authorquentin@aristote.fr <quentin@aristote.fr>2025-01-18 19:36:31 +0100
committerquentin@aristote.fr <quentin@aristote.fr>2025-01-26 22:44:50 +0100
commit66d20b789ee1f53898196ace7f7f717cfdd2abe2 (patch)
treefe6f7a27abaf2d1545e29d1b30a30b187ce92af9
parent429e2c9fb1c7f981fe562b80feb270c40758d3da (diff)
add headscale
-rw-r--r--config/services/default.nix6
-rw-r--r--config/services/mesh/default.nix45
-rw-r--r--config/services/web/searx/filtron/default.nix45
-rw-r--r--tests/configuration.nix34
4 files changed, 90 insertions, 40 deletions
diff --git a/config/services/default.nix b/config/services/default.nix
index e1dcb81..5cabb7a 100644
--- a/config/services/default.nix
+++ b/config/services/default.nix
@@ -1,5 +1,3 @@
-{ ... }:
-
-{
- imports = [ ./web ];
+{...}: {
+ imports = [./mesh ./web];
}
diff --git a/config/services/mesh/default.nix b/config/services/mesh/default.nix
new file mode 100644
index 0000000..791a5a6
--- /dev/null
+++ b/config/services/mesh/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.services.headscale;
+ url = "mesh.${config.networking.domain}";
+in {
+ networking.firewall.allowedUDPPorts = [3478];
+
+ services.headscale = {
+ enable = true;
+ port = 8001;
+ settings = {
+ server_url = "https://${url}:443";
+ derps = {
+ server = {
+ enabled = true;
+ stun_listen_addr = "0.0.0.0:3478";
+ };
+ urls = [];
+ };
+ dns.base_domain = "aristote.mesh";
+ };
+ };
+
+ services.nginx.virtualHosts.mesh = lib.mkIf cfg.enable {
+ serverName = "${url}";
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${cfg.address}:${toString cfg.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $server_name;
+ proxy_redirect http:// https://;
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ '';
+ };
+ };
+}
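Review bot: The firewall opening `networking.firewall.allowedUDPPorts = [3478];` is unconditional, whereas the nginx vhost in the same file is gated with `lib.mkIf cfg.enable`; if headscale is later disabled, UDP 3478 stays open with nothing listening, so gate it the same way: `networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [3478];`. The `derps` attribute name is also worth checking against the rendered configuration: as far as I know headscale's YAML key is `derp` (singular), and if the module passes `derps` through unrecognised, the embedded DERP/STUN server is never actually enabled and `urls = []` does not replace the default relay map as intended — confirming this means inspecting the generated config.yaml or headscale's startup log rather than this diff. The whole module is contained in this hunk.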
diff --git a/config/services/web/searx/filtron/default.nix b/config/services/web/searx/filtron/default.nix
index cc637c3..da4f1e6 100644
--- a/config/services/web/searx/filtron/default.nix
+++ b/config/services/web/searx/filtron/default.nix
@@ -1,8 +1,7 @@
-{ ... }:
-
-{
+{...}: {
services.filtron = {
enable = true;
+ target.port = 8000;
rules = [
{
name = "roboagent limit";
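Review bot: `target.port = 8000;` changes where filtron forwards traffic, but no matching change to the searx listen port is visible in this diff, so I cannot tell from here whether searx actually binds 8000; worth confirming in the searx module, since a mismatch makes the proxy chain fail outright rather than degrade. The remaining hunks in this file are formatting-only. The `services.filtron` attribute set continues past the end of the hunk.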
@@ -12,10 +11,10 @@
limit = 0;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
@@ -27,37 +26,37 @@
limit = 0;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
{
name = "suspiciously frequent IP";
- filters = [ ];
+ filters = [];
interval = 600;
limit = 30;
- aggregations = [ "Header:X-Forwarded-For" ];
- actions = [{ name = "log"; }];
+ aggregations = ["Header:X-Forwarded-For"];
+ actions = [{name = "log";}];
}
{
name = "search request";
- filters = [ "Param:q" "Path=^(/|/search)$" ];
+ filters = ["Param:q" "Path=^(/|/search)$"];
interval = 61;
limit = 999;
subrules = [
{
name = "missing Accept-Language";
- filters = [ "!Header:Accept-Language" ];
+ filters = ["!Header:Accept-Language"];
limit = 0;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
@@ -79,26 +78,26 @@
interval = 61;
limit = 9;
stop = true;
- aggregations = [ "Header:X-Forwarded-For" ];
+ aggregations = ["Header:X-Forwarded-For"];
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
{
name = "rss/json limit";
- filters = [ "Param:format=(csv|json|rss)" ];
+ filters = ["Param:format=(csv|json|rss)"];
interval = 121;
limit = 2;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
@@ -106,12 +105,12 @@
name = "useragent limit";
interval = 61;
limit = 199;
- aggregations = [ "Header:User-Agent" ];
+ aggregations = ["Header:User-Agent"];
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
diff --git a/tests/configuration.nix b/tests/configuration.nix
index 965f365..e46c726 100644
--- a/tests/configuration.nix
+++ b/tests/configuration.nix
@@ -1,41 +1,49 @@
-{ config, lib, modulesPath, ... }:
-
-let
- nginxPorts = lib.concatLists
+{
+ config,
+ lib,
+ ...
+}: let
+ nginxPorts =
+ lib.concatLists
(lib.mapAttrsToList (_: cfg: (builtins.map (x: x.port) cfg.listen))
config.services.nginx.virtualHosts);
nginxMakeLocal = port: {
- listen = lib.mkForce [{
- inherit port;
- addr = "0.0.0.0";
- }];
+ listen = lib.mkForce [
+ {
+ inherit port;
+ addr = "0.0.0.0";
+ }
+ ];
forceSSL = lib.mkForce false;
enableACME = lib.mkForce false;
};
in {
- imports = [ ../config ];
+ imports = [../config];
boot.isContainer = true;
networking = lib.mkForce {
domain = "aristote.vm";
- interfaces = { };
+ interfaces = {};
defaultGateway = null;
- nameservers = [ ];
+ nameservers = [];
- firewall = { allowedTCPPorts = nginxPorts; };
+ firewall = {allowedTCPPorts = nginxPorts;};
};
- services.filtron.rules = lib.mkForce [ ];
+ services.filtron.rules = lib.mkForce [];
services.rss-bridge.debug = true;
+ services.headscale.settings.server_url = lib.mkForce "http://10.233.1.2:8085/";
+
services.nginx.virtualHosts = {
quentin = nginxMakeLocal 8080;
searx = nginxMakeLocal 8081;
rss = nginxMakeLocal 8083;
webkeydirectory = nginxMakeLocal 8084;
+ mesh = nginxMakeLocal 8085;
};
environment.etc = {