use custom local subdomains for prometheus and adguard webui

2025-04-21 23:03:58 +02:00 · 2025-04-21 23:03:58 +02:00 · dababfe6ee
commit dababfe6ee
parent fb2b347ec0
4 changed files with 31 additions and 3 deletions
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@ -43,6 +43,18 @@ in {
          reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
        '';
      };
+      prometheus = {
+        hostName = "prometheus.hopper.xun.host:80";
+        extraConfig = ''
+          reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.prometheus.port}
+        '';
+      };
+      adguard = {
+        hostName = "adguard.hopper.xun.host:80";
+        extraConfig = ''
+          reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.adguardhome.port}
+        '';
+      };
      transmission = {
        hostName = "transmission.hopper.xun.host:80";
        extraConfig = ''
--- a/sys/machines/hopper/lab/homepage.nix
+++ b/sys/machines/hopper/lab/homepage.nix
@ -60,13 +60,13 @@ in {
          }
          {
            "adguard home" = {
-              href = "http://${config.networking.hostName}:${toString config.services.adguardhome.port}";
+              href = "http://adguard.hopper.xun.host";
              icon = "adguard-home";
            };
          }
          {
            "prometheus" = {
-              href = "http://${config.networking.hostName}:${toString config.services.prometheus.port}";
+              href = "http://prometheus.hopper.xun.host";
              icon = "prometheus";
            };
          }
--- a/sys/machines/hopper/lab/prometheus.nix
+++ b/sys/machines/hopper/lab/prometheus.nix
@ -23,7 +23,7 @@
      {
        job_name = "caddy";
        static_configs = lib.singleton {
-          targets = ["192.168.15.1:2019"];
+          targets = ["${config.vpnNamespaces."wg".namespaceAddress}:2019"];
        };
      }
    ];
--- a/sys/machines/hopper/lab/vpn-namespace.nix
+++ b/sys/machines/hopper/lab/vpn-namespace.nix
@ -3,6 +3,22 @@
  lib,
  ...
 }: {
+  networking.firewall = let
+    allowTcpFromVPNToDefaultPorts = [
+      config.services.prometheus.port
+      config.services.adguardhome.port
+    ];
+  in {
+    extraCommands = builtins.concatStringsSep "\n" (map
+      (port: "iptables -A nixos-fw -p tcp -s ${config.vpnNamespaces."wg".namespaceAddress} --dport ${toString port} -j nixos-fw-accept")
+      allowTcpFromVPNToDefaultPorts);
+    extraStopCommands = builtins.concatStringsSep "\n" (
+      map
+      (port: "iptables -D nixos-fw -p tcp -s ${config.vpnNamespaces."wg".namespaceAddress} --dport ${toString port} -j nixos-fw-accept || true")
+      allowTcpFromVPNToDefaultPorts
+    );
+  };
+
  vpnNamespaces."wg" = {
    enable = true;
    wireguardConfigFile = config.sops.secrets.wireguard.path;