Fix vpn configuration
This commit is contained in:
parent
747c637f80
commit
aaebb4bc19
4 changed files with 20 additions and 7 deletions
|
@ -1,4 +1,9 @@
|
||||||
{ config, pkgs, ... }:
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
{
|
{
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -7,4 +12,5 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
qois.loadbalancer.enable = true;
|
qois.loadbalancer.enable = true;
|
||||||
|
qois.backplane-net.hosts.loadbalancers = lib.mkForce [ "cyprianspitz" ];
|
||||||
}
|
}
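Review bot: `lib.mkForce [ "cyprianspitz" ]` on `qois.backplane-net.hosts.loadbalancers` discards every other definition of that option without raising a merge conflict, so any loadbalancer another module contributes later (presumably the backplane-net or loadbalancer module supplies the default here) would be dropped silently. A comment naming what is being overridden and why would make the override reviewable, e.g. `# Override the backplane-net default: only cyprianspitz serves as loadbalancer on this backplane`. If a plain definition would already win (no other definition of the option exists), prefer it to `mkForce` so a future conflict surfaces as an error instead of being masked.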
|
||||||
|
|
|
@ -39,7 +39,7 @@ in
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
enable = true;
|
enable = true;
|
||||||
resolveLocalQueries = false;
|
resolveLocalQueries = true;
|
||||||
settings = {
|
settings = {
|
||||||
interface = "vms-nat";
|
interface = "vms-nat";
|
||||||
bind-interfaces = true;
|
bind-interfaces = true;
|
||||||
|
@ -85,6 +85,8 @@ in
|
||||||
useRoutingFeatures = "server";
|
useRoutingFeatures = "server";
|
||||||
authKeyFile = config.sops.secrets."tailscale/key".path;
|
authKeyFile = config.sops.secrets."tailscale/key".path;
|
||||||
extraUpFlags = [
|
extraUpFlags = [
|
||||||
|
"--timeout 60s"
|
||||||
|
"--accept-dns=false"
|
||||||
"--login-server=https://vpn.qo.is"
|
"--login-server=https://vpn.qo.is"
|
||||||
"--advertise-exit-node"
|
"--advertise-exit-node"
|
||||||
(
|
(
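Review bot: `"--timeout 60s"` is one list element with the flag and its value separated by a space, whereas the sibling entries (`--accept-dns=false`, `--login-server=...`) use the `=` form. If the tailscale module passes `extraUpFlags` through `escapeShellArgs` (as current nixpkgs does), `tailscale up` receives the literal argument `--timeout 60s` and rejects it as an undefined flag, so autoconnect fails; write it as `"--timeout=60s"` (or as two elements `"--timeout" "60s"`). The `--accept-dns=false` addition matches `resolveLocalQueries = true` in the dnsmasq hunk above — the host keeps dnsmasq as its own resolver instead of letting tailscaled rewrite resolv.conf — and deserves a comment saying so, e.g. `# Keep the local dnsmasq as resolver; do not let tailscaled rewrite resolv.conf`. The `extraUpFlags` list continues past the end of the hunk.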
|
||||||
|
|
|
@ -8,9 +8,13 @@ with lib;
|
||||||
let
|
let
|
||||||
cfg = config.qois.vpn-server;
|
cfg = config.qois.vpn-server;
|
||||||
cfgLoadbalancer = config.qois.loadbalancer;
|
cfgLoadbalancer = config.qois.loadbalancer;
|
||||||
defaultDnsRecords = mapAttrs (
|
defaultDnsRecords =
|
||||||
name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value}
|
(mapAttrs (
|
||||||
) cfgLoadbalancer.domains;
|
name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value}
|
||||||
|
) cfgLoadbalancer.domains)
|
||||||
|
// {
|
||||||
|
"vpn.qo.is" = config.services.headscale.address;
|
||||||
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
|
@ -37,6 +41,7 @@ in
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.headscale ];
|
environment.systemPackages = [ pkgs.headscale ];
|
||||||
|
|
||||||
|
# We bind to the backplane vpn IP, so wait for the wireguard net to be available
|
||||||
systemd.services.headscale.after = [ "wireguard-wg-backplane.service" ];
|
systemd.services.headscale.after = [ "wireguard-wg-backplane.service" ];
|
||||||
|
|
||||||
qois.backup-client.includePaths =
|
qois.backup-client.includePaths =
|
||||||
|
@ -63,7 +68,7 @@ in
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
enable = true;
|
enable = true;
|
||||||
address = vnet.backplane.hosts.cyprianspitz.v4.ip; # TODO: This entails that the backplane interface is up.
|
address = vnet.backplane.hosts.cyprianspitz.v4.ip;
|
||||||
port = 46084;
|
port = 46084;
|
||||||
settings = {
|
settings = {
|
||||||
server_url = "https://${cfg.domain}:443";
|
server_url = "https://${cfg.domain}:443";
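Review bot: The new DNS record key `"vpn.qo.is"` is a hard-coded string, while `server_url` in the last hunk is built from `cfg.domain`; if `cfg.domain` is ever changed the record and the URL diverge and clients are pointed at the backplane address under the wrong name. Use the same option for both, `"${cfg.domain}" = config.services.headscale.address;`. The new comment above `systemd.services.headscale.after` says headscale waits for the wireguard net, but `after` only orders units that are started anyway; unless a `requires`/`wants` on `wireguard-wg-backplane.service` is set elsewhere, headscale can still start without the backplane interface and fail to bind `address`. `defaultDnsRecords` is a `let` binding whose enclosing module body continues outside the hunk.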
|
||||||
|
|
|
@ -80,7 +80,7 @@ with lib;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
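Review bot: Switching `proxyPass` to `127.0.0.1` only removes the loopback mismatch if vaultwarden itself binds that address; the hunk shows `ROCKET_PORT` but not `ROCKET_ADDRESS`, and vaultwarden's upstream default is, as far as I recall, to listen on all interfaces, so unless `ROCKET_ADDRESS = "127.0.0.1"` is set elsewhere the backend stays reachable directly from other hosts, bypassing the `forceSSL`/ACME front end. Please confirm that setting and document the literal address, e.g. `# IPv4 loopback on purpose: "localhost" may resolve to ::1 when nginx starts while Rocket listens on 127.0.0.1 only`. The `services.nginx.virtualHosts` entry this `locations."/"` belongs to starts before the hunk.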
|
||||||
|
|