sid/sid.ovh
1
0
Fork 0
Code Issues 3 Pull requests 2 Projects Releases Packages Wiki Activity Actions

Merge pull request 'use public domain for internal services via intra subdomain' (#14) from develop into master
Some checks failed
Deploy configs / deploy-configs (push) Failing after 33s
Details

Browse source 
Reviewed-on: #14
This commit is contained in:
sid 2026-04-03 15:57:36 +02:00
commit 53ff79e55c
5 changed files with 58 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

10
constants.nix
View file

@ -1,17 +1,15 @@
rec { rec {
domain = "sid.ovh"; domain = "sid.ovh";
intranet = "intra." + domain;
hosts = { hosts = {
sid = { sid = {
ip = "100.64.0.6"; ip = "100.64.0.6";
domain = "sid.tail";
}; };
rx4 = { rx4 = {
ip = "100.64.0.10"; ip = "100.64.0.10";
domain = "rx4.tail";
}; };
vde = { vde = {
ip = "100.64.0.1"; ip = "100.64.0.1";
domain = "vde.tail";
}; };
}; };
services = { services = {
@ -27,7 +25,7 @@ rec {
port = 8085; port = 8085;
}; };
netdata = { netdata = {
fqdn = "netdata.sid.tail"; fqdn = "netdata." + intranet;
port = 19999; port = 19999;
}; };
open-webui-oci = { open-webui-oci = {
@ -43,11 +41,11 @@ rec {
port = 1200; port = 1200;
}; };
vaultwarden = { vaultwarden = {
fqdn = "pw.rx4.tail"; fqdn = "pw." + intranet;
port = 8222; port = 8222;
}; };
webdav = { webdav = {
fqdn = "dav.rx4.tail"; fqdn = "dav." + intranet;
port = 8080; port = 8080;
}; };
}; };

6
hosts/rx4/services/vaultwarden.nix
View file

@ -1,14 +1,12 @@
{ {
constants, constants,
config, config,
lib,
... ...
}: }:
let let
inherit (constants) domain; inherit (constants) domain;
inherit (constants.services.vaultwarden) fqdn port; inherit (constants.services.vaultwarden) fqdn port;
inherit (lib) mkForce;
in in
{ {
services.vaultwarden = { services.vaultwarden = {
@ -17,7 +15,7 @@ in
dbBackend = "postgresql"; dbBackend = "postgresql";
configurePostgres = true; configurePostgres = true;
configureNginx = true; configureNginx = false;
domain = fqdn; domain = fqdn;
environmentFile = [ config.sops.templates."vaultwarden/env-file".path ]; environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
@ -38,8 +36,6 @@ in
}; };
}; };
services.nginx.virtualHosts."${fqdn}".forceSSL = mkForce false; # let Tailnet handle SSL
sops = sops =
let let
owner = config.users.users.vaultwarden.name; owner = config.users.users.vaultwarden.name;

5
hosts/sid/secrets/secrets.yaml
View file

@ -32,6 +32,7 @@ mailserver:
vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str] vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
radicale: radicale:
sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str] sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
hetzner-dns-api-key: ENC[AES256_GCM,data:KQooOZjQMtCSVqMI8yKVEk0xebTEuNs5WsxTDC9kcXdGZIgq8ZIEk5ku94EV95i0ad9y5Zx0ozt7aWcNHiMMfQ==,iv:jssQ7PejT5awmeMowdSIEFKDfLW7PWvsd++lh9/MlXs=,tag:UoNRz9neDzDxDjmGmBNPjA==,type:str]
sops: sops:
age: age:
- recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@ -52,7 +53,7 @@ sops:
RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg== UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-03T11:37:47Z" lastmodified: "2026-04-03T13:35:11Z"
mac: ENC[AES256_GCM,data:5f4/mIJzzvKhZjES4WA0Ds2g642FDS03oSmH4dUi0pnF01aQD75eZ0HI3vcdks6kY+b5xyH5BJ283cgrnIiG2oPjYsIt8ULFnXZql31QQJArirYC35qf5lIiN4gC0ObzC5nSTR4rzrqpWtmf2vrvxDXWftK+JdwPyPjk/4IAu50=,iv:tfHDum7KB+nYQnxfukm+w/BotWW+Itmn11yy6O4V6oE=,tag:0/sFkH9Z2ZP2wzVfJEYFqA==,type:str] mac: ENC[AES256_GCM,data:fUOfIHeXjpDe57Q5sTYFlAefk1JpX2uvwmgpr9Mvl7pH47NBJUnQjC2NH5e89gc08H91ZYD8T4xE2e/E0zBb4rnW6geVpTPfV7NTj/HPOpRZCj/4ikMv/u6cFDODSThTRRRm4rBhFv2jpNR9Ez50OxOxbOGXILEAaQ1yytyVQKs=,iv:5F85fPxdab1KKHN978stzLhFTOH811+qwFZ0mP13Dx0=,tag:euM1ecdQX1d5L9ViZZknQw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.1 version: 3.12.1

