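{ ... }:

let
  # Public IPv4 address that git.oxapentane.com answers on.  SSH arriving on it
  # is DNAT'ed into the forgejo guest; the host's own sshd deliberately never
  # binds this address (see services.openssh.listenAddresses below).
  gitPublicAddr = "116.202.5.66";

  # Where forgejo's built-in SSH server listens (guest address:port).
  forgejoSshTarget = "10.89.88.15:2222";

  # Rule specs shared by the start and stop scripts, so the rule removed on
  # stop is always exactly the rule that was added on start.
  dnatRule = "PREROUTING -p tcp --dport 22 -d ${gitPublicAddr} -j DNAT --to-destination ${forgejoSshTarget}";
  masqRule = "POSTROUTING ! -o lo -j MASQUERADE";
in
{
  # ssh config for forgejo: the guest's SSH port is exposed on the public git
  # address via DNAT, while the host's sshd stays on the remaining addresses.

  # Forwarding is needed for the DNAT'ed packets to be routed on to the guest.
  # This is a global switch; the NixOS firewall does not filter FORWARD unless
  # told to (filterForward), so presumably the host now routes between any of
  # its interfaces.  NOTE(review): confirm that is intended, or add FORWARD
  # rules that only admit the forgejo flow.
  boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; };

  networking.firewall = {
    # INPUT: host sshd.  This opens 22 on every address even though sshd only
    # binds the ones listed below.  The forwarded guest traffic traverses
    # FORWARD, not INPUT, so this entry is not what makes the port forward work.
    allowedTCPPorts = [ 22 ];

    # git.oxapentane.com: port forward 22 to forgejo (IPv4 only for now).
    # TODO do a proper thing with ipv6
    extraCommands = ''
      # -C first, so a reload/restart of the firewall never stacks duplicates.
      # -I puts the DNAT ahead of any other PREROUTING rules (e.g. container NAT).
      iptables -t nat -C ${dnatRule} || iptables -t nat -I ${dnatRule}

      # NOTE(review): this masquerades *everything* leaving the host, the
      # DNAT'ed SSH flow included, so forgejo sees the host's address instead
      # of the real client on every SSH connection (its logs and any rate
      # limiting there cannot tell clients apart).  If the guest routes its
      # replies back through this host anyway, narrowing this to the guest's
      # egress (-s <guest net> -o <uplink>) would preserve the client address;
      # left as-is because the guest's routing is not visible from here.
      iptables -t nat -C ${masqRule} || iptables -t nat -A ${masqRule}
    '';

    # Remove exactly what extraCommands added.  Both rules are deleted here;
    # dropping only the DNAT rule would leave a MASQUERADE rule behind on
    # every stop/start cycle.
    extraStopCommands = ''
      iptables -t nat -D ${dnatRule} || true
      iptables -t nat -D ${masqRule} || true
    '';
  };

  # host sshd: only listen on oxapentane.com and mgmt vpn, which leaves port 22
  # on the public git address free for the DNAT above.
  # NOTE(review): sshd cannot bind an address that is not yet configured at
  # start-up; presumably wg-0xa-mgmt is up before sshd starts -- verify the
  # unit ordering if sshd ever fails after a reboot.
  services.openssh.listenAddresses =
    let
      onPort22 = addr: { inherit addr; port = 22; };
    in
    map onPort22 [
      # enp1s0
      "188.245.196.27"
      "2a01:4f8:c17:7f8a::1"
      # wg-0xa-mgmt
      "10.89.87.1"
      "fd31:185d:722e::1"
    ];

  # Both entries point at the forgejo guest's HTTP port; nginx balances between
  # them (presumably the same instance reachable over v4 and v6).
  services.nginx.upstreams.forgejo.servers = {
    "10.89.88.15:3000" = { };
    "[fd31:185d:722f::15]:3000" = { };
  };

  services.nginx.virtualHosts."git.oxapentane.com" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://forgejo";
      extraConfig = ''
        # ~49 GiB, sized for large git pushes over HTTPS.  A limit this high is
        # only reasonable if forgejo rejects unauthenticated uploads before
        # reading the body; lower it if that is not the case.
        client_max_body_size 50000M;

        # Client identity for forgejo.  X-Real-IP is always overwritten with the
        # TCP peer; X-Forwarded-For is *appended* to whatever the client sent,
        # so forgejo must treat this proxy as trusted and read the right-most
        # entry (its reverse-proxy settings are not configured in this file).
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket pass-through.  NOTE(review): "Connection: upgrade" is sent
        # unconditionally; the usual idiom is a `map $http_upgrade
        # $connection_upgrade` so plain requests do not carry it.  Left as-is
        # because whether the nginx module already defines that map is not
        # visible here.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Long-running git operations over HTTP.
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;
      '';
    };
  };
}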