Networking setup for VMs, new hosts for internal apps

2023-08-15 09:14:14 +01:00 · 2023-08-15 09:14:14 +01:00 · 641b329d55
parent d636c4edb7
commit 641b329d55
1 changed files with 64 additions and 3 deletions
--- a/krops/nas/configuration.nix
+++ b/krops/nas/configuration.nix
@ -163,16 +163,55 @@
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
            '';
          proxyPass = "http://127.0.0.1:8973/";
        };
      };
+      virtualHosts."request-media.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
+            '';
+          proxyPass = "http://127.0.0.1:5055/";
+        };
+      };
+      virtualHosts."flood.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
+            '';
+          proxyPass = "http://192.168.50.187:3000/";
+        };
+      };
    };
    gitea = {
      enable = true;
      stateDir = "/Primary/gitea";
      package = pkgs.forgejo;
      settings = {
+        DEFAULT = {
+          APP_NAME = "Arch's Git Forge";
+        };
        server = {
          ROOT_URL = "https://git.gmem.ca/";
          HTTP_PORT = 8973;
@ -211,12 +250,24 @@
    hostName = "vancouver";
    domain = "gmem.ca";
    firewall = {
-      trustedInterfaces = ["tailscale0"];
+      trustedInterfaces = ["tailscale0" "virbr0"];
      checkReversePath = "loose";
      enable = true;
-      allowedTCPPorts = [ 22 53 80 443 ];
+      allowedTCPPorts = [ 22 53 80 443 2049 ];
      allowedUDPPorts = [ 53 41641 ];
    };
+    useDHCP = false;
+    bridges = {
+      "br0" = {
+        interfaces = [ "eno1" ];
+      };
+    };
+    interfaces.br0.ipv4.addresses = [ {
+      address = "192.168.50.229";
+      prefixLength = 24;
+    } ];
+    defaultGateway = "192.168.50.1";
+    nameservers = ["100.100.100.100" "45.90.28.116" "45.90.30.116"];
    nftables.enable = true;
  };
  environment.systemPackages = with pkgs; [
@ -232,7 +283,7 @@
    cifs-utils
    cloudflared
    bat
-    # atuin
+    virtiofsd
  ];

  time.timeZone = "Europe/London";
@ -313,6 +364,16 @@
    dnsProvider = "route53";
    credentialsFile = "/var/lib/secrets/credentials";
  };
+  security.acme.certs."request-media.gmem.ca" = {
+    domain = "request-media.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };
+  security.acme.certs."flood.gmem.ca" = {
+    domain = "flood.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };

  system.stateVersion = "23.05";
 }