CoreDNS, dedicated git.gmem.ca route for NAS
parent
89e425c201
commit
e1e7b401fc
|
@ -27,6 +27,30 @@
|
|||
};
|
||||
|
||||
services = {
|
||||
coredns = {
|
||||
enable = true;
|
||||
config =
|
||||
''
|
||||
.:53 {
|
||||
cache
|
||||
bind tailscale0
|
||||
}
|
||||
git.gmem.ca {
|
||||
cache
|
||||
bind tailscale0
|
||||
template IN A {
|
||||
answer "{{ .Name }} 0 IN A 100.116.48.47"
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
pipewire = {
|
||||
enable = true;
|
||||
alsa.enable = true;
|
||||
alsa.support32Bit = true;
|
||||
pulse.enable = true;
|
||||
jack.enable = true;
|
||||
};
|
||||
zfs.autoScrub.enable = true;
|
||||
tailscale.enable = true;
|
||||
openssh.enable = true;
|
||||
|
@ -104,28 +128,24 @@
|
|||
recommendedBrotliSettings = true;
|
||||
recommendedZstdSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
||||
recommendedTlsSettings = true;
|
||||
# We can only proxy one port with Tailscale Funnel so we abuse locations instead.
|
||||
virtualHosts."vancouver.gmem.ca" = {
|
||||
default = true;
|
||||
enableACME = false;
|
||||
forceSSL = false;
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
acmeRoot = null;
|
||||
locations."/" = {
|
||||
root = "/var/www/";
|
||||
extraConfig = ''
|
||||
error_page 404 /404.html;
|
||||
'';
|
||||
};
|
||||
locations."/git/" = {
|
||||
proxyWebsockets = false; # needed if you need to use WebSocket
|
||||
locations."/git" = {
|
||||
extraConfig =
|
||||
''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
return 301 $scheme://git.gmem.ca;
|
||||
'';
|
||||
proxyPass = "http://127.0.0.1:8973/";
|
||||
};
|
||||
locations."/n8n/" = {
|
||||
proxyPass = "http://127.0.0.1:5678/";
|
||||
|
@ -136,6 +156,21 @@
|
|||
'';
|
||||
};
|
||||
};
|
||||
virtualHosts."git.gmem.ca" = {
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
acmeRoot = null;
|
||||
locations."/" = {
|
||||
extraConfig =
|
||||
''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
'';
|
||||
proxyPass = "http://127.0.0.1:8973/";
|
||||
};
|
||||
};
|
||||
};
|
||||
gitea = {
|
||||
enable = true;
|
||||
|
@ -143,7 +178,7 @@
|
|||
package = pkgs.forgejo;
|
||||
settings = {
|
||||
server = {
|
||||
ROOT_URL = "https://vancouver.scorpion-ghost.ts.net/git/";
|
||||
ROOT_URL = "https://git.gmem.ca/";
|
||||
HTTP_PORT = 8973;
|
||||
};
|
||||
service = {
|
||||
|
@ -159,6 +194,7 @@
|
|||
};
|
||||
};
|
||||
gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
instances = {
|
||||
vancouver = {
|
||||
name = "vancouver";
|
||||
|
@ -167,8 +203,7 @@
|
|||
"debian-latest:docker://node:18-bullseye"
|
||||
"nix:docker://nixos/nix"
|
||||
];
|
||||
url = "https://vancouver.scorpion-ghost.ts.net/git";
|
||||
token = "";
|
||||
url = "https://git.gmem.ca/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -182,7 +217,9 @@
|
|||
firewall = {
|
||||
trustedInterfaces = ["tailscale0"];
|
||||
checkReversePath = "loose";
|
||||
enable = false;
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 22 53 80 443 ];
|
||||
allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
nftables.enable = true;
|
||||
};
|
||||
|
@ -197,6 +234,8 @@
|
|||
screen
|
||||
nix-output-monitor
|
||||
cifs-utils
|
||||
cloudflared
|
||||
bat
|
||||
# atuin
|
||||
];
|
||||
|
||||
|
@ -233,9 +272,13 @@
|
|||
isNormalUser = true;
|
||||
home = "/Primary/becki";
|
||||
};
|
||||
root.openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
|
||||
];
|
||||
root.openssh.authorizedKeys.keys = let
|
||||
authorizedKeys = pkgs.fetchurl {
|
||||
url = "https://gmem.ca/ssh";
|
||||
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
|
||||
};
|
||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
||||
authorizedKeys);
|
||||
};
|
||||
|
||||
home-manager.users.gsimmer = { pkgs, ... }: {
|
||||
|
@ -251,22 +294,25 @@
|
|||
virtualisation = {
|
||||
docker = {
|
||||
enable = true;
|
||||
rootless = {
|
||||
enable = true;
|
||||
setSocketVariable = true;
|
||||
};
|
||||
};
|
||||
libvirtd.enable = true;
|
||||
};
|
||||
|
||||
sound.enable = true;
|
||||
security.rtkit.enable = true;
|
||||
services.pipewire = {
|
||||
enable = true;
|
||||
alsa.enable = true;
|
||||
alsa.support32Bit = true;
|
||||
pulse.enable = true;
|
||||
jack.enable = true;
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "acme@gmem.ca";
|
||||
security.acme.certs."git.gmem.ca" = {
|
||||
domain = "git.gmem.ca";
|
||||
dnsProvider = "route53";
|
||||
credentialsFile = "/var/lib/secrets/credentials";
|
||||
};
|
||||
security.acme.certs."vancouver.gmem.ca" = {
|
||||
domain = "vancouver.gmem.ca";
|
||||
dnsProvider = "route53";
|
||||
credentialsFile = "/var/lib/secrets/credentials";
|
||||
};
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
}
|
||||
|
|
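Review bot: In the firewall hunk (`@ -182,7 +217,9 @@`) port 53 is opened on every interface (`allowedTCPPorts = [ 22 53 80 443 ];`, `allowedUDPPorts = [ 53 ];`) even though the only DNS listener this commit adds is CoreDNS with `bind tailscale0`, and `tailscale0` is already in `trustedInterfaces`, so the tailnet can reach it without any port rule. As written the rule grants nothing the tailnet needs today but would expose any future resolver bound to a non-tailscale address, so the least-privilege form is `allowedTCPPorts = [ 22 80 443 ];` with the `allowedUDPPorts` line dropped, assuming the tailnet is the only intended DNS client (if a public resolver is planned, a comment saying so would be worth adding). Enabling the firewall at all is clearly an improvement over the removed `enable = false;`, so this is only about narrowing the new rule. The enclosing attribute set that `firewall = {` belongs to starts outside the hunk.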