diff --git a/sys/machines/hopper/lab/caddy.nix b/sys/machines/hopper/lab/caddy.nix
index 066c46e..d6eeeeb 100644
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@@ -5,6 +5,7 @@
 }: let
 inherit (vars.common) domain;
 caddyPort = 8336;
+ bridge = config.vpnNamespaces."wg".bridgeAddress;
 in {
 systemd.services.caddy.vpnConfinement = {
 enable = true;
@@ -26,7 +27,7 @@ in {
 extraConfig = ''
 reverse_proxy {
 header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
- to localhost:8096
+ to ${bridge}:8096
 }
 '';
 };
@@ -46,13 +47,13 @@ in {
 prometheus = {
 hostName = "prometheus.hopper.xun.host:80";
 extraConfig = ''
- reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.prometheus.port}
+ reverse_proxy ${bridge}:${toString config.services.prometheus.port}
 '';
 };
 adguard = {
 hostName = "adguard.hopper.xun.host:80";
 extraConfig = ''
- reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.adguardhome.port}
+ reverse_proxy ${bridge}:${toString config.services.adguardhome.port}
 '';
 };
 transmission = {
@@ -64,7 +65,7 @@ in {
 dash = {
 hostName = "dash.hopper.xun.host:80";
 extraConfig = ''
- reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}
+ reverse_proxy ${bridge}:${toString config.services.homepage-dashboard.listenPort}
 '';
 };
 vw = {
@@ -73,7 +74,7 @@ in {
 extraConfig = ''
 reverse_proxy {
 header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
- to localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}
+ to ${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}
 }
 '';
 };
diff --git a/sys/machines/hopper/lab/homepage.nix b/sys/machines/hopper/lab/homepage.nix
index 7433254..5192473 100644
--- a/sys/machines/hopper/lab/homepage.nix
+++ b/sys/machines/hopper/lab/homepage.nix
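Review bot: With `to ${bridge}:8096` Jellyfin no longer sees the proxy connecting from loopback but from the namespace side of the veth, and whether it still honours the `X-Forwarded-For` that the line above sets from `CF-Connecting-IP` depends on that peer address being in Jellyfin's trusted/known-proxies list — worth confirming, because if it is not, every client will be logged and rate-tracked as the bridge peer. The port 8096 is also hard-coded here and repeated in vpn-namespace.nix as `8096 # jellyfin port`; lifting it into the same `let` as `bridge` (`jellyfinPort = 8096;`) keeps the two places from drifting apart.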
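Review bot: The `header_up X-Real-Ip {http.request.header.CF-Connecting-IP}` above is only trustworthy while Caddy is the sole thing able to reach `${bridge}:ROCKET_PORT`, since vaultwarden takes the client address from that header (its default `IP_HEADER`) for login lockouts and admin-panel logging. This commit moves vaultwarden out of the `wg` namespace, so if its Rocket listener binds all interfaces a client that reaches the port directly can supply its own `X-Real-Ip` and sidestep IP-based throttling; pinning the listener with `services.vaultwarden.config.ROCKET_ADDRESS = config.vpnNamespaces."wg".bridgeAddress;` (or a firewall rule limiting the port to the namespace veth) keeps only the Caddy path open. I cannot see `services.vaultwarden.config` here, so this may already be set.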
@@ -5,11 +5,6 @@
 }: let
 inherit (vars.common) domain;
 in {
- systemd.services.homepage-dashboard.vpnConfinement = {
- enable = true;
- vpnNamespace = "wg";
- };
-
 systemd.services.homepage-dashboard.environment.HOMEPAGE_ALLOWED_HOSTS = "dash.hopper.xun.host";
 
 services.homepage-dashboard = {
diff --git a/sys/machines/hopper/lab/jellyfin.nix b/sys/machines/hopper/lab/jellyfin.nix
index 17b70a0..bdd5469 100644
--- a/sys/machines/hopper/lab/jellyfin.nix
+++ b/sys/machines/hopper/lab/jellyfin.nix
@@ -1,8 +1,4 @@
 {
- systemd.services.jellyfin.vpnConfinement = {
- enable = true;
- vpnNamespace = "wg";
- };
 services.jellyfin.enable = true;
 
 services.restic.backups.hopper.paths = [
diff --git a/sys/machines/hopper/lab/vaultwarden.nix b/sys/machines/hopper/lab/vaultwarden.nix
index afb73ef..ebed042 100644
--- a/sys/machines/hopper/lab/vaultwarden.nix
+++ b/sys/machines/hopper/lab/vaultwarden.nix
@@ -1,10 +1,6 @@
 {config, ...}: {
 systemd.services.vaultwarden = {
 serviceConfig.EnvironmentFile = config.sops.secrets.vaultwarden-env.path;
- vpnConfinement = {
- enable = true;
- vpnNamespace = "wg";
- };
 };
 # NOTE send doesnt work, probably due to my cloudflare port rewriting rules
 services.vaultwarden = {
diff --git a/sys/machines/hopper/lab/vpn-namespace.nix b/sys/machines/hopper/lab/vpn-namespace.nix
index e600e3c..d8e2a39 100644
--- a/sys/machines/hopper/lab/vpn-namespace.nix
+++ b/sys/machines/hopper/lab/vpn-namespace.nix
@@ -7,6 +7,9 @@
 allowTcpFromVPNToDefaultPorts = [
 config.services.prometheus.port
 config.services.adguardhome.port
+ config.services.vaultwarden.config.ROCKET_PORT
+ config.services.homepage-dashboard.listenPort
+ 8096 # jellyfin port
 ];
 in {
 extraCommands = builtins.concatStringsSep "\n" (map
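Review bot: Opening these three ports in `allowTcpFromVPNToDefaultPorts` is what lets the confined Caddy reach vaultwarden, homepage-dashboard and Jellyfin after this commit drops their `vpnConfinement`, but nothing in the commit narrows what those services listen on now that they run in the default namespace. If any of them binds `0.0.0.0` they become reachable on every host interface, bypassing Caddy and the `CF-Connecting-IP` header handling, unless the host firewall already drops those ports; binding each to the bridge address (for example `services.vaultwarden.config.ROCKET_ADDRESS = config.vpnNamespaces."wg".bridgeAddress;`, and Jellyfin's bind address in its network settings since the NixOS module exposes no port option) or adding a firewall rule that only admits the namespace veth would restore the isolation the namespace gave them. A short comment on the list, `# only reachable from the confined caddy; the services themselves now run in the default netns`, would also explain to the next reader why these ports are opened.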