feat: add internal proxy to high-volume applications at home

2024-05-20 02:30:17 +02:00 · 2024-05-20 02:30:17 +02:00 · 20a5e1e66a
commit 20a5e1e66a
parent b01c521830
32 changed files with 301 additions and 21 deletions
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -6,6 +6,7 @@
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
+  wardCfg = nodes.ward.config;
  influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
  influxdbPort = 8086;
 in {
@ -14,6 +15,11 @@ in {
    firewallRuleForNode.sentinel.allowedTCPPorts = [influxdbPort];
  };

+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [influxdbPort];
+  };
+
  nodes.sentinel = {
    networking.providedDomains.influxdb = influxdbDomain;

@ -50,6 +56,40 @@ in {
    };
  };

+  nodes.ward-web-proxy = {
+    services.nginx = {
+      upstreams.influxdb = {
+        servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = {};
+        extraConfig = ''
+          zone influxdb 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${influxdbDomain} = let
+        accessRules = ''
+          ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses}
+          deny all;
+        '';
+      in {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        locations."/" = {
+          proxyPass = "http://influxdb";
+          proxyWebsockets = true;
+          extraConfig = accessRules;
+        };
+        locations."/api/v2/write" = {
+          proxyPass = "http://influxdb/api/v2/write";
+          proxyWebsockets = true;
+          extraConfig = ''
+            ${accessRules}
+            access_log off;
+          '';
+        };
+      };
+    };
+  };
+
  age.secrets.influxdb-admin-password = {
    generator.script = "alnum";
    mode = "440";