From aaebb4bc19ce9c4307f66d62c75d1df4ce5e312f Mon Sep 17 00:00:00 2001 From: Fabian Hauser Date: Wed, 11 Dec 2024 13:01:22 +0200 Subject: [PATCH] Fix vpn configuration --- .../cyprianspitz/applications/default.nix | 8 +++++++- nixos-configurations/cyprianspitz/networking.nix | 4 +++- nixos-modules/qois/vpn-server/default.nix | 13 +++++++++---- nixos-modules/vault/default.nix | 2 +- 4 files changed, 20 insertions(+), 7 deletions(-) diff --git a/nixos-configurations/cyprianspitz/applications/default.nix b/nixos-configurations/cyprianspitz/applications/default.nix index b14b66b..18cd6ea 100644 --- a/nixos-configurations/cyprianspitz/applications/default.nix +++ b/nixos-configurations/cyprianspitz/applications/default.nix @@ -1,4 +1,9 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: { imports = [ @@ -7,4 +12,5 @@ ]; qois.loadbalancer.enable = true; + qois.backplane-net.hosts.loadbalancers = lib.mkForce [ "cyprianspitz" ]; } diff --git a/nixos-configurations/cyprianspitz/networking.nix b/nixos-configurations/cyprianspitz/networking.nix index 9f224b8..de8132d 100644 --- a/nixos-configurations/cyprianspitz/networking.nix +++ b/nixos-configurations/cyprianspitz/networking.nix @@ -39,7 +39,7 @@ in in { enable = true; - resolveLocalQueries = false; + resolveLocalQueries = true; settings = { interface = "vms-nat"; bind-interfaces = true; @@ -85,6 +85,8 @@ in useRoutingFeatures = "server"; authKeyFile = config.sops.secrets."tailscale/key".path; extraUpFlags = [ + "--timeout 60s" + "--accept-dns=false" "--login-server=https://vpn.qo.is" "--advertise-exit-node" ( diff --git a/nixos-modules/qois/vpn-server/default.nix b/nixos-modules/qois/vpn-server/default.nix index e57060e..0b23fdf 100644 --- a/nixos-modules/qois/vpn-server/default.nix +++ b/nixos-modules/qois/vpn-server/default.nix 
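Review bot: `lib.mkForce [ "cyprianspitz" ]` on qois.backplane-net.hosts.loadbalancers silently discards every other definition of that option, including whatever default the backplane-net module declares, and nothing in the hunk says why a plain assignment (which would merge lists) is wrong here. A one-line comment above it would stop the next person from "fixing" it back to a merged list, e.g. `# Only this host fronts the VPN for now: replace, do not merge with, the module's loadbalancer list`. Whether shadowing the module default is intended long-term cannot be seen from this hunk.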
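Review bot: `resolveLocalQueries = true` points this host's own resolver at dnsmasq, while the same dnsmasq is restricted with `interface = "vms-nat"` and `bind-interfaces = true`; dnsmasq adds the loopback interface automatically when `--interface` is given, so local queries should still be answered, unless settings outside the hunk add `except-interface=lo` or a `listen-address`. Together with the `--accept-dns=false` added further down in this file, the host now depends entirely on dnsmasq for name resolution, which deserves a comment next to this line: `# The host resolves through dnsmasq itself; tailscale runs with --accept-dns=false so MagicDNS cannot replace it`. The enclosing dnsmasq attribute set starts before the hunk.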
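Review bot: `"--timeout 60s"` is a single list element, so it reaches `tailscale up` as one argument `--timeout 60s`; the NixOS tailscale module shell-escapes each element of extraUpFlags separately (from memory, confirm), and Go's flag parser will then look for a flag literally named `timeout 60s` and abort with "flag provided but not defined". The sibling flags in the same list use the `--name=value` form, so this should be `"--timeout=60s"`. `--accept-dns=false` is a deliberate security choice (the control server cannot rewrite this host's resolver, which matters since headscale is operated from this same repo) and deserves a one-line comment saying so. The extraUpFlags list continues past the end of the hunk.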
@@ -8,9 +8,13 @@ with lib; let cfg = config.qois.vpn-server; cfgLoadbalancer = config.qois.loadbalancer; - defaultDnsRecords = mapAttrs ( - name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value} - ) cfgLoadbalancer.domains; + defaultDnsRecords = + (mapAttrs ( + name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value} + ) cfgLoadbalancer.domains) + // { + "vpn.qo.is" = config.services.headscale.address; + }; in { @@ -37,6 +41,7 @@ in environment.systemPackages = [ pkgs.headscale ]; + # We bind to the backplane vpn IP, so wait for the wireguard net to be available systemd.services.headscale.after = [ "wireguard-wg-backplane.service" ]; qois.backup-client.includePaths = @@ -63,7 +68,7 @@ in in { enable = true; - address = vnet.backplane.hosts.cyprianspitz.v4.ip; # TODO: This entails that the backplane interface is up. + address = vnet.backplane.hosts.cyprianspitz.v4.ip; port = 46084; settings = { server_url = "https://${cfg.domain}:443"; diff --git a/nixos-modules/vault/default.nix b/nixos-modules/vault/default.nix index 9676d3d..36332af 100644 --- a/nixos-modules/vault/default.nix +++ b/nixos-modules/vault/default.nix @@ -80,7 +80,7 @@ with lib; forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; proxyWebsockets = true; }; };
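Review bot: The new DNS record hard-codes `"vpn.qo.is"` even though the headscale `server_url` a few lines further down is built from `cfg.domain`; use `"${cfg.domain}" = config.services.headscale.address;` so the record cannot drift from the URL clients are told to use. Because `//` is right-biased, this literal also silently overrides any entry for the same name that `cfgLoadbalancer.domains` already maps, which may be intended but deserves a comment. `config.services.headscale.address` is the backplane wireguard IP, so VPN clients are sent to an address that is only reachable once the backplane is up and that presumably terminates TLS on 443 via something outside this hunk; confirm a listener actually exists on that address. The `let` block continues outside the hunk.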
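Review bot: Switching proxyPass to `127.0.0.1` avoids nginx resolving `localhost` to `::1` first and getting a refused connection when vaultwarden binds only IPv4, but nothing records that reasoning, so a short comment would prevent a cosmetic revert: `# 127.0.0.1, not localhost: nginx may try ::1 first and vaultwarden listens on the v4 loopback only`. Whether vaultwarden's ROCKET_ADDRESS is pinned to 127.0.0.1 is not visible here; if it is left unset, vaultwarden's upstream default binds all interfaces (from memory, confirm), so an explicit `ROCKET_ADDRESS = "127.0.0.1"` in the same module would make the loopback-only assumption real rather than accidental.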