test: NAT

jz8132543 · Mar 5, 2024 · e3f1fd6 · e3f1fd6
1 parent b5a69be
commit e3f1fd6
Show file tree

Hide file tree

Showing 10 changed files with 87 additions and 51 deletions.
diff --git a/home-manager/modules/tippy/ssh.nix b/home-manager/modules/tippy/ssh.nix
@@ -19,7 +19,7 @@ with lib.strings; {
         "StrictHostKeyChecking" = "no";
         "LogLevel" = "ERROR";
         "CanonicalizeHostname" = "yes";
-        "CanonicalDomains" = concatStringsSep " " ([osConfig.networking.domain] ++ osConfig.networking.search);
+        "CanonicalDomains" = concatStringsSep " " ([osConfig.networking.domain] ++ osConfig.environment.domains);
         "CanonicalizeMaxDots" = "0";
         # fix kde connection for android
         "HostKeyAlgorithms " = "+ssh-rsa";
@@ -42,7 +42,7 @@ with lib.strings; {
           forwardX11 = true;
         };
         "canonical" = {
-          match = concatStrings ["canonical final Host " (concatMapStringsSep "," (x: concatStrings ["*." x]) ([osConfig.networking.domain] ++ osConfig.networking.search))];
+          match = concatStrings ["canonical final Host " (concatMapStringsSep "," (x: concatStrings ["*." x]) ([osConfig.networking.domain] ++ osConfig.environment.domains))];
           port = osConfig.ports.ssh;
         };
       };

diff --git a/nixos/hosts/isk/default.nix b/nixos/hosts/isk/default.nix
@@ -17,32 +17,9 @@
     ];
   services.qemuGuest.enable = true;
 
-  # environment.isNAT = true;
+  environment.isNAT = true;
   environment.isCN = true;
 
   ports.derp-stun = lib.mkForce 3440;
-  services.traefik.staticConfigOptions.entryPoints.https.address = lib.mkForce ":8443";
-  networking.firewall = {
-    enable = lib.mkForce false;
-    # extraCommands = ''
-    #   iptables -t nat -A PREROUTING -p tcp --dport 8443 -j REDIRECT --to-port 443
-    #   iptables -t nat -A PREROUTING -p udp --dport 8443 -j REDIRECT --to-port 443
-    #   iptables -t nat -A OUTPUT -p tcp --dport 8443 -j REDIRECT --to-port 443
-    #   iptables -t nat -A OUTPUT -p udp --dport 8443 -j REDIRECT --to-port 443
-    # '';
-    allowedUDPPortRanges = [
-      {
-        from = 0;
-        to = 65535;
-      }
-    ];
-    allowedTCPPortRanges = [
-      {
-        from = 0;
-        to = 65535;
-      }
-    ];
-    allowedTCPPorts = [8443];
-    allowedUDPPorts = [8443];
-  };
+  # services.traefik.staticConfigOptions.entryPoints.https.address = lib.mkForce ":8443";
 }
diff --git a/nixos/modules/base/environment/domains/default.nix b/nixos/modules/base/environment/domains/default.nix
@@ -0,0 +1,10 @@
+{lib, ...}:
+with lib; {
+  options.environment.domains = lib.mkOption {
+    type = types.listOf types.str;
+    default = ["ts.dora.im" "users.dora.im"];
+    description = ''
+      tailscale search domains.
+    '';
+  };
+}
diff --git a/nixos/modules/base/environment/isNAT/default.nix b/nixos/modules/base/environment/isNAT/default.nix
@@ -1,10 +1,49 @@
-{lib, ...}:
-with lib; {
-  options.environment.isNAT = lib.mkOption {
-    type = types.bool;
-    default = false;
-    description = ''
-      Whether to enable NAT mode.
-    '';
-  };
-}
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.services.traefik.dynamicConfigOptions.http.routers;
+in
+  with lib; {
+    options.environment = {
+      isNAT = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable NAT mode.
+        '';
+      };
+      AltHTTPS = mkOption {
+        type = types.int;
+        default = 8443;
+        description = ''
+          The port of https alt
+        '';
+      };
+      AltHTTP = mkOption {
+        type = types.int;
+        default = 8080;
+        description = ''
+          The port of http alt
+        '';
+      };
+    };
+    # Traefik
+    options = {
+      services.traefik.dynamicConfigOptions.http.routers = mkOption {
+        type = types.attrsOf types.submodule {
+          options.entryPoints = mkOption {
+            type = types.listOf types.str;
+            default = ["https-alt"];
+          };
+        };
+      };
+      # lib.concatMapAttrs (name: _: {
+      #   ${name}.entryPoints = ["https" "https-alt"];
+      # })
+      # // config.services.traefik.dynamicConfigOptions.http.routers;
+      networking.firewall.allowedTCPPorts = with config.environment; [AltHTTPS AltHTTP];
+      networking.firewall.allowedUDPPorts = with config.environment; [AltHTTPS];
+    };
+  }
diff --git a/nixos/modules/base/network.nix b/nixos/modules/base/network.nix
@@ -4,7 +4,8 @@
     firewall.enable = true;
     nameservers = lib.mkDefault ["1.1.1.1" "1.0.0.1"];
     domain = "dora.im";
-    search = ["ts.dora.im" "users.dora.im"];
+    search = ["dora.im"];
+    # search = ["ts.dora.im" "users.dora.im"];
     dhcpcd.extraConfig = "nohook resolv.conf";
     networkmanager.dns = lib.mkDefault "none";
   };

