Vpn: Fix proxy access.

2024-11-24 04:41:06 +03:00 · 2024-11-24 04:41:06 +03:00 · 02006b1ff7
parent 76f33841c8
commit 02006b1ff7
23 changed files with 31 additions and 28 deletions
--- a/container/Vpn.nix
+++ b/container/Vpn.nix
@ -30,6 +30,10 @@ in {
 			default = "${config.container.storage}/vpn";
 			type    = lib.types.str;
 		};
 		clients = lib.mkOption {
 			default = "10.1.1.0/24";
 			type    = lib.types.str;
 		};
 	};
 	config = lib.mkIf cfg.enable {
@ -38,14 +42,14 @@ in {
 		];
 		# HACK: When using `networking.interfaces.*` it breaks. This works tho.
-		systemd.services.vpn-route = {
+		systemd.services.vpn-route = util.mkStaticSystemdService {
 			enable = true;
 			description = "Hack vpn routes on host";
 			after    = [ "container@vpn.service" ];
 			wants    = [ "container@vpn.service" ];
 			wantedBy = [ "multi-user.target" ];
 			serviceConfig = {
-				ExecStart = "${pkgs.iproute2}/bin/ip route add 10.1.1.0/24 via ${cfg.address} dev ve-vpn";
+				ExecStart = "${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn";
 				Type      = "oneshot";
 			};
 		};
--- a/container/proxy/host/Camera.nix
+++ b/container/proxy/host/Camera.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				return 301 rtsp://${address}:${toString port}/live/main;
--- a/container/proxy/host/Change.nix
+++ b/container/proxy/host/Change.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
--- a/container/proxy/host/Chat.nix
+++ b/container/proxy/host/Chat.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
--- a/container/proxy/host/Cloud.nix
+++ b/container/proxy/host/Cloud.nix
@ -15,7 +15,7 @@ in {
 			location ~ ^/(settings/admin|settings/users|settings/apps|login|api) {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Download.nix
+++ b/container/proxy/host/Download.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Git.nix
+++ b/container/proxy/host/Git.nix
@ -14,7 +14,7 @@ in {
 			location ~ ^/(admin|api|user) {
 				allow ${config.container.localAccess};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Home.nix
+++ b/container/proxy/host/Home.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Iot.nix
+++ b/container/proxy/host/Iot.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
--- a/container/proxy/host/Mail.nix
+++ b/container/proxy/host/Mail.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Office.nix
+++ b/container/proxy/host/Office.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				# allow ${config.container.localAccess};
 				# allow ${config.container.module.status.address};
-				# allow ${config.container.module.vpn.address};
+				# allow ${config.container.module.vpn.clients};
 				# allow ${config.container.module.frkn.address};
 				# deny all;
 				add_header X-Forwarded-Proto https;
--- a/container/proxy/host/Paper.nix
+++ b/container/proxy/host/Paper.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Pass.nix
+++ b/container/proxy/host/Pass.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Print.nix
+++ b/container/proxy/host/Print.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
--- a/container/proxy/host/Printer.nix
+++ b/container/proxy/host/Printer.nix
@ -17,7 +17,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Read.nix
+++ b/container/proxy/host/Read.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Router.nix
+++ b/container/proxy/host/Router.nix
@ -17,7 +17,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Search.nix
+++ b/container/proxy/host/Search.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Status.nix
+++ b/container/proxy/host/Status.nix
@ -14,7 +14,7 @@ in {
 			location ~ ^/(dashboard|settings) {
 				allow ${config.container.localAccess};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
@ -22,7 +22,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Stock.nix
+++ b/container/proxy/host/Stock.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Watch.nix
+++ b/container/proxy/host/Watch.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
 				proxy_pass http://''$${name}$request_uri;
--- a/container/proxy/host/Yt.nix
+++ b/container/proxy/host/Yt.nix
@ -15,7 +15,7 @@ in {
 			location / {
 				allow ${config.container.localAccess};
 				allow ${config.container.module.status.address};
-				allow ${config.container.module.vpn.address};
+				allow ${config.container.module.vpn.clients};
 				allow ${config.container.module.frkn.address};
 				deny all;
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@ -50,8 +50,7 @@ in {
 				iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
 				# Full access from VPN clients.
-				# iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
+				iptables -I INPUT -j ACCEPT -s ${cfg.vpn.clients} -d ${internal}
 				iptables -I INPUT -j ACCEPT -s 10.1.1.0/24 -d ${internal}
 				iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal}
 				# Full access from Lan.
@ -89,13 +88,13 @@ in {
 			+ (mkForward external 54631 cfg.download.address 54631 udp)
 			# Git SSH connections.
-			# + (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
+			+ (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
 			+ (mkForward internal cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
 			# Print serivce.
 			+ (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp);
-			# SSH access.
+			# SSH access from WAN.
 			# + (mkForward external 22143 config.container.host 22143 tcp)
 		};