Migrate NetBox to Chaosknoten and hamburg.ccc.de domain

2023-09-21 19:09:28 +02:00 · 2023-09-21 19:09:28 +02:00 · 01a6d189f2
parent 2e3e8c7031
commit 01a6d189f2
5 changed files with 47 additions and 14 deletions
--- a/config/hosts/netbox/default.nix
+++ b/config/hosts/netbox/default.nix
@ -4,6 +4,7 @@
  imports = [
    ./configuration.nix
    ./netbox.nix
+    ./networking.nix
    ./nginx.nix
  ];
 }
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@ -11,7 +11,7 @@
    enable = true;
    secretKeyFile = "/secrets/netbox-secret-key.secret";
    settings = {
-      ALLOWED_HOSTS = [ "netbox.ccchh.net" "10.31.208.29" ];
+      ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
      SESSION_COOKIE_SECURE = true;
    };
  };
--- a/config/hosts/netbox/networking.nix
+++ b/config/hosts/netbox/networking.nix
@ -0,0 +1,26 @@
+# Networking configuration for the host.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-networking
+# - https://nixos.wiki/wiki/Systemd-networkd
+# - https://wiki.archlinux.org/title/Systemd-networkd
+
+{ config, pkgs, ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.149";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "62:ED:44:20:7C:C1";
+    linkConfig.Name = "net0";
+  };
+}
--- a/config/hosts/netbox/nginx.nix
+++ b/config/hosts/netbox/nginx.nix
@ -12,10 +12,10 @@
    # So nginx can access the Netbox static files.
    user = "netbox";

-    virtualHosts."acme-netbox.ccchh.net" = {
+    virtualHosts."acme-netbox.hamburg.ccc.de" = {
      default = true;
      enableACME = true;
-      serverName = "netbox.ccchh.net";
+      serverName = "netbox.hamburg.ccc.de";

      listen = [
        {
@ -25,20 +25,17 @@
      ];
    };

-    virtualHosts."netbox.ccchh.net" = {
+    virtualHosts."netbox.hamburg.ccc.de" = {
      default = true;
      forceSSL = true;
-      useACMEHost = "netbox.ccchh.net";
+      useACMEHost = "netbox.hamburg.ccc.de";

      listen = [
        {
          addr = "0.0.0.0";
-          port = 80;
-        }
-        {
-          addr = "0.0.0.0";
-          port = 443;
+          port = 8443;
          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
        }
      ];

@ -51,11 +48,20 @@
      };

      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
        client_max_body_size 25m;
      '';
    };
  };

-  networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
 }
--- a/flake.nix
+++ b/flake.nix
@ -65,10 +65,10 @@

      netbox = {
        deployment = {
-          targetHost = "netbox.z9.ccchh.net";
+          targetHost = "netbox-intern.hamburg.ccc.de";
          targetPort = 22;
          targetUser = "colmena-deploy";
-          tags = [ "thinkcccluster" ];
+          tags = [ "chaosknoten" ];
        };
        imports = [ 
          ./config/common