From de754b0033d192fedcb2dbffeaab243774ff0b77 Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 15:16:28 +0200
Subject: [PATCH 1/6] use public domain for internal services via intra subdomain
---
constants.nix | 9 +++------
hosts/sid/services/headscale.nix | 18 ++++--------------
hosts/sid/services/nginx.nix | 2 +-
3 files changed, 8 insertions(+), 21 deletions(-)
diff --git a/constants.nix b/constants.nix
index 44b9422..a647979 100644
--- a/constants.nix
+++ b/constants.nix
@@ -3,15 +3,12 @@ rec {
hosts = {
sid = {
ip = "100.64.0.6";
- domain = "sid.tail";
};
rx4 = {
ip = "100.64.0.10";
- domain = "rx4.tail";
};
vde = {
ip = "100.64.0.1";
- domain = "vde.tail";
};
};
services = {
@@ -27,7 +24,7 @@ rec {
port = 8085;
};
netdata = {
- fqdn = "netdata.sid.tail";
+ fqdn = "netdata.intra." + domain;
port = 19999;
};
open-webui-oci = {
@@ -43,11 +40,11 @@ rec {
port = 1200;
};
vaultwarden = {
- fqdn = "pw.rx4.tail";
+ fqdn = "pw.intra." + domain;
port = 8222;
};
webdav = {
- fqdn = "dav.rx4.tail";
+ fqdn = "dav.intra." + domain;
port = 8080;
};
};
diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix
index adb3296..1647e6a 100644
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@@ -21,11 +21,10 @@
.:53 {
bind ${hosts.sid.ip}
hosts {
- ${hosts.sid.ip} sid.tail
- ${hosts.sid.ip} netdata.sid.tail
+ ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
+ ${hosts.rx4.ip} ${services.webdav.fqdn}
${hosts.rx4.ip} rx4.tail
- ${hosts.rx4.ip} dav.rx4.tail
- ${hosts.rx4.ip} pw.rx4.tail
+ ${hosts.sid.ip} sid.tail
${hosts.vde.ip} vde.tail
fallthrough
}
@@ -54,16 +53,7 @@
};
settings = {
dns = {
- magic_dns = true;
- base_domain = "tail";
- search_domains = [ "tail" ];
- override_local_dns = true;
- nameservers = {
- global = [ "1.1.1.1" ];
- split = {
- "tail" = [ constants.hosts.sid.ip ];
- };
- };
+ magic_dns = true; # NOTE: should coredns handle everything?
};
};
};
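Review bot: Removing `override_local_dns`, `nameservers.global` and the `split` entry for `tail` means headscale no longer pushes any resolver to tailnet peers, so the new `*.intra.sid.ovh` names, which exist only in the CoreDNS `hosts` block earlier in this file, stay resolvable from sid itself but, as far as this series shows, from no other peer. The `NOTE` comment flags the question, and the minimal answer is to keep the steering while dropping the `tail` split: `override_local_dns = true;` and `nameservers.global = [ constants.hosts.sid.ip ];`. Publishing the `100.64.0.0/10` addresses in the public `sid.ovh` zone instead would also work but advertises the tailnet layout to anyone who can query DNS. The enclosing `services.headscale` attribute set starts outside the hunk.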
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index d3aaba8..0bc8752 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -35,7 +35,7 @@ in
port = constants.services.miniflux.port;
};
virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
- ssl = false;
+ inherit ssl;
port = constants.services.netdata.port;
};
virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
-- 2.51.2
From 4c166e1c471b34acda0e1c5e07ff1901dac2ae71 Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 15:18:18 +0200
Subject: [PATCH 2/6] vaultwarden: enable ssl
---
hosts/rx4/services/vaultwarden.nix | 4 ----
1 file changed, 4 deletions(-)
diff --git a/hosts/rx4/services/vaultwarden.nix b/hosts/rx4/services/vaultwarden.nix
index 4675f1b..4a5b191 100644
--- a/hosts/rx4/services/vaultwarden.nix
+++ b/hosts/rx4/services/vaultwarden.nix
@@ -1,14 +1,12 @@
{
constants,
config,
- lib,
...
}:

let
inherit (constants) domain;
inherit (constants.services.vaultwarden) fqdn port;
- inherit (lib) mkForce;
in
{
services.vaultwarden = {
@@ -38,8 +36,6 @@ in
};
};

- services.nginx.virtualHosts."${fqdn}".forceSSL = mkForce false; # let Tailnet handle SSL
-
sops =
let
owner = config.users.users.vaultwarden.name;
-- 2.51.2
From 245d853b05a251500eebd76a352b2e43c460a40c Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 15:36:07 +0200
Subject: [PATCH 3/6] add hetzner-dns for intranet challenges
---
constants.nix | 7 ++++---
hosts/sid/secrets/secrets.yaml | 5 +++--
hosts/sid/services/headscale.nix | 27 ------------------------
hosts/sid/services/nginx.nix | 36 ++++++++++++++++++++++++++++++++
4 files changed, 43 insertions(+), 32 deletions(-)
diff --git a/constants.nix b/constants.nix
index a647979..cfa6d05 100644
--- a/constants.nix
+++ b/constants.nix
@@ -1,5 +1,6 @@
rec {
domain = "sid.ovh";
+ intranet = "intra." + domain;
hosts = {
sid = {
ip = "100.64.0.6";
@@ -24,7 +25,7 @@ rec { port = 8085; }; netdata = { - fqdn = "netdata.intra." + domain; + fqdn = "netdata." + intranet; port = 19999; }; open-webui-oci = { @@ -40,11 +41,11 @@ rec { port = 1200; }; vaultwarden = { - fqdn = "pw.intra." + domain; + fqdn = "pw." + intranet; port = 8222; }; webdav = { - fqdn = "dav.intra." + domain; + fqdn = "dav." + intranet; port = 8080; }; }; diff --git a/hosts/sid/secrets/secrets.yaml b/hosts/sid/secrets/secrets.yaml index 5df246e..9612a65 100644 --- a/hosts/sid/secrets/secrets.yaml +++ b/hosts/sid/secrets/secrets.yaml @@ -32,6 +32,7 @@ mailserver: vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str] radicale: sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str] +hetzner-dns-api-key: ENC[AES256_GCM,data:KQooOZjQMtCSVqMI8yKVEk0xebTEuNs5WsxTDC9kcXdGZIgq8ZIEk5ku94EV95i0ad9y5Zx0ozt7aWcNHiMMfQ==,iv:jssQ7PejT5awmeMowdSIEFKDfLW7PWvsd++lh9/MlXs=,tag:UoNRz9neDzDxDjmGmBNPjA==,type:str] sops: age: - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy 
@@ -52,7 +53,7 @@ sops: RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-03T11:37:47Z" - mac: ENC[AES256_GCM,data:5f4/mIJzzvKhZjES4WA0Ds2g642FDS03oSmH4dUi0pnF01aQD75eZ0HI3vcdks6kY+b5xyH5BJ283cgrnIiG2oPjYsIt8ULFnXZql31QQJArirYC35qf5lIiN4gC0ObzC5nSTR4rzrqpWtmf2vrvxDXWftK+JdwPyPjk/4IAu50=,iv:tfHDum7KB+nYQnxfukm+w/BotWW+Itmn11yy6O4V6oE=,tag:0/sFkH9Z2ZP2wzVfJEYFqA==,type:str] + lastmodified: "2026-04-03T13:35:11Z" + mac: ENC[AES256_GCM,data:fUOfIHeXjpDe57Q5sTYFlAefk1JpX2uvwmgpr9Mvl7pH47NBJUnQjC2NH5e89gc08H91ZYD8T4xE2e/E0zBb4rnW6geVpTPfV7NTj/HPOpRZCj/4ikMv/u6cFDODSThTRRRm4rBhFv2jpNR9Ez50OxOxbOGXILEAaQ1yytyVQKs=,iv:5F85fPxdab1KKHN978stzLhFTOH811+qwFZ0mP13Dx0=,tag:euM1ecdQX1d5L9ViZZknQw==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1 diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix index 1647e6a..3faf0b0 100644 --- a/hosts/sid/services/headscale.nix +++ b/hosts/sid/services/headscale.nix @@ -1,6 +1,5 @@ { inputs, - constants, ... }: @@ -10,32 +9,6 @@ inputs.synix.nixosModules.headscale ]; - services.resolved.enable = false; - networking.resolvconf.enable = false; - - networking.nameservers = [ constants.hosts.sid.ip ]; - - services.coredns = { - enable = true; - config = with constants; '' - .:53 { - bind ${hosts.sid.ip} - hosts { - ${hosts.rx4.ip} ${services.vaultwarden.fqdn} - ${hosts.rx4.ip} ${services.webdav.fqdn} - ${hosts.rx4.ip} rx4.tail - ${hosts.sid.ip} sid.tail - ${hosts.vde.ip} vde.tail - fallthrough - } - forward . 1.1.1.1 - cache - log - errors - } - ''; - }; - services.headplane = { enable = true; reverseProxy = { diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix index 0bc8752..98fb554 100644 --- a/hosts/sid/services/nginx.nix +++ b/hosts/sid/services/nginx.nix @@ -1,6 +1,7 @@ { inputs, constants, + config, lib, ... }: 
@@ -15,6 +16,41 @@ in
inputs.synix.nixosModules.nginx
];

+ services.resolved.enable = false;
+ networking.resolvconf.enable = false;
+
+ networking.nameservers = [ constants.hosts.sid.ip ];
+
+ services.coredns = {
+ enable = true;
+ config = with constants; ''
+ .:53 {
+ bind ${hosts.sid.ip}
+ hosts {
+ ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
+ ${hosts.rx4.ip} ${services.webdav.fqdn}
+ ${hosts.rx4.ip} rx4.tail
+ ${hosts.sid.ip} sid.tail
+ ${hosts.vde.ip} vde.tail
+ fallthrough
+ }
+ forward . 1.1.1.1
+ cache
+ log
+ errors
+ }
+ '';
+ };
+
+ security.acme = {
+ certs."${constants.intranet}" = {
+ domain = "*.${constants.intranet}";
+ dnsProvider = "hetzner";
+ credentialsFile = config.sops.secrets.hetzner-dns-api-key.path;
+ };
+ };
+ sops.secrets.hetzner-dns-api-key = { };
+
services.nginx = {
enable = true;
openFirewall = true;
-- 2.51.2
From f26b7b12dc7028c00a88ed2b21e24fd3108d7484 Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 15:42:45 +0200
Subject: [PATCH 4/6] intranet: add reverse proxies to sid
---
hosts/sid/services/nginx.nix | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 98fb554..2a18722 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -30,6 +30,7 @@ in
${hosts.rx4.ip} ${services.vaultwarden.fqdn}
${hosts.rx4.ip} ${services.webdav.fqdn}
${hosts.rx4.ip} rx4.tail
+ ${hosts.sid.ip} ${services.netdata.fqdn}
${hosts.sid.ip} sid.tail
${hosts.vde.ip} vde.tail
fallthrough
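Review bot: The Hetzner DNS token that `credentialsFile` hands to lego is, as far as I know, an account-wide token that can write every record in `sid.ovh`, so a compromise of sid, or of the `acme` service that reads it, gives control of the public zone rather than just the `_acme-challenge.intra.sid.ovh` TXT record that DNS-01 needs; consider delegating `_acme-challenge.intra` to a separate zone or an acme-dns instance, and at least document the blast radius next to the secret with `# NOTE: this token can edit the whole sid.ovh zone, not only the ACME TXT record`. lego reads that file as an environment file, so the sops secret must contain `HETZNER_API_KEY=<token>` rather than the bare token; the encrypted value cannot tell us which it is. `forward . 1.1.1.1` sends every non-intranet query from sid over plaintext UDP; `forward . tls://1.1.1.1 { tls_servername cloudflare-dns.com }` fixes that in place. `mkVirtualHost` is defined outside this hunk, so I cannot see whether the intranet vhosts pick up this wildcard via `useACMEHost = constants.intranet`; if they set `enableACME = true` instead, each will attempt its own HTTP-01 order for a name that only resolves inside the tailnet, and the `webroot = null` added in patch 5 suggests a webroot default exists that would be used.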
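Review bot: The added line maps `netdata.intra.sid.ovh` to sid, where its vhost lives, but the two context lines at the top still map `pw.intra.sid.ovh` and `dav.intra.sid.ovh` to rx4 (`100.64.0.10`), while this same patch adds their TLS vhosts to sid's nginx and patch 6 switches off vaultwarden's nginx on rx4, so after the series those names resolve to a host that, as far as the diff shows, no longer serves them. Unless rx4 still terminates TLS for those names with the wildcard certificate, which nothing here configures, both entries should follow the netdata line: `${hosts.sid.ip} ${services.vaultwarden.fqdn}` and `${hosts.sid.ip} ${services.webdav.fqdn}`. The `config` string this `hosts` block sits in starts and ends outside the hunk.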
@@ -91,6 +92,16 @@ in
address = constants.hosts.rx4.ip;
port = constants.services.rsshub-oci.port;
};
+ virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
+ inherit ssl;
+ address = constants.hosts.rx4.ip;
+ port = constants.services.vaultwarden.port;
+ };
+ virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
+ inherit ssl;
+ address = constants.hosts.rx4.ip;
+ port = constants.services.webdav.port;
+ };
# FIXME
# virtualHosts."print.sid.ovh" = {
# enableACME = true;
-- 2.51.2
From 5f408cc9568a760405b69ab21866f2693b3f779c Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 15:49:39 +0200
Subject: [PATCH 5/6] intranet uses hetzner instead of webroot
---
hosts/sid/services/nginx.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 2a18722..faceb96 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -46,6 +46,7 @@ in
security.acme = {
certs."${constants.intranet}" = {
domain = "*.${constants.intranet}";
+ webroot = null;
dnsProvider = "hetzner";
credentialsFile = config.sops.secrets.hetzner-dns-api-key.path;
};
-- 2.51.2
From e74970f1425174385166c6670c41a83e53cc6db4 Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 15:56:27 +0200
Subject: [PATCH 6/6] vaultwarden: disable local nginx
---
hosts/rx4/services/vaultwarden.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/rx4/services/vaultwarden.nix b/hosts/rx4/services/vaultwarden.nix
index 4a5b191..7d32011 100644
--- a/hosts/rx4/services/vaultwarden.nix
+++ b/hosts/rx4/services/vaultwarden.nix
@@ -15,7 +15,7 @@ in
dbBackend = "postgresql";
configurePostgres = true;
- configureNginx = true;
+ configureNginx = false;
domain = fqdn;
environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
-- 2.51.2
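Review bot: Both new vhosts proxy over plain HTTP to rx4, which is acceptable on the WireGuard-backed tailnet, but vaultwarden behind a proxy on another host needs the client address and WebSocket upgrades passed through: its login rate limiting and admin lockout are keyed on the `X-Real-IP` header (its `IP_HEADER` default), and `/notifications/hub` needs an upgraded connection. `mkVirtualHost` is defined outside the hunk, so if it does not already emit `proxy_set_header X-Real-IP $remote_addr;` (and `X-Forwarded-For`) and set `proxyWebsockets = true;`, every client will appear as `100.64.0.6` and one bad password will throttle all users at once. If the helper cannot be extended, `extraConfig`/`locations` overrides on the vaultwarden vhost are the place; the `services.nginx` set these vhosts belong to starts and ends outside the hunk.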
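Review bot: With `configureNginx = false` vaultwarden's own Rocket listener on port 8222 becomes the service boundary on rx4, and the diff does not show what address it binds; unless `ROCKET_ADDRESS` is set to the tailnet address `100.64.0.10` in the sops env-file template or rx4's firewall limits 8222 to the tailnet interface, the password vault is reachable without TLS from every network rx4 is on. A narrow guard is `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ port ];` (interface name assumed), leaving 8222 out of the global `allowedTCPPorts`. Also worth confirming is that the module still derives an `https://` `DOMAIN` from `domain = fqdn` now that TLS terminates on sid, since vaultwarden uses it for WebAuthn origins and e-mail links. The `services.vaultwarden` set starts and ends outside the hunk.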