box: setup invidious on tailnet

tailnet: poke holes for work to rimgo and invidious
2024-08-09 14:23:32 -06:00 · 2024-08-09 14:23:32 -06:00 · 73d5c32427
commit 73d5c32427
parent 5f11c31055
2 changed files with 10 additions and 15 deletions
--- a/configs/tailnet.nix
+++ b/configs/tailnet.nix
@ -24,6 +24,8 @@ let
          tv = "100.118.196.38";
          ollama = "100.121.227.121";
          display = "100.77.35.34";
+          rimgo = "100.121.77.91";
+          invidious = "100.71.57.99";
        };

        tagOwners = {
@ -59,7 +61,7 @@ let
          {
            "action" = "accept";
            "src" = [ "tag:work" ];
-            "dst" = [ "console:2222" "startpage:443" ];
+            "dst" = [ "console:2222" "startpage:443" "rimgo:443" "invidious:443" ];
          }
          {
            "action" = "accept";
--- a/hosts/box/default.nix
+++ b/hosts/box/default.nix
@ -101,8 +101,6 @@ in
    graph_key = mkNginxSecret;
    bw_cert = mkNginxSecret;
    bw_key = mkNginxSecret;
-    invidious_cert = mkNginxSecret;
-    invidious_key = mkNginxSecret;
    readarr_cert = mkNginxSecret;
    readarr_key = mkNginxSecret;
    home_cert = mkNginxSecret;
@ -266,6 +264,12 @@ in
    };
    ts-reverse-proxy = {
      servers = {
+        "invidious-service" = {
+          enable = true;
+          reverseName = "invidious";
+          reversePort = config.services.invidious.port;
+          reverseIP = config.services.invidious.address;
+        };
        "rimgo-service" = {
          enable = true;
          reverseName = "rimgo";
@ -484,7 +488,7 @@ in
          host = lib.mkForce "127.0.0.1";
          port = 5432;
        };
-        domain = "invidious.bold.daemon";
+        domain = "invidious.otter-alligator.ts.net";
        https_only = true;
        popular_enabled = false;
        statistics_enabled = false;
@ -898,17 +902,6 @@ in
            proxyWebsockets = true;
          };
        };
-        "invidious.bold.daemon" = {
-          forceSSL = true;
-          sslCertificateKey = "${config.sops.secrets.invidious_key.path}";
-          sslCertificate = "${config.sops.secrets.invidious_cert.path}";
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:${
-              toString config.services.invidious.port
-            }";
-            proxyWebsockets = true;
-          };
-        };
        "box.otter-alligator.ts.net" = {
          forceSSL = true;
          sslCertificateKey = "/etc/nixos/secrets/box.otter-alligator.ts.net.key";