make caddy a L4 proxy to terminate TLS for HiveMQ
This commit is contained in:
@@ -21,13 +21,16 @@
|
||||
# GEBOS_POSTGRES_PASSWORD sourced from /run/secrets/gebos-env (sops-nix).
|
||||
};
|
||||
|
||||
# Caddy fronts TLS for `ingest.gebos.online` and forwards to HiveMQ.
|
||||
# Caddy (layer4) terminates TLS on :8883 and forwards cleartext MQTT to
|
||||
# HiveMQ's loopback listener on :1883. tcpProxy is the upstream backend.
|
||||
services.gebos.caddy = {
|
||||
enable = true;
|
||||
sites = {
|
||||
"ingest.gebos.online" = { tcpProxy = "127.0.0.1:8883"; };
|
||||
"ingest.gebos.online" = { tcpProxy = "127.0.0.1:1883"; };
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 8883 ];
|
||||
# 8883: MQTTS for senders. 80/443: ACME challenge so Caddy can obtain/renew
|
||||
# the ingest.gebos.online cert that the layer4 TLS handler serves.
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 8883 ];
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user