Move services to IPv6/TLS internally

peterablehmann · Sep 19, 2024 · 841a9a9 · 841a9a9
1 parent 1987d82
commit 841a9a9
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 9 deletions.
diff --git a/modules/common/exporters.nix b/modules/common/exporters.nix
@@ -24,12 +24,13 @@ in
     forceSSL = true;
     kTLS = true;
     locations."/" = {
-      proxyPass = "https://localhost:${builtins.toString config.services.prometheus.exporters.node.port }";
+      proxyPass = "https://${config.services.prometheus.exporters.node.listenAddress}:${builtins.toString config.services.prometheus.exporters.node.port }";
     };
   };
 
   services.prometheus.exporters.node = {
     enable = true;
+    listenAddress = "[::1]";
     port = 3043;
     enabledCollectors = [
       "systemd"

diff --git a/modules/monitoring/blackbox.nix b/modules/monitoring/blackbox.nix
@@ -24,12 +24,13 @@ in
     kTLS = true;
     forceSSL = true;
     locations."/" = {
-      proxyPass = "https://localhost:${builtins.toString config.services.prometheus.exporters.blackbox.port }";
+      proxyPass = "https://${config.services.prometheus.exporters.blackbox.listenAddress}:${builtins.toString config.services.prometheus.exporters.blackbox.port }";
     };
   };
 
   services.prometheus.exporters.blackbox = {
     enable = true;
+    listenAddress = "[::1]";
     port = 3044;
     extraFlags = [
       "--web.config.file=${webConfig}"

diff --git a/modules/monitoring/grafana.nix b/modules/monitoring/grafana.nix
@@ -20,7 +20,7 @@ in
     kTLS = true;
     forceSSL = true;
     locations."/" = {
-      proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port }";
+      proxyPass = "http://[${config.services.grafana.settings.server.http_addr}]:${builtins.toString config.services.grafana.settings.server.http_port }";
       proxyWebsockets = true;
     };
   };
@@ -34,7 +34,7 @@ in
     enable = true;
     settings = {
       server = {
-        http_addr = "127.0.0.1";
+        http_addr = "::1";
         http_port = 3312;
         root_url = "https://${domain}";
         inherit domain;
@@ -62,7 +62,7 @@ in
       datasources.settings.datasources = [
         {
           name = "prometheus";
-          url = "http://localhost:9001";
+          url = "http://${config.services.prometheus.listenAddress}:${builtins.toString config.services.prometheus.port}";
           type = "prometheus";
           editable = false;
         }

diff --git a/modules/monitoring/prometheus.nix b/modules/monitoring/prometheus.nix
@@ -12,6 +12,7 @@
   services = {
     prometheus = {
       enable = true;
+      listenAddress = "[::1]";
       port = 9001;
       checkConfig = "syntax-only";
       retentionTime = "90d";

diff --git a/modules/paperless.nix b/modules/paperless.nix
@@ -60,6 +60,8 @@ in
   services.paperless = {
     enable = true;
     passwordFile = config.sops.secrets."paperless/password".path;
+    address = "[::1]";
+    port = 28981;
     settings = {
       PAPERLESS_ADMIN_USER = "peter";
       PAPERLESS_PRE_CONSUME_SCRIPT = pre_consume_script.outPath;

diff --git a/modules/restic-server/default.nix b/modules/restic-server/default.nix
@@ -3,6 +3,7 @@
 }:
 let
   domain = "restic.${config.networking.hostName}.xnee.net";
+  tls-dir = config.security.acme.certs.${domain}.directory;
 in
 {
   security.acme.certs."${domain}" = { };
@@ -13,17 +14,29 @@ in
     kTLS = true;
     forceSSL = true;
     locations."/" = {
-      proxyPass = "http://${config.services.restic.server.listenAddress}";
+      proxyPass = "https://${config.services.restic.server.listenAddress}";
       extraConfig = "client_max_body_size 10G;";
     };
   };
 
+  systemd.services.restic-rest-server = {
+    serviceConfig = {
+      SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
+      BindReadOnlyPaths = [ tls-dir ];
+    };
+  };
+
   services.restic.server = {
     enable = true;
     dataDir = "/var/lib/restic";
     appendOnly = true;
-    listenAddress = "127.0.0.1:8000";
+    listenAddress = "[::1]:8000";
     privateRepos = true;
-    extraFlags = [ "--htpasswd-file=${./.htpasswd}" ];
+    extraFlags = [
+      "--htpasswd-file=${./.htpasswd}"
+      "--tls"
+      "--tls-cert=${tls-dir}/fullchain.pem"
+      "--tls-key=${tls-dir}/key.pem"
+      ];
   };
 }
diff --git a/modules/syncthing.nix b/modules/syncthing.nix
@@ -20,7 +20,7 @@ in
   services.syncthing = {
     enable = true;
     dataDir = "/var/lib/syncthing";
-    guiAddress = "127.0.0.1:8384";
+    guiAddress = "[::1]:8384";
     settings = {
       gui.insecureSkipHostcheck = true;
       devices = {