move some things out of the vpn namespace

2025-04-22 12:31:55 +02:00 · 2025-04-22 12:31:55 +02:00 · f3a04f8bd7
commit f3a04f8bd7
parent 0f71ca1484
5 changed files with 9 additions and 18 deletions
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@ -5,6 +5,7 @@
 }: let
  inherit (vars.common) domain;
  caddyPort = 8336;
+  bridge = config.vpnNamespaces."wg".bridgeAddress;
 in {
  systemd.services.caddy.vpnConfinement = {
    enable = true;
@ -26,7 +27,7 @@ in {
        extraConfig = ''
          reverse_proxy {
            header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
-            to localhost:8096
+            to ${bridge}:8096
          }
        '';
      };
@ -46,13 +47,13 @@ in {
      prometheus = {
        hostName = "prometheus.hopper.xun.host:80";
        extraConfig = ''
-          reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.prometheus.port}
+          reverse_proxy ${bridge}:${toString config.services.prometheus.port}
        '';
      };
      adguard = {
        hostName = "adguard.hopper.xun.host:80";
        extraConfig = ''
-          reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.adguardhome.port}
+          reverse_proxy ${bridge}:${toString config.services.adguardhome.port}
        '';
      };
      transmission = {
@ -64,7 +65,7 @@ in {
      dash = {
        hostName = "dash.hopper.xun.host:80";
        extraConfig = ''
-          reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}
+          reverse_proxy ${bridge}:${toString config.services.homepage-dashboard.listenPort}
        '';
      };
      vw = {
@ -73,7 +74,7 @@ in {
        extraConfig = ''
          reverse_proxy {
            header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
-            to localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}
+            to ${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}
          }
        '';
      };
--- a/sys/machines/hopper/lab/homepage.nix
+++ b/sys/machines/hopper/lab/homepage.nix
@ -5,11 +5,6 @@
 }: let
  inherit (vars.common) domain;
 in {
-  systemd.services.homepage-dashboard.vpnConfinement = {
-    enable = true;
-    vpnNamespace = "wg";
-  };
-
  systemd.services.homepage-dashboard.environment.HOMEPAGE_ALLOWED_HOSTS = "dash.hopper.xun.host";

  services.homepage-dashboard = {
--- a/sys/machines/hopper/lab/jellyfin.nix
+++ b/sys/machines/hopper/lab/jellyfin.nix
@ -1,8 +1,4 @@
 {
-  systemd.services.jellyfin.vpnConfinement = {
-    enable = true;
-    vpnNamespace = "wg";
-  };
  services.jellyfin.enable = true;

  services.restic.backups.hopper.paths = [
--- a/sys/machines/hopper/lab/vaultwarden.nix
+++ b/sys/machines/hopper/lab/vaultwarden.nix
@ -1,10 +1,6 @@
 {config, ...}: {
  systemd.services.vaultwarden = {
    serviceConfig.EnvironmentFile = config.sops.secrets.vaultwarden-env.path;
-    vpnConfinement = {
-      enable = true;
-      vpnNamespace = "wg";
-    };
  };
  # NOTE send doesnt work, probably due to my cloudflare port rewriting rules
  services.vaultwarden = {
--- a/sys/machines/hopper/lab/vpn-namespace.nix
+++ b/sys/machines/hopper/lab/vpn-namespace.nix
@ -7,6 +7,9 @@
    allowTcpFromVPNToDefaultPorts = [
      config.services.prometheus.port
      config.services.adguardhome.port
+      config.services.vaultwarden.config.ROCKET_PORT
+      config.services.homepage-dashboard.listenPort
+      8096 # jellyfin port
    ];
  in {
    extraCommands = builtins.concatStringsSep "\n" (map