From c73d69cce546e4e16015d41591dacfa610eb3946 Mon Sep 17 00:00:00 2001
From: Evie Litherland-Smith
Date: Thu, 25 May 2023 17:05:25 +0100
Subject: [PATCH] Update ports used and relevant traefik configs
---
 home/ssh/common.nix | 1 -
 home/ssh/personal.nix | 4 ++--
 home/ssh/work.nix | 1 +
 server/adguardhome.nix | 1 +
 server/gitea.nix | 35 +++++++++++++++++++++++++++--------
 server/nextcloud.nix | 1 +
 server/qbittorrent.nix | 13 +++++++++++++
 server/sshd.nix | 10 +++++++++-
 server/traefik.nix | 38 ++++++++++++++++++++++++--------------
 9 files changed, 78 insertions(+), 26 deletions(-)
 create mode 100644 server/qbittorrent.nix
diff --git a/home/ssh/common.nix b/home/ssh/common.nix
index 7a88ed38..81e51b6a 100644
--- a/home/ssh/common.nix
+++ b/home/ssh/common.nix
@@ -6,6 +6,5 @@
 serverAliveCountMax = 3;
 controlMaster = "auto";
 controlPersist = "1s";
- matchBlocks = {"git.*".user = "git";};
 };
 }
diff --git a/home/ssh/personal.nix b/home/ssh/personal.nix
index 9ceb8e87..d88eb131 100644
--- a/home/ssh/personal.nix
+++ b/home/ssh/personal.nix
@@ -2,8 +2,8 @@
 imports = [./common.nix];
 programs.ssh.matchBlocks = {
 "vanguard" = {user = "xenia";};
- "git.xenia.me.uk" = lib.hm.dag.entryBefore ["git.*"] {user = "gitea";};
- "vanguard *xenia.me.uk" = lib.hm.dag.entryAfter ["vanguard"] {
+ "git.xenia.me.uk" = {user = "gitea";};
+ "vanguard *xenia.me.uk" = lib.hm.dag.entryAfter ["vanguard" "git.xenia.me.uk"] {
 hostname = "192.168.1.166";
 port = 2222;
 };
diff --git a/home/ssh/work.nix b/home/ssh/work.nix
index 98fce961..2815d87b 100644
--- a/home/ssh/work.nix
+++ b/home/ssh/work.nix
@@ -6,6 +6,7 @@
 imports = [./common.nix];
 home.packages = with pkgs; [sshfs];
 programs.ssh.matchBlocks = {
+ "git.ccfe.ac.uk" = {user = "git";};
 "batch" = {
 user = "cxsbatch";
 hostname = "heimdall115.jetdata.eu";
diff --git a/server/adguardhome.nix b/server/adguardhome.nix
index dcb532a1..68f6a95a 100644
--- a/server/adguardhome.nix
+++ b/server/adguardhome.nix
@@ -13,6 +13,7 @@
 services.traefik.dynamicConfigOptions.http = {
 routers.adguard = {
 rule = "Host(`guard.xenia.me.uk`)";
+ entryPoints = ["http" "https"];
 service = "adguard-webinterface";
 tls = {certResolver = "default";};
 };
diff --git a/server/gitea.nix b/server/gitea.nix
index e71bd1f9..f6575690 100644
--- a/server/gitea.nix
+++ b/server/gitea.nix
@@ -6,7 +6,10 @@
 server = {
 ROOT_URL = "https://git.xenia.me.uk";
 DOMAIN = "git.xenia.me.uk";
+ START_SSH_SERVER = true;
+ SSH_DOMAIN = "git.xenia.me.uk";
 SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 30922;
 };
 service.DISABLE_REGISTRATION = true;
 ui = {
@@ -15,19 +18,35 @@
 };
 appName = "Gitea";
 };
- networking.firewall.allowedTCPPorts = [80 443 2222];
- services.traefik.dynamicConfigOptions.http = {
- routers.gitea = {
- rule = "Host(`git.xenia.me.uk`)";
- service = "gitea-websecure";
- tls = {certResolver = "default";};
+ services.traefik.dynamicConfigOptions = {
+ http = {
+ routers.gitea = {
+ rule = "Host(`git.xenia.me.uk`)";
+ entryPoints = ["http" "https"];
+ service = "gitea-websecure";
+ tls = {certResolver = "default";};
+ };
+ services.gitea-websecure.loadBalancer.servers = [{url = "http://localhost:3000";}];
+ };
+ tcp = {
+ routers.gitea-ssh = {
+ rule = "HostSNI(`git.xenia.me.uk`)";
+ entryPoints = ["ssh"];
+ service = "gitea-sshservice";
+ tls = {certResolver = "default";};
+ };
+ routers.gitea-ssh-local = {
+ rule = "ClientIP(`192.168.0.0/16`)";
+ entryPoints = ["ssh"];
+ service = "gitea-sshservice";
+ };
+ services.gitea-sshservice.loadBalancer.servers = [{address = "localhost:30922";}];
 };
- services.gitea-websecure.loadBalancer.servers = [{url = "http://localhost:3000";}];
 };
 services.fail2ban.jails.gitea = ''
 enabled = true
 filter = sshd
- ports = 2222
+ ports = 30922
 backend = systemd
 '';
 }
diff --git a/server/nextcloud.nix b/server/nextcloud.nix
index 6c0206ca..fa940371 100644
--- a/server/nextcloud.nix
+++ b/server/nextcloud.nix
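Review bot: `routers.gitea-ssh` combines a `HostSNI` rule for git.xenia.me.uk with `tls = {certResolver = "default";}`, but an SSH client never opens with a TLS ClientHello, so this TCP router cannot match a plain SSH connection on port 2222 and Gitea SSH ends up reachable only through the LAN-only `gitea-ssh-local` router. SSH carries no SNI, so Traefik can only route it without TLS, which leaves a `ClientIP` or catch-all `HostSNI` rule; the `ClientIP` rule for 192.168.0.0/16 used here on the `ssh` entrypoint is identical to `routers.ssh` in server/sshd.nix with no `priority` set, so which backend a LAN client reaches is undefined, and the two SSH services need distinct entrypoints (ports) rather than distinct rules. The `gitea` jail keeps `filter = sshd` while `ports = 30922` is now Gitea's built-in SSH server, which is not sshd and, when proxied by Traefik, sees the connection arrive from 127.0.0.1, so the jail presumably never bans the originating client — confirm against the journal before relying on it.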
@@ -22,6 +22,7 @@
 services.traefik.dynamicConfigOptions.http = {
 routers.nextcloud = {
 rule = "Host(`cloud.xenia.me.uk`)";
+ entryPoints = ["http" "https"];
 service = "nextcloud-webinterface";
 tls = {certResolver = "default";};
 };
diff --git a/server/qbittorrent.nix b/server/qbittorrent.nix
new file mode 100644
index 00000000..1efc40de
--- /dev/null
+++ b/server/qbittorrent.nix
@@ -0,0 +1,13 @@
+{pkgs, ...}: {
+ imports = [./traefik.nix];
+ environment.systemPackages = [pkgs.qbittorrent];
+ services.traefik.dynamicConfigOptions.http = {
+ routers.qbittorrent = {
+ rule = "Host(`torrent.xenia.me.uk`)";
+ entryPoints = ["http" "https"];
+ service = "qbittorrent-webinterface";
+ tls = {certResolver = "default";};
+ };
+ services.qbittorrent-webinterface.loadBalancer.servers = [{url = "http://localhost:8090";}];
+ };
+}
diff --git a/server/sshd.nix b/server/sshd.nix
index 511a07f7..32250f13 100644
--- a/server/sshd.nix
+++ b/server/sshd.nix
@@ -1,7 +1,7 @@
 {...}: {
 services.openssh = {
 enable = true;
- ports = [2222];
+ ports = [22];
 settings = {
 UseDns = true;
 PermitRootLogin = "no";
@@ -10,4 +10,12 @@
 LogLevel = "VERBOSE";
 };
 };
+ services.traefik.dynamicConfigOptions.tcp = {
+ routers.ssh = {
+ rule = "ClientIP(`192.168.0.0/16`)";
+ entryPoints = ["ssh"];
+ service = "ssh-redirect";
+ };
+ services.ssh-redirect.loadBalancer.servers = [{address = "localhost:22";}];
+ };
 }
diff --git a/server/traefik.nix b/server/traefik.nix
index 92bfd4fa..b2346413 100644
--- a/server/traefik.nix
+++ b/server/traefik.nix
@@ -5,8 +5,15 @@
 staticConfigOptions = {
 api = {insecure = true;};
 entryPoints = {
- http = {address = ":80";};
+ http = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "https";
+ scheme = "https";
+ };
+ };
 https = {address = ":443";};
+ ssh = {address = ":2222";};
 };
 certificatesResolvers = {
 default = {
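Review bot: `routers.ssh` forwards the `ssh` entrypoint to `localhost:22`, so after this change sshd observes every proxied session as arriving from 127.0.0.1 rather than from the remote client. OpenSSH does not speak PROXY protocol, so its `LogLevel = "VERBOSE"` records and every jail built on `filter = sshd` (`traefik-ssh` in server/traefik.nix, `gitea` in server/gitea.nix) lose the real address, and because fail2ban ignores its own host by default, brute-force banning for SSH effectively stops working with this layout. If source addresses matter for logging and banning, keep sshd's listening port in `networking.firewall.allowedTCPPorts` and expose it directly rather than through a Traefik TCP router, which is only appropriate for backends that can recover the client address.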
@@ -21,26 +28,29 @@
 dynamicConfigOptions.http = {
 routers.traefik = {
 rule = "Host(`traefik.xenia.me.uk`)";
+ entryPoints = ["http" "https"];
 service = "traefik-webinterface";
 tls = {certResolver = "default";};
 };
 services.traefik-webinterface.loadBalancer.servers = [{url = "http://localhost:8080";}];
- routers.qbittorrent = {
- rule = "Host(`torrent.xenia.me.uk`)";
- service = "qbittorrent-webinterface";
- tls = {certResolver = "default";};
- };
- services.qbittorrent-webinterface.loadBalancer.servers = [{url = "http://localhost:8090";}];
 };
 };
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [80 443 8080 8090];
+ allowedTCPPorts = [80 443 2222];
+ };
+ services.fail2ban.jails = {
+ traefik-http = ''
+ enabled = true
+ filter = traefik-auth
+ ports = http,https,2222
+ backend = systemd
+ '';
+ traefik-ssh = ''
+ enabled = true
+ filter = sshd
+ ports = 2222
+ backend = systemd
+ '';
 };
- services.fail2ban.jails.traefik = ''
- enabled = true
- filter = traefik-auth
- ports = http,https,8080
- backend = systemd
- '';
 }
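Review bot: `allowedTCPPorts = [80 443 2222]` no longer opens port 22, which is where server/sshd.nix moves sshd in this same patch, so administrative SSH now depends entirely on Traefik being up and its `ssh` entrypoint routing correctly. Three TCP routers in sshd.nix and gitea.nix share that entrypoint, and a Traefik configuration error or service failure would leave no way into the host; keeping `22` in `allowedTCPPorts`, at least for the LAN, preserves a recovery path that does not go through the proxy.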