caddy: federate caddy site configs

2025-10-04 15:30:29 -04:00 · 2025-10-04 15:30:29 -04:00 · 55d619a4ce
commit 55d619a4ce
parent 943e9d4cb7
6 changed files with 105 additions and 97 deletions
--- a/modules/nixos/homeserver/authentik.nix
+++ b/modules/nixos/homeserver/authentik.nix
@ -9,6 +9,15 @@
  sops.secrets."authentik/secrets.env".restartUnits = [ "authentik.service" ];
  services.caddy.virtualHosts."authentik.wo2wz.fyi".extraConfig = 
    assert config.services.caddy.enable;
    ''
      import default-settings
      import cloudflare-tls
      reverse_proxy localhost:9000
    '';
  services.authentik = {
    enable = true;
    environmentFile = config.sops.secrets."authentik/secrets.env".path;
--- a/modules/nixos/homeserver/caddy.nix
+++ b/modules/nixos/homeserver/caddy.nix
@ -17,6 +17,8 @@
  };
  services = {
    tailscale.permitCertUid = "caddy";
    caddy = {
      enable = true;
      package = pkgs.caddy.withPlugins {
@ -63,89 +65,12 @@
        }
      '';
-      virtualHosts = {
+      virtualHosts."wo2wz.fyi".extraConfig = ''
        "vaultwarden.taild5f7e6.ts.net".extraConfig = ''
          import default-settings
          bind tailscale/vaultwarden
          # block connections to admin login
          respond /admin/* 403
          reverse_proxy localhost:8000
        '';
        "wo2wz.fyi".extraConfig = ''
        import default-settings
        import cloudflare-tls
        respond "not much to see here"
      '';
        "authentik.wo2wz.fyi".extraConfig = ''
          import default-settings
          import cloudflare-tls
          reverse_proxy localhost:9000
        '';
        "nextcloud.wo2wz.fyi".extraConfig = ''
          import default-settings
          root ${config.services.nginx.virtualHosts."localhost:8002".root}
          file_server
          php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301
          redir /.well-known/webfinger /index.php/webfinger 301
          redir /.well-known/nodeinfo /index.php/nodeinfo 301
          redir /.well-known/* /index.php{uri} 301
          redir /remote/* /remote.php{uri} 301
          @forbidden {
            path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
            path /.* /autotest* /occ* /issue* /indie* /db_* /console*
            not path /.well-known/*
          }
          respond @forbidden 403
          # make .mjs javascript work for the functionality of some buttons/apps
          @mjs path *.mjs
          header @mjs Content-Type application/javascript
        '';
        "onlyoffice.wo2wz.fyi".extraConfig = ''
          import default-settings
          import cloudflare-tls
          @blockinternal {
            path /internal/*
            path /info/*
            not remote_ip 127.0.0.1
          }
          respond @blockinternal 403
          reverse_proxy localhost:8003 
        '';
        "uptime-kuma.wo2wz.fyi".extraConfig = ''
          import default-settings
          import cloudflare-tls
          reverse_proxy localhost:8005
        '';
        "zipline.wo2wz.fyi".extraConfig = ''
          import default-settings
          import cloudflare-tls
          reverse_proxy localhost:8001
        '';
    };
  };
    tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
  };
 }
--- a/modules/nixos/homeserver/nextcloud.nix
+++ b/modules/nixos/homeserver/nextcloud.nix
@ -1,14 +1,37 @@
 { config, pkgs, ... }:
 {  
-  sops.secrets = {
+  sops.secrets."nextcloud/adminpass" = {};
    "nextcloud/adminpass" = {};
-    "onlyoffice/jwt" = {
+  services.caddy.virtualHosts."nextcloud.wo2wz.fyi".extraConfig =
-      owner = "onlyoffice";
+    assert config.services.caddy.enable;
-      group = "onlyoffice";
+    ''
-    };
+      import default-settings
-  };
+
      root ${config.services.nginx.virtualHosts."localhost:8002".root}
      file_server
      php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
      redir /.well-known/carddav /remote.php/dav 301
      redir /.well-known/caldav /remote.php/dav 301
      redir /.well-known/webfinger /index.php/webfinger 301
      redir /.well-known/nodeinfo /index.php/nodeinfo 301
      redir /.well-known/* /index.php{uri} 301
      redir /remote/* /remote.php{uri} 301
      @forbidden {
        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
        not path /.well-known/*
      }
      respond @forbidden 403
      # make .mjs javascript work for the functionality of some buttons/apps
      @mjs path *.mjs
      header @mjs Content-Type application/javascript
    '';
  services.nginx.enable = false; # disable to use caddy instead
  users.users.nginx = {
@ -44,13 +67,33 @@
        inherit (config.services.nextcloud.package.packages.apps) calendar deck onlyoffice tasks music twofactor_webauthn user_oidc;
      };
    };
  };
-    # onlyoffice document server for rich document editing
+  sops.secrets."onlyoffice/jwt" = {
-    onlyoffice = {
+    owner = "onlyoffice";
    group = "onlyoffice";
  };
  services.caddy.virtualHosts."onlyoffice.wo2wz.fyi".extraConfig =
    assert config.services.caddy.enable;
    ''
      import default-settings
      import cloudflare-tls
      @blockinternal {
        path /internal/*
        path /info/*
        not remote_ip 127.0.0.1
      }
      respond @blockinternal 403
      reverse_proxy localhost:8003
    '';
  services.onlyoffice = {
    enable = true;
    hostname = "localhost";
    port = 8003;
    jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path;
  };
  };
 }
--- a/modules/nixos/homeserver/uptime-kuma.nix
+++ b/modules/nixos/homeserver/uptime-kuma.nix
@ -1,6 +1,15 @@
 { config, ... }:
 {
  services.caddy.virtualHosts."uptime-kuma.wo2wz.fyi".extraConfig =
    assert config.services.caddy.enable;
    ''
      import default-settings
      import cloudflare-tls
      reverse_proxy localhost:8005
    '';
  services.uptime-kuma = {
    enable = true;
    settings.PORT = "8005";
--- a/modules/nixos/homeserver/vaultwarden.nix
+++ b/modules/nixos/homeserver/vaultwarden.nix
@ -3,6 +3,19 @@
 {
  sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
  services.caddy.virtualHosts."vaultwarden.taild5f7e6.net".extraConfig =
    assert config.services.caddy.enable;
    ''
      import default-settings
      bind tailscale/vaultwarden
      # block connections to admin login
      respond /admin/* 403
      reverse_proxy localhost:8000
    '';
  services.vaultwarden = {
    enable = true;
    backupDir = "/var/backups/vaultwarden";
--- a/modules/nixos/homeserver/zipline.nix
+++ b/modules/nixos/homeserver/zipline.nix
@ -3,6 +3,15 @@
 {
  sops.secrets."zipline/secrets.env".restartUnits = [ "zipline.service" ];
  services.caddy.virtualHosts."zipline.wo2wz.fyi".extraConfig =
    assert config.services.caddy.enable;
    ''
      import default-settings
      import cloudflare-tls
      reverse_proxy localhost:8001
    '';
  users.users.zipline = {
    group = "zipline";
    isSystemUser = true;