feat: Expose hydra to the local network

fix #64
This commit is contained in:
Charlotte 🦝 Delenk 2022-03-12 10:37:16 +01:00
parent 2dc89616a8
commit eb0042cd81
Signed by: darkkirb
GPG key ID: AB2BD8DAF2E37122
4 changed files with 89 additions and 7 deletions


@ -8,6 +8,7 @@
./desktop.nix
./services/tpm2.nix
./services/hydra.nix
./server.nix
];
hardware.cpu.amd.updateMicrocode = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp" ];


@ -1,4 +1,11 @@
{ ... }: {
{ lib, config, ... }:
let
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
add_header Alt-Svc 'h3=":443"';
'';
in
{
imports = [
./postgres.nix
../../modules/hydra.nix
@ -6,7 +13,7 @@
];
services.hydra = {
enable = true;
hydraURL = "http://localhost:3000";
hydraURL = "https://hydra.int.chir.rs/";
notificationSender = "hydra@chir.rs";
useSubstitutes = true;
extraConfig = ''
@ -28,4 +35,14 @@
];
nix.settings.allowed-uris = [ "https://github.com/" "https://git.chir.rs/" "https://minio.int.chir.rs/" ];
sops.secrets."services/hydra/gitea_token" = { };
services.nginx.virtualHosts."hydra.int.chir.rs" = {
listenAddresses = listenIPs;
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
proxyWebsockets = true;
};
extraConfig = listenStatements;
};
}
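Review bot: The new `services.nginx.virtualHosts."hydra.int.chir.rs"` block sets `sslCertificate`/`sslCertificateKey` but none of `forceSSL`, `onlySSL` or `addSSL`, and as far as I recall the NixOS nginx module only emits the `listen …:443 ssl` and `ssl_certificate` directives when one of those flags is set; as written, the module-generated listeners for `listenIPs` would be plain HTTP on port 80, and the only :443 listener would be the hand-written `listen ${ip}:443 http3;` from `listenStatements`. Since `hydraURL` now points at `https://hydra.int.chir.rs/`, I would add `forceSSL = true;` (or `onlySSL = true;` if no HTTP-to-HTTPS redirect is wanted) next to `listenAddresses = listenIPs;` so the TCP/TLS listener actually exists and the Hydra UI is not served unencrypted on the internal network. The vhost option `http3 = true;` may be able to replace the manual listen statements and the `Alt-Svc` header, but that depends on the nixpkgs revision and on the nginx package having QUIC support, so it is worth checking before switching. `services.nginx.enable` is not visible in this hunk; presumably it is set elsewhere.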


@ -7,6 +7,9 @@ services:
security:
restic:
password: ENC[AES256_GCM,data:HLaaeITkzp+7LkD0EggKHpVJmzI=,iv:YsgJ8RiuVlZ0etnjD+un1H8qDI00jyctM5aBW6b/mow=,tag:H6+iOvbYRKtTrmuh7zmTWw==,type:str]
acme:
dns: ENC[AES256_GCM,data:08qtPbnPmc8BYg8UoXCbNGRwLEc3uRq4kDgCaX2DgEaYpMInwAY/KQiQBpNfyeKhIU+5IlWp1nD5Nil27Ell7Gz8Gn7YjJoIU9QR55aLvH7kHA6H5ojfAk2bBzqr/BU6byti7jWvSsSz66GPzJU9YK+RfR6fxPTgB46wKmFBxJKG1Nvep4TXkeweTYkTLWvcLw1qE4E5UNtv36KbWsRXil0ZrLwQKdiAiLJltdRRRGASNXgBVKqBWUUM5+I0tTznfFvlOZh7a5m5sEyJYyD/OTpr4uRPzVHl4g==,iv:FjC4mjo+aK5gbPDWEWBkil6lnFHPCsn+5RnjqAF8NBU=,tag:/WdAnX8pP1HwwNyTN622qA==,type:str]
cloudflare: ENC[AES256_GCM,data:4msfkxlL3QDvdroYQJdZv5BHukp/TRM7EFBszOdVkVA0T1V6gqQCibdIM794nSTAABKPODjYcKg71p2a9Q3aBg2n4JbN8ez1jPhlGEuWUN0aapIJ+F8yN9Dt4E1sb26c6BSAArYmd/WKBaEVF4OxMzYEbCcnjJJZ9zHoi02/EMyDjUosy4XyHxEqOa6ikKuJJF0ewUhL9zHWZ84xHE5JU4vKhegWWMQIH7k1W1tUAuNXb8uJHhWuQ6Q=,iv:2ksR8uPpHOMTagd1b/vuWAgstN0Badrta3cJFk60gTQ=,tag:uD7IA2hBKIX1wR6O2DL02g==,type:str]
email:
lotte@chir.rs: ENC[AES256_GCM,data:7XsLQMZex88Pdh25FI3GwUmjHA==,iv:e/YhtFBnLZBVfngnR3n2WS1c1FNlSN8grLzEpcRFW38=,tag:TQNx+tgtMyUcJZ3/bQOXtw==,type:str]
mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:6+yoCDtAqlXX4fZLR73TyNKqXz6kKTwqK1JnKwTnoRJvjXjpCJ3zC8bHgIXfQFNPxaWQN85N21qSGp9ahbljKw==,iv:XtysXD6fL4XNVC7JNhH8eU3J8/x4uL8pSBQV5jQN4yE=,tag:VKZeLMnFNst69OWS97fjYg==,type:str]
@ -25,8 +28,8 @@ sops:
VW5LZnh5QnNwTHdVTEM4L0FRS2cwNUkKKCs+yd3J6hSRCjv9OwefPhSLS48vPAla
DbzaS7ec6uAgW1tvw/AucDv+w38EqpBHPD/FxwbxJPadRw5JtxCx8w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-03-06T15:15:16Z"
mac: ENC[AES256_GCM,data:dKStSnugA6RbXnv5tGvSOA+8LdjEIgv2GGhOc9L+bWgtV2xOZ0hsr4m5VA7ArMTbw1Ns1YiaJyUtxJSrufwlL5TmPYEw6U2JxSyy1d/NPbev5/Y4k3wqqVy6w++6j3iwp19wnvKKxhYk+w5YYimageNzpGa5QEWDG7TwrnI9jVQ=,iv:kjuiTvbWuoAltcRO/9sfW7htZW7f92ciOImXzsA9CK0=,tag:zBAGiaUXwm/ZIjec/7vItw==,type:str]
lastmodified: "2022-03-12T09:45:06Z"
mac: ENC[AES256_GCM,data:fg94tQFQTvJVldXUDTrO3e4uzUfrVA7mKHYUZp90CiJKrvDUWsuEh47pRH4g4I2M+ZW/SMTrFjGCX3uLx8TixxbZxmtINx0VT+brh30FUPs7bI66QFpkPTXv5/tI9iwesbexW/Ez1jcm2/sjKL6gLp9kM2cdFYWHO3ZoyPvopbQ=,iv:8sV+nKOfVGFinBQNlorDlfctcALom5RNdKcUcNsEYE8=,tag:LfDZVN+PGW20Hc9OyOxlaA==,type:str]
pgp:
- created_at: "2022-02-02T17:49:32Z"
enc: |


@ -8,7 +8,7 @@ in
SOA = {
nameServer = "ns2.darkkirb.de.";
adminEmail = "lotte@chir.rs";
serial = 1;
serial = 2;
};
NS = [
"ns2.darkkirb.de."
@ -100,8 +100,68 @@ in
svcPriority = 1;
targetName = ".";
alpn = [ "http/1.1" "h2" "h3" ];
ipv4hint = [ "138.201.155.128" ];
ipv6hint = [ "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49" ];
ipv6hint = [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
ttl = zoneTTL;
}
];
CAA = [
{
issuerCritical = false;
tag = "issue";
value = "letsencrypt.org";
ttl = zoneTTL;
}
{
issuerCritical = false;
tag = "issuewild";
value = "letsencrypt.org";
ttl = zoneTTL;
}
{
issuerCritical = false;
tag = "iodef";
value = "mailto:lotte@chir.rs";
ttl = zoneTTL;
}
];
};
nutty-noon = {
AAAA = [
(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437"))
];
SSHFP = [
{
algorithm = "rsa";
mode = "sha1";
fingerprint = "02e148adb73781d6c60202de7f17a164d3a8e1a4";
ttl = zoneTTL;
}
{
algorithm = "rsa";
mode = "sha256";
fingerprint = "9d7f38a6c8bed75a9bacb253aa172dd4b4a1291ba77c1f07e5b9a0c38a353040";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha1";
fingerprint = "932070039e800bf2ae259b8dbf253342e7ee0da6";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha256";
fingerprint = "78c585ece995f82bd0c23890c7fd59e0fa7d2c1741f303dc9e301b0161e9e2c3";
ttl = zoneTTL;
}
];
# TODO: add TLSA
HTTPS = [
{
svcPriority = 1;
targetName = ".";
alpn = [ "http/1.1" "h2" "h3" ];
ipv4hint = [ "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437" ];
ttl = zoneTTL;
}
];
@ -132,5 +192,6 @@ in
minio-console.CNAME = [ "nixos-8gb-fsn1-1" ];
backup.CNAME = [ "nas" ];
cache.CNAME = [ "nixos-8gb-fsn1-1" ];
hydra.CNAME = [ "nutty-noon" ];
};
}
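Review bot: The new `nutty-noon` HTTPS record puts an IPv6 ULA address in `ipv4hint`: `ipv4hint = [ "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437" ];` is not a valid IPv4 hint and will either be rejected by the zone generator or produce a broken SVCB parameter. The host only has an AAAA record in this hunk (`(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437"))`), so the line should read `ipv6hint = [ "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437" ];`, matching how the earlier HTTPS record in this same hunk uses `ipv6hint` for its ULA address. If an IPv4 hint is wanted later it should be paired with an A record for the host; the rest of the zone (the `in` expression this hunk sits in) starts outside the visible hunks.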