Berwn
48bf7fb250
web01 terminates TLS for grafana.cnx.network and proxies to Grafana on control over the mesh. Caddy serves a *.cnx.network wildcard cert obtained via ACME DNS-01, using a dedicated acme_web01 TSIG key scoped on ns1 to _acme-challenge on the cnx.network zone only. Ports 80/443 are the only public exposure (80 just redirects); admin and the backend ride ZeroTier. Also reload Caddy on cert renewal for both web01 and mx1, since both reference the cert via explicit tls file paths and would otherwise keep serving a stale cert after a silent renewal.
33 lines
1015 B
Nix
33 lines
1015 B
Nix
# Per-host public network facts: single source of truth for each machine's
|
|
# public IPv4 and its static public IPv6. Consumed by clan.nix's `internet`
|
|
# connection hosts (ipv4) and each machine's `cnx.staticIPv6` (ipv6), so an
|
|
# address is written once instead of being duplicated across configs.
|
|
#
|
|
# NOT a driver for the DNS zone files — those stay hand-edited text, so a record
|
|
# here that also appears as A/AAAA glue still needs a matching manual zone edit.
|
|
#
|
|
# ipv6 is the single address to assign from the host's allocated /64 (we take
|
|
# ::1), without prefix length; cnx.staticIPv6 supplies the /64 default.
|
|
{
|
|
control = {
|
|
ipv4 = "77.42.68.181";
|
|
ipv6 = "2a01:4f9:c013:e6d0::1";
|
|
};
|
|
ns1 = {
|
|
ipv4 = "46.224.170.206";
|
|
ipv6 = "2a01:4f8:c014:b5c5::1";
|
|
};
|
|
ns2 = {
|
|
ipv4 = "157.180.70.82";
|
|
ipv6 = "2a01:4f9:c014:6d87::1";
|
|
};
|
|
mx1 = {
|
|
ipv4 = "5.223.65.38";
|
|
ipv6 = "2a01:4ff:2f0:1963::1";
|
|
};
|
|
web01 = {
|
|
ipv4 = "5.223.55.246";
|
|
ipv6 = "2a01:4ff:2f0:2d8f::1";
|
|
};
|
|
}
|