtg=,iv:uDmETlO6R0DAuZLZXAfbtK4cyOeLsnf0XkprSTBlSuQ=,tag:uba5xaHsf3o9IyREabCS9g==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
}
|
||||
}
|
||||
|
||||
(header) {
|
||||
(default) {
|
||||
encode zstd gzip
|
||||
|
||||
header {
|
||||
# https://observatory.mozilla.org/analyze/ny4.dev
|
||||
# https://infosec.mozilla.org/guidelines/web_security
|
||||
|
@ -18,13 +20,7 @@
|
|||
?X-Content-Type-Options nosniff
|
||||
?X-Frame-Options DENY
|
||||
}
|
||||
}
|
||||
|
||||
(compression) {
|
||||
encode zstd gzip
|
||||
}
|
||||
|
||||
(robots) {
|
||||
handle_path /robots.txt {
|
||||
file_server * {
|
||||
root /var/www/robots/robots.txt
|
||||
|
@ -32,12 +28,6 @@
|
|||
}
|
||||
}
|
||||
|
||||
(default) {
|
||||
import header
|
||||
import compression
|
||||
import robots
|
||||
}
|
||||
|
||||
www.ny4.dev {
|
||||
import default
|
||||
redir https://ny4.dev
|
||||
|
@ -91,13 +81,6 @@ pixiv.ny4.dev {
|
|||
reverse_proxy unix//run/pixivfe/pixiv.sock
|
||||
}
|
||||
|
||||
matrix.ny4.dev {
|
||||
import default
|
||||
reverse_proxy /_matrix/* localhost:8600
|
||||
reverse_proxy /_synapse/client/* localhost:8600
|
||||
reverse_proxy /health localhost:8600
|
||||
}
|
||||
|
||||
syncv3.ny4.dev {
|
||||
import default
|
||||
reverse_proxy localhost:8700
|
||||
|
@ -114,31 +97,6 @@ element.ny4.dev {
|
|||
file_server
|
||||
}
|
||||
|
||||
mastodon.ny4.dev {
|
||||
import default
|
||||
handle_path /system/* {
|
||||
reverse_proxy localhost:9100
|
||||
}
|
||||
|
||||
handle /api/v1/streaming/* {
|
||||
reverse_proxy localhost:9000
|
||||
}
|
||||
|
||||
route * {
|
||||
file_server * {
|
||||
root @mastodon@/public
|
||||
pass_thru
|
||||
}
|
||||
reverse_proxy * localhost:8900
|
||||
}
|
||||
|
||||
handle_errors {
|
||||
root * @mastodon@/public
|
||||
rewrite 500.html
|
||||
file_server
|
||||
}
|
||||
}
|
||||
|
||||
git.ny4.dev {
|
||||
import default
|
||||
reverse_proxy unix//run/forgejo/forgejo.sock
|
||||
|
|
|
@ -39,9 +39,6 @@
|
|||
"searx/environment" = {
|
||||
restartUnits = ["searx.service"];
|
||||
};
|
||||
"frp/environment" = {
|
||||
restartUnits = ["frp.service"];
|
||||
};
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@ -69,9 +66,6 @@
|
|||
# caddy
|
||||
80
|
||||
443
|
||||
|
||||
# frp
|
||||
7000
|
||||
];
|
||||
|
||||
systemd.tmpfiles.settings = {
|
||||
|
@ -118,20 +112,6 @@
|
|||
];
|
||||
};
|
||||
|
||||
services.frp = {
|
||||
enable = true;
|
||||
role = "server";
|
||||
settings = {
|
||||
bindPort = 7000;
|
||||
auth.method = "token";
|
||||
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.frp.serviceConfig = {
|
||||
EnvironmentFile = [config.sops.secrets."frp/environment".path];
|
||||
};
|
||||
|
||||
# `journalctl -u murmur.service | grep Password`
|
||||
services.murmur = {
|
||||
enable = true;
|
||||
|
|