From 4db060800b11b91138dbd68f66c8059bdef6c332 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Tue, 17 Sep 2024 23:02:00 +0200
Subject: [PATCH] Shorten the subdomains of hosted services
---
 .../docker/actualbudget/default.nix | 24 ++++++++++-------
 .../containers/docker/onlyoffice/default.nix | 26 +++++++++++--------
 .../containers/nspawn/forgejo/default.nix | 5 +++-
 .../containers/nspawn/nextcloud/default.nix | 9 ++++++-
 .../containers/nspawn/paperless/default.nix | 5 +++-
 modules/system/tailscale.nix | 5 ++++
 6 files changed, 50 insertions(+), 24 deletions(-)
diff --git a/hosts/stratus/containers/docker/actualbudget/default.nix b/hosts/stratus/containers/docker/actualbudget/default.nix
index 05dea91..1f36bb6 100644
--- a/hosts/stratus/containers/docker/actualbudget/default.nix
+++ b/hosts/stratus/containers/docker/actualbudget/default.nix
@@ -1,42 +1,46 @@
 { config, pkgs, ... }:
+let
+ serviceName = "actualbudget";
+ subdomain = "budget";
+in
 {
- sops.secrets."container/actualbudget/tailscale-auth-key" = { };
+ sops.secrets."container/${serviceName}/tailscale-auth-key" = { };
 virtualisation.oci-containers.containers = {
- actualbudget = {
+ ${serviceName} = {
 image = "ghcr.io/actualbudget/actual-server:latest";
- volumes = [ "/data/actualbudget:/data" ];
+ volumes = [ "/data/${serviceName}:/data" ];
 };
- tailscale-actualbudget =
+ "tailscale-${serviceName}" =
 let
 configPath = pkgs.writeTextFile {
 name = "config";
 destination = "/tailscale-serve.json";
 text = builtins.toJSON {
 TCP."443".HTTPS = true;
- Web."actualbudget.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:5006";
+ Web."${subdomain}.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:5006";
 };
 };
 in
 {
 image = "ghcr.io/tailscale/tailscale:latest";
 environment = {
- TS_HOSTNAME = "actualbudget";
+ TS_HOSTNAME = subdomain;
 TS_STATE_DIR = "/var/lib/tailscale";
 TS_SERVE_CONFIG = "/config/tailscale-serve.json";
 TS_USERSPACE = "true"; # https://github.com/tailscale/tailscale/issues/11372
 };
 environmentFiles = [
 # Contains "TS_AUTHKEY="
- config.sops.secrets."container/actualbudget/tailscale-auth-key".path
+ config.sops.secrets."container/${serviceName}/tailscale-auth-key".path
 ];
 volumes = [
- "/var/lib/tailscale-actualbudget:/var/lib/tailscale"
+ "/var/lib/tailscale-${serviceName}:/var/lib/tailscale"
 "${configPath}:/config"
 ];
- extraOptions = [ "--network=container:actualbudget" ];
- dependsOn = [ "actualbudget" ];
+ extraOptions = [ "--network=container:${serviceName}" ];
+ dependsOn = [ serviceName ];
 };
 };
 }
diff --git a/hosts/stratus/containers/docker/onlyoffice/default.nix b/hosts/stratus/containers/docker/onlyoffice/default.nix
index 0210207..998f5ea 100644
--- a/hosts/stratus/containers/docker/onlyoffice/default.nix
+++ b/hosts/stratus/containers/docker/onlyoffice/default.nix
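Review bot: `subdomain` now does double duty as the tailnet machine name (`TS_HOSTNAME = subdomain`) and as the host key of the serve config (`Web."${subdomain}.${config.networking.domain}:443"`), and nothing in the hunk records that coupling. If the control plane registers the node under a different name than requested (for instance with a numeric suffix because another node in the tailnet already uses `budget`), the serve handler never matches and the service is silently unreachable over HTTPS, which is only visible from the admin console. I would add a comment at the `let`: `# subdomain is also the tailnet machine name; the serve config below only matches the MagicDNS name the node is actually registered under, so check the admin console after a rename`. The same applies to the onlyoffice hunk (`office`).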
@@ -1,48 +1,52 @@
 { config, pkgs, ... }:
+let
+ serviceName = "onlyoffice";
+ subdomain = "office";
+in
 {
 sops.secrets = {
- "container/onlyoffice/tailscale-auth-key" = { };
- "container/onlyoffice/jwt-secret" = { };
+ "container/${serviceName}/tailscale-auth-key" = { };
+ "container/${serviceName}/jwt-secret" = { };
 };
 virtualisation.oci-containers.containers = {
- onlyoffice = {
+ ${serviceName} = {
 image = "onlyoffice/documentserver";
 environmentFiles = [
 # Contains "JWT_SECRET="
- config.sops.secrets."container/onlyoffice/jwt-secret".path
+ config.sops.secrets."container/${serviceName}/jwt-secret".path
 ];
 };
- tailscale-onlyoffice =
+ "tailscale-${serviceName}" =
 let
 configPath = pkgs.writeTextFile {
 name = "config";
 destination = "/tailscale-serve.json";
 text = builtins.toJSON {
 TCP."443".HTTPS = true;
- Web."onlyoffice.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:80";
+ Web."${subdomain}.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:80";
 };
 };
 in
 {
 image = "ghcr.io/tailscale/tailscale:latest";
 environment = {
- TS_HOSTNAME = "onlyoffice";
+ TS_HOSTNAME = subdomain;
 TS_STATE_DIR = "/var/lib/tailscale";
 TS_SERVE_CONFIG = "/config/tailscale-serve.json";
 TS_USERSPACE = "true"; # https://github.com/tailscale/tailscale/issues/11372
 };
 environmentFiles = [
 # Contains "TS_AUTHKEY="
- config.sops.secrets."container/onlyoffice/tailscale-auth-key".path
+ config.sops.secrets."container/${serviceName}/tailscale-auth-key".path
 ];
 volumes = [
- "/var/lib/tailscale-onlyoffice:/var/lib/tailscale"
+ "/var/lib/tailscale-${serviceName}:/var/lib/tailscale"
 "${configPath}:/config"
 ];
- extraOptions = [ "--network=container:onlyoffice" ];
- dependsOn = [ "onlyoffice" ];
+ extraOptions = [ "--network=container:${serviceName}" ];
+ dependsOn = [ serviceName ];
 };
 };
 }
diff --git a/hosts/stratus/containers/nspawn/forgejo/default.nix b/hosts/stratus/containers/nspawn/forgejo/default.nix
index 7e59bdc..5747253 100644
--- a/hosts/stratus/containers/nspawn/forgejo/default.nix
+++ b/hosts/stratus/containers/nspawn/forgejo/default.nix
@@ -41,6 +41,9 @@ $create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat ${config.sops.secrets.forgejo-admin-password.path})" || true
 '';
- myConfig.tailscale.serve = "3000";
+ myConfig.tailscale = {
+ subdomain = "git";
+ serve = "3000";
+ };
 };
 }
diff --git a/hosts/stratus/containers/nspawn/nextcloud/default.nix b/hosts/stratus/containers/nspawn/nextcloud/default.nix
index 8b622ac..f72e22c 100644
--- a/hosts/stratus/containers/nspawn/nextcloud/default.nix
+++ b/hosts/stratus/containers/nspawn/nextcloud/default.nix
@@ -1,3 +1,6 @@
+let
+ subdomain = "cloud";
+in
 {
 containers.nextcloud.config = {
@@ -41,6 +44,7 @@
 https = true;
 settings = {
 overwriteProtocol = "https";
+ trusted_domains = [ "${subdomain}.${config.networking.domain}" ];
 trusted_proxies = [ "127.0.0.1" ];
 log_type = "file";
 default_phone_region = "DE";
@@ -87,6 +91,9 @@
 environment.systemPackages = [ pkgs.ffmpeg ];
- myConfig.tailscale.serve = "80";
+ myConfig.tailscale = {
+ inherit subdomain;
+ serve = "80";
+ };
 };
 }
diff --git a/hosts/stratus/containers/nspawn/paperless/default.nix b/hosts/stratus/containers/nspawn/paperless/default.nix
index 9206f73..88018e2 100644
--- a/hosts/stratus/containers/nspawn/paperless/default.nix
+++ b/hosts/stratus/containers/nspawn/paperless/default.nix
@@ -17,6 +17,9 @@
 settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
 };
- myConfig.tailscale.serve = "28981";
+ myConfig.tailscale = {
+ subdomain = "paper";
+ serve = "28981";
+ };
 };
 }
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index fea8c20..2cae16c 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
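Review bot: Renaming the node to `git` changes the URL clients use, but the hunk only touches `myConfig.tailscale`; Forgejo's own idea of its public origin (`server.ROOT_URL` in `services.forgejo.settings`, not visible here) is what it uses for generated links, OAuth2/OIDC redirect URIs and origin checks, so if it still carries the old name those will keep pointing at the previous hostname. The paperless hunk has the same gap: `PAPERLESS_URL` (which feeds its allowed-hosts and CSRF trusted-origins settings) is not updated alongside `subdomain = "paper"`, and a stale value typically surfaces as CSRF failures rather than a clear error. I would either derive those settings from the same `subdomain` binding, as the nextcloud file does with `trusted_domains`, or at least note next to `subdomain` that the application-level URL must be kept in step. The enclosing `containers.*.config` blocks start outside these hunks, so I cannot confirm whether they are already set.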
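Review bot: `trusted_domains = [ "${subdomain}.${config.networking.domain}" ]` hard-codes the Host allowlist to the tailnet FQDN, which is the right direction, but it relies on `config` being the container module's own argument now that the file's outer expression is a `let` rather than a module function; that binding is outside the hunk, so please confirm it resolves to the container's `networking.domain` rather than failing evaluation. `services.nextcloud.hostName` (also outside the hunk) should be set to the same FQDN so the vhost, the allowlist and `overwriteProtocol` all describe one origin; as far as I know the NixOS module also contributes `hostName` to the trusted list, so a mismatched value would quietly widen it. A short comment such as `# must match the MagicDNS name the container is served under (myConfig.tailscale.subdomain)` on the new line would make the coupling explicit.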
@@ -10,6 +10,10 @@ in
 {
 options.myConfig.tailscale = {
 enable = lib.mkEnableOption "";
+ subdomain = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = config.networking.hostName;
+ };
 ssh.enable = lib.mkEnableOption "";
 exitNode.enable = lib.mkEnableOption "";
 serve = lib.mkOption {
@@ -28,6 +32,7 @@ in
 useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client";
 extraUpFlags = [ "--reset=true" ];
 extraSetFlags = [
+ "--hostname=${cfg.subdomain}"
 "--ssh=${lib.boolToString cfg.ssh.enable}"
 "--advertise-exit-node=${lib.boolToString cfg.exitNode.enable}"
 ];
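Review bot: The new `subdomain` option has no `description`, and `lib.types.nonEmptyStr` accepts values that are not DNS labels (uppercase, underscores, dots, over 63 characters); Tailscale normalises such names rather than using them verbatim, so the name that ends up in MagicDNS can differ from what `serve` configurations derived from this option expect, and the mismatch is only noticed at runtime rather than at evaluation. I would tighten the type and document the contract: `type = lib.types.strMatching "[a-z0-9]([a-z0-9-]*[a-z0-9])?";` and `description = "Tailscale machine name passed to tailscale set --hostname; it is also the MagicDNS label this host is reached under.";`. The name is also slightly misleading, since the second hunk feeds it to `--hostname=${cfg.subdomain}` and it names the node rather than a DNS subdomain; `hostname` would read closer to the flag it drives, though renaming would touch every caller in this commit.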