nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos: frp -> cloudflared

Browse source
This commit is contained in:
Guanran Wang 2024-06-21 15:18:05 +08:00
parent cd9a65a649
commit 55be394c9c
5 changed files with 101 additions and 126 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
hosts/blacksteel/Caddyfile Normal file
View file

@ -0,0 +1,62 @@
(default) {
encode zstd gzip
header {
# https://observatory.mozilla.org/analyze/ny4.dev
# https://infosec.mozilla.org/guidelines/web_security
# https://caddyserver.com/docs/caddyfile/directives/header#examples
?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
?Permissions-Policy interest-Hpcohort=()
?Strict-Transport-Security max-age=31536000;
?X-Content-Type-Options nosniff
?X-Frame-Options DENY
}
handle_path /robots.txt {
file_server * {
root /var/www/robots/robots.txt
}
}
}
http://mastodon.ny4.dev:80 {
import default
handle_path /system/* {
root /var/lib/mastodon/public-system
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
header_up X-Forwarded-Proto "https"
}
}
route * {
file_server * {
root @mastodon@/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket {
header_up X-Forwarded-Proto "https"
}
}
handle_errors {
root * @mastodon@/public
rewrite 500.html
file_server
}
}
http://matrix.ny4.dev:80 {
import default
reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
reverse_proxy /health unix//run/matrix-synapse/synapse.sock
}
http://syncv3.ny4.dev:80 {
import default
reverse_proxy unix//run/matrix-sliding-sync/sync.sock
}

91
hosts/blacksteel/default.nix
View file

@ -42,8 +42,9 @@
"mastodon/environment" = {
restartUnits = ["mastodon-web.service"];
};
"frp/environment" = {
restartUnits = ["frp.service"];
"cloudflared/secret" = {
restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
};
};
};
@ -56,70 +57,42 @@
openFirewall = true;
};
services.frp = {
services.cloudflared = {
enable = true;
role = "client";
settings = {
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
serverPort = 7000;
auth.method = "token";
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
proxies = [
{
name = "synapse";
type = "tcp";
remotePort = 8600;
plugin = {
type = "unix_domain_socket";
unixPath = "/run/matrix-synapse/synapse.sock";
};
}
{
name = "syncv3";
type = "tcp";
remotePort = 8700;
plugin = {
type = "unix_domain_socket";
unixPath = "/run/matrix-sliding-sync/sync.sock";
};
}
{
name = "mastodon-web";
type = "tcp";
remotePort = 8900;
plugin = {
type = "unix_domain_socket";
unixPath = "/run/mastodon-web/web.socket";
};
}
{
name = "mastodon-streaming";
type = "tcp";
remotePort = 9000;
plugin = {
type = "unix_domain_socket";
unixPath = "/run/mastodon-streaming/streaming-1.socket";
};
}
{
name = "mastodon-system";
type = "tcp";
remotePort = 9100;
plugin = {
# FIXME:
type = "static_file";
localPath = "/var/lib/mastodon/public-system";
};
}
];
tunnels = {
"6222a3e0-98da-4325-be19-0f86a7318a41" = {
credentialsFile = config.sops.secrets."cloudflared/secret".path;
default = "http_status:404";
ingress = {
# TODO: is this safe?
# browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon
# ^ no tls in this part?
"mastodon.ny4.dev" = "http://localhost:80";
"matrix.ny4.dev" = "http://localhost:80";
"syncv3.ny4.dev" = "http://localhost:80";
};
};
};
};
systemd.services.frp.serviceConfig = {
EnvironmentFile = [config.sops.secrets."frp/environment".path];
services.caddy = {
enable = true;
configFile = pkgs.substituteAll {
src = ./Caddyfile;
inherit (pkgs) mastodon;
};
};
systemd.services.caddy.serviceConfig = {
SupplementaryGroups = ["mastodon" "matrix-synapse"];
};
systemd.tmpfiles.settings = {
"10-www" = {
"/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
};
};
services.postgresql = {
enable = true;
settings = {

