chore: migrate from cloudflare to haproxy+frp

Revert "feat: bsky crossposter"
This reverts commit 0090530484.
2025-01-31 15:48:36 +03:00 · 2025-01-31 13:09:39 +03:00 · 2025-01-31 13:09:32 +03:00 · 2025-01-31 13:08:45 +03:00 · 2025-01-18 11:22:30 +03:00 · 2025-01-18 11:22:11 +03:00
12 changed files with 121 additions and 29 deletions
--- a/hosts/arumi/configuration.nix
+++ b/hosts/arumi/configuration.nix
@ -7,9 +7,11 @@
    (abs "lib/desu")
    ./disk-config.nix

-    ./services/sing-box.nix
+    ./services/xray.nix
    ./services/uptime-kuma.nix
    ./services/mumble.nix
+    ./services/frp.nix
+    ./services/haproxy.nix
  ];

  boot.loader.grub = {
--- a/hosts/arumi/services/frp.nix
+++ b/hosts/arumi/services/frp.nix
@ -0,0 +1,31 @@
+{ config, ... }: 
+
+{
+  desu.secrets.arumi-frp-token = {};
+
+  services.frp = {
+    enable = true;
+    role = "server";
+    settings = {
+      bindAddr = "0.0.0.0";
+      bindPort = 7000;
+      kcpBindPort = 7000;
+
+      auth = {
+        method = "token";
+        token = "{{ .Envs.FRP_TOKEN }}";
+      };
+
+      allowPorts = [
+        { single = 8443; }
+      ];
+    };
+  };
+
+  systemd.services.frp.serviceConfig.EnvironmentFile = [
+    config.desu.secrets.arumi-frp-token.path
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 7000 ];
+  networking.firewall.allowedUDPPorts = [ 7000 ];
+} 
--- a/hosts/arumi/services/haproxy.nix
+++ b/hosts/arumi/services/haproxy.nix
@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  services.haproxy = {
+    enable = true;
+    config = ''
+      frontend https-in
+        mode tcp
+        bind 0.0.0.0:443
+        tcp-request inspect-delay 3s
+        tcp-request content capture req.ssl_sni len 10
+        use_backend xray if { req.ssl_sni updates.cdn-apple.com }
+        default_backend koi
+      
+      frontend http-in
+        bind *:80
+        mode http
+        redirect scheme https code 301
+
+      backend koi
+        server koi 127.0.0.1:8443 send-proxy-v2
+
+      backend xray
+        server xray 127.0.0.1:1234
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/hosts/arumi/services/sing-box.nix
+++ b/hosts/arumi/services/sing-box.nix
@ -28,7 +28,7 @@
      log = { level = "info"; timestamp = true; };
      inbounds = [
        {
-          port = 443;
+          port = 1234;
          protocol = "vless";
          settings = {
            decryption = "none";
@ -66,5 +66,4 @@
        | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
  '';

-  networking.firewall.allowedTCPPorts = [ 443 ];
 }
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@ -24,6 +24,7 @@
    ./services/geesefs.nix
    ./services/actions-runner
    ./services/autorestic
+    ./services/frp.nix

    ./containers/torrent.nix
    ./containers/soulseek
@ -45,7 +46,6 @@
    ./containers/teisu.nix
    ./containers/bots/pcre-sub-bot.nix
    ./containers/bots/channel-logger-bot.nix
-    ./containers/bots/bsky-crossposter
    ./vms/hass.nix
    ./vms/bnuuy.nix
    # ./vms/windows.nix
--- a/hosts/koi/containers/sftpgo/default.nix
+++ b/hosts/koi/containers/sftpgo/default.nix
@ -83,6 +83,8 @@ in {
        extraConfig = ''
          alias /mnt/s3-desu-priv-encrypted/public/;
          autoindex on;
+          add_header 'Access-Control-Allow-Origin' '*';
+          add_header 'Access-Control-Allow-Methods' 'GET';
        '';
      };
    };
--- a/hosts/koi/containers/siyuan/default.nix
+++ b/hosts/koi/containers/siyuan/default.nix
@ -43,6 +43,10 @@ in {
  services.nginx.virtualHosts."siyuan.tei.su" = {
    forceSSL = true;
    useACMEHost = "tei.su";
+    extraConfig = ''
+      allow 10.0.0.0/8;
+      deny all;
+    '';

    locations."/" = {
      proxyPass = "http://siyuan-teidesu-oidc.docker$request_uri";
--- a/hosts/koi/services/actions-runner/default.nix
+++ b/hosts/koi/services/actions-runner/default.nix
@ -34,7 +34,7 @@
        "docker:docker://node:22-bookworm"
      ];
      settings = {
-        runner.capacity = 8;
+        runner.capacity = 16;
      };
    };

