From 1e7d994aa817d8bd7e1d84f5307b7cfcf6e43071 Mon Sep 17 00:00:00 2001
From: alejandro-angulo
Date: Mon, 5 Aug 2024 20:39:00 -0700
Subject: [PATCH] Removed proxy config

Don't need this since my source of truth is my private gitea instance now.
---
 systems/x86_64-do/proxy/README.md | 5 --
 systems/x86_64-do/proxy/default.nix | 110 ----------------------------
 2 files changed, 115 deletions(-)
 delete mode 100644 systems/x86_64-do/proxy/README.md
 delete mode 100644 systems/x86_64-do/proxy/default.nix

diff --git a/systems/x86_64-do/proxy/README.md b/systems/x86_64-do/proxy/README.md
deleted file mode 100644
index 5e3fa24..0000000
--- a/systems/x86_64-do/proxy/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-- Log in (SSH key should already be configured)
-- Change password with `passwd`
-- Set up tailscale with `sudo tailscale up --accept-routes --ssh`
-- Write cloudflare creds to `/var/acme/creds`
- - Ensure permissions `sudo chmod -R 700 /var/acme/creds`
diff --git a/systems/x86_64-do/proxy/default.nix b/systems/x86_64-do/proxy/default.nix
deleted file mode 100644
index 0acf1a0..0000000
--- a/systems/x86_64-do/proxy/default.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{
- config,
- pkgs,
- lib,
- namespace,
- ...
-}: {
- aa = {
- nix.enable = true;
- nix.useSelfhostedCache = true;
-
- security.acme = {
- enable = true;
- domainName = "proxy.kilonull.com";
- isWildcard = false;
- # TODO: Use a different cert with more targetted permissions (this one
- # can make wildcard certs)
- # TODO: Add machine public key in secrets/secrets.nix
- dnsCredentialsFile = "/var/acme/creds";
- };
-
- services = {
- openssh.enable = true;
- # NOTE: Need to run `tailscale login` on first boot
- tailscale = {
- enable = true;
- configureClientRouting = true;
- };
- };
- };
-
- # Workaround for broken digital ocean image builds
- # See: https://github.com/NixOS/nixpkgs/issues/308404
- boot.loader.grub.devices = lib.mkForce ["/dev/vda"];
- boot.loader.grub.device = "/dev/vda";
-
- services.nginx = {
- enable = true;
- appendHttpConfig = ''
- log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';
- access_log /var/log/nginx/access.log upstreamlog;
- '';
- virtualHosts."proxy.kilonull.com" = let
- commonConfig = pkgs.writeText "common_config.conf" ''
- proxy_redirect off;
- proxy_set_header Host "hydra.kilonull.com";
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
-
- allow 127.0.0.1;
- allow 100.0.0.0/8;
- allow 192.168.113.0/24;
- '';
- in {
- forceSSL = true;
- useACMEHost = "proxy.kilonull.com";
- locations = {
- "/" = {
- extraConfig = ''
- deny all;
- '';
- };
- "/hydra" = {
- proxyPass = "https://hydra.kilonull.com";
- extraConfig = ''
- rewrite /hydra(.*) /$1 break;
- include ${commonConfig};
- deny all;
- '';
- };
- "/hydra/api/push-github" = {
- proxyPass = "https://hydra.kilonull.com/api/push-github";
- extraConfig = ''
- include ${commonConfig};
- # GitHub webhook IPs
- allow 192.30.252.0/22;
- allow 185.199.108.0/22;
- allow 140.82.112.0/20;
- allow 143.55.64.0/20;
- allow 2a0a:a440::/29;
- allow 2606:50c0::/3;
- deny all;
- '';
- };
- };
- };
- };
-
- users.users.${config.aa.user.name} = {
- initialHashedPassword = "$y$j9T$/AuWXo5argOeEi1hwlu161$bvB.V5tfB.acWAvr6mV9lVucdGzQc16UVffMdPbqWD0";
- };
- networking.firewall.allowedTCPPorts = [
- # SSH
- 22
-
- # HTTP(S)
- # 80
- 443
- ];
-
- virtualisation.digitalOcean = {
- setRootPassword = true;
- setSshKeys = true;
- };
-
- system.stateVersion = "24.05";
-}