proxy ssh connections to :220 to drifvarkaden ssh

datasektionen · Jan 11, 2025 · aa3ee4b · aa3ee4b
1 parent 310f0f3
commit aa3ee4b
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/hosts/hades.nix b/hosts/hades.nix
@@ -34,13 +34,12 @@
         endpoint = "mjukglass.datasektionen.se:51800";
         presharedKeyFile = config.age.secrets.wireguard-preshared-key.path;
         publicKey = "QszePOBh9UBg8v4BNHkY4ZeqBfiLXr5uwDVjTSRqHX0=";
-        allowedIPs = [ "10.83.1.1/32" ];
+        allowedIPs = [ "${config.dsekt.addresses.hosts.mjukglass}/32" ];
       }
       {
-        # drifvarkaden
         presharedKeyFile = config.age.secrets.wireguard-preshared-key.path;
         publicKey = "9O+wjIbvxZq3sVk6gxfoI4jhSCfPOte0dWnMbG3obT0=";
-        allowedIPs = [ "10.83.1.2/32" ];
+        allowedIPs = [ "${config.dsekt.addresses.hosts.drifvarkaden}/32" ];
       }
     ];
   };

diff --git a/modules/addresses.nix b/modules/addresses.nix
@@ -23,6 +23,7 @@ in
       artemis = "10.83.0.6";
 
       mjukglass = "10.83.1.1";
+      drifvarkaden = "10.83.1.2";
 
       self = self.${config.networking.hostName};
     });

diff --git a/profiles/traefik-external.nix b/profiles/traefik-external.nix
@@ -14,8 +14,6 @@
       (pkgs.writeText "traefik-cloudflare-config" "[email protected]")
     ];
     staticConfigOptions = {
-      entryPoints.mattermost-calls-tcp.address = ":8443/tcp";
-      entryPoints.mattermost-calls-udp.address = ":8443/udp";
       entryPoints.web = {
         address = ":443";
         asDefault = true;
@@ -30,6 +28,10 @@
         };
       };
 
+      entryPoints.mattermost-calls-tcp.address = ":8443/tcp";
+      entryPoints.mattermost-calls-udp.address = ":8443/udp";
+      entryPoints.drifvarkaden-ssh.address = ":220/tcp";
+
       certificatesresolvers.default.acme = {
         # Good for testing: caserver = "https://acme-staging-v02.api.letsencrypt.org/directory";
         email = "[email protected]";
@@ -59,6 +61,16 @@
         };
         serversTransports.nomadTransport.rootCAs = "${../files/nomad-agent-ca.pem}";
       };
+      tcp = {
+        routers.drifvarkaden-ssh = {
+          entryPoints = [ "drifvarkaden-ssh" ];
+          rule = "HostSNI(`*`)";
+          service = "drifvarkaden-ssh";
+        };
+        services.drifvarkaden-ssh.loadBalancer = {
+          servers = [ { address = "drifvarkaden.dsekt.internal:22"; } ];
+        };
+      };
       tls.stores.default.defaultGeneratedCert = {
         resolver = "default";
         domain = {
@@ -72,6 +84,7 @@
     80
     443
     8443
+    220
   ];
   networking.firewall.allowedUDPPorts = [ 8443 ];