6
hosts/blacksteel/secrets.yaml
View file

@ -7,6 +7,8 @@ mastodon:
environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
frp:
environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
cloudflared:
secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str]
sops:
kms: []
gcp_kms: []
@ -31,8 +33,8 @@ sops:
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-20T14:23:30Z"
mac: ENC[AES256_GCM,data:cgDwV6lXR+eTOFcfytKDc2cCs+w/PGDS3fASoKw5VQ95StbmvVNt0go4yAt1D86LXa5p1ReW8dVaciDovuhCFd/jZ+zJpA7sNwKBNrlye7sURW6zDiVM7ITyslPd31bSeIL5/qtiwyT+1tdnthSTjtJPrnPu9NfsRrkUsITT7WA=,iv:ComILTHFTb8lHooVemIg+Nx9ZDWr6SyweZTtmsjWALQ=,tag:7Bj38htDNkoHZdVDMgEiBA==,type:str]
lastmodified: "2024-06-21T06:02:58Z"
mac: ENC[AES256_GCM,data:PbD0uslwMgh75Ih3QnuBqq7O+wzQhHJCnWSlYWUpC3aK0Ki4LnKK/7F2eiN/PFjFMC4KX5hTqn424tfswzmMIvRd30zUn8xgTj25f6AJQwJP5fNbYqnvivQ+nOtcqYIr0dDHNATywZoNL1Mq4oFiIIO6hgCM/oGkoaxvjER5Wtg=,iv:uDmETlO6R0DAuZLZXAfbtK4cyOeLsnf0XkprSTBlSuQ=,tag:uba5xaHsf3o9IyREabCS9g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

48
hosts/lightsail-tokyo/Caddyfile
View file

@ -6,7 +6,9 @@
}
}
(header) {
(default) {
encode zstd gzip
header {
# https://observatory.mozilla.org/analyze/ny4.dev
# https://infosec.mozilla.org/guidelines/web_security
@ -18,13 +20,7 @@
?X-Content-Type-Options nosniff
?X-Frame-Options DENY
}
}
(compression) {
encode zstd gzip
}
(robots) {
handle_path /robots.txt {
file_server * {
root /var/www/robots/robots.txt
@ -32,12 +28,6 @@
}
}
(default) {
import header
import compression
import robots
}
www.ny4.dev {
import default
redir https://ny4.dev
@ -91,13 +81,6 @@ pixiv.ny4.dev {
reverse_proxy unix//run/pixivfe/pixiv.sock
}
matrix.ny4.dev {
import default
reverse_proxy /_matrix/* localhost:8600
reverse_proxy /_synapse/client/* localhost:8600
reverse_proxy /health localhost:8600
}
syncv3.ny4.dev {
import default
reverse_proxy localhost:8700
@ -114,31 +97,6 @@ element.ny4.dev {
file_server
}
mastodon.ny4.dev {
import default
handle_path /system/* {
reverse_proxy localhost:9100
}
handle /api/v1/streaming/* {
reverse_proxy localhost:9000
}
route * {
file_server * {
root @mastodon@/public
pass_thru
}
reverse_proxy * localhost:8900
}
handle_errors {
root * @mastodon@/public
rewrite 500.html
file_server
}
}
git.ny4.dev {
import default
reverse_proxy unix//run/forgejo/forgejo.sock

20
hosts/lightsail-tokyo/default.nix
View file

@ -39,9 +39,6 @@
"searx/environment" = {
restartUnits = ["searx.service"];
};
"frp/environment" = {
restartUnits = ["frp.service"];
};
};
templates = {
@ -69,9 +66,6 @@
# caddy
80
443
# frp
7000
];
systemd.tmpfiles.settings = {
@ -118,20 +112,6 @@
];
};
services.frp = {
enable = true;
role = "server";
settings = {
bindPort = 7000;
auth.method = "token";
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
};
};
systemd.services.frp.serviceConfig = {
EnvironmentFile = [config.sops.secrets."frp/environment".path];
};
# `journalctl -u murmur.service | grep Password`
services.murmur = {
enable = true;