sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: use separate domain for pico :/

Browse source
This commit is contained in:
oddlama 2025-04-27 21:46:07 +02:00
parent 4af7e6479c
commit 4c5b592f29
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
6 changed files with 37 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/sentinel/firezone.nix
View file

@ -13,6 +13,7 @@ let
homeDomains = [ homeDomains = [
globals.services.grafana.domain globals.services.grafana.domain
globals.services.firefly.domain globals.services.firefly.domain
globals.services.firefly-pico.domain
globals.services.immich.domain globals.services.immich.domain
globals.services.influxdb.domain globals.services.influxdb.domain
globals.services.loki.domain globals.services.loki.domain

2
hosts/sire/guests/influxdb.nix
View file

@ -69,7 +69,7 @@ in
let let
accessRules = '' accessRules = ''
${lib.concatMapStrings ( ${lib.concatMapStrings (
ip: "allow ${ip};\n" cidr: "allow ${cidr};\n"
) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses} ) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
deny all; deny all;
''; '';

1
hosts/ward/default.nix
View file

@ -14,6 +14,7 @@ let
homeDomains = [ homeDomains = [
globals.services.grafana.domain globals.services.grafana.domain
globals.services.firefly.domain globals.services.firefly.domain
globals.services.firefly-pico.domain
globals.services.immich.domain globals.services.immich.domain
globals.services.influxdb.domain globals.services.influxdb.domain
globals.services.loki.domain globals.services.loki.domain

1
hosts/ward/guests/adguardhome.nix
View file

@ -113,6 +113,7 @@ in
# FIXME: new entry here? make new firezone gateway on ward entry too. # FIXME: new entry here? make new firezone gateway on ward entry too.
globals.services.grafana.domain globals.services.grafana.domain
globals.services.firefly.domain globals.services.firefly.domain
globals.services.firefly-pico.domain
globals.services.immich.domain globals.services.immich.domain
globals.services.influxdb.domain globals.services.influxdb.domain
globals.services.loki.domain globals.services.loki.domain

48
hosts/ward/guests/firefly.nix
View file

@ -6,6 +6,7 @@
}: }:
let let
fireflyDomain = "firefly.${globals.domains.me}"; fireflyDomain = "firefly.${globals.domains.me}";
fireflyPicoDomain = "firefly-pico.${globals.domains.me}";
wardWebProxyCfg = nodes.ward-web-proxy.config; wardWebProxyCfg = nodes.ward-web-proxy.config;
in in
{ {
@ -15,13 +16,14 @@ in
}; };
globals.services.firefly.domain = fireflyDomain; globals.services.firefly.domain = fireflyDomain;
globals.services.firefly-pico.domain = fireflyPicoDomain;
globals.monitoring.http.firefly = { globals.monitoring.http.firefly = {
url = "https://${fireflyDomain}"; url = "https://${fireflyDomain}";
expectedBodyRegex = "Firefly III"; expectedBodyRegex = "Firefly III";
network = "home-lan.vlans.services"; network = "home-lan.vlans.services";
}; };
globals.monitoring.http.firefly-pico = { globals.monitoring.http.firefly-pico = {
url = "https://${fireflyDomain}/pico"; url = "https://${fireflyPicoDomain}";
expectedBodyRegex = "Pico"; expectedBodyRegex = "Pico";
network = "home-lan.vlans.services"; network = "home-lan.vlans.services";
}; };
@ -51,6 +53,11 @@ in
} }
]; ];
networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
globals.services.firefly.domain
globals.services.firefly-pico.domain
];
i18n.supportedLocales = [ "all" ]; i18n.supportedLocales = [ "all" ];
services.firefly-iii = { services.firefly-iii = {
enable = true; enable = true;
@ -70,10 +77,10 @@ in
services.firefly-pico = { services.firefly-pico = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
virtualHost = "pico.internal"; virtualHost = globals.services.firefly-pico.domain;
settings = { settings = {
LOG_CHANNEL = "syslog"; LOG_CHANNEL = "syslog";
APP_URL = "https://${globals.services.firefly.domain}/pico"; APP_URL = "https://${globals.services.firefly-pico.domain}";
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
FIREFLY_URL = config.services.firefly-iii.settings.APP_URL; FIREFLY_URL = config.services.firefly-iii.settings.APP_URL;
TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4; TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
@ -121,22 +128,31 @@ in
proxyPass = "http://firefly"; proxyPass = "http://firefly";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."= /pico".return = "302 /pico/"; extraConfig = ''
locations."/pico/" = { # allow self-access
proxyPass = "http://firefly/"; # Trailing slash matters! (remove location suffix) allow ${config.wireguard.proxy-home.ipv4};
allow ${config.wireguard.proxy-home.ipv6};
# allow home traffic
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all;
'';
};
virtualHosts.${fireflyPicoDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/" = {
proxyPass = "http://firefly";
proxyWebsockets = true; proxyWebsockets = true;
recommendedProxySettings = false; # We need to change Host without duplicating the header.
extraConfig = ''
proxy_set_header Host pico.internal;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server pico.internal;
'';
}; };
extraConfig = '' extraConfig = ''
# allow self-access
allow ${config.wireguard.proxy-home.ipv4};
allow ${config.wireguard.proxy-home.ipv6};
# allow home traffic
allow ${globals.net.home-lan.vlans.home.cidrv4}; allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6}; allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic # Firezone traffic

1
modules/firefly-pico.nix
View file

@ -372,6 +372,7 @@ in
[ [
"${cfg.dataDir}/storage" "${cfg.dataDir}/storage"
"${cfg.dataDir}/storage/app" "${cfg.dataDir}/storage/app"
"${cfg.dataDir}/storage/database"
"${cfg.dataDir}/storage/framework" "${cfg.dataDir}/storage/framework"
"${cfg.dataDir}/storage/framework/cache" "${cfg.dataDir}/storage/framework/cache"
"${cfg.dataDir}/storage/framework/sessions" "${cfg.dataDir}/storage/framework/sessions"