From 89998061114d8c135874cc958b7276e29cbe3c34 Mon Sep 17 00:00:00 2001
From: Chris Toph
Date: Wed, 11 Jun 2025 02:52:33 -0400
Subject: [PATCH] Revise networking, proxy, and DNS configs for *ryot.foo zone

- Remove static host mappings from networking config
- Add reverse proxy settings for multiple subdomains
- Introduce DNSMASQ configuration with custom DNS records and firewall rules
- Update firewall UDP port settings and system stateVersion
---
 hosts/global/core/networking.nix | 11 -----
 hosts/nixos/proxy/config/caddy.nix | 52 ++++++++++++++++++++++
 hosts/nixos/proxy/config/dnsmasq.nix | 65 ++++++++++++++++++++++++++++
 hosts/nixos/proxy/default.nix | 3 +-
 4 files changed, 119 insertions(+), 12 deletions(-)
 create mode 100644 hosts/nixos/proxy/config/dnsmasq.nix

diff --git a/hosts/global/core/networking.nix b/hosts/global/core/networking.nix
index f2d0db9..bd0fd30 100644
--- a/hosts/global/core/networking.nix
+++ b/hosts/global/core/networking.nix
@@ -12,16 +12,5 @@
 useDHCP = lib.mkDefault true;
 useHostResolvConf = false;
 usePredictableInterfaceNames = true;
-
- hosts = {
- "104.40.3.1" = [ "opn" ];
- "104.40.3.3" = [ "pve" ];
- "104.40.3.24" = [ "cloud" ];
- "104.40.3.34" = [ "proxy" ];
- "104.40.3.44" = [ "komodo" ];
- "104.40.3.54" = [ "nix" ];
- "104.40.4.1" = [ "opn" ];
- "104.40.4.7" = [ "rune" ];
- };
 };
 }
diff --git a/hosts/nixos/proxy/config/caddy.nix b/hosts/nixos/proxy/config/caddy.nix
index 85fe253..95ef0fe 100644
--- a/hosts/nixos/proxy/config/caddy.nix
+++ b/hosts/nixos/proxy/config/caddy.nix
@@ -8,6 +8,58 @@
 reverse_proxy localhost:14333
 '';
 };
+
+ ## openWRT ##
+
+ "wrt.ryot.foo" = {
+ useACMEHost = "ryot.foo";
+ extraConfig = ''
+ reverse_proxy http://104.40.3.1 {
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ header_up X-Forwarded-For {remote}
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Forwarded-Port {server_port}
+ }
+ '';
+ };
+
+ ## PROXMOX NODES ##
+
+ "ochre.ryot.foo" = {
+ useACMEHost = "ryot.foo";
+ extraConfig = ''
+ reverse_proxy https://104.40.3.2:8006 {
+ transport http {
+ tls_insecure_skip_verify
+ # optional: tls_server_name 104.40.3.2
+ }
+ # ensure Proxmox sees the right Host
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ header_up X-Forwarded-For {remote}
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Forwarded-Port {server_port}
+ }
+ '';
+ };
+
+ "pve.ryot.foo" = {
+ useACMEHost = "ryot.foo";
+ extraConfig = ''
+ reverse_proxy https://104.40.3.3:8006 {
+ transport http {
+ tls_insecure_skip_verify
+ # optional: tls_server_name 104.40.3.3
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ header_up X-Forwarded-For {remote}
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Forwarded-Port {server_port}
+ }
+ '';
+ };
 };
 };
 }
diff --git a/hosts/nixos/proxy/config/dnsmasq.nix b/hosts/nixos/proxy/config/dnsmasq.nix
new file mode 100644
index 0000000..ea20758
--- /dev/null
+++ b/hosts/nixos/proxy/config/dnsmasq.nix
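Review bot: `header_up X-Real-IP {remote}` in all three new vhosts forwards the client address with its source port appended, because Caddy's `{remote}` placeholder is the full `ip:port`; the IP-only form is `{remote_host}`. The explicit `header_up X-Forwarded-For {remote}` carries the same port problem and also overwrites the appended-chain value that `reverse_proxy` sets on its own, as it already does for `X-Forwarded-Proto` and `Host`, so those lines can be dropped and the remaining one changed to `header_up X-Real-IP {remote_host}`. The two Proxmox vhosts disable backend certificate checking with `tls_insecure_skip_verify`, which leaves the proxy-to-node TLS hop unauthenticated on the path between the proxy and 104.40.3.2/104.40.3.3; pinning the node's cluster CA with `tls_trusted_ca_certs <ca-bundle-path>` together with the `tls_server_name` already hinted at keeps that hop verified without needing a public certificate. If skipping verification is the accepted trade-off, state that in the comment above it instead of leaving the `# optional:` hint.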
@@ -0,0 +1,65 @@
+{
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ # Listen on eth0 for external clients and lo for local host
+ interface = [
+ "eth0"
+ "lo"
+ ];
+
+ no-hosts = true;
+ no-resolv = true;
+
+ server = [
+ "104.40.3.1" # Query openWRT first for non-ryot.foo domains
+ "1.1.1.1" # Fallback public DNS
+ "1.0.0.1" # Fallback public DNS
+ "8.8.8.8" # Fallback public DNS
+ ];
+
+ address = [
+
+ ## CLOUD ##
+ "/drive.ryot.foo/104.40.3.24"
+
+ ## PROXY ##
+ "/cloudflared.ryot.foo/104.40.3.34"
+ "/ochre.ryot.foo/104.40.3.34"
+ "/pve.ryot.foo/104.40.3.34"
+ "/wrt.ryot.foo/104.40.3.34"
+
+ ## KOMO ##
+ "/auth.ryot.foo/104.40.3.44"
+ "/frp.ryot.foo/104.40.3.44"
+ "/git.ryot.foo/104.40.3.44"
+ "/grafana.ryot.foo/104.40.3.44"
+ "/home.ryot.foo/104.40.3.44"
+ "/influx.ryot.foo/104.40.3.44"
+ "/komodo.ryot.foo/104.40.3.44"
+ "/mail.ryot.foo/104.40.3.44"
+ "/map.ryot.foo/104.40.3.44"
+ "/outline.ryot.foo/104.40.3.44"
+ "/plane.ryot.foo/104.40.3.44"
+
+ ## SOCK ##
+ "/upsnap.ryot.foo/104.40.3.54"
+ "/sock.ryot.foo/104.40.3.54"
+
+ ];
+
+ cache-size = 1000;
+
+ # Log queries for debugging (optional)'
+ # log-queries = true;
+ };
+ };
+
+ networking = {
+ # Open DNS port in firewall
+ firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+ };
+}
diff --git a/hosts/nixos/proxy/default.nix b/hosts/nixos/proxy/default.nix
index 0008e6d..f3c031a 100644
--- a/hosts/nixos/proxy/default.nix
+++ b/hosts/nixos/proxy/default.nix
@@ -52,6 +52,7 @@ in
 networking = {
 enableIPv6 = false;
 firewall.allowedTCPPorts = firewall.allowedTCPPorts;
+ firewall.allowedUDPPorts = firewall.allowedUDPPorts;
 };
 
 ## System-wide packages ##
@@ -67,5 +68,5 @@ in
 };
 
 # https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
- system.stateVersion = "24.11";
+ system.stateVersion = "25.05";
 }
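Review bot: The comment on the `server` list says 104.40.3.1 is queried first for non-ryot.foo names, but dnsmasq does not honour list order unless `strict-order` is set; by default it races the upstreams and sticks with whichever answered fastest, so names only the router knows may intermittently be sent to 1.1.1.1 or 8.8.8.8 and fail. Add `strict-order = true;` next to `no-resolv = true;` if that ordering is intended, or reword the comment to say the router is merely one of several upstreams. Separately, the `firewall` block at the end opens 53/TCP and 53/UDP to every source while the service forwards any query upstream, which makes the host an open resolver the moment eth0 faces an untrusted network; `local-service = true;` (answer only hosts on directly attached subnets) or scoping the ports via `networking.firewall.interfaces.eth0` would bound that, and the `# Open DNS port in firewall` comment should record which networks are expected to reach it.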