From 4c5b592f29cb11615e28d0a6e95dfdd4cd30187b Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 27 Apr 2025 21:46:07 +0200
Subject: [PATCH] fix: use separate domain for pico :/

---
 hosts/sentinel/firezone.nix | 1 +
 hosts/sire/guests/influxdb.nix | 2 +-
 hosts/ward/default.nix | 1 +
 hosts/ward/guests/adguardhome.nix | 1 +
 hosts/ward/guests/firefly.nix | 48 ++++++++++++++++++++-----------
 modules/firefly-pico.nix | 1 +
 6 files changed, 37 insertions(+), 17 deletions(-)

diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index b2f73b2..674b72f 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -13,6 +13,7 @@ let
 homeDomains = [
 globals.services.grafana.domain
 globals.services.firefly.domain
+ globals.services.firefly-pico.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix
index b41b356..6115dfd 100644
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@@ -69,7 +69,7 @@ in
 let
 accessRules = ''
 ${lib.concatMapStrings (
- ip: "allow ${ip};\n"
+ cidr: "allow ${cidr};\n"
 ) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
 deny all;
 '';
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index a959564..f69e832 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -14,6 +14,7 @@ let
 homeDomains = [
 globals.services.grafana.domain
 globals.services.firefly.domain
+ globals.services.firefly-pico.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index d4a23ee..fe00c8b 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
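Review bot: The added `globals.services.firefly-pico.domain` entry has to be repeated by hand in three separate domain lists — this hunk, the identical `homeDomains` hunk in hosts/ward/default.nix and the list in hosts/ward/guests/adguardhome.nix (which already carries a FIXME asking whether new entries belong there) — so a future service whose domain lands in one list but not the others ends up reachable through one path and not another without any evaluation error. If the three lists are meant to stay identical, deriving them once from `globals.services` (a shared `let` list that each host imports) removes the drift; if they are intentionally different, a one-line comment on each saying what that list is authoritative for would save the next reader the comparison. The enclosing `let` blocks start and end outside these hunks.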
@@ -113,6 +113,7 @@ in # FIXME: new entry here? make new firezone gateway on ward entry too. globals.services.grafana.domain globals.services.firefly.domain + globals.services.firefly-pico.domain globals.services.immich.domain globals.services.influxdb.domain globals.services.loki.domain diff --git a/hosts/ward/guests/firefly.nix b/hosts/ward/guests/firefly.nix index 65abdbd..ab43289 100644 --- a/hosts/ward/guests/firefly.nix +++ b/hosts/ward/guests/firefly.nix @@ -6,6 +6,7 @@ }: let fireflyDomain = "firefly.${globals.domains.me}"; + fireflyPicoDomain = "firefly-pico.${globals.domains.me}"; wardWebProxyCfg = nodes.ward-web-proxy.config; in { @@ -15,13 +16,14 @@ in }; globals.services.firefly.domain = fireflyDomain; + globals.services.firefly-pico.domain = fireflyPicoDomain; globals.monitoring.http.firefly = { url = "https://${fireflyDomain}"; expectedBodyRegex = "Firefly III"; network = "home-lan.vlans.services"; }; globals.monitoring.http.firefly-pico = { - url = "https://${fireflyDomain}/pico"; + url = "https://${fireflyPicoDomain}"; expectedBodyRegex = "Pico"; network = "home-lan.vlans.services"; }; @@ -51,6 +53,11 @@ in } ]; + networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [ + globals.services.firefly.domain + globals.services.firefly-pico.domain + ]; + i18n.supportedLocales = [ "all" ]; services.firefly-iii = { enable = true; @@ -70,10 +77,10 @@ in services.firefly-pico = { enable = true; enableNginx = true; - virtualHost = "pico.internal"; + virtualHost = globals.services.firefly-pico.domain; settings = { LOG_CHANNEL = "syslog"; - APP_URL = "https://${globals.services.firefly.domain}/pico"; + APP_URL = "https://${globals.services.firefly-pico.domain}"; TZ = "Europe/Berlin"; FIREFLY_URL = config.services.firefly-iii.settings.APP_URL; TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4; 
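Review bot: The new `networking.hosts` entry pins both public domains to the web proxy's wireguard address without saying why, and the reason is non-local: `FIREFLY_URL` (a context line in the next hunk) is firefly-iii's APP_URL, so firefly-pico presumably reaches firefly-iii by going out through ward-web-proxy and back in, which is also what the new `# allow self-access` entries in the proxy vhosts (`config.wireguard.proxy-home.ipv4/ipv6` in the @@ -121 hunk, presumably this guest's addresses) exist to permit. A comment next to the entry would make that coupling explicit, e.g. `# Resolve our own public domains via ward-web-proxy so firefly-pico can reach firefly-iii through its public URL; the proxy vhosts allow this guest's address for exactly that.` Only the IPv4 proxy address is pinned, which matches the IPv4-only `TRUSTED_PROXIES` in the next hunk; if that asymmetry with the IPv6 allow entries is deliberate, the same comment is the place to say so.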
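Review bot: With `virtualHost = globals.services.firefly-pico.domain` the guest-side nginx now selects the firefly-pico server block by the public host name, so the proxy must pass the client's Host header through unchanged; the removed `/pico/` location on ward-web-proxy did that explicitly with `proxy_set_header Host pico.internal`, while the new `virtualHosts.${fireflyPicoDomain}` block in the @@ -121 hunk sets nothing for Host and relies on the proxy's default (presumably `services.nginx.recommendedProxySettings`, which sets `proxy_set_header Host $host` — worth confirming, since a mismatch would silently land requests on the guest's default server block rather than fail loudly). The firefly-iii vhost in the same hunk already works this way, so it is likely fine, but a comment such as `# ward-web-proxy forwards Host unchanged; the guest-side vhost matches on it.` next to `virtualHost` would record the dependency. The `services.firefly-pico` attrset continues past the hunk.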
@@ -121,22 +128,31 @@ in
 proxyPass = "http://firefly";
 proxyWebsockets = true;
 };
- locations."= /pico".return = "302 /pico/";
- locations."/pico/" = {
- proxyPass = "http://firefly/"; # Trailing slash matters! (remove location suffix)
+ extraConfig = ''
+ # allow self-access
+ allow ${config.wireguard.proxy-home.ipv4};
+ allow ${config.wireguard.proxy-home.ipv6};
+ # allow home traffic
+ allow ${globals.net.home-lan.vlans.home.cidrv4};
+ allow ${globals.net.home-lan.vlans.home.cidrv6};
+ # Firezone traffic
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
+ deny all;
+ '';
+ };
+ virtualHosts.${fireflyPicoDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ locations."/" = {
+ proxyPass = "http://firefly";
 proxyWebsockets = true;
-
- recommendedProxySettings = false; # We need to change Host without duplicating the header.
- extraConfig = ''
- proxy_set_header Host pico.internal;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server pico.internal;
- '';
 };
 extraConfig = ''
+ # allow self-access
+ allow ${config.wireguard.proxy-home.ipv4};
+ allow ${config.wireguard.proxy-home.ipv6};
+ # allow home traffic
 allow ${globals.net.home-lan.vlans.home.cidrv4};
 allow ${globals.net.home-lan.vlans.home.cidrv6};
 # Firezone traffic
diff --git a/modules/firefly-pico.nix b/modules/firefly-pico.nix
index 2c6bc24..e86c92c 100644
--- a/modules/firefly-pico.nix
+++ b/modules/firefly-pico.nix
@@ -372,6 +372,7 @@ in
 [
 "${cfg.dataDir}/storage"
 "${cfg.dataDir}/storage/app"
+ "${cfg.dataDir}/storage/database"
 "${cfg.dataDir}/storage/framework"
 "${cfg.dataDir}/storage/framework/cache"
 "${cfg.dataDir}/storage/framework/sessions"
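Review bot: The `allow … deny all;` block is now written out verbatim in both the firefly-iii and the firefly-pico vhost `extraConfig`, so the two access lists can drift apart the next time one of them is edited, leaving one of the two apps reachable from a source the other denies. hosts/sire/guests/influxdb.nix in this same patch already keeps such a list in a single `accessRules` string; the same shape here — one `accessRules = ''…'';` in the file's `let` next to `fireflyPicoDomain`, then `extraConfig = accessRules;` in both vhosts — keeps the two server blocks identical by construction. Separately, the `locations."= /pico"` redirect is removed with nothing taking its place, so existing links to the old `/pico` path are now proxied to firefly-iii instead; `locations."/pico".return = "301 https://${fireflyPicoDomain}/";` on the firefly-iii vhost would keep them working. Both vhost definitions begin and end outside the hunk.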