diff --git a/hosts/cloud/networking.nix b/hosts/cloud/networking.nix
index 71af8e1..3c5c08d 100644
--- a/hosts/cloud/networking.nix
+++ b/hosts/cloud/networking.nix
@@ -19,7 +19,9 @@
     networkConfig = {
       Address = [
         "188.245.196.27/32"
+        "116.202.5.66/32"
         "2a01:4f8:c17:7f8a::1/64"
+        "2a01:4f8:c17:7f8a::617/64"
       ];
       DNS = [
         "2a01:4ff:ff00::add:1"
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 483f126..d092b02 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -52,8 +52,7 @@ in
       # Prevent injection of code in other mime types (XSS Attacks)
       add_header X-Content-Type-Options nosniff;
     '';
-    # default vhost
-
+
     virtualHosts."oxapentane.com" = {
       forceSSL = true;
       enableACME = true;
diff --git a/hosts/cloud/proxy/git.nix b/hosts/cloud/proxy/git.nix
index 20ef08a..49be270 100644
--- a/hosts/cloud/proxy/git.nix
+++ b/hosts/cloud/proxy/git.nix
@@ -1,5 +1,37 @@
 { ... }: {
+  # ssh config for forgejo
+  # need ip forward for nat
+  boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
+
+  networking.firewall = {
+    # open port explicitly
+    allowedTCPPorts = [ 22 ];
+    # git.oxapentane.com: port forward 22 to forgejo
+    # TODO do a proper thing with ipv6
+    extraCommands = ''
+      iptables -t nat -I PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222
+      iptables ! -o lo -t nat -A POSTROUTING -j MASQUERADE
+    '';
+    extraStopCommands = ''
+      iptables -t nat -D PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 || true
+    '';
+  };
+  # host sshd: only listen on oxapentane.com and mgmt vpn
+  services.openssh.listenAddresses = map (a :
+    {
+      addr = a;
+      port = 22;
+    }) [
+    # enp1s0
+    "188.245.196.27"
+    "2a01:4f8:c17:7f8a::1"
+    # wg-0xa-mgmt
+    "10.89.87.1"
+    "fd31:185d:722e::1"
+  ];
+
+
   services.nginx.upstreams.forgejo = {
     servers = {
       "10.89.88.15:3000" = { };
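Review bot: The new `"116.202.5.66/32"` entry in the networking.nix hunk is an undocumented bare literal, and the same address is repeated twice more in this commit as the `-d` match of the DNAT/undo rules in hosts/cloud/proxy/git.nix (that hunk runs past the end of this excerpt), so the copies can drift apart without any evaluation error. At minimum annotate the purpose here, e.g. `"116.202.5.66/32" # git.oxapentane.com: DNAT target for forgejo ssh, see proxy/git.nix`, and do the same for `"2a01:4f8:c17:7f8a::617/64"`, which git.nix's own TODO says is not yet forwarded. Better, hoist the address into one `let` binding or module option that both networking.nix and proxy/git.nix read, so the interface address and the firewall match cannot disagree.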