This commit is contained in:
goeranh 2026-02-25 20:13:18 +01:00
parent 6add85a106
commit 3e82d5f015
No known key found for this signature in database
5 changed files with 173 additions and 166 deletions


@ -44,7 +44,10 @@
systemd.services.authentik-secrets-generator = {
enable = true;
requiredBy = [ "authentik-secrets-setup.service" "authentik-worker.service" ];
requiredBy = [
"authentik-secrets-setup.service"
"authentik-worker.service"
];
script = ''
echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
'';


@ -29,21 +29,14 @@ in
];
networking.hostName = "git";
networking.domain = "test.htw.stura-dresden.de";
networking.interfaces.ens18.ipv4.addresses = [
{
address = "167.235.225.23";
prefixLength = 32;
address = "141.56.51.97";
prefixLength = 24;
}
];
networking.interfaces.ens18.ipv6.addresses = [
{
address = "2a01:4f8:c012:6bd7::1";
prefixLength = 32;
}
];
networking.defaultGateway.address = "172.31.1.1";
networking.defaultGateway.address = "141.56.51.254";
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
@ -53,30 +46,36 @@ in
services.forgejo = {
enable = true;
settings = {
server = {
PROTOCOL = "http+unix";
HTTP_ADDR = "/var/run/forgejo.sock";
HTTP_ADDR = "/run/forgejo/forgejo.sock";
ROOT_URL = "https://${config.networking.fqdn}";
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = "true";
REGISTER_EMAIL_CONFIRM = "false";
username = "email";
};
service = {
SHOW_REGISTRATION_BUTTON = "false";
};
};
};
services.nginx = {
enable = true;
virtualHosts."git.htw.stura-dresden.de" = {
virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://unix:/var/run/forgejo.sock";
proxyPass = "http://unix:/run/forgejo/forgejo.sock";
};
};
};
# virtualisation.docker.enable = true;
security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de";
networking.firewall.allowedTCPPorts = [
25
80
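Review bot: The new `oauth2_client` block mixes key casing — `username = "email";` sits next to upper-case `ENABLE_AUTO_REGISTRATION` and `REGISTER_EMAIL_CONFIRM`, while Forgejo documents this option as `USERNAME`; if the ini loader is case-sensitive (which I believe it is) the lower-case key is silently ignored and the default username source applies, so it should read `USERNAME = "email";`. `ENABLE_AUTO_REGISTRATION = "true"` combined with `REGISTER_EMAIL_CONFIRM = "false"` also means every identity the OAuth2 provider asserts is created as a Forgejo account and trusted without any local e-mail verification, so account ownership rests entirely on the provider's claims — worth a comment making that explicit, e.g. `# auto-registration trusts the IdP's e-mail claim; no local confirmation`. The module's enclosing attribute set and the `allowedTCPPorts` list both continue outside the hunk, so other relevant settings may exist that are not visible here.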


@ -36,7 +36,7 @@
};
};
services = {
services = {
openssh = {
enable = true;
listenAddresses = [
@ -46,135 +46,134 @@ services = {
}
];
};
haproxy =
let
forwards = {
plone = {
dest = "141.56.51.3";
domain = "stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
haproxy =
let
forwards = {
plone = {
dest = "141.56.51.3";
domain = "stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
plone_alt = {
dest = "141.56.51.3";
domain = "www.stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
tix = {
dest = "141.56.51.220";
domain = "tix.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
vot = {
dest = "141.56.51.81";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
dat = {
dest = "141.56.51.81";
domain = "dat.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
};
plone_alt = {
dest = "141.56.51.3";
domain = "www.stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
tix = {
dest = "141.56.51.220";
domain = "tix.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
vot = {
dest = "141.56.51.81";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
dat = {
dest = "141.56.51.81";
domain = "dat.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
};
in{
enable = true;
config = ''
global
log /dev/log local0
maxconn 4096
# for ACME/Let's Encrypt cert + key in one file:
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
crt-base /var/lib/acme
in
{
enable = true;
config = ''
global
log /dev/log local0
maxconn 4096
# for ACME/Let's Encrypt cert + key in one file:
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
crt-base /var/lib/acme
defaults
log global
mode tcp
option tcplog
timeout connect 5s
timeout client 30s
timeout server 30s
defaults
log global
mode tcp
option tcplog
timeout connect 5s
timeout client 30s
timeout server 30s
frontend stats
bind 127.0.0.1:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
stats auth admin:yourpassword
stats show-legends
stats show-node
frontend stats
bind 127.0.0.1:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
stats auth admin:yourpassword
stats show-legends
stats show-node
frontend http-in
bind *:80
frontend http-in
bind *:80
${
lib.foldlAttrs(prev: name: value: prev +
"acl is_${name} hdr(host) -i ${value.domain}\n"
) "" forwards
}
${lib.foldlAttrs (
prev: name: value:
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
) "" forwards}
${
lib.foldlAttrs(prev: name: value: prev +
"use_backend ${name}_80 if is_${name}\n"
) "" forwards
}
${lib.foldlAttrs (
prev: name: value:
prev + "use_backend ${name}_80 if is_${name}\n"
) "" forwards}
default_backend plone_80
default_backend plone_80
frontend ssh_jump_alt
bind *:2142
mode tcp
timeout client 30m
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
use_backend ssh_srs2
frontend ssh_jump_alt
bind *:2142
mode tcp
timeout client 30m
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
use_backend ssh_srs2
# ---- SNI routing (TCP, peek at handshake) ----
frontend sni_router
bind *:443
mode tcp
tcp-request inspect-delay 1s
tcp-request content accept if { req_ssl_hello_type 1 }
# ---- SNI routing (TCP, peek at handshake) ----
frontend sni_router
bind *:443
mode tcp
tcp-request inspect-delay 1s
tcp-request content accept if { req_ssl_hello_type 1 }
# terminated here
${
lib.foldlAttrs(prev: name: value: prev +
"use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
) "" forwards
}
# terminated here
${lib.foldlAttrs (
prev: name: value:
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
) "" forwards}
backend ssh_srs2
mode tcp
timeout server 30m
timeout connect 10s
option tcpka
server srs2 141.56.51.2:80 check
backend ssh_srs2
mode tcp
timeout server 30m
timeout connect 10s
option tcpka
server srs2 141.56.51.2:80 check
${
lib.foldlAttrs(prev: name: value: prev +
''
${lib.foldlAttrs (
prev: name: value:
prev
+ ''
backend ${name}_80
mode http
@ -184,14 +183,11 @@ services = {
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
''
) "" forwards
}
'';
};
) "" forwards}
'';
};
};
environment.systemPackages = with pkgs; [
openvpn
tcpdump


@ -19,7 +19,6 @@
];
networking.defaultGateway.address = "141.56.51.254";
security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de";