Update ports used and relevant traefik configs

This commit is contained in:
Evie Litherland-Smith 2023-05-25 17:05:25 +01:00
parent 7370df89ef
commit c73d69cce5
9 changed files with 78 additions and 26 deletions


@ -6,6 +6,5 @@
serverAliveCountMax = 3; serverAliveCountMax = 3;
controlMaster = "auto"; controlMaster = "auto";
controlPersist = "1s"; controlPersist = "1s";
matchBlocks = {"git.*".user = "git";};
}; };
} }


@ -2,8 +2,8 @@
imports = [./common.nix]; imports = [./common.nix];
programs.ssh.matchBlocks = { programs.ssh.matchBlocks = {
"vanguard" = {user = "xenia";}; "vanguard" = {user = "xenia";};
"git.xenia.me.uk" = lib.hm.dag.entryBefore ["git.*"] {user = "gitea";}; "git.xenia.me.uk" = {user = "gitea";};
"vanguard *xenia.me.uk" = lib.hm.dag.entryAfter ["vanguard"] { "vanguard *xenia.me.uk" = lib.hm.dag.entryAfter ["vanguard" "git.xenia.me.uk"] {
hostname = "192.168.1.166"; hostname = "192.168.1.166";
port = 2222; port = 2222;
}; };


@ -6,6 +6,7 @@
imports = [./common.nix]; imports = [./common.nix];
home.packages = with pkgs; [sshfs]; home.packages = with pkgs; [sshfs];
programs.ssh.matchBlocks = { programs.ssh.matchBlocks = {
"git.ccfe.ac.uk" = {user = "git";};
"batch" = { "batch" = {
user = "cxsbatch"; user = "cxsbatch";
hostname = "heimdall115.jetdata.eu"; hostname = "heimdall115.jetdata.eu";


@ -13,6 +13,7 @@
services.traefik.dynamicConfigOptions.http = { services.traefik.dynamicConfigOptions.http = {
routers.adguard = { routers.adguard = {
rule = "Host(`guard.xenia.me.uk`)"; rule = "Host(`guard.xenia.me.uk`)";
entryPoints = ["http" "https"];
service = "adguard-webinterface"; service = "adguard-webinterface";
tls = {certResolver = "default";}; tls = {certResolver = "default";};
}; };


@ -6,7 +6,10 @@
server = { server = {
ROOT_URL = "https://git.xenia.me.uk"; ROOT_URL = "https://git.xenia.me.uk";
DOMAIN = "git.xenia.me.uk"; DOMAIN = "git.xenia.me.uk";
START_SSH_SERVER = true;
SSH_DOMAIN = "git.xenia.me.uk";
SSH_PORT = 2222; SSH_PORT = 2222;
SSH_LISTEN_PORT = 30922;
}; };
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
ui = { ui = {
@ -15,19 +18,35 @@
}; };
appName = "Gitea"; appName = "Gitea";
}; };
networking.firewall.allowedTCPPorts = [80 443 2222]; services.traefik.dynamicConfigOptions = {
services.traefik.dynamicConfigOptions.http = { http = {
routers.gitea = { routers.gitea = {
rule = "Host(`git.xenia.me.uk`)"; rule = "Host(`git.xenia.me.uk`)";
service = "gitea-websecure"; entryPoints = ["http" "https"];
tls = {certResolver = "default";}; service = "gitea-websecure";
tls = {certResolver = "default";};
};
services.gitea-websecure.loadBalancer.servers = [{url = "http://localhost:3000";}];
};
tcp = {
routers.gitea-ssh = {
rule = "HostSNI(`git.xenia.me.uk`)";
entryPoints = ["ssh"];
service = "gitea-sshservice";
tls = {certResolver = "default";};
};
routers.gitea-ssh-local = {
rule = "ClientIP(`192.168.0.0/16`)";
entryPoints = ["ssh"];
service = "gitea-sshservice";
};
services.gitea-sshservice.loadBalancer.servers = [{address = "localhost:30922";}];
}; };
services.gitea-websecure.loadBalancer.servers = [{url = "http://localhost:3000";}];
}; };
services.fail2ban.jails.gitea = '' services.fail2ban.jails.gitea = ''
enabled = true enabled = true
filter = sshd filter = sshd
ports = 2222 ports = 30922
backend = systemd backend = systemd
''; '';
} }
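Review bot: The fail2ban `gitea` jail at the end of the second hunk bans port `30922`, but that is the loopback-only port Gitea listens on (`services.gitea-sshservice` forwards to `localhost:30922`), so a ban would not block the entry point clients actually reach; it should be `ports = 2222`, and the same mismatch between banned port and public entry point is worth checking in the `traefik-ssh` jail in traefik.nix. More fundamentally, Traefik hands the connection to localhost without PROXY protocol, so Gitea logs 127.0.0.1 as the peer and fail2ban has no real client address to ban; if bans are wanted on this path, set `services.gitea-sshservice.loadBalancer.proxyProtocol.version = 2;` together with Gitea's matching proxy-protocol setting, or ban from Traefik's own access log instead. Two further things to confirm: `routers.gitea-ssh-local` here and `routers.ssh` in sshd.nix carry the identical `ClientIP` rule for 192.168.0.0/16 on the same `ssh` entry point with no `priority`, so which backend a LAN connection lands on is not well defined; and `routers.gitea-ssh` terminates TLS on a HostSNI match, which a plain ssh client never sends, so non-LAN git-over-SSH presumably needs a TLS-wrapping ProxyCommand or a non-TLS catch-all router.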


@ -22,6 +22,7 @@
services.traefik.dynamicConfigOptions.http = { services.traefik.dynamicConfigOptions.http = {
routers.nextcloud = { routers.nextcloud = {
rule = "Host(`cloud.xenia.me.uk`)"; rule = "Host(`cloud.xenia.me.uk`)";
entryPoints = ["http" "https"];
service = "nextcloud-webinterface"; service = "nextcloud-webinterface";
tls = {certResolver = "default";}; tls = {certResolver = "default";};
}; };

13
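--- /dev/null
+++ b/server/qbittorrent.nix
@@ -0,0 +1,13 @@
+{pkgs, ...}: {
+imports = [./traefik.nix];
+environment.systemPackages = [pkgs.qbittorrent];
+services.traefik.dynamicConfigOptions.http = {
+routers.qbittorrent = {
+rule = "Host(`torrent.xenia.me.uk`)";
+entryPoints = ["http" "https"];
+service = "qbittorrent-webinterface";
+tls = {certResolver = "default";};
+};
+services.qbittorrent-webinterface.loadBalancer.servers = [{url = "http://localhost:8090";}];
+};
+}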


@ -1,7 +1,7 @@
{...}: { {...}: {
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [2222]; ports = [22];
settings = { settings = {
UseDns = true; UseDns = true;
PermitRootLogin = "no"; PermitRootLogin = "no";
@ -10,4 +10,12 @@
LogLevel = "VERBOSE"; LogLevel = "VERBOSE";
}; };
}; };
services.traefik.dynamicConfigOptions.tcp = {
routers.ssh = {
rule = "ClientIP(`192.168.0.0/16`)";
entryPoints = ["ssh"];
service = "ssh-redirect";
};
services.ssh-redirect.loadBalancer.servers = [{address = "localhost:22";}];
};
} }
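Review bot: Moving sshd to port 22 in the first hunk while only 80, 443 and 2222 are in `networking.firewall.allowedTCPPorts` presumably intends direct SSH to be closed, but NixOS's `services.openssh.openFirewall` defaults to true and opens each listed port on its own, so port 22 is likely still reachable directly; add `openFirewall = false;` next to `enable = true;` if Traefik is meant to be the only path in. The `ssh` TCP router added in the second hunk forwards to `localhost:22`, so sshd's `VERBOSE` log records 127.0.0.1 as the client and OpenSSH has no PROXY-protocol support to recover the real address; any fail2ban jail keyed on the sshd filter therefore cannot attribute attempts on this path, which is worth stating in a comment above `services.ssh-redirect`. Note also that the `ClientIP` rule here duplicates `routers.gitea-ssh-local` in gitea.nix on the same entry point.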


@ -5,8 +5,15 @@
staticConfigOptions = { staticConfigOptions = {
api = {insecure = true;}; api = {insecure = true;};
entryPoints = { entryPoints = {
http = {address = ":80";}; http = {
address = ":80";
http.redirections.entryPoint = {
to = "https";
scheme = "https";
};
};
https = {address = ":443";}; https = {address = ":443";};
ssh = {address = ":2222";};
}; };
certificatesResolvers = { certificatesResolvers = {
default = { default = {
@ -21,26 +28,29 @@
dynamicConfigOptions.http = { dynamicConfigOptions.http = {
routers.traefik = { routers.traefik = {
rule = "Host(`traefik.xenia.me.uk`)"; rule = "Host(`traefik.xenia.me.uk`)";
entryPoints = ["http" "https"];
service = "traefik-webinterface"; service = "traefik-webinterface";
tls = {certResolver = "default";}; tls = {certResolver = "default";};
}; };
services.traefik-webinterface.loadBalancer.servers = [{url = "http://localhost:8080";}]; services.traefik-webinterface.loadBalancer.servers = [{url = "http://localhost:8080";}];
routers.qbittorrent = {
rule = "Host(`torrent.xenia.me.uk`)";
service = "qbittorrent-webinterface";
tls = {certResolver = "default";};
};
services.qbittorrent-webinterface.loadBalancer.servers = [{url = "http://localhost:8090";}];
}; };
}; };
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [80 443 8080 8090]; allowedTCPPorts = [80 443 2222];
};
services.fail2ban.jails = {
traefik-http = ''
enabled = true
filter = traefik-auth
ports = http,https,2222
backend = systemd
'';
traefik-ssh = ''
enabled = true
filter = sshd
ports = 2222
backend = systemd
'';
}; };
services.fail2ban.jails.traefik = ''
enabled = true
filter = traefik-auth
ports = http,https,8080
backend = systemd
'';
} }