wo2w/nixos-config
1
0
Fork 0
Code Issues Pull requests Activity

caddy: federate caddy site configs

Browse source
This commit is contained in:
wo2wz 2025-10-04 15:30:29 -04:00
parent 943e9d4cb7
commit 55d619a4ce
6 changed files with 105 additions and 97 deletions
Download patch file Download diff file Expand all files Collapse all files

9
modules/nixos/homeserver/authentik.nix
View file

@ -9,6 +9,15 @@
sops.secrets."authentik/secrets.env".restartUnits = [ "authentik.service" ];
services.caddy.virtualHosts."authentik.wo2wz.fyi".extraConfig =
assert config.services.caddy.enable;
''
import default-settings
import cloudflare-tls
reverse_proxy localhost:9000
'';
services.authentik = {
enable = true;
environmentFile = config.sops.secrets."authentik/secrets.env".path;

81
modules/nixos/homeserver/caddy.nix
View file

@ -17,6 +17,8 @@
};
services = {
tailscale.permitCertUid = "caddy";
caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
@ -63,89 +65,12 @@
}
'';
virtualHosts = {
"vaultwarden.taild5f7e6.ts.net".extraConfig = ''
import default-settings
bind tailscale/vaultwarden
# block connections to admin login
respond /admin/* 403
reverse_proxy localhost:8000
'';
"wo2wz.fyi".extraConfig = ''
virtualHosts."wo2wz.fyi".extraConfig = ''
import default-settings
import cloudflare-tls
respond "not much to see here"
'';
"authentik.wo2wz.fyi".extraConfig = ''
import default-settings
import cloudflare-tls
reverse_proxy localhost:9000
'';
"nextcloud.wo2wz.fyi".extraConfig = ''
import default-settings
root ${config.services.nginx.virtualHosts."localhost:8002".root}
file_server
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/webfinger 301
redir /.well-known/nodeinfo /index.php/nodeinfo 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
respond @forbidden 403
# make .mjs javascript work for the functionality of some buttons/apps
@mjs path *.mjs
header @mjs Content-Type application/javascript
'';
"onlyoffice.wo2wz.fyi".extraConfig = ''
import default-settings
import cloudflare-tls
@blockinternal {
path /internal/*
path /info/*
not remote_ip 127.0.0.1
}
respond @blockinternal 403
reverse_proxy localhost:8003
'';
"uptime-kuma.wo2wz.fyi".extraConfig = ''
import default-settings
import cloudflare-tls
reverse_proxy localhost:8005
'';
"zipline.wo2wz.fyi".extraConfig = ''
import default-settings
import cloudflare-tls
reverse_proxy localhost:8001
'';
};
};
tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
};
}

63
modules/nixos/homeserver/nextcloud.nix
View file

@ -1,14 +1,37 @@
{ config, pkgs, ... }:
{
sops.secrets = {
"nextcloud/adminpass" = {};
sops.secrets."nextcloud/adminpass" = {};
"onlyoffice/jwt" = {
owner = "onlyoffice";
group = "onlyoffice";
};
};
services.caddy.virtualHosts."nextcloud.wo2wz.fyi".extraConfig =
assert config.services.caddy.enable;
''
import default-settings
root ${config.services.nginx.virtualHosts."localhost:8002".root}
file_server
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/webfinger 301
redir /.well-known/nodeinfo /index.php/nodeinfo 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
respond @forbidden 403
# make .mjs javascript work for the functionality of some buttons/apps
@mjs path *.mjs
header @mjs Content-Type application/javascript
'';
services.nginx.enable = false; # disable to use caddy instead
users.users.nginx = {
@ -44,13 +67,33 @@
inherit (config.services.nextcloud.package.packages.apps) calendar deck onlyoffice tasks music twofactor_webauthn user_oidc;
};
};
};
# onlyoffice document server for rich document editing
onlyoffice = {
sops.secrets."onlyoffice/jwt" = {
owner = "onlyoffice";
group = "onlyoffice";
};
services.caddy.virtualHosts."onlyoffice.wo2wz.fyi".extraConfig =
assert config.services.caddy.enable;
''
import default-settings
import cloudflare-tls
@blockinternal {
path /internal/*
path /info/*
not remote_ip 127.0.0.1
}
respond @blockinternal 403
reverse_proxy localhost:8003
'';
services.onlyoffice = {
enable = true;
hostname = "localhost";
port = 8003;
jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path;
};
};
}

9
modules/nixos/homeserver/uptime-kuma.nix
View file

@ -1,6 +1,15 @@
{ config, ... }:
{
services.caddy.virtualHosts."uptime-kuma.wo2wz.fyi".extraConfig =
assert config.services.caddy.enable;
''
import default-settings
import cloudflare-tls
reverse_proxy localhost:8005
'';
services.uptime-kuma = {
enable = true;
settings.PORT = "8005";

13
modules/nixos/homeserver/vaultwarden.nix
View file

@ -3,6 +3,19 @@
{
sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
services.caddy.virtualHosts."vaultwarden.taild5f7e6.net".extraConfig =
assert config.services.caddy.enable;
''
import default-settings
bind tailscale/vaultwarden
# block connections to admin login
respond /admin/* 403
reverse_proxy localhost:8000
'';
services.vaultwarden = {
enable = true;
backupDir = "/var/backups/vaultwarden";

9
modules/nixos/homeserver/zipline.nix
View file

@ -3,6 +3,15 @@
{
sops.secrets."zipline/secrets.env".restartUnits = [ "zipline.service" ];
services.caddy.virtualHosts."zipline.wo2wz.fyi".extraConfig =
assert config.services.caddy.enable;
''
import default-settings
import cloudflare-tls
reverse_proxy localhost:8001
'';
users.users.zipline = {
group = "zipline";
isSystemUser = true;