
[prefect.caddy] Move from standalone caddyfile to evaluated with Nix

pyrox.dev 5cfe24c2 e197f1af

+166 -182
-178
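--- a/systems/x86_64-linux/prefect/services/Caddyfile
+++ /dev/null
@@ -1,178 +0,0 @@
-{
-	email pyrox@pyrox.dev
-}
-thehedgehog.me {
-	redir https://pyrox.dev{uri} permanent
-}
-pyrox.dev {
-	route {
-		header /.well-known/matrix/* Access-Control-Allow-Origin *
-		reverse_proxy /.well-known/matrix/* http://100.123.15.72:6922
-		redir /.well-known/carddav https://cloud.pyrox.dev/.well-known/carddav temporary
-		redir /.well-known/caldav https://cloud.pyrox.dev/.well-known/caldav temporary
-		header /.well-known/openpgpkey/* Access-Control-Allow-Origin *
-		header /.well-known/openpgpkey/hu/* application/octet-stream
-		respond /.well-known/openpgpkey/*/policy 200
-		header /.well-known/fursona Content-Type application/json
-		header {
-			X-Content-Type-Options nosniff
-			Permissions-Policy accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), unload=(),
-			+Permissions-Policy display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(),
-			+Permissions-Policy gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(),
-			+Permissions-Policy payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(),
-			+Permissions-Policy sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(),
-			+Permissions-Policy clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=()
-			X-Frame-Options SAMEORIGIN
-			Referrer-Policy origin
-			-Server
-		}
-		file_server {
-			root /var/www/blog
-			hide .git
-			precompressed br gzip
-		}
-	}
-}
-
-www.pyrox.dev {
-	redir https://pyrox.dev{uri} permanent
-}
-
-# Authentik - Self-hosted OIDC and LDAP server
-auth.pyrox.dev:443 {
-	reverse_proxy http://100.123.15.72:6908
-}
-auth.pyrox.dev:80 {
-	reverse_proxy http://100.123.15.72:6908
-}
-http://auth.pyrox.dev:389 {
-	reverse_proxy http://100.123.15.72:389
-}
-auth.pyrox.dev:636 {
-	reverse_proxy http://100.123.15.72:636
-}
-
-blog.pyrox.dev {
-	redir https://pyrox.dev{uri} permanent
-}
-
-# Vaultwarden - Self-Hosted Bitwarden Server
-bw.pyrox.dev {
-	reverse_proxy 100.123.15.72:6912 {
-		header_up X-Real-IP {remote_host}
-	}
-}
-
-cloud.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6926
-}
-
-# Deemix - download music from Deezer
-deemix.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6907
-}
-
-# Gitea(Forgejo) - Self-hosted Git forge
-git.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6904
-}
-
-library.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6921
-}
-
-mail.pyrox.dev {
-}
-
-# Cinny: Elegant matrix client
-# Also has Dendrite for matrix server
-matrix.pyrox.dev {
-	@index {
-		not path /index.html
-		not path /public/*
-		not path /assets/*
-		not path /config.json
-		not path /manifest.json
-		not path /pdf.worker.min.js
-		not path /olm.wasm
-		path /*
-	}
-	handle /_matrix/* {
-		reverse_proxy http://100.123.15.72:6922
-	}
-	handle {
-		root * /var/www/cinny/dist/
-		redir /*/olm.wasm /olm.wasm
-		redir @index /index.html
-		file_server
-	}
-}
-
-# Jellyfin - Self-hosted media server
-media.pyrox.dev {
-	@blocked not remote_ip 100.64.0.0/10 private_ranges
-	reverse_proxy http://100.123.15.72:8096
-	handle /metrics* {
-		respond @blocked "Access Denied" 403
-	}
-}
-
-mta-sts.pyrox.dev {
-	header Content-Type text/plain; charset=utf-8
-	respond /.well-known/mta-sts.txt <<END
-	version: STSv1
-	mode: enforce
-	mx: mail.pyrox.dev
-	mx:mail2.pyrox.dev
-	max_age: 2419200
-	END 200
-}
-
-office.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6927
-}
-
-# Miniflux
-rss.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6903
-}
-
-# Iceshrimp
-soc.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6923
-}
-
-# Grafana - stats dashboard
-stats.pyrox.dev {
-	reverse_proxy http://100.123.15.72:6914
-}
-
-# Yourmother.website - The best rick-roll URL, period
-yourmother.website {
-	header Content-Type text/html
-	respond 200 {
-		body `<!DOCTYPE html>
-<html>
-<head>
-<meta http-equiv="Refresh" content="0; url=https://youtube.com/watch?v=oHg5SJYRHA0" />
-</head>
-</html>`
-	}
-}
-
-plan.cs2a.club {
-	reverse_proxy http://100.123.15.72:6929
-}
-
-# OpenPGP Key
-openpgpkey.thehedgehog.me, openpgpkey.pyrox.dev {
-	respond /.well-known/openpgpkey/{labels.1}.{labels.0}/policy 200
-	header Access-Control-Allow-Origin *
-	header /.well-known/openpgpkey/{labels.1}.{labels.0}/hu/* Content-Type application/octet-stream
-	file_server {
-		root /var/www/blog/
-	}
-}
-:6899 {
-	metrics /metrics
-}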
+166 -4
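--- a/systems/x86_64-linux/prefect/services/caddy.nix
+++ b/systems/x86_64-linux/prefect/services/caddy.nix
@@ -1,5 +1,26 @@
-{ pkgs, ... }:
-{
+{ pkgs, lib, ... }: let
+  pns = lib.py.data.services;
+  marvin = lib.py.data.hosts.marvin.ts.ip4;
+  reverseProxyToMarvin = port: {
+    extraConfig = ''
+      reverse_proxy http://${marvin}:${toString port}
+    '';
+  };
+  # Hosts that are just a reverse proxy declaration and nothing else
+  simpleHosts = [
+    "nextcloud"
+    "nextcloud-office"
+    "git"
+    "miniflux"
+    "iceshrimp"
+    "grafana"
+    "deemix"
+    "planka"
+  ];
+
+  simpleHostAttrs = lib.mapAttrs' (name: value: lib.nameValuePair "${pns.${name}.extUrl}" (reverseProxyToMarvin (toString pns.${value}.port)))
+    (lib.genAttrs simpleHosts (name: name));
+in {
   services.caddy = {
     enable = true;
     package = pkgs.caddy.withPlugins {
@@ -9,8 +30,149 @@
       ];
       hash = "sha256-nfBjtwqn7UOGRr5Aqy0y1u9AYhWU9TLjbdhZ9uAwtHY=";
     };
-    configFile = ./Caddyfile;
-    adapter = "caddyfile";
+    email = "pyrox@pyrox.dev";
+    virtualHosts = {
+      # Just get TLS certs for mailserver
+      "mail.pyrox.dev" = {};
+      # Redirect old domains -> pyrox.dev
+      "blog.pyrox.dev" = {
+        serverAliases = ["www.pyrox.dev" "thehedgehog.me"];
+        extraConfig = ''
+          redir https://pyrox.dev{uri} permanent
+        '';
+      };
+      "pyrox.dev" = {
+        extraConfig = ''
+          route {
+            header /.well-known/matrix/* Access-Control-Allow-Origin *
+            reverse_proxy /.well-known/matrix/* http://100.123.15.72:6922
+            redir /.well-known/carddav https://cloud.pyrox.dev/.well-known/carddav temporary
+            redir /.well-known/caldav https://cloud.pyrox.dev/.well-known/caldav temporary
+            header /.well-known/openpgpkey/* Access-Control-Allow-Origin *
+            header /.well-known/openpgpkey/hu/* application/octet-stream
+            respond /.well-known/openpgpkey/*/policy 200
+            header /.well-known/fursona Content-Type application/json
+            header {
+              X-Content-Type-Options nosniff
+              Permissions-Policy accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), unload=(),
+              +Permissions-Policy display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(),
+              +Permissions-Policy gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(),
+              +Permissions-Policy payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(),
+              +Permissions-Policy sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(),
+              +Permissions-Policy clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=()
+              X-Frame-Options SAMEORIGIN
+              Referrer-Policy origin
+              -Server
+            }
+            file_server {
+              root /var/www/blog
+              hide .git
+              precompressed br gzip
+            }
+          }
+        '';
+      };
+
+      # Authentik
+      "${pns.authentik.extUrl}:443" = reverseProxyToMarvin pns.authentik.port;
+      "${pns.authentik.extUrl}:80" = reverseProxyToMarvin pns.authentik.port;
+      "http://${pns.authentik.extUrl}:389" = reverseProxyToMarvin 389;
+      "${pns.authentik.extUrl}:636" = reverseProxyToMarvin 636;
+
+      # Vaultwarden
+      ${pns.vaultwarden.extUrl} = {
+        extraConfig = ''
+          header / {
+            Strict-Transport-Security "max-age=31536000;"
+            X-XSS-Protection "0"
+            X-Frame-Options "DENY"
+            X-Robots-Tag "noindex, nofollow"
+            X-Content-Type-Options "nosniff"
+            -Server
+            -X-Powered-By
+            -Last-Modified
+          }
+          reverse_proxy ${marvin}:${toString pns.vaultwarden.port} {
+            header_up X-Real-IP {remote_host}
+          }
+        '';
+      };
+
+      # Cinny + Conduit
+      ${pns.matrix-server.extUrl} = {
+        extraConfig = ''
+          handle /_matrix/* {
+            reverse_proxy http://100.123.15.72:6922
+          }
+          @nativeRouter not file {path} /
+          handle {
+            rewrite @nativeRouter {http.matchers.file.relative}
+            root * /var/www/cinny/dist
+            file_server
+          }
+        '';
+      };
+
+      # Jellyfin
+      ${pns.jellyfin.extUrl} = {
+        extraConfig = ''
+          @blocked not remote_ip 100.64.0.0/10 private_ranges
+          reverse_proxy http://${marvin}:${toString pns.jellyfin.port}
+          handle /metrics* {
+            respond @blocked "Access Denied" 403
+          }
+        '';
+      };
+
+      # MTA-STS Setup for mailserver
+      "mta-sts.pyrox.dev" = {
+        extraConfig = ''
+          header Content-Type text/plain; charset=utf-8
+          respond /.well-known/mta-sts.txt <<END
+          version: STSv1
+          mode: enforce
+          mx: mail.pyrox.dev
+          mx:mail2.pyrox.dev
+          max_age: 2419200
+          END 200
+        '';
+      };
+
+      # Yourmother.website
+      "yourmother.website" = {
+        extraConfig = ''
+          header Content-Type text/html
+          respond 200 {
+            body `<!DOCTYPE html>
+            <html>
+            <head>
+            <meta http-equiv="Refresh" content="0; url=https://youtube.com/watch?v=oHg5SJYRHA0" />
+            </head>
+            </html>`
+          }
+        '';
+      };
+
+      # OpenPGP WKD stuff
+      "openpgpkey.pyrox.dev" = {
+        serverAliases = [ "openpgpkey.thehedgehog.me" ];
+        extraConfig = ''
+          respond /.well-known/openpgpkey/{labels.1}.{labels.0}/policy 200
+          header Access-Control-Allow-Origin *
+          header /.well-known/openpgpkey/{labels.1}.{labels.0}/hu/* Content-Type application/octet-stream
+          file_server {
+            root /var/www/blog/
+          }
+        '';
+      };
+
+      # Metrics
+      ":6899" = {
+        extraConfig = ''
+          metrics /metrics
+        '';
+      };
+    } // simpleHostAttrs;
   };
   systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
   systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";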
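Review bot: The `"${pns.authentik.extUrl}:80"` vhost (new line 78) proxies the identity provider over plaintext HTTP instead of redirecting, and an explicit `:80` site address also disables Caddy's automatic HTTP→HTTPS redirect for that host, so a client that lands on http://auth.… will send its Authentik credentials and session cookies in the clear; I'd replace it with `"${pns.authentik.extUrl}:80" = { extraConfig = "redir https://${pns.authentik.extUrl}{uri} permanent"; };`. The `:389` and `:636` entries on lines 79–80 reuse the same `reverse_proxy` HTTP handler (`http://…:389` additionally with TLS off), which cannot carry LDAP unless one of the `withPlugins` modules cut off above this hunk adds a layer-4 listener, so they are worth verifying rather than being carried over from the old Caddyfile as-is. In the `pyrox.dev` route, `header /.well-known/openpgpkey/hu/* application/octet-stream` (new line 52) is missing the field name — compare `header … /hu/* Content-Type application/octet-stream` in the openpgpkey vhost at line 162. The pyrox.dev route (line 48) and the matrix block (line 105) still hard-code `http://100.123.15.72:6922` while every other proxy target now derives from `${marvin}`; switching them to `http://${marvin}:…` (presumably `pns.matrix-server.port`) keeps a host move from silently breaking just those two routes. The `services.caddy` attribute set this hunk edits begins in the first hunk above.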