Route IPv6 traffic via valkyrie

2026-04-05 18:31:16 +02:00 · 2026-04-05 18:31:16 +02:00 · 654a8459eb
commit 654a8459eb
parent d793308ebe
14 changed files with 58 additions and 18 deletions
--- a/config/hosts/forgejo/nginx.nix
+++ b/config/hosts/forgejo/nginx.nix
@ -29,7 +29,8 @@
      };
      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/hydra/nginx.nix
+++ b/config/hosts/hydra/nginx.nix
@ -16,7 +16,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
@ -33,7 +34,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@ -39,7 +39,8 @@ in
        };
      };
      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@ -27,7 +27,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
          add_header Strict-Transport-Security "max-age=63072000" always;
--- a/config/hosts/mastodon/nginx.nix
+++ b/config/hosts/mastodon/nginx.nix
@ -57,7 +57,8 @@
      };
      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -51,7 +51,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
@ -80,7 +81,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
@ -103,7 +105,8 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
--- a/config/hosts/metrics-nekomesh/nginx.nix
+++ b/config/hosts/metrics-nekomesh/nginx.nix
@ -23,7 +23,8 @@
          proxyWebsockets = true;
        };
        extraConfig = ''
-          set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
        '';
      };
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@ -44,7 +44,8 @@
      extraConfig = ''
        listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/searx/nginx.nix
+++ b/config/hosts/searx/nginx.nix
@ -21,7 +21,8 @@
        proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
      };
      extraConfig = ''
-        set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
        set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
        real_ip_header proxy_protocol;
      '';
    };
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@ -33,5 +33,31 @@
        };
      };
    };
    streamConfig = ''
      map $ssl_preread_server_name $address {
        cloud.nekover.se 10.202.41.122:8443;
        element.nekover.se 10.202.41.100:8443;
        element-admin.nekover.se 10.202.41.100:8443;
        fi.nekover.se 10.202.41.125:8443;
        git.nekover.se 10.202.41.106:8443;
        hydra.nekover.se 10.202.41.121:8443;
        id.nekover.se 10.202.41.124:8443;
        mas.nekover.se 10.202.41.112:8443;
        matrix.nekover.se 10.202.41.112:8443;
        matrix-rtc.nekover.se 10.202.41.112:8443;
        mesh.nekover.se 10.202.41.126:8443;
        nekover.se 10.202.41.100:8443;
        nix-cache.nekover.se 10.202.41.121:8443;
        searx.nekover.se 10.202.41.105:8443;
        social.nekover.se 10.202.41.104:8443;
      }
      server {
        listen [::]:443;
        proxy_pass $address;
        ssl_preread on;
        proxy_protocol on;
      }
    '';
  };
 }
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -38,7 +38,6 @@
        }
        server {
          listen 0.0.0.0:443;
          listen [::]:443;
          proxy_pass $address;
          ssl_preread on;
          proxy_protocol on;
--- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
@ -37,7 +37,7 @@ in
    enableACME = true;
    listen = [{
-      addr = "localhost";
+      addr = "0.0.0.0";
      port = 8443;
      ssl = true;
      extraParameters = ["proxy_protocol"];
@ -86,7 +86,8 @@ in
      # $remote_port to the client address and client port, when using proxy
      # protocol.
      # First set our proxy protocol proxy as trusted.
-      set_real_ip_from 127.0.0.1;
+      set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
      set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
      # Then tell the realip_module to get the addreses from the proxy protocol
      # header.
      real_ip_header proxy_protocol;
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@ -28,7 +28,7 @@ in
      ];
    };
    listen = [{
-      addr = "localhost";
+      addr = "0.0.0.0";
      port = 8443;
      ssl = true;
      extraParameters = ["proxy_protocol"];
@ -60,7 +60,8 @@ in
      # redirect server error pages to the static page /50x.html
      error_page   500 502 503 504  /50x.html;
-      set_real_ip_from 127.0.0.1;
+      set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
      set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
      real_ip_header proxy_protocol;
    '';
  };
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@ -23,7 +23,8 @@
      '';
    };
    extraConfig = ''
-      set_real_ip_from 127.0.0.1;
+      set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
      set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
      real_ip_header proxy_protocol;
    '';
  };