Route IPv6 traffic via valkyrie

2026-04-05 18:31:16 +02:00 · 2026-04-05 18:31:16 +02:00 · 654a8459eb
commit 654a8459eb
parent d793308ebe
14 changed files with 58 additions and 18 deletions
--- a/config/hosts/forgejo/nginx.nix
+++ b/config/hosts/forgejo/nginx.nix
@ -29,7 +29,8 @@
      };

      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/hydra/nginx.nix
+++ b/config/hosts/hydra/nginx.nix
@ -16,7 +16,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
@ -33,7 +34,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@ -39,7 +39,8 @@ in
        };
      };
      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@ -27,7 +27,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;

          add_header Strict-Transport-Security "max-age=63072000" always;
--- a/config/hosts/mastodon/nginx.nix
+++ b/config/hosts/mastodon/nginx.nix
@ -57,7 +57,8 @@
      };

      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -51,7 +51,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
@ -80,7 +81,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
@ -103,7 +105,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
--- a/config/hosts/metrics-nekomesh/nginx.nix
+++ b/config/hosts/metrics-nekomesh/nginx.nix
@ -23,7 +23,8 @@
          proxyWebsockets = true;
        };
        extraConfig = ''
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@ -44,7 +44,8 @@
      extraConfig = ''
        listen 0.0.0.0:8443 http2 ssl proxy_protocol;

-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/searx/nginx.nix
+++ b/config/hosts/searx/nginx.nix
@ -21,7 +21,8 @@
        proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
      };
      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@ -33,5 +33,31 @@
        };
      };
    };
+
+    streamConfig = ''
+      map $ssl_preread_server_name $address {
+        cloud.nekover.se 10.202.41.122:8443;
+        element.nekover.se 10.202.41.100:8443;
+        element-admin.nekover.se 10.202.41.100:8443;
+        fi.nekover.se 10.202.41.125:8443;
+        git.nekover.se 10.202.41.106:8443;
+        hydra.nekover.se 10.202.41.121:8443;
+        id.nekover.se 10.202.41.124:8443;
+        mas.nekover.se 10.202.41.112:8443;
+        matrix.nekover.se 10.202.41.112:8443;
+        matrix-rtc.nekover.se 10.202.41.112:8443;
+        mesh.nekover.se 10.202.41.126:8443;
+        nekover.se 10.202.41.100:8443;
+        nix-cache.nekover.se 10.202.41.121:8443;
+        searx.nekover.se 10.202.41.105:8443;
+        social.nekover.se 10.202.41.104:8443;
+      }
+      server {
+        listen [::]:443;
+        proxy_pass $address;
+        ssl_preread on;
+        proxy_protocol on;
+      }
+    '';
  };
 }
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -38,7 +38,6 @@
        }
        server {
          listen 0.0.0.0:443;
-          listen [::]:443;
          proxy_pass $address;
          ssl_preread on;
          proxy_protocol on;
--- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
@ -37,7 +37,7 @@ in
    enableACME = true;

    listen = [{
-      addr = "localhost";
+      addr = "0.0.0.0";
      port = 8443;
      ssl = true;
      extraParameters = ["proxy_protocol"];
@ -86,7 +86,8 @@ in
      # $remote_port to the client address and client port, when using proxy
      # protocol.
      # First set our proxy protocol proxy as trusted.
-      set_real_ip_from 127.0.0.1;
+      set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+      set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
      # Then tell the realip_module to get the addreses from the proxy protocol
      # header.
      real_ip_header proxy_protocol;
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@ -28,7 +28,7 @@ in
      ];
    };
    listen = [{
-      addr = "localhost";
+      addr = "0.0.0.0";
      port = 8443;
      ssl = true;
      extraParameters = ["proxy_protocol"];
@ -60,7 +60,8 @@ in
      # redirect server error pages to the static page /50x.html
      error_page   500 502 503 504  /50x.html;

-      set_real_ip_from 127.0.0.1;
+      set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+      set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
      real_ip_header proxy_protocol;
    '';
  };
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@ -23,7 +23,8 @@
      '';
    };
    extraConfig = ''
-      set_real_ip_from 127.0.0.1;
+      set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+      set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
      real_ip_header proxy_protocol;
    '';
  };