--- a/hosts/koi/services/frp.nix
+++ b/hosts/koi/services/frp.nix
@ -0,0 +1,35 @@
+{ config, ... }: 
+
+{
+  desu.secrets.arumi-frp-token = {};
+
+  services.frp = {
+    enable = true;
+    role = "client";
+    settings = {
+      serverAddr = config.desu.readUnsafeSecret "arumi-ip";
+      serverPort = 7000;
+
+      auth = {
+        method = "token";
+        token = "{{ .Envs.FRP_TOKEN }}";
+      };
+
+      transport.protocol = "kcp";
+
+      proxies = [
+        {
+          name = "http";
+          type = "tcp";
+          localIP = "127.0.0.1";
+          localPort = 8443;
+          remotePort = 8443;
+        }
+      ];
+    };
+  };
+
+  systemd.services.frp.serviceConfig.EnvironmentFile = [
+    config.desu.secrets.arumi-frp-token.path
+  ];
+} 
--- a/hosts/koi/services/landing/assets/index.html
+++ b/hosts/koi/services/landing/assets/index.html
@ -54,7 +54,7 @@
    <footer>
      <a href="https://arumi-kuma.stupid.fish/status/meow">status</a>
      //
-      <a href="https://github.com/teidesu/nixfiles">source</a>
+      <a href="https://git.stupid.fish/teidesu/nixfiles">source</a>
    </footer>
  </body>
 </html>
--- a/hosts/koi/services/nginx.nix
+++ b/hosts/koi/services/nginx.nix
@ -15,33 +15,17 @@
    enableReload = true;

    commonHttpConfig = ''
-      set_real_ip_from 103.21.244.0/22;
-      set_real_ip_from 103.22.200.0/22;
-      set_real_ip_from 103.31.4.0/22;
-      set_real_ip_from 104.16.0.0/13;
-      set_real_ip_from 104.24.0.0/14;
-      set_real_ip_from 108.162.192.0/18;
-      set_real_ip_from 131.0.72.0/22;
-      set_real_ip_from 141.101.64.0/18;
-      set_real_ip_from 162.158.0.0/15;
-      set_real_ip_from 172.64.0.0/13;
-      set_real_ip_from 173.245.48.0/20;
-      set_real_ip_from 188.114.96.0/20;
-      set_real_ip_from 190.93.240.0/20;
-      set_real_ip_from 197.234.240.0/22;
-      set_real_ip_from 198.41.128.0/17;
-      set_real_ip_from 2400:cb00::/32;
-      set_real_ip_from 2606:4700::/32;
-      set_real_ip_from 2803:f800::/32;
-      set_real_ip_from 2405:b500::/32;
-      set_real_ip_from 2405:8100::/32;
-      set_real_ip_from 2c0f:f248::/32;
-      set_real_ip_from 2a06:98c0::/29;
-      real_ip_header CF-Connecting-IP;
+      set_real_ip_from 127.0.0.1/32;
+      real_ip_header proxy_protocol;

      proxy_headers_hash_bucket_size 128;
    '';

+    defaultListen = [
+      { addr = "0.0.0.0"; port = 443; ssl = true; }
+      { addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; }
+    ];
+
    # default server that would reject all unmatched requests
    appendHttpConfig = ''
      server {
--- a/secrets/arumi-frp-token.age
+++ b/secrets/arumi-frp-token.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 sj88Xw /Vkx3GW0FnqhBswN37q9aI53zw+94lshHnkVbY2NhVo
+aYfMX6fveWE5MjqVyRNiVI7J0D6twv3Flx2Tqua9eQc
+--- z0VnnFlIGXDUo6Qccrp+fkB9QPz8z1x9bHLJQAOni4E
+U?
+a9mß1Ê>G =¨÷8¬Ãu˜´ºYŽFS2ÚŸ‡¥<>–þð2;åëu·æMÊŒ—lu„ŒõáŽÏøj~n“ÕDPÄÿ½¼
Author	SHA1	Message	Date
teidesu	6f06f32af6	chore: migrate from cloudflare to haproxy+frp	2025-01-31 15:48:36 +03:00
teidesu	eec469ab31	Revert "feat: bsky crossposter" This reverts commit `0090530484`.	2025-01-31 13:09:39 +03:00
teidesu	0090530484	feat: bsky crossposter	2025-01-31 13:09:32 +03:00
teidesu	185b213349	fix(koi): fix landing	2025-01-31 13:08:45 +03:00
teidesu	e18893c629	koi: restrict siyuan to lan	2025-01-18 11:22:30 +03:00
teidesu	0155400fe3	koi: increased runner capacity	2025-01-18 11:22:11 +03:00