diff --git a/config/hosts/public-reverse-proxy/configuration.nix b/config/hosts/public-reverse-proxy/configuration.nix
new file mode 100644
index 0000000..31aa8e8
--- /dev/null
+++ b/config/hosts/public-reverse-proxy/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "public-reverse-proxy";
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/public-reverse-proxy/default.nix b/config/hosts/public-reverse-proxy/default.nix
new file mode 100644
index 0000000..20dd895
--- /dev/null
+++ b/config/hosts/public-reverse-proxy/default.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix
new file mode 100644
index 0000000..b9f5ac6
--- /dev/null
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@@ -0,0 +1,66 @@
+# Sources for this configuration:
+# - https://nixos.wiki/wiki/Nginx
+# - https://nixos.org/manual/nixos/stable/#sec-firewall
+# - https://git.grzb.de/yuri/nix-infra/-/tree/3896d34f4f7f3b5dd5cbd270a14b56b102ef3a2a/hosts/web-public-2
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx.streamConfig = ''
+ map $ssl_preread_server_name $address {
+ status.ccchh.net 10.31.206.15:8443;
+ }
+
+ # Listen on port 443 as a reverse proxy and use PROXY Protocol for the
+ # upstreams.
+ server {
+ listen 0.0.0.0:443;
+ proxy_pass $address;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+ '';
+
+ services.nginx.appendHttpConfig = ''
+ map $host $upstream_acme_challenge_host {
+ club-assistant.ccchh.net 10.31.208.10;
+ netbox.ccchh.net 10.31.208.29;
+ light.ccchh.net 10.31.208.23;
+ thinkcccore0.ccchh.net 10.31.242.3;
+ thinkcccore1.ccchh.net 10.31.242.4;
+ thinkcccore2.ccchh.net 10.31.242.5;
+ thinkcccore3.ccchh.net 10.31.242.6;
+ zigbee2mqtt.ccchh.net 10.31.208.25:31820;
+ esphome.ccchh.net 10.31.208.24:31820;
+ proxmox-backup-server.ccchh.net 10.31.208.28;
+ status.ccchh.net 10.31.206.15:31820;
+ default "";
+ }
+ '';
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."well-known_acme-challenge" = {
+ default = true;
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+
+ locations."/.well-known/acme-challenge/" = {
+ proxyPass = "http://$upstream_acme_challenge_host";
+ };
+
+ # Better safe than sorry.
+ # Don't do a permanent redirect to avoid acme challenge pain.
+ locations."/" = {
+ return = "307 https://$host$request_uri";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+}
diff --git a/flake.nix b/flake.nix
index c2b93b2..284037b 100644
--- a/flake.nix
+++ b/flake.nix
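Review bot: `networking.firewall.allowedUDPPorts = [ 443 ];` opens UDP/443 on an internet-facing host while the stream block only declares a TCP listener (`listen 0.0.0.0:443;`), so the rule exposes a port nothing serves; drop it, or add the matching UDP listener if HTTP/3 passthrough is the intent. The `$ssl_preread_server_name` map has no `default`, so a connection with an unknown or absent SNI leaves `$address` empty and nginx drops it — that is fail-closed, but an explicit `default` entry (or a comment stating the intent) would make the policy visible rather than implicit, and it is worth confirming that only `status.ccchh.net` is meant to pass through on 443 when the port-80 vhost redirects every other name there too. The ACME vhost has the same shape: with `default ""` the target becomes `http://`, which nginx rejects as an invalid upstream (a 500 rather than a clean 404); consider `if ($upstream_acme_challenge_host = "") { return 404; }` in that location's `extraConfig` ahead of `proxyPass`. Because `proxy_protocol on;` sends PROXY headers to the upstreams, each upstream should accept PROXY protocol only from this host's address (`set_real_ip_from`/allowlist on the upstream side), otherwise a client reaching an upstream directly could spoof its source address — that cannot be verified from this hunk.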
@@ -48,6 +48,20 @@
 ./config/hosts/audio
 ];
 };
+
+ public-reverse-proxy = {
+ deployment = {
+ targetHost = "public-reverse-proxy.z9.ccchh.net";
+ targetPort = 22;
+ targetUser = "colmena-deploy";
+ tags = [ "thinkcccluster" ];
+ };
+ imports = [
+ ./config/common
+ ./config/proxmox-vm
+ ./config/hosts/public-reverse-proxy
+ ];
+ };
 };
 
 packages.x86_64-linux = {