diff --git a/nixos/modules/base/tailscale.nix b/nixos/modules/base/tailscale.nix
@@ -1,20 +1,19 @@
 {
   config,
   pkgs,
-  lib,
   ...
 }: let
   interfaceName = "tailscale0";
 in {
   services.tailscale = {
     enable = true;
     openFirewall = true;
-    # useRoutingFeatures = "both";
+    useRoutingFeatures = "both";
   };
   networking = {
     networkmanager.unmanaged = [interfaceName];
     firewall = {
-      checkReversePath = false;
+      # checkReversePath = false;
       trustedInterfaces = ["tailscale0"];
       allowedUDPPorts = [
         config.services.tailscale.port

diff --git a/nixos/modules/services/derp.nix b/nixos/modules/services/derp.nix
@@ -10,10 +10,10 @@
     serviceConfig = {
       Restart = "always";
       DynamicUser = true;
-      ExecStart =
-        if !config.environment.isNAT
-        then "${pkgs.tailscale}/bin/derper -a ':${toString config.ports.derp}' -stun-port ${toString config.ports.derp-stun} --hostname='${config.networking.fqdn}' -c /tmp/derper.conf -verify-clients -dev"
-        else "${pkgs.tailscale}/bin/derper -a ':${toString config.ports.derp}' -stun-port ${toString config.ports.derp-stun} -http-port='-1' --hostname='${config.networking.fqdn}' -c /tmp/derper.conf -certdir '$CREDENTIALS_DIRECTORY' -certmode manual -verify-clients -dev";
+      ExecStart = "${pkgs.tailscale}/bin/derper -a ':${toString config.ports.derp}' -stun-port ${toString config.ports.derp-stun} --hostname='${config.networking.fqdn}' -c /tmp/derper.conf -verify-clients -dev";
+      # if !config.environment.isNAT
+      # then "${pkgs.tailscale}/bin/derper -a ':${toString config.ports.derp}' -stun-port ${toString config.ports.derp-stun} --hostname='${config.networking.fqdn}' -c /tmp/derper.conf -verify-clients -dev"
+      # else "${pkgs.tailscale}/bin/derper -a ':${toString config.ports.derp}' -stun-port ${toString config.ports.derp-stun} -http-port='-1' --hostname='${config.networking.fqdn}' -c /tmp/derper.conf -certdir '$CREDENTIALS_DIRECTORY' -certmode manual -verify-clients -dev";
       LoadCredential = [
         "${config.networking.fqdn}.crt:${config.security.acme.certs."main".directory}/full.pem"
         "${config.networking.fqdn}.key:${config.security.acme.certs."main".directory}/key.pem"

diff --git a/nixos/modules/services/headscale.nix b/nixos/modules/services/headscale.nix
@@ -16,7 +16,7 @@
           override_local_dns = true;
           base_domain = "dora.im";
           magic_dns = true;
-          domains = config.networking.search;
+          domains = config.environment.domains;
           nameservers = [
             "1.1.1.1"
             "9.9.9.9"

diff --git a/nixos/modules/services/hydra.nix b/nixos/modules/services/hydra.nix
@@ -145,7 +145,7 @@ in {
           CanonicalizeHostname yes
           LogLevel ERROR
           StrictHostKeyChecking no
-          Match canonical final Host ${concatMapStringsSep "," (x: concatStrings ["*." x]) osConfig.networking.search}
+          Match canonical final Host ${concatMapStringsSep "," (x: concatStrings ["*." x]) osConfig.environment.domains}
             Port 1022
             HashKnownHosts no
             UserKnownHostsFile /dev/null

diff --git a/nixos/modules/services/traefik.nix b/nixos/modules/services/traefik.nix
@@ -26,10 +26,20 @@
           address = ":443";
           forwardedHeaders.insecure = true;
           proxyProtocol.insecure = true;
-          http.tls =
-            if config.environment.isNAT
-            then true
-            else {certResolver = "zerossl";};
+          http.tls = "zerossl";
+          # if config.environment.isNAT
+          # then true
+          # else {certResolver = "zerossl";};
+          http3 = {};
+        };
+        https-alt = {
+          address = ":${toString config.environment.altHTTPS}";
+          forwardedHeaders.insecure = true;
+          proxyProtocol.insecure = true;
+          http.tls = "zerossl";
+          # if config.environment.isNAT
+          # then true
+          # else {certResolver = "zerossl";};
           http3 = {};
         };
       };