Migrate NetBox to Chaosknoten and hamburg.ccc.de domain

2023-09-21 19:09:28 +02:00 · 2023-09-21 19:09:28 +02:00 · 01a6d189f2
commit 01a6d189f2
parent 2e3e8c7031
5 changed files with 47 additions and 14 deletions
--- a/config/hosts/netbox/nginx.nix
+++ b/config/hosts/netbox/nginx.nix
@ -12,10 +12,10 @@
    # So nginx can access the Netbox static files.
    user = "netbox";

-    virtualHosts."acme-netbox.ccchh.net" = {
+    virtualHosts."acme-netbox.hamburg.ccc.de" = {
      default = true;
      enableACME = true;
-      serverName = "netbox.ccchh.net";
+      serverName = "netbox.hamburg.ccc.de";

      listen = [
        {
@ -25,20 +25,17 @@
      ];
    };

-    virtualHosts."netbox.ccchh.net" = {
+    virtualHosts."netbox.hamburg.ccc.de" = {
      default = true;
      forceSSL = true;
-      useACMEHost = "netbox.ccchh.net";
+      useACMEHost = "netbox.hamburg.ccc.de";

      listen = [
        {
          addr = "0.0.0.0";
-          port = 80;
-        }
-        {
-          addr = "0.0.0.0";
-          port = 443;
+          port = 8443;
          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
        }
      ];

@ -51,11 +48,20 @@
      };

      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
        client_max_body_size 25m;
      '';
    };
  };

-  networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
 }