caddy: federate caddy site configs

2025-10-04 15:30:29 -04:00 · 2025-10-04 15:30:29 -04:00 · 55d619a4ce
commit 55d619a4ce
parent 943e9d4cb7
6 changed files with 105 additions and 97 deletions
--- a/modules/nixos/homeserver/nextcloud.nix
+++ b/modules/nixos/homeserver/nextcloud.nix
@ -1,14 +1,37 @@
 { config, pkgs, ... }:

 {  
-  sops.secrets = {
-    "nextcloud/adminpass" = {};
+  sops.secrets."nextcloud/adminpass" = {};

-    "onlyoffice/jwt" = {
-      owner = "onlyoffice";
-      group = "onlyoffice";
-    };
-  };
+  services.caddy.virtualHosts."nextcloud.wo2wz.fyi".extraConfig =
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+
+      root ${config.services.nginx.virtualHosts."localhost:8002".root}
+      file_server
+
+      php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
+
+      redir /.well-known/carddav /remote.php/dav 301
+      redir /.well-known/caldav /remote.php/dav 301
+      redir /.well-known/webfinger /index.php/webfinger 301
+      redir /.well-known/nodeinfo /index.php/nodeinfo 301
+      redir /.well-known/* /index.php{uri} 301
+      redir /remote/* /remote.php{uri} 301
+
+      @forbidden {
+        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+        not path /.well-known/*
+      }
+
+      respond @forbidden 403
+
+      # make .mjs javascript work for the functionality of some buttons/apps
+      @mjs path *.mjs
+      header @mjs Content-Type application/javascript
+    '';

  services.nginx.enable = false; # disable to use caddy instead
  users.users.nginx = {
@ -43,14 +66,34 @@
      extraApps = {
        inherit (config.services.nextcloud.package.packages.apps) calendar deck onlyoffice tasks music twofactor_webauthn user_oidc;
      };
-    };    
-
-    # onlyoffice document server for rich document editing
-    onlyoffice = {
-      enable = true;
-      hostname = "localhost";
-      port = 8003;
-      jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path;
    };
  };
+
+  sops.secrets."onlyoffice/jwt" = {
+    owner = "onlyoffice";
+    group = "onlyoffice";
+  };
+
+  services.caddy.virtualHosts."onlyoffice.wo2wz.fyi".extraConfig =
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+      import cloudflare-tls
+
+      @blockinternal {
+        path /internal/*
+        path /info/*
+        not remote_ip 127.0.0.1
+      }
+      respond @blockinternal 403
+
+      reverse_proxy localhost:8003
+    '';
+
+  services.onlyoffice = {
+    enable = true;
+    hostname = "localhost";
+    port = 8003;
+    jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path;
+  };
 }