chore: migrate from cloudflare to haproxy+frp

hosts/arumi/configuration.nix

@@ -7,9 +7,11 @@
     (abs "lib/desu")
     ./disk-config.nix
 
-    ./services/sing-box.nix
+    ./services/xray.nix
     ./services/uptime-kuma.nix
     ./services/mumble.nix
+    ./services/frp.nix
+    ./services/haproxy.nix
   ];
 
   boot.loader.grub = {

hosts/arumi/services/frp.nix

@@ -0,0 +1,31 @@
+{ config, ... }: 
+
+{
+  desu.secrets.arumi-frp-token = {};
+
+  services.frp = {
+    enable = true;
+    role = "server";
+    settings = {
+      bindAddr = "0.0.0.0";
+      bindPort = 7000;
+      kcpBindPort = 7000;
+
+      auth = {
+        method = "token";
+        token = "{{ .Envs.FRP_TOKEN }}";
+      };
+
+      allowPorts = [
+        { single = 8443; }
+      ];
+    };
+  };
+
+  systemd.services.frp.serviceConfig.EnvironmentFile = [
+    config.desu.secrets.arumi-frp-token.path
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 7000 ];
+  networking.firewall.allowedUDPPorts = [ 7000 ];
+} 

hosts/arumi/services/haproxy.nix

@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  services.haproxy = {
+    enable = true;
+    config = ''
+      frontend https-in
+        mode tcp
+        bind 0.0.0.0:443
+        tcp-request inspect-delay 3s
+        tcp-request content capture req.ssl_sni len 10
+        use_backend xray if { req.ssl_sni updates.cdn-apple.com }
+        default_backend koi
+      
+      frontend http-in
+        bind *:80
+        mode http
+        redirect scheme https code 301
+
+      backend koi
+        server koi 127.0.0.1:8443 send-proxy-v2
+
+      backend xray
+        server xray 127.0.0.1:1234
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}

hosts/arumi/services/xray.nix

@@ -28,7 +28,7 @@
       log = { level = "info"; timestamp = true; };
       inbounds = [
         {
-          port = 443;
+          port = 1234;
           protocol = "vless";
           settings = {
             decryption = "none";
@@ -66,5 +66,4 @@
         | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
   '';
 
-  networking.firewall.allowedTCPPorts = [ 443 ];
 }

hosts/koi/configuration.nix

@@ -24,6 +24,7 @@
     ./services/geesefs.nix
     ./services/actions-runner
     ./services/autorestic
+    ./services/frp.nix
 
     ./containers/torrent.nix
     ./containers/soulseek
@@ -45,7 +46,6 @@
     ./containers/teisu.nix
     ./containers/bots/pcre-sub-bot.nix
     ./containers/bots/channel-logger-bot.nix
-    ./containers/bots/bsky-crossposter
     ./vms/hass.nix
     ./vms/bnuuy.nix
     # ./vms/windows.nix

hosts/koi/services/frp.nix

@@ -0,0 +1,35 @@
+{ config, ... }: 
+
+{
+  desu.secrets.arumi-frp-token = {};
+
+  services.frp = {
+    enable = true;
+    role = "client";
+    settings = {
+      serverAddr = config.desu.readUnsafeSecret "arumi-ip";
+      serverPort = 7000;
+
+      auth = {
+        method = "token";
+        token = "{{ .Envs.FRP_TOKEN }}";
+      };
+
+      transport.protocol = "kcp";
+
+      proxies = [
+        {
+          name = "http";
+          type = "tcp";
+          localIP = "127.0.0.1";
+          localPort = 8443;
+          remotePort = 8443;
+        }
+      ];
+    };
+  };
+
+  systemd.services.frp.serviceConfig.EnvironmentFile = [
+    config.desu.secrets.arumi-frp-token.path
+  ];
+} 

hosts/koi/services/nginx.nix

@@ -15,33 +15,17 @@
     enableReload = true;
 
     commonHttpConfig = ''
-      set_real_ip_from 103.21.244.0/22;
-      set_real_ip_from 103.22.200.0/22;
-      set_real_ip_from 103.31.4.0/22;
-      set_real_ip_from 104.16.0.0/13;
-      set_real_ip_from 104.24.0.0/14;
-      set_real_ip_from 108.162.192.0/18;
-      set_real_ip_from 131.0.72.0/22;
-      set_real_ip_from 141.101.64.0/18;
-      set_real_ip_from 162.158.0.0/15;
-      set_real_ip_from 172.64.0.0/13;
-      set_real_ip_from 173.245.48.0/20;
-      set_real_ip_from 188.114.96.0/20;
-      set_real_ip_from 190.93.240.0/20;
-      set_real_ip_from 197.234.240.0/22;
-      set_real_ip_from 198.41.128.0/17;
-      set_real_ip_from 2400:cb00::/32;
-      set_real_ip_from 2606:4700::/32;
-      set_real_ip_from 2803:f800::/32;
-      set_real_ip_from 2405:b500::/32;
-      set_real_ip_from 2405:8100::/32;
-      set_real_ip_from 2c0f:f248::/32;
-      set_real_ip_from 2a06:98c0::/29;
-      real_ip_header CF-Connecting-IP;
+      set_real_ip_from 127.0.0.1/32;
+      real_ip_header proxy_protocol;
 
       proxy_headers_hash_bucket_size 128;
     '';
 
+    defaultListen = [
+      { addr = "0.0.0.0"; port = 443; ssl = true; }
+      { addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; }
+    ];
+
     # default server that would reject all unmatched requests
     appendHttpConfig = ''
       server {

secrets/arumi-frp-token.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 sj88Xw /Vkx3GW0FnqhBswN37q9aI53zw+94lshHnkVbY2NhVo
+aYfMX6fveWE5MjqVyRNiVI7J0D6twv3Flx2Tqua9eQc
+--- z0VnnFlIGXDUo6Qccrp+fkB9QPz8z1x9bHLJQAOni4E
+U?
+a9mß1Ê>G =¨÷8¬Ãu˜´ºYŽFS2ÚŸ‡¥<>–þð2;åëu·æMÊŒ—lu„ŒõáŽÏøj~n“ÕDPÄÿ½¼