diff --git a/modules/nixos/homeserver/caddy.nix b/modules/nixos/homeserver/caddy.nix index dff825b..fc1573e 100644 --- a/modules/nixos/homeserver/caddy.nix +++ b/modules/nixos/homeserver/caddy.nix @@ -1,21 +1,45 @@ -{ config, ... }: +{ config, pkgs, ... }: { services = { caddy = { enable = true; + package = pkgs.caddy.withPlugins { + plugins = [ "github.com/WeidiDeng/caddy-cloudflare-ip@v0.0.0-20231130002422-f53b62aa13cb"]; + hash = "sha256-mtKyPOEY6qK1/Uz4LQfzqBMxFnfH1vLfvxyo4t4nXck="; + }; + extraConfig = '' + (cloudflare-tls) { + tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path} + } + + (default-settings) { + encode + + header { + Strict-Transport-Security "max-age=15552000;" + X-Frame-Options "SAMEORIGIN" + X-Content-Type-Options "nosniff" + X-Robots-Tag "noindex, nofollow" + -Server + -X-Powered-By + } + } + ''; + globalConfig = '' + grace_period 30s + servers { + client_ip_headers CF-Connecting-Ip X-Forwarded-For + trusted_proxies cloudflare { + interval 7d + timeout 15s + } + trusted_proxies_strict + } + ''; virtualHosts = { "drone.taild5f7e6.ts.net".extraConfig = '' - encode - - # most of this doesnt matter but why not - header { - Strict-Transport-Security "max-age=31536000;" - X-Frame-Options "SAMEORIGIN" - X-Content-Type-Options "nosniff" - -Server - -X-Powered-By - } + import default-settings # block connections to admin login respond /admin/* 403 @@ -24,25 +48,14 @@ ''; "wo2wz.fyi".extraConfig = '' - encode - - header { - X-Robots-Tag "noindex, nofollow" - -Server - } + import default-settings + import cloudflare-tls respond "not much to see here" ''; "nextcloud.wo2wz.fyi".extraConfig = '' - encode - - tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path} - - header { - X-Robots-Tag "noindex, nofollow" - -Server - } + import default-settings root ${config.services.nginx.virtualHosts."localhost:8002".root} file_server 
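Review bot: `trusted_proxies cloudflare` only matches connections whose peer address falls in Cloudflare's published ranges, so with `trusted_proxies_strict` the `CF-Connecting-Ip`/`X-Forwarded-For` values are discarded for any other peer. The same diff adds a `cloudflared` tunnel credential to secrets.yaml; if the proxied hosts reach Caddy through that tunnel, the peer is the tunnel's local address rather than a Cloudflare range, and the resolved client IP for every visitor collapses to loopback, which also neuters any `client_ip`-based matcher. Worth confirming from the access log that `client_ip` is the visitor's address; if it is the tunnel, the source has to be `trusted_proxies static 127.0.0.1` (or whichever address cloudflared connects from) instead. The plugin is pinned to a 2023 pseudo-version by path and hash; a one-line comment such as `# pinned: bump hash together with the version` above `hash =` would save the next person a failed rebuild.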
@@ -61,6 +74,7 @@ path /.* /autotest* /occ* /issue* /indie* /db_* /console* not path /.well-known/* } + respond @forbidden 403 # make .mjs javascript work for the functionality of some buttons/apps @@ -68,18 +82,23 @@ header @mjs Content-Type application/javascript ''; - "zipline.wo2wz.fyi".extraConfig = '' - encode + "onlyoffice.wo2wz.fyi".extraConfig = '' + import default-settings + import cloudflare-tls - # most headers are already configured via cloudflare - header { - # nobody is gonna find this site through a search engine anyway - X-Robots-Tag "noindex, nofollow" - -Server + @blockinternal { + path /internal/* + path /info/* + not remote_ip 127.0.0.1 } + respond @blockinternal 403 - # use cloudflare origin certs for https - tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path} + reverse_proxy localhost:8003 + ''; + + "zipline.wo2wz.fyi".extraConfig = '' + import default-settings + import cloudflare-tls reverse_proxy localhost:8001 ''; @@ -87,4 +106,4 @@ }; tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs }; -} \ No newline at end of file +} diff --git a/modules/nixos/homeserver/nextcloud.nix b/modules/nixos/homeserver/nextcloud.nix index 4260524..10b9ce8 100644 --- a/modules/nixos/homeserver/nextcloud.nix +++ b/modules/nixos/homeserver/nextcloud.nix 
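Review bot: `nextcloud.wo2wz.fyi` loses its `tls <crt> <key>` line in this hunk but, unlike `wo2wz.fyi`, does not get `import cloudflare-tls` in return, so Caddy will fall back to automatic certificate management for that host. If the host is fronted by Cloudflare like its siblings, that ACME attempt is likely to fail or yield a certificate the proxy never sees, and the origin certificate is what should be presented; add `import cloudflare-tls` directly under `import default-settings`. If the omission is deliberate, a comment stating why this vhost is the exception would stop the next reader from "fixing" it. The vhost body continues past the hunk (the `@forbidden` matcher lives in the next one).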
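Review bot: `not remote_ip 127.0.0.1` in `@blockinternal` tests the TCP peer address, not the proxy-resolved client IP, so what it blocks depends entirely on how requests reach Caddy. If `onlyoffice.wo2wz.fyi` arrives through the cloudflared tunnel this diff also provisions, every request is loopback and `/internal/*` and `/info/*` (presumably the document server's status/info pages) become reachable by anyone; if requests come straight from Cloudflare's ranges, nothing is ever loopback and the exception is dead code. `client_ip` is the matcher that honours `trusted_proxies`, but since the Nextcloud side on this host can reach `localhost:8003` without going through Caddy, the simpler and safer rule is to drop the exception and block those paths unconditionally: `@blockinternal path /internal/* /info/*`. If the exception is needed for something, a comment saying what calls those paths from the host would justify it.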
@@ -1,14 +1,20 @@ { config, pkgs, ... }: -{ - users.users.caddy.extraGroups = [ "nextcloud" ]; - services = { - nginx.enable = false; # disable to use caddy instead - phpfpm.pools.nextcloud.settings = { - "listen.owner" = "caddy"; - "listen.group" = "caddy"; - }; +{ + services.nginx.enable = false; # disable to use caddy instead + users.users.nginx = { + group = "nginx"; + isSystemUser = true; + }; + users.groups.nginx = {}; + users.users.caddy.extraGroups = [ "nextcloud" ]; + services.phpfpm.pools.nextcloud.settings = { + "listen.owner" = "caddy"; + "listen.group" = "caddy"; + }; + + services = { nextcloud = { enable = true; package = pkgs.nextcloud31; @@ -25,8 +31,16 @@ maxUploadSize = "200G"; extraApps = { - inherit (config.services.nextcloud.package.packages.apps) calendar tasks deck twofactor_webauthn; + inherit (config.services.nextcloud.package.packages.apps) calendar deck onlyoffice tasks twofactor_webauthn; }; + }; + + # onlyoffice document server for rich document editing + onlyoffice = { + enable = true; + hostname = "localhost"; + port = 8003; + jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path; }; }; -} \ No newline at end of file +} diff --git a/modules/nixos/homeserver/sops.nix b/modules/nixos/homeserver/sops.nix index 5c1c06d..0cab13c 100644 --- a/modules/nixos/homeserver/sops.nix +++ b/modules/nixos/homeserver/sops.nix @@ -26,6 +26,8 @@ "nextcloud/adminpass" = {}; + "onlyoffice/jwt" = {}; + "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ]; "zipline/secrets.env".restartUnits = [ "zipline.service" ]; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 12f571a..8cad378 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
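Review bot: The new `users.users.nginx`/`users.groups.nginx` definitions carry no comment, and the line above them says nginx is disabled, so a reader will immediately ask why an nginx account is being created at all. Presumably something in the Nextcloud module (or the `config.services.nginx.virtualHosts."localhost:8002".root` reference in caddy.nix) still needs the user and group to resolve; confirm and say so, e.g. `# nginx stays off; the account only exists because the nextcloud module still references it`. It is also worth checking that this hand-made `isSystemUser` account does not end up owning or reading anything on Nextcloud's data paths, since caddy (not nginx) is the user added to the `nextcloud` group.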
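Review bot: `jwtSecretFile` configures only the document-server side of the trust relationship; the `onlyoffice` app added to `extraApps` still has to be told the document server URL and the same JWT secret, and nothing in this diff does that. If that is done by hand in the admin UI, record it here (`# onlyoffice app: DocumentServerUrl + jwt secret set via occ config:app:set`), otherwise a docserver that now expects signed tokens will reject Nextcloud's requests. `hostname = "localhost"` presumably makes the module generate an nginx vhost that is inert here because nginx is disabled; a comment noting that Caddy fronts the docserver via `localhost:8003` (see caddy.nix) would tie the two files together.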
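Review bot: `"onlyoffice/jwt" = {};` takes the sops-nix defaults (owner root, mode 0400) and, unlike the neighbouring `vaultwarden` and `zipline` entries, declares no `restartUnits`, so rotating the secret will not restart the document server and it will keep signing with the old key. Suggest `"onlyoffice/jwt".restartUnits = [ "onlyoffice-docservice.service" ];` (use whatever unit name the onlyoffice module actually defines). Also confirm that the module reads `jwtSecretFile` with root privileges; if it is read inside the unprivileged service, `owner` has to be set on this entry as well or the service will fail to start.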
@@ -5,6 +5,8 @@ cloudflared: 8af2892d-d534-4e32-b867-5b79308a99d5.json: ENC[AES256_GCM,data:4fOlt/pNxQ9CSuKf1ZPv9odtdU+Q7NTlO56xGp5yY0AEZrbpljSlTS/b8dON5iVwRoUjUbUui8+jvDri7ad99e+kZUwzDC2S294oaQyPa5Bl4jrYZSFn6SWZbnBzyV5tVN0hoQlIMQ/oU53TvBAtNrj10toePH7iLB12AmqMCBshWEFUViAJqGcZZMrcarAT453FgtpR+f3vR8Wv90SGc7wHXARJZ4NzEIRmYