From 6f06f32af6cb517d0ea4d9c89ce633710006c9c0 Mon Sep 17 00:00:00 2001 From: teidesu Date: Fri, 31 Jan 2025 15:48:36 +0300 Subject: [PATCH] chore: migrate from cloudflare to haproxy+frp --- hosts/arumi/configuration.nix | 4 ++- hosts/arumi/services/frp.nix | 31 ++++++++++++++++ hosts/arumi/services/haproxy.nix | 29 +++++++++++++++ .../arumi/services/{sing-box.nix => xray.nix} | 3 +- hosts/koi/configuration.nix | 2 +- hosts/koi/services/frp.nix | 35 +++++++++++++++++++ hosts/koi/services/nginx.nix | 30 ++++------------ secrets/arumi-frp-token.age | 6 ++++ 8 files changed, 113 insertions(+), 27 deletions(-) create mode 100644 hosts/arumi/services/frp.nix create mode 100644 hosts/arumi/services/haproxy.nix rename hosts/arumi/services/{sing-box.nix => xray.nix} (96%) create mode 100644 hosts/koi/services/frp.nix create mode 100644 secrets/arumi-frp-token.age diff --git a/hosts/arumi/configuration.nix b/hosts/arumi/configuration.nix index 7f2a4ce..b035d8b 100644 --- a/hosts/arumi/configuration.nix +++ b/hosts/arumi/configuration.nix @@ -7,9 +7,11 @@ (abs "lib/desu") ./disk-config.nix - ./services/sing-box.nix + ./services/xray.nix ./services/uptime-kuma.nix ./services/mumble.nix + ./services/frp.nix + ./services/haproxy.nix ]; boot.loader.grub = { diff --git a/hosts/arumi/services/frp.nix b/hosts/arumi/services/frp.nix new file mode 100644 index 0000000..458cbff --- /dev/null +++ b/hosts/arumi/services/frp.nix 
@@ -0,0 +1,31 @@ +{ config, ... }: + +{ + desu.secrets.arumi-frp-token = {}; + + services.frp = { + enable = true; + role = "server"; + settings = { + bindAddr = "0.0.0.0"; + bindPort = 7000; + kcpBindPort = 7000; + + auth = { + method = "token"; + token = "{{ .Envs.FRP_TOKEN }}"; + }; + + allowPorts = [ + { single = 8443; } + ]; + }; + }; + + systemd.services.frp.serviceConfig.EnvironmentFile = [ + config.desu.secrets.arumi-frp-token.path + ]; + + networking.firewall.allowedTCPPorts = [ 7000 ]; + networking.firewall.allowedUDPPorts = [ 7000 ]; +} \ No newline at end of file diff --git a/hosts/arumi/services/haproxy.nix b/hosts/arumi/services/haproxy.nix new file mode 100644 index 0000000..6b6bde2 --- /dev/null +++ b/hosts/arumi/services/haproxy.nix @@ -0,0 +1,29 @@ +{ ... }: + +{ + services.haproxy = { + enable = true; + config = '' + frontend https-in + mode tcp + bind 0.0.0.0:443 + tcp-request inspect-delay 3s + tcp-request content capture req.ssl_sni len 10 + use_backend xray if { req.ssl_sni updates.cdn-apple.com } + default_backend koi + + frontend http-in + bind *:80 + mode http + redirect scheme https code 301 + + backend koi + server koi 127.0.0.1:8443 send-proxy-v2 + + backend xray + server xray 127.0.0.1:1234 + ''; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} \ No newline at end of file diff --git a/hosts/arumi/services/sing-box.nix b/hosts/arumi/services/xray.nix similarity index 96% rename from hosts/arumi/services/sing-box.nix rename to hosts/arumi/services/xray.nix index a965fc1..1895591 100644 --- a/hosts/arumi/services/sing-box.nix +++ b/hosts/arumi/services/xray.nix @@ -28,7 +28,7 @@ log = { level = "info"; timestamp = true; }; inbounds = [ { - port = 443; + port = 1234; protocol = "vless"; settings = { decryption = "none"; @@ -66,5 +66,4 @@ | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file} ''; - networking.firewall.allowedTCPPorts = [ 443 ]; } \ No newline at end of file 
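Review bot: The forwarded port 8443 is not pinned to loopback: frps binds proxy listeners on `proxyBindAddr`, which as far as I recall defaults to `bindAddr` (`0.0.0.0` here), so the PROXY-protocol entry point that haproxy feeds via `127.0.0.1:8443` is also reachable on every interface and shielded only by the host firewall. Adding `proxyBindAddr = "127.0.0.1";` next to `bindAddr` keeps that port local to haproxy, which matters because nginx on koi trusts the PROXY header arriving through this tunnel. The control port 7000 is open on TCP and UDP with token auth only; consider `transport.tls.force = true;` in the server settings so the token is never accepted over a non-TLS control connection (confirm this behaves as expected with the kcp transport the client selects). The `{{ .Envs.FRP_TOKEN }}` template relies on frp rendering the NixOS-generated settings file and on the age secret containing `FRP_TOKEN=`; a one-line comment on the `token` line stating both assumptions would spare the next person a failed start.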
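Review bot: `tcp-request content capture req.ssl_sni len 10` truncates the captured SNI to ten characters, so `updates.cdn-apple.com` can never appear whole in a log line; routing is unaffected because `use_backend` reads the fetch directly, but either raise it (`len 64`) or drop the capture, since no `log` directive is visible in this file. The ACL `req.ssl_sni updates.cdn-apple.com` is an exact, case-sensitive string match while SNI hostnames are case-insensitive; `use_backend xray if { req.ssl_sni -i updates.cdn-apple.com }` avoids a mixed-case hello falling through to koi. `server koi 127.0.0.1:8443 send-proxy-v2` is what makes the `set_real_ip_from 127.0.0.1/32` trust on koi's nginx sound, so a comment on that line such as `# PROXY v2 header is consumed by nginx on koi (real_ip_header proxy_protocol)` would document the cross-host dependency.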
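Review bot: The inbound moves to 1234 and the 443 firewall rule is dropped in the second hunk (`@@ -66,5 +66,4 @@`), but the inbound's `listen` address is not in view; if it is the default (all interfaces), port 1234 is guarded by the host firewall alone. Since haproxy reaches it at `127.0.0.1:1234`, adding `listen = "127.0.0.1";` beside `port = 1234;` makes the listener unreachable from other hosts regardless of firewall state. The enclosing `inbounds` list and the rest of the file continue outside the hunk.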
diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix index f089bae..e8d4744 100755 --- a/hosts/koi/configuration.nix +++ b/hosts/koi/configuration.nix @@ -24,6 +24,7 @@ ./services/geesefs.nix ./services/actions-runner ./services/autorestic + ./services/frp.nix ./containers/torrent.nix ./containers/soulseek @@ -45,7 +46,6 @@ ./containers/teisu.nix ./containers/bots/pcre-sub-bot.nix ./containers/bots/channel-logger-bot.nix - ./containers/bots/bsky-crossposter ./vms/hass.nix ./vms/bnuuy.nix # ./vms/windows.nix diff --git a/hosts/koi/services/frp.nix b/hosts/koi/services/frp.nix new file mode 100644 index 0000000..c5da6e3 --- /dev/null +++ b/hosts/koi/services/frp.nix @@ -0,0 +1,35 @@ +{ config, ... }: + +{ + desu.secrets.arumi-frp-token = {}; + + services.frp = { + enable = true; + role = "client"; + settings = { + serverAddr = config.desu.readUnsafeSecret "arumi-ip"; + serverPort = 7000; + + auth = { + method = "token"; + token = "{{ .Envs.FRP_TOKEN }}"; + }; + + transport.protocol = "kcp"; + + proxies = [ + { + name = "http"; + type = "tcp"; + localIP = "127.0.0.1"; + localPort = 8443; + remotePort = 8443; + } + ]; + }; + }; + + systemd.services.frp.serviceConfig.EnvironmentFile = [ + config.desu.secrets.arumi-frp-token.path + ]; +} \ No newline at end of file diff --git a/hosts/koi/services/nginx.nix b/hosts/koi/services/nginx.nix index e6dcd90..29325a3 100644 --- a/hosts/koi/services/nginx.nix +++ b/hosts/koi/services/nginx.nix 
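Review bot: The removal of `./containers/bots/bsky-crossposter` in the second hunk is unrelated to the cloudflare-to-haproxy/frp migration in the subject, and the commit message does not mention it. Either split it into its own commit or add a line to the body explaining it, so that a later bisect on that bot is not misled. The first hunk is an import addition and needs nothing.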
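Review bot: `serverAddr = config.desu.readUnsafeSecret "arumi-ip";` evaluates the value at build time and, judging by the helper's name, embeds it in the generated config in the world-readable Nix store; an IP is low-sensitivity, but a comment like `# eval-time read: this value lands in the store; never use it for the token` would stop the pattern being copied for the real secret, which correctly goes through `EnvironmentFile`. Nothing here sets `transport.tls.enable`; recent frpc versions default it to true, but pinning `transport.tls.enable = true;` beside `transport.protocol = "kcp";` records that the token is only to be sent over TLS and survives a default change. The proxy `name = "http"` actually carries TLS to nginx's PROXY-protocol listener on 8443, so a more descriptive name such as `nginx-proxyproto-8443` would make the frps side easier to audit.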
@@ -15,33 +15,17 @@ enableReload = true; commonHttpConfig = '' - set_real_ip_from 103.21.244.0/22; - set_real_ip_from 103.22.200.0/22; - set_real_ip_from 103.31.4.0/22; - set_real_ip_from 104.16.0.0/13; - set_real_ip_from 104.24.0.0/14; - set_real_ip_from 108.162.192.0/18; - set_real_ip_from 131.0.72.0/22; - set_real_ip_from 141.101.64.0/18; - set_real_ip_from 162.158.0.0/15; - set_real_ip_from 172.64.0.0/13; - set_real_ip_from 173.245.48.0/20; - set_real_ip_from 188.114.96.0/20; - set_real_ip_from 190.93.240.0/20; - set_real_ip_from 197.234.240.0/22; - set_real_ip_from 198.41.128.0/17; - set_real_ip_from 2400:cb00::/32; - set_real_ip_from 2606:4700::/32; - set_real_ip_from 2803:f800::/32; - set_real_ip_from 2405:b500::/32; - set_real_ip_from 2405:8100::/32; - set_real_ip_from 2c0f:f248::/32; - set_real_ip_from 2a06:98c0::/29; - real_ip_header CF-Connecting-IP; + set_real_ip_from 127.0.0.1/32; + real_ip_header proxy_protocol; proxy_headers_hash_bucket_size 128; ''; + defaultListen = [ + { addr = "0.0.0.0"; port = 443; ssl = true; } + { addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; } + ]; + # default server that would reject all unmatched requests appendHttpConfig = '' server { diff --git a/secrets/arumi-frp-token.age b/secrets/arumi-frp-token.age new file mode 100644 index 0000000..486e157 --- /dev/null +++ b/secrets/arumi-frp-token.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 sj88Xw /Vkx3GW0FnqhBswN37q9aI53zw+94lshHnkVbY2NhVo +aYfMX6fveWE5MjqVyRNiVI7J0D6twv3Flx2Tqua9eQc +--- z0VnnFlIGXDUo6Qccrp+fkB9QPz8z1x9bHLJQAOni4E +U? +a9m1>G =8uYFS2ڟ2;uMʌluj~nDP \ No newline at end of file
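Review bot: The new 8443 listener binds `0.0.0.0` although its only intended client is frpc on the same host (`localIP = "127.0.0.1"` in hosts/koi/services/frp.nix); `{ addr = "127.0.0.1"; port = 8443; ssl = true; proxyProtocol = true; }` keeps a listener that expects a PROXY header off the network entirely rather than relying on the firewall. `set_real_ip_from 127.0.0.1/32` with `real_ip_header proxy_protocol` is correct for the tunnel path because frpc connects from loopback; a comment above the pair stating that the PROXY header originates at haproxy on arumi would explain why loopback is trusted now that the Cloudflare ranges are gone. The plain 443 listener is kept, presumably for direct or LAN access, and deserves a comment saying so if intentional. The hunk ends inside `appendHttpConfig`, which continues outside it.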