From 55d619a4ce44b45389ed103eeaab0c2e65db218c Mon Sep 17 00:00:00 2001 From: wo2wz <189177184+wo2wz@users.noreply.github.com> Date: Sat, 4 Oct 2025 15:30:29 -0400 Subject: [PATCH] caddy: federate caddy site configs --- modules/nixos/homeserver/authentik.nix | 9 +++ modules/nixos/homeserver/caddy.nix | 89 ++---------------------- modules/nixos/homeserver/nextcloud.nix | 73 +++++++++++++++---- modules/nixos/homeserver/uptime-kuma.nix | 9 +++ modules/nixos/homeserver/vaultwarden.nix | 13 ++++ modules/nixos/homeserver/zipline.nix | 9 +++ 6 files changed, 105 insertions(+), 97 deletions(-) diff --git a/modules/nixos/homeserver/authentik.nix b/modules/nixos/homeserver/authentik.nix index 5ac7606..762c192 100755 --- a/modules/nixos/homeserver/authentik.nix +++ b/modules/nixos/homeserver/authentik.nix @@ -9,6 +9,15 @@ sops.secrets."authentik/secrets.env".restartUnits = [ "authentik.service" ]; + services.caddy.virtualHosts."authentik.wo2wz.fyi".extraConfig = + assert config.services.caddy.enable; + '' + import default-settings + import cloudflare-tls + + reverse_proxy localhost:9000 + ''; + services.authentik = { enable = true; environmentFile = config.sops.secrets."authentik/secrets.env".path; diff --git a/modules/nixos/homeserver/caddy.nix b/modules/nixos/homeserver/caddy.nix index 73b9554..5f564bc 100755 --- a/modules/nixos/homeserver/caddy.nix +++ b/modules/nixos/homeserver/caddy.nix @@ -17,6 +17,8 @@ }; services = { + tailscale.permitCertUid = "caddy"; + caddy = { enable = true; package = pkgs.caddy.withPlugins { 
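Review bot: The added `assert config.services.caddy.enable;` only produces a bare "assertion failed at file:line" when it fires, and it does not guard what the snippet really depends on: `import default-settings` and `import cloudflare-tls` name snippets that, going by the caddy.nix hunks below, are defined in caddy.nix, so if that module is ever left out the assert still passes and Caddy rejects the adapted config at load time instead. The NixOS convention is a named assertion with a message, e.g. `assertions = [ { assertion = config.services.caddy.enable; message = "authentik.nix: the authentik site needs services.caddy and the default-settings/cloudflare-tls snippets from caddy.nix"; } ];`, with the virtualHost attribute set unconditionally. The same pattern is repeated in every other module this patch touches, so whichever form is chosen should be applied to all of them.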
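Review bot: `tailscale.permitCertUid = "caddy";` is moved to the top of `services`, but the why-comment that sat next to it on the removed line in the following hunk (`# allow caddy to manage tailscale ssl certs`) is not carried over, so the reason for granting the caddy user access to the Tailscale certificate API is no longer stated where the setting lives. Suggest `tailscale.permitCertUid = "caddy"; # let the caddy user fetch Tailscale-issued TLS certs for the *.ts.net site`. The enclosing `services = { … }` block continues outside the hunk.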
@@ -63,89 +65,12 @@ } ''; - virtualHosts = { - "vaultwarden.taild5f7e6.ts.net".extraConfig = '' - import default-settings + virtualHosts."wo2wz.fyi".extraConfig = '' + import default-settings + import cloudflare-tls - bind tailscale/vaultwarden - - # block connections to admin login - respond /admin/* 403 - - reverse_proxy localhost:8000 - ''; - - "wo2wz.fyi".extraConfig = '' - import default-settings - import cloudflare-tls - - respond "not much to see here" - ''; - - "authentik.wo2wz.fyi".extraConfig = '' - import default-settings - import cloudflare-tls - - reverse_proxy localhost:9000 - ''; - - "nextcloud.wo2wz.fyi".extraConfig = '' - import default-settings - - root ${config.services.nginx.virtualHosts."localhost:8002".root} - file_server - - php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} - - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/webfinger /index.php/webfinger 301 - redir /.well-known/nodeinfo /index.php/nodeinfo 301 - redir /.well-known/* /index.php{uri} 301 - redir /remote/* /remote.php{uri} 301 - - @forbidden { - path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* - path /.* /autotest* /occ* /issue* /indie* /db_* /console* - not path /.well-known/* - } - - respond @forbidden 403 - - # make .mjs javascript work for the functionality of some buttons/apps - @mjs path *.mjs - header @mjs Content-Type application/javascript - ''; - - "onlyoffice.wo2wz.fyi".extraConfig = '' - import default-settings - import cloudflare-tls - - @blockinternal { - path /internal/* - path /info/* - not remote_ip 127.0.0.1 - } - respond @blockinternal 403 - - reverse_proxy localhost:8003 - ''; - - "uptime-kuma.wo2wz.fyi".extraConfig = '' - import default-settings - import cloudflare-tls - - reverse_proxy localhost:8005 - ''; - - "zipline.wo2wz.fyi".extraConfig = '' - import default-settings - import cloudflare-tls - - reverse_proxy localhost:8001 - ''; - }; + respond 
"not much to see here" + ''; }; - tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs }; } diff --git a/modules/nixos/homeserver/nextcloud.nix b/modules/nixos/homeserver/nextcloud.nix index 064af03..9804972 100755 --- a/modules/nixos/homeserver/nextcloud.nix +++ b/modules/nixos/homeserver/nextcloud.nix @@ -1,14 +1,37 @@ { config, pkgs, ... }: { - sops.secrets = { - "nextcloud/adminpass" = {}; + sops.secrets."nextcloud/adminpass" = {}; - "onlyoffice/jwt" = { - owner = "onlyoffice"; - group = "onlyoffice"; - }; - }; + services.caddy.virtualHosts."nextcloud.wo2wz.fyi".extraConfig = + assert config.services.caddy.enable; + '' + import default-settings + + root ${config.services.nginx.virtualHosts."localhost:8002".root} + file_server + + php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/webfinger /index.php/webfinger 301 + redir /.well-known/nodeinfo /index.php/nodeinfo 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + + respond @forbidden 403 + + # make .mjs javascript work for the functionality of some buttons/apps + @mjs path *.mjs + header @mjs Content-Type application/javascript + ''; services.nginx.enable = false; # disable to use caddy instead users.users.nginx = { 
@@ -43,14 +66,34 @@ extraApps = { inherit (config.services.nextcloud.package.packages.apps) calendar deck onlyoffice tasks music twofactor_webauthn user_oidc; }; - }; - - # onlyoffice document server for rich document editing - onlyoffice = { - enable = true; - hostname = "localhost"; - port = 8003; - jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path; }; }; + + sops.secrets."onlyoffice/jwt" = { + owner = "onlyoffice"; + group = "onlyoffice"; + }; + + services.caddy.virtualHosts."onlyoffice.wo2wz.fyi".extraConfig = + assert config.services.caddy.enable; + '' + import default-settings + import cloudflare-tls + + @blockinternal { + path /internal/* + path /info/* + not remote_ip 127.0.0.1 + } + respond @blockinternal 403 + + reverse_proxy localhost:8003 + ''; + + services.onlyoffice = { + enable = true; + hostname = "localhost"; + port = 8003; + jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path; + }; } diff --git a/modules/nixos/homeserver/uptime-kuma.nix b/modules/nixos/homeserver/uptime-kuma.nix index b82c549..02c5189 100755 --- a/modules/nixos/homeserver/uptime-kuma.nix +++ b/modules/nixos/homeserver/uptime-kuma.nix @@ -1,6 +1,15 @@ { config, ... }: { + services.caddy.virtualHosts."uptime-kuma.wo2wz.fyi".extraConfig = + assert config.services.caddy.enable; + '' + import default-settings + import cloudflare-tls + + reverse_proxy localhost:8005 + ''; + services.uptime-kuma = { enable = true; settings.PORT = "8005"; diff --git a/modules/nixos/homeserver/vaultwarden.nix b/modules/nixos/homeserver/vaultwarden.nix index e011e1d..8f3dc9a 100755 --- a/modules/nixos/homeserver/vaultwarden.nix +++ b/modules/nixos/homeserver/vaultwarden.nix 
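Review bot: `reverse_proxy localhost:8003` in the onlyoffice site block repeats the port that is declared a few lines lower as `services.onlyoffice.port = 8003`, so the two can drift apart with no evaluation-time error; since this file already interpolates `config` into the nextcloud snippet, `reverse_proxy localhost:${toString config.services.onlyoffice.port}` keeps them in lockstep. Separately, `not remote_ip 127.0.0.1` in `@blockinternal` exempts only IPv4 loopback from the 403 on `/internal/*` and `/info/*`; if Nextcloud ever reaches the document server over IPv6 loopback that traffic would be blocked, so `not remote_ip 127.0.0.1 ::1` may be the intended set — worth confirming against how Nextcloud is pointed at OnlyOffice.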
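Review bot: `reverse_proxy localhost:8005` duplicates the port set right below it as `settings.PORT = "8005"`, so editing either one leaves Caddy proxying to a dead port without any evaluation-time complaint. `settings.PORT` is already a string, so `reverse_proxy localhost:${config.services.uptime-kuma.settings.PORT}` ties the two together without a `toString`.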
@@ -3,6 +3,19 @@ { sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ]; + services.caddy.virtualHosts."vaultwarden.taild5f7e6.net".extraConfig = + assert config.services.caddy.enable; + '' + import default-settings + + bind tailscale/vaultwarden + + # block connections to admin login + respond /admin/* 403 + + reverse_proxy localhost:8000 + ''; + services.vaultwarden = { enable = true; backupDir = "/var/backups/vaultwarden"; diff --git a/modules/nixos/homeserver/zipline.nix b/modules/nixos/homeserver/zipline.nix index b7d704e..823781f 100755 --- a/modules/nixos/homeserver/zipline.nix +++ b/modules/nixos/homeserver/zipline.nix @@ -3,6 +3,15 @@ { sops.secrets."zipline/secrets.env".restartUnits = [ "zipline.service" ]; + services.caddy.virtualHosts."zipline.wo2wz.fyi".extraConfig = + assert config.services.caddy.enable; + '' + import default-settings + import cloudflare-tls + + reverse_proxy localhost:8001 + ''; + users.users.zipline = { group = "zipline"; isSystemUser = true;
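Review bot: The site address changed during the move: caddy.nix previously served the vault as `"vaultwarden.taild5f7e6.ts.net"` (see the removed line in that file's second hunk), while the new block here is keyed `"vaultwarden.taild5f7e6.net"` — the `.ts` label is missing. Tailscale only issues certificates for its own `*.ts.net` MagicDNS names, which is what `tailscale.permitCertUid = "caddy"` exists for, so with this name Caddy cannot obtain a Tailscale cert for the `bind tailscale/vaultwarden` listener; what it does instead is not visible from here (an ACME attempt for a domain this host does not control, or an internally signed cert), but either way the vault is no longer served under the name clients were using. Unless the rename is intentional, the line should read `services.caddy.virtualHosts."vaultwarden.taild5f7e6.ts.net".extraConfig =`. The `respond /admin/* 403` guard and the rest of the snippet are carried over unchanged.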