
Commit 2df73d5

authored
Merge pull request #563 from ncaq/avoid-tailscale-error
2 parents df2f7ed + 2f0a061 commit 2df73d5

2 files changed

Lines changed: 5 additions & 54 deletions


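--- a/nixos/host/seminar/caddy.nix
+++ b/nixos/host/seminar/caddy.nix
@@ -1,31 +1,15 @@
-{
-config,
-...
-}:
+{ config, ... }:
 let
 atticdAddr = config.containerAddresses.atticd.container;
-tailscale = config.services.tailscale.package;
-tailscaleDomain = "seminar.border-saurolophus.ts.net";
-certDir = "/var/lib/tailscale-cert";
-certFile = "${certDir}/${tailscaleDomain}.crt";
-keyFile = "${certDir}/${tailscaleDomain}.key";
 in
 {
 services.caddy = {
 enable = true;
 email = "ncaq@ncaq.net";
-# tailnet内からのアクセス用。
-# 分かり易さのためCaddyがまとめてリクエストを管理します。
-virtualHosts."${tailscaleDomain}".extraConfig = ''
-tls ${certFile} ${keyFile}
-handle_path /nix/cache/* {
-reverse_proxy http://${atticdAddr}:8080
-}
-redir /nix/cache /nix/cache/
-'';
-# Tailscale Funnelからのリクエストを受けるリバースプロキシ。
-# Tailscale Funnelはlocalhostへの転送しかサポートしていないため、
-# コンテナへの転送をするためにCaddyでプロキシします。
+# Tailscale Serve/Funnelからのリクエストを受けるリバースプロキシ。
+# tailscaledがTLS終端を行い、ここにHTTPで転送します。
+# tailnet内からのHTTPSアクセスもtailscaledが処理するため、
+# Caddyが443をlistenする必要はありません。
 virtualHosts.":8080".extraConfig = ''
 bind 127.0.0.1
 handle_path /nix/cache/* {
@@ -34,36 +18,4 @@ in
 redir /nix/cache /nix/cache/
 '';
 };
-
-# Tailscaleドメイン用のTLS証明書を取得・更新するサービス。
-# Caddyがtailnet内からのアクセスでもTLSを提供できるようにします。
-systemd.tmpfiles.rules = [
-"d ${certDir} 0750 caddy caddy -"
-];
-systemd.services.tailscale-cert-for-caddy = {
-description = "Generate Tailscale TLS certificates for Caddy";
-requires = [ "tailscaled.service" ];
-after = [ "tailscaled.service" ];
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-Type = "oneshot";
-ExecStart = "${tailscale}/bin/tailscale cert --cert-file ${certFile} --key-file ${keyFile} ${tailscaleDomain}";
-RemainAfterExit = true;
-User = "caddy";
-Group = "caddy";
-};
-};
-systemd.timers.tailscale-cert-for-caddy = {
-description = "Weekly renewal of Tailscale TLS certificates";
-wantedBy = [ "timers.target" ];
-timerConfig = {
-OnCalendar = "weekly";
-Persistent = true;
-};
-};
-
-systemd.services.caddy = {
-wants = [ "tailscale-cert-for-caddy.service" ];
-after = [ "tailscale-cert-for-caddy.service" ];
-};
 }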
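Review bot: The new comment above `virtualHosts.":8080"` states that tailscaled terminates TLS and forwards to this listener, but nothing in the commit declares the matching `tailscale serve`/`funnel` mapping to 127.0.0.1:8080, so the proxy presumably now depends on state kept outside the repository. With the tailnet-only vhost removed, tailnet and Funnel requests both arrive on the same loopback listener and Caddy can no longer distinguish them, so whether `/nix/cache` is intended to stay reachable from the public internet via Funnel should be stated explicitly rather than left implicit. I would extend the comment with `# 転送元の tailscale serve/funnel 設定はこのリポジトリ外で管理されています。` (or the English equivalent) naming where that mapping is managed. Since no hostname-based site remains, `email = "ncaq@ncaq.net";` on the context line appears to be unused ACME configuration and could be dropped in a follow-up.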

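--- a/nixos/host/seminar/tailscale.nix
+++ b/nixos/host/seminar/tailscale.nix
@@ -7,7 +7,6 @@ in
 # 基本的なTailscale有効化は nixos/core/tailscale.nix で行っています。
 services.tailscale = {
 openFirewall = true;
-permitCertUid = "caddy";
 useRoutingFeatures = "both";
 };
 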