Server: move services to subdomains

Server/dns: localise queries
Server/traefik: set http entrypoint address to the tailscale IP
2023-12-10 18:12:27 +01:00 · 2023-12-09 19:38:21 +01:00 · 2023-12-09 18:39:45 +01:00 · 2023-12-09 18:31:08 +01:00 · 2023-12-09 18:00:03 +01:00
6 changed files with 72 additions and 26 deletions
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@ -15,5 +15,6 @@
 		./tailscale.nix
 		./traefik.nix
 		./minecraft.nix
+		./dns.nix
 	];
 }
--- a/roles/server/dns.nix
+++ b/roles/server/dns.nix
@ -0,0 +1,43 @@
+{ ... }:
+
+{
+  services.dnsmasq = {
+    enable = true;
+    
+    # Only using this for tailscale IPs, so better to let tailscale itself deal with it
+    resolveLocalQueries = false;
+    
+    settings = {
+      listen-address = [ "100.73.96.48" ];
+      
+      /*
+      Dnsmasq tries to use the tailscale dns server, which is bad cause that points to dnsmasq
+      From the little testing I have done it seems to not cause any issues, but better to be safe
+      than sorry :P
+      */
+      dns-loop-detect = true;
+      
+      # If this isn't set a cname that targets a host might return the wrong ip
+      localise-queries = true;
+      ## IPv6 is not a thing in Spain so I'm guaranteed to not use it
+      filter-AAAA = true;
+      expand-hosts = true;
+      domain = "sable-pancake.ts.net";
+      domain-needed = true;
+    };
+  };
+
+  # Add tailscale hosts
+  networking.hosts = {
+    "100.73.96.48" = [ "everest" ];
+    "100.113.139.93" = [ "archie" ];
+    "100.85.48.85" = [ "steamdeck" ];
+    "100.96.92.13" = [ "surfecego" ];
+  };
+
+  # Dnsmasq conflicts with the resolved dns stub listener
+  services.resolved.extraConfig = ''
+    [Resolve]
+    DNSStubListener=no
+  '';
+}
--- a/roles/server/gitea.nix
+++ b/roles/server/gitea.nix
@ -9,31 +9,27 @@
 			server = {
 				#server.SSH_PORT = 69;
 				DISABLE_REGISTRATION = lib.mkDefault true;
-				ROOT_URL = "http://everest/gitea/";
+				ROOT_URL = "http://git.everest.sable-pancake.ts.net";
 			};
 		};
 	};
+
+	# Add a cname for gitea
+	services.dnsmasq.settings.cname = [ "git.everest.sable-pancake.ts.net,everest" ];
+
 	# Set up traefik as the reverse proxy for Gitea
 	services.traefik = {
 		dynamicConfigOptions = {
 			http = {
 				routers = {
-					/*
-					Gitea works best as a subdomain, but I do not have a dns server (yet),
-					and since tailscale doesn't support adding subdomains with MagicDNS I'll
-					just put it in a subpath for now
-					*/
 					gitea-subpath = {
-						middlewares = [ "gitea-strip-prefix" ];
-						rule = "PathPrefix(`/gitea`)";
+						rule = "Host(`git.everest.sable-pancake.ts.net`)";
 						service = "gitea";
 					};
 				};
 				services.gitea.loadBalancer.servers = [
 					{ url = "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}"; }
 				];
-				# Gitea freaks out if you don't remove the subpath it's being proxied from
-				middlewares.gitea-strip-prefix.stripprefix.prefixes = "/gitea";
 			};
 		};
 	};
--- a/roles/server/syncthing.nix
+++ b/roles/server/syncthing.nix
@ -34,26 +34,22 @@
 		AmbientCapabilities = "CAP_CHOWN CAP_FOWNER";
 	};

+	# Add a cname for syncthing
+	services.dnsmasq.settings.cname = [ "sync.everest.sable-pancake.ts.net,everest" ];
+
 	# Set up traefik as the reverse proxy for syncthing
 	services.traefik = {
 		dynamicConfigOptions = {
 			http = {
 				routers = {
-					syncthing-subpath = {
-						middlewares = [ "syncthing-add-trailing-slash" "syncthing-strip-prefix" ];
-						rule = "PathPrefix(`/syncthing`)";
+					syncthing-subdomain = {
+						rule = "Host(`sync.everest.sable-pancake.ts.net`)";
 						service = "syncthing";
 					};
 				};
 				services.syncthing.loadBalancer.servers = [
 					{ url = "http://localhost:8384"; }
 				];
-				middlewares.syncthing-strip-prefix.stripprefix.prefixes = "/syncthing";
-				middlewares.syncthing-add-trailing-slash.redirectRegex = {
-					# Going to everest/syncthing without a slash at the end breaks things
-					regex = "http:\/\/everest\/syncthing+$";
-					replacement = "http://everest/syncthing/";
-				};
 			};
 		};
 	};
--- a/roles/server/traefik.nix
+++ b/roles/server/traefik.nix
@ -1,14 +1,21 @@
 { config, ... }:

 {
+	specialisation.traefikEnableWebUI.configuration.services.traefik = {
+		staticConfigOptions = {
+			api = {
+				# Enable the web ui
+				insecure = true;
+				dashboard = true;
+			};
+		};
+	};
+	
 	services.traefik = {
 		enable = true;
 		staticConfigOptions = {
-			# Enable the web ui
-			api.insecure = true;
-			api.dashboard = true;
 			entryPoints = {
-				http = { address = ":80"; };
+				http = { address = "100.73.96.48:80"; };
 			};
 		};
 	};
--- a/roles/server/transmission.nix
+++ b/roles/server/transmission.nix
@ -7,18 +7,21 @@
 		settings = {
 			incomplete-dir-enabled = false;
 			rpc-bind-address = "0.0.0.0";
-			rpc-host-whitelist = "everest";
+			rpc-host-whitelist = "transmission.everest.sable-pancake.ts.net";
 			rpc-whitelist = "127.0.0.1";
 		};
 	};

+	# Add a cname for transmission
+	services.dnsmasq.settings.cname = [ "transmission.everest.sable-pancake.ts.net,everest" ];
+
 	# Set up traefik as the reverse proxy for transmission
 	services.traefik = {
 		dynamicConfigOptions = {
 			http = {
 				routers = {
-					transmission-subpath = {
-						rule = "PathPrefix(`/transmission`)";
+					transmission-subdomain = {
+						rule = "Host(`transmission.everest.sable-pancake.ts.net`)";
 						service = "transmission";
 					};
 				};
Author	SHA1	Message	Date
Toast	1a84aa2290	Server: move services to subdomains	2023-12-10 18:12:27 +01:00
Toast	5a52fd9f3a	Server/dns: localise queries	2023-12-09 19:38:21 +01:00
Toast	78d3ac4d4e	Server/traefik: set http entrypoint address to the tailscale IP	2023-12-09 18:39:45 +01:00
Toast	3e4b9056f4	Server/traefik: only enable web ui in specialisation	2023-12-09 18:31:08 +01:00
Toast	486d719d52	Server/dns: enable and configure dnsmasq	2023-12-09 18:00:03 +01:00