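# NixOS module for the "lxcproxy" host: a WireGuard peer that fronts internal
# services with HAProxy -> Caddy and ships the HAProxy journal to Loki via
# promtail.
#
# Changes from the previous revision (and why):
#   * promtail's positions file moved out of /tmp. The NixOS promtail unit
#     runs with PrivateTmp and a StateDirectory of "promtail" (verify against
#     the module version in use); a positions file under /tmp is therefore
#     discarded on every service restart, and promtail then re-reads up to
#     `max_age` (12h) of journal, pushing duplicate lines to Loki. /tmp is
#     also a shared, world-writable directory, which is a poor home for
#     service state in general.
{
  config,
  pkgs,
  ...
}: let
  # HTTP port of promtail's own server (/metrics, /ready, /targets, /config ...).
  promtailPort = 3100;
in {
  # Secrets are provisioned by sops-nix with its defaults (root-owned, 0400),
  # which is what the WireGuard module needs since it reads them as root.
  sops.secrets.wg0PrivateKey = {};
  sops.secrets.wg0PresharedKey = {};

  # eth0: 443 for the public HAProxy front, 3100 so the promtail endpoint can
  # be scraped, 8404 (conventionally an HAProxy stats/metrics listener; the
  # actual binding is in ./haproxy.conf, which is not part of this file).
  # NOTE(review): promtail's HTTP server exposes more than /metrics (for
  # example /config and /targets, which reveal the Loki push URL and scrape
  # configuration). If only a single scraper needs it, consider restricting
  # this port to that source with extraCommands/nftables rather than opening
  # it to the whole interface. Same consideration applies to 8404 if it is a
  # stats page without authentication.
  networking.firewall.interfaces."eth0".allowedTCPPorts = [443 promtailPort 8404];
  # Plain HTTP (80) is reachable only over the WireGuard tunnel.
  networking.firewall.interfaces."wg0".allowedTCPPorts = [80];

  networking.wireguard.interfaces."wg0" = {
    ips = ["10.100.0.10/24"];
    listenPort = 51820;
    # Public key of this interface (safe to record here):
    # pxbf41wTYSpBxTQW8ksQKNd7VOjTEUWKpW381qEnQyw=
    privateKeyFile = config.sops.secrets.wg0PrivateKey.path;
    peers = [
      {
        publicKey = "+HChRIruvl92cxk4Ztyut28T/m1ilEy3hqDd3HH6XRk=";
        # Pre-shared key adds a symmetric layer on top of the Curve25519
        # handshake; it is the same secret on both peers.
        presharedKeyFile = config.sops.secrets.wg0PresharedKey.path;
        # Only the tunnel subnet is routed through this peer (no default route).
        allowedIPs = ["10.100.0.0/24"];
        endpoint = "172.234.96.20:51820";
        # Keep NAT mappings alive so the remote peer can initiate traffic.
        persistentKeepalive = 25;
      }
    ];
  };

  # Caddy uses `certutil` from nssTools when it installs its internal CA into
  # NSS trust stores for `tls internal`.
  systemd.services.caddy.path = [
    pkgs.nssTools
  ];

  # Hostname -> backend map consumed by ./haproxy.conf.
  environment.etc = {
    "haproxy/domainstobackends.map" = {
      text = builtins.readFile ./domainstobackends.map;
    };
  };

  services = {
    haproxy = {
      enable = true;
      config = builtins.readFile ./haproxy.conf;
    };

    caddy = {
      enable = true;
      # Global log level only; note that this suppresses everything below
      # ERROR for the default logger, so request-level visibility relies on
      # HAProxy's logs (shipped by promtail below).
      logFormat = "level ERROR";
      # Caddy sits behind HAProxy, so it does not own 80/443 itself.
      globalConfig = ''
        http_port 8080
        https_port 8443
      '';
      # Every vhost terminates TLS with Caddy's internal CA and proxies to an
      # internal service over plain HTTP on the private LAN.
      virtualHosts = {
        "dns.rustylily.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.2.3:80
        '';
        "multi.media.rustylily.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.2.30:8096
        '';
        "books.media.rustylily.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.2.30:5000
        '';
        "nextcloud.rustylily.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.2.15:80
        '';
        "metrics.rustylily.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.2.5:3000
        '';
        "portainer.uwulpine.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.1.10:9080
        '';
        "registry.uwulpine.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.1.10:5000
        '';
        "registryui.uwulpine.home.arpa".extraConfig = ''
          tls internal
          reverse_proxy http://10.1.1.10:5080
        '';
      };
    };
  };

  services.promtail = {
    enable = true;
    configuration = {
      server = {
        http_listen_port = promtailPort;
        # Disable the gRPC listener; nothing here uses it.
        grpc_listen_port = 0;
      };
      positions = {
        # Persist read positions in the unit's StateDirectory so restarts do
        # not re-ingest the last `max_age` of journal. If the promtail module
        # in use does not set StateDirectory = "promtail", add it to
        # systemd.services.promtail.serviceConfig.
        filename = "/var/lib/promtail/positions.yaml";
      };
      clients = [
        {
          # Loki push endpoint on the internal LAN (plain HTTP, no auth here).
          url = "http://10.1.2.5:9091/loki/api/v1/push";
        }
      ];
      scrape_configs = [
        {
          job_name = "journal";
          journal = {
            max_age = "12h";
            labels = {
              job = "systemd-journal";
              host = "lxcproxy";
            };
          };
          relabel_configs = [
            # Ship only HAProxy's unit; everything else in the journal is dropped.
            {
              action = "keep";
              source_labels = ["__journal__systemd_unit"];
              regex = "haproxy.service";
            }
            {
              source_labels = ["__journal__systemd_unit"];
              target_label = "unit";
            }
          ];
        }
      ];
    };
  };

  system.stateVersion = "23.05";
}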