From 654a8459ebbbbc49eccdc5b4ea4c7ff4b382e16d Mon Sep 17 00:00:00 2001
From: fi
Date: Sun, 5 Apr 2026 18:31:16 +0200
Subject: [PATCH] Route IPv6 traffic via valkyrie
---
 config/hosts/forgejo/nginx.nix | 3 ++-
 config/hosts/hydra/nginx.nix | 6 +++--
 config/hosts/ikiwiki/nginx.nix | 3 ++-
 config/hosts/keycloak/nginx.nix | 3 ++-
 config/hosts/mastodon/nginx.nix | 3 ++-
 config/hosts/matrix/nginx.nix | 9 ++++---
 config/hosts/metrics-nekomesh/nginx.nix | 3 ++-
 config/hosts/nextcloud/nextcloud.nix | 3 ++-
 config/hosts/searx/nginx.nix | 3 ++-
 config/hosts/valkyrie/nginx.nix | 26 +++++++++++++++++++
 config/hosts/web-public-2/nginx.nix | 1 -
 .../virtualHosts/element-admin.nekover.se.nix | 5 ++--
 .../virtualHosts/element.nekover.se.nix | 5 ++--
 .../web-public-2/virtualHosts/nekover.se.nix | 3 ++-
 14 files changed, 58 insertions(+), 18 deletions(-)
diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix
index 6df90b1..3602209 100644
--- a/config/hosts/forgejo/nginx.nix
+++ b/config/hosts/forgejo/nginx.nix
@@ -29,7 +29,8 @@
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
index 5a15fe1..9aadd25 100644
--- a/config/hosts/hydra/nginx.nix
+++ b/config/hosts/hydra/nginx.nix
@@ -16,7 +16,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
@@ -33,7 +34,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
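Review bot: The trusted-proxy pair added here is repeated verbatim in all fifteen `extraConfig` hunks of this patch (forgejo, both hydra vhosts, ikiwiki, keycloak, mastodon, the three matrix vhosts, metrics-nekomesh, nextcloud, searx and the three web-public-2 vhosts), so a later change to either proxy address has to be made in every one of them. A missed copy leaves a vhost that either keeps trusting a stale address for PROXY-protocol client IPs or records the proxy's address instead of the client's. Defining the two `set_real_ip_from` lines once in a shared module or `let` binding and interpolating that into each `extraConfig` would remove the risk. The comment `# IPv6 from valkyrie` sits next to an IPv4 address; something like `# valkyrie (proxies IPv6 clients)` reads less ambiguously. The enclosing attribute set starts and ends outside the hunk.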
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix
index 4bbcf0a..9f6462e 100644
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@@ -39,7 +39,8 @@ in
 };
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix
index c82597d..e9b46cd 100644
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@@ -27,7 +27,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix
index 72aec08..02a0d0a 100644
--- a/config/hosts/mastodon/nginx.nix
+++ b/config/hosts/mastodon/nginx.nix
@@ -57,7 +57,8 @@
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index f4ddec6..c9548b2 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -51,7 +51,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
@@ -80,7 +81,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
@@ -103,7 +105,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix
index e2fc483..a754cb6 100644
--- a/config/hosts/metrics-nekomesh/nginx.nix
+++ b/config/hosts/metrics-nekomesh/nginx.nix
@@ -23,7 +23,8 @@
 proxyWebsockets = true;
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
index 88b842a..f27c9a6 100644
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@@ -44,7 +44,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix
index a84c171..9283018 100644
--- a/config/hosts/searx/nginx.nix
+++ b/config/hosts/searx/nginx.nix
@@ -21,7 +21,8 @@
 proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index fae78f0..dae48ad 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -33,5 +33,31 @@
 };
 };
 };
+
+ streamConfig = ''
+ map $ssl_preread_server_name $address {
+ cloud.nekover.se 10.202.41.122:8443;
+ element.nekover.se 10.202.41.100:8443;
+ element-admin.nekover.se 10.202.41.100:8443;
+ fi.nekover.se 10.202.41.125:8443;
+ git.nekover.se 10.202.41.106:8443;
+ hydra.nekover.se 10.202.41.121:8443;
+ id.nekover.se 10.202.41.124:8443;
+ mas.nekover.se 10.202.41.112:8443;
+ matrix.nekover.se 10.202.41.112:8443;
+ matrix-rtc.nekover.se 10.202.41.112:8443;
+ mesh.nekover.se 10.202.41.126:8443;
+ nekover.se 10.202.41.100:8443;
+ nix-cache.nekover.se 10.202.41.121:8443;
+ searx.nekover.se 10.202.41.105:8443;
+ social.nekover.se 10.202.41.104:8443;
+ }
+ server {
+ listen [::]:443;
+ proxy_pass $address;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+ '';
 };
 }
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 066f3d2..45e48f8 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -38,7 +38,6 @@
 }
 server {
 listen 0.0.0.0:443;
- listen [::]:443;
 proxy_pass $address;
 ssl_preread on;
 proxy_protocol on;
diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
index 69c3a9a..d6af438 100644
--- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
@@ -37,7 +37,7 @@ in
 enableACME = true;
 listen = [{
- addr = "localhost";
+ addr = "0.0.0.0";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
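Review bot: The new `map $ssl_preread_server_name $address` in `streamConfig` has no `default` entry, so a ClientHello without SNI, or with a name that is not listed, leaves `$address` empty and `proxy_pass $address` should then fail per connection as an upstream error rather than as a deliberate rejection. If dropping those connections is intended, say so above the map, e.g. `# no default on purpose: unknown or missing SNI is not proxied`. The host table also looks like a second copy of the one web-public-2 uses for IPv4 (that map is not part of this diff), so generating both from one Nix attribute set would keep the two address families from drifting apart.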
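Review bot: Changing `addr` from `"localhost"` to `"0.0.0.0"` binds this PROXY-protocol listener on port 8443 to every IPv4 interface of web-public-2, so unless a firewall rule outside this diff restricts the port, it becomes reachable from any network that can route to the host, not only from the two stream proxies. `set_real_ip_from` still keeps untrusted peers from supplying a client address, but the socket does not need to be that wide. Binding to the internal address, `addr = "10.202.41.100";`, would be enough if that is where valkyrie and the local stream proxy connect, as valkyrie's map suggests. The same change is made in the first hunk of element.nekover.se.nix, and the `listen` list continues outside the hunk.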
@@ -86,7 +86,8 @@ in
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 127.0.0.1;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 74b7820..6e61d6c 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -28,7 +28,7 @@ in
 ];
 };
 listen = [{
- addr = "localhost";
+ addr = "0.0.0.0";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
@@ -60,7 +60,8 @@ in
 # redirect server error pages to the static page /50x.html
 error_page 500 502 503 504 /50x.html;
- set_real_ip_from 127.0.0.1;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 40ee30d..233a49c 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -23,7 +23,8 @@
 '';
 };
 extraConfig = ''
- set_real_ip_from 127.0.0.1;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
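Review bot: Removing `set_real_ip_from 127.0.0.1` keeps real IPv4 client addresses only if the stream proxy on web-public-2 reaches this vhost from 10.202.41.100 rather than over loopback. That stream map is not part of this diff, so please confirm its entries for element-admin.nekover.se, element.nekover.se and nekover.se target `10.202.41.100:8443`. If one still targets loopback, nginx would no longer trust the PROXY-protocol address and would see 127.0.0.1 for every IPv4 visitor, which also affects any per-client rate limits or access rules. The same replacement is made in element.nekover.se.nix and nekover.se.nix, and the surrounding `extraConfig` string starts and ends outside the hunk.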