39
hosts/sid/services/headscale.nix
View file

@ -1,6 +1,5 @@
{ {
inputs, inputs,
constants,
... ...
}: }:
@ -10,33 +9,6 @@
inputs.synix.nixosModules.headscale inputs.synix.nixosModules.headscale
]; ];
services.resolved.enable = false;
networking.resolvconf.enable = false;
networking.nameservers = [ constants.hosts.sid.ip ];
services.coredns = {
enable = true;
config = with constants; ''
.:53 {
bind ${hosts.sid.ip}
hosts {
${hosts.sid.ip} sid.tail
${hosts.sid.ip} netdata.sid.tail
${hosts.rx4.ip} rx4.tail
${hosts.rx4.ip} dav.rx4.tail
${hosts.rx4.ip} pw.rx4.tail
${hosts.vde.ip} vde.tail
fallthrough
}
forward . 1.1.1.1
cache
log
errors
}
'';
};
services.headplane = { services.headplane = {
enable = true; enable = true;
reverseProxy = { reverseProxy = {
@ -54,16 +26,7 @@
}; };
settings = { settings = {
dns = { dns = {
magic_dns = true; magic_dns = true; # NOTE: should coredns handle everything?
base_domain = "tail";
search_domains = [ "tail" ];
override_local_dns = true;
nameservers = {
global = [ "1.1.1.1" ];
split = {
"tail" = [ constants.hosts.sid.ip ];
};
};
}; };
}; };
}; };

50
hosts/sid/services/nginx.nix
View file

@ -1,6 +1,7 @@
{ {
inputs, inputs,
constants, constants,
config,
lib, lib,
... ...
}: }:
@ -15,6 +16,43 @@ in
inputs.synix.nixosModules.nginx inputs.synix.nixosModules.nginx
]; ];
services.resolved.enable = false;
networking.resolvconf.enable = false;
networking.nameservers = [ constants.hosts.sid.ip ];
services.coredns = {
enable = true;
config = with constants; ''
.:53 {
bind ${hosts.sid.ip}
hosts {
${hosts.rx4.ip} ${services.vaultwarden.fqdn}
${hosts.rx4.ip} ${services.webdav.fqdn}
${hosts.rx4.ip} rx4.tail
${hosts.sid.ip} ${services.netdata.fqdn}
${hosts.sid.ip} sid.tail
${hosts.vde.ip} vde.tail
fallthrough
}
forward . 1.1.1.1
cache
log
errors
}
'';
};
security.acme = {
certs."${constants.intranet}" = {
domain = "*.${constants.intranet}";
webroot = null;
dnsProvider = "hetzner";
credentialsFile = config.sops.secrets.hetzner-dns-api-key.path;
};
};
sops.secrets.hetzner-dns-api-key = { };
services.nginx = { services.nginx = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -35,7 +73,7 @@ in
port = constants.services.miniflux.port; port = constants.services.miniflux.port;
}; };
virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost { virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
ssl = false; inherit ssl;
port = constants.services.netdata.port; port = constants.services.netdata.port;
}; };
virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost { virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
@ -55,6 +93,16 @@ in
address = constants.hosts.rx4.ip; address = constants.hosts.rx4.ip;
port = constants.services.rsshub-oci.port; port = constants.services.rsshub-oci.port;
}; };
virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
inherit ssl;
address = constants.hosts.rx4.ip;
port = constants.services.vaultwarden.port;
};
virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
inherit ssl;
address = constants.hosts.rx4.ip;
port = constants.services.webdav.port;
};
# FIXME # FIXME
# virtualHosts."print.sid.ovh" = { # virtualHosts."print.sid.ovh" = {
# enableACME = true; # enableACME = true;