chore: migrate from cloudflare to haproxy+frp

This commit is contained in:
alina 🌸 2025-01-31 15:48:36 +03:00
parent eec469ab31
commit 6f06f32af6
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
8 changed files with 113 additions and 27 deletions


@ -7,9 +7,11 @@
(abs "lib/desu") (abs "lib/desu")
./disk-config.nix ./disk-config.nix
./services/sing-box.nix ./services/xray.nix
./services/uptime-kuma.nix ./services/uptime-kuma.nix
./services/mumble.nix ./services/mumble.nix
./services/frp.nix
./services/haproxy.nix
]; ];
boot.loader.grub = { boot.loader.grub = {


@ -0,0 +1,31 @@
{ config, ... }:
{
desu.secrets.arumi-frp-token = {};
services.frp = {
enable = true;
role = "server";
settings = {
bindAddr = "0.0.0.0";
bindPort = 7000;
kcpBindPort = 7000;
auth = {
method = "token";
token = "{{ .Envs.FRP_TOKEN }}";
};
allowPorts = [
{ single = 8443; }
];
};
};
systemd.services.frp.serviceConfig.EnvironmentFile = [
config.desu.secrets.arumi-frp-token.path
];
networking.firewall.allowedTCPPorts = [ 7000 ];
networking.firewall.allowedUDPPorts = [ 7000 ];
}
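Review bot: The proxy that frps opens for the client's port 8443 listens on `bindAddr` (0.0.0.0) unless `proxyBindAddr` is set, so only the host firewall keeps that port from being reached directly, which would bypass haproxy's SNI routing and let a remote peer supply its own PROXY-protocol header to koi's nginx. Since haproxy reaches it on 127.0.0.1 (backend koi in haproxy.nix), add `proxyBindAddr = "127.0.0.1";` next to `bindAddr` so it is never bound publicly. With port 7000 open to the world it is also worth setting `transport.tls.force = true;` so frps refuses clients that connect without TLS. The `{{ .Envs.FRP_TOKEN }}` template needs the secret file in systemd EnvironmentFile form (`FRP_TOKEN=...`); a one-line comment stating that would help here and in the client frp.nix.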


@ -0,0 +1,29 @@
{ ... }:
{
services.haproxy = {
enable = true;
config = ''
frontend https-in
mode tcp
bind 0.0.0.0:443
tcp-request inspect-delay 3s
tcp-request content capture req.ssl_sni len 10
use_backend xray if { req.ssl_sni updates.cdn-apple.com }
default_backend koi
frontend http-in
bind *:80
mode http
redirect scheme https code 301
backend koi
server koi 127.0.0.1:8443 send-proxy-v2
backend xray
server xray 127.0.0.1:1234
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
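Review bot: The `https-in` frontend sets `tcp-request inspect-delay 3s` but has no `tcp-request content accept` rule, so, unless I am misreading HAProxy's content inspection, backend selection waits out the full 3s on every connection instead of proceeding as soon as the ClientHello is parsed; add `tcp-request content accept if { req.ssl_hello_type 1 }` after the capture line. The `capture req.ssl_sni len 10` only affects logging and truncates the 21-character name used in `use_backend`, so the match itself is unaffected, but raising the length would make the captured SNI useful in logs. Note that xray receives these connections from 127.0.0.1 without a PROXY header, so its logs will not show the real client address.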


@ -28,7 +28,7 @@
log = { level = "info"; timestamp = true; }; log = { level = "info"; timestamp = true; };
inbounds = [ inbounds = [
{ {
port = 443; port = 1234;
protocol = "vless"; protocol = "vless";
settings = { settings = {
decryption = "none"; decryption = "none";
@ -66,5 +66,4 @@
| .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file} | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
''; '';
networking.firewall.allowedTCPPorts = [ 443 ];
} }
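Review bot: Moving the vless inbound to port 1234 and dropping the 443 firewall rule relies on the firewall alone to keep the inbound private; if the inbound has no `listen` field (the inbound block starts above the hunk, so I cannot see it), xray binds all interfaces by default. Since only haproxy on the same host connects to it, add `listen = "127.0.0.1";` beside `port = 1234;` so the exposure does not depend on firewall state. A short comment such as `# reached only via haproxy SNI routing on 443` would also explain the otherwise arbitrary port to the next reader.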


@ -24,6 +24,7 @@
./services/geesefs.nix ./services/geesefs.nix
./services/actions-runner ./services/actions-runner
./services/autorestic ./services/autorestic
./services/frp.nix
./containers/torrent.nix ./containers/torrent.nix
./containers/soulseek ./containers/soulseek
@ -45,7 +46,6 @@
./containers/teisu.nix ./containers/teisu.nix
./containers/bots/pcre-sub-bot.nix ./containers/bots/pcre-sub-bot.nix
./containers/bots/channel-logger-bot.nix ./containers/bots/channel-logger-bot.nix
./containers/bots/bsky-crossposter
./vms/hass.nix ./vms/hass.nix
./vms/bnuuy.nix ./vms/bnuuy.nix
# ./vms/windows.nix # ./vms/windows.nix


@ -0,0 +1,35 @@
{ config, ... }:
{
desu.secrets.arumi-frp-token = {};
services.frp = {
enable = true;
role = "client";
settings = {
serverAddr = config.desu.readUnsafeSecret "arumi-ip";
serverPort = 7000;
auth = {
method = "token";
token = "{{ .Envs.FRP_TOKEN }}";
};
transport.protocol = "kcp";
proxies = [
{
name = "http";
type = "tcp";
localIP = "127.0.0.1";
localPort = 8443;
remotePort = 8443;
}
];
};
};
systemd.services.frp.serviceConfig.EnvironmentFile = [
config.desu.secrets.arumi-frp-token.path
];
}
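Review bot: `config.desu.readUnsafeSecret "arumi-ip"` presumably reads the secret at evaluation time and so ends up in the world-readable Nix store; for the public address of the frp server that is probably acceptable, but a comment saying so would stop the pattern from being copied for the token: `# public server IP only; it is fine in the store, the token stays in the EnvironmentFile`. With `transport.protocol = "kcp"` the control channel's encryption still rests on frp's default for `transport.tls.enable`; if the intent is to always encrypt, spell out `transport.tls.enable = true;` rather than relying on the default.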


@ -15,33 +15,17 @@
enableReload = true; enableReload = true;
commonHttpConfig = '' commonHttpConfig = ''
set_real_ip_from 103.21.244.0/22; set_real_ip_from 127.0.0.1/32;
set_real_ip_from 103.22.200.0/22; real_ip_header proxy_protocol;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
proxy_headers_hash_bucket_size 128; proxy_headers_hash_bucket_size 128;
''; '';
defaultListen = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; }
];
# default server that would reject all unmatched requests # default server that would reject all unmatched requests
appendHttpConfig = '' appendHttpConfig = ''
server { server {
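Review bot: The new 8443 listener with `proxyProtocol = true` is bound on `0.0.0.0`, but the only peer that speaks PROXY to it is the local frpc (its proxy uses `localIP = "127.0.0.1"`), so it can be restricted to loopback: `{ addr = "127.0.0.1"; port = 8443; ssl = true; proxyProtocol = true; }`. That keeps LAN hosts from reaching a listener that expects a PROXY header and leaves frpc as the only path that can present a forwarded client address. The `set_real_ip_from 127.0.0.1/32` / `real_ip_header proxy_protocol` pair is consistent with that: the forwarded address is trusted only when the TCP peer is loopback. The enclosing nginx block starts and ends outside the hunk.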


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw /Vkx3GW0FnqhBswN37q9aI53zw+94lshHnkVbY2NhVo
aYfMX6fveWE5MjqVyRNiVI7J0D6twv3Flx2Tqua9eQc
--- z0VnnFlIGXDUo6Qccrp+fkB9QPz8z1x9bHLJQAOni4E
U?
a9mß1Ê>G =¨÷8¬Ãu˜´ºYŽFS2ÚŸ‡¥<>þð2;åëu·æMÊŒ—lu„ŒõáŽÏøj~n“ÕDPÄÿ½¼