sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: use separate domain for pico :/

Browse source
This commit is contained in:
oddlama 2025-04-27 21:46:07 +02:00
parent 4af7e6479c
commit 4c5b592f29
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
6 changed files with 37 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/sentinel/firezone.nix
View file

@ -13,6 +13,7 @@ let
homeDomains = [
globals.services.grafana.domain
globals.services.firefly.domain
globals.services.firefly-pico.domain
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain

2
hosts/sire/guests/influxdb.nix
View file

@ -69,7 +69,7 @@ in
let
accessRules = ''
${lib.concatMapStrings (
ip: "allow ${ip};\n"
cidr: "allow ${cidr};\n"
) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
deny all;
'';

1
hosts/ward/default.nix
View file

@ -14,6 +14,7 @@ let
homeDomains = [
globals.services.grafana.domain
globals.services.firefly.domain
globals.services.firefly-pico.domain
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain

1
hosts/ward/guests/adguardhome.nix
View file

@ -113,6 +113,7 @@ in
# FIXME: new entry here? make new firezone gateway on ward entry too.
globals.services.grafana.domain
globals.services.firefly.domain
globals.services.firefly-pico.domain
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain

46
hosts/ward/guests/firefly.nix
View file

@ -6,6 +6,7 @@
}:
let
fireflyDomain = "firefly.${globals.domains.me}";
fireflyPicoDomain = "firefly-pico.${globals.domains.me}";
wardWebProxyCfg = nodes.ward-web-proxy.config;
in
{
@ -15,13 +16,14 @@ in
};
globals.services.firefly.domain = fireflyDomain;
globals.services.firefly-pico.domain = fireflyPicoDomain;
globals.monitoring.http.firefly = {
url = "https://${fireflyDomain}";
expectedBodyRegex = "Firefly III";
network = "home-lan.vlans.services";
};
globals.monitoring.http.firefly-pico = {
url = "https://${fireflyDomain}/pico";
url = "https://${fireflyPicoDomain}";
expectedBodyRegex = "Pico";
network = "home-lan.vlans.services";
};
@ -51,6 +53,11 @@ in
}
];
networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
globals.services.firefly.domain
globals.services.firefly-pico.domain
];
i18n.supportedLocales = [ "all" ];
services.firefly-iii = {
enable = true;
@ -70,10 +77,10 @@ in
services.firefly-pico = {
enable = true;
enableNginx = true;
virtualHost = "pico.internal";
virtualHost = globals.services.firefly-pico.domain;
settings = {
LOG_CHANNEL = "syslog";
APP_URL = "https://${globals.services.firefly.domain}/pico";
APP_URL = "https://${globals.services.firefly-pico.domain}";
TZ = "Europe/Berlin";
FIREFLY_URL = config.services.firefly-iii.settings.APP_URL;
TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
@ -121,22 +128,31 @@ in
proxyPass = "http://firefly";
proxyWebsockets = true;
};
locations."= /pico".return = "302 /pico/";
locations."/pico/" = {
proxyPass = "http://firefly/"; # Trailing slash matters! (remove location suffix)
proxyWebsockets = true;
recommendedProxySettings = false; # We need to change Host without duplicating the header.
extraConfig = ''
proxy_set_header Host pico.internal;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server pico.internal;
# allow self-access
allow ${config.wireguard.proxy-home.ipv4};
allow ${config.wireguard.proxy-home.ipv6};
# allow home traffic
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all;
'';
};
virtualHosts.${fireflyPicoDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/" = {
proxyPass = "http://firefly";
proxyWebsockets = true;
};
extraConfig = ''
# allow self-access
allow ${config.wireguard.proxy-home.ipv4};
allow ${config.wireguard.proxy-home.ipv6};
# allow home traffic
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic

1
modules/firefly-pico.nix
View file

@ -372,6 +372,7 @@ in
[
"${cfg.dataDir}/storage"
"${cfg.dataDir}/storage/app"
"${cfg.dataDir}/storage/database"
"${cfg.dataDir}/storage/framework"
"${cfg.dataDir}/storage/framework/cache"
"${cfg.dataDir}/storage/framework/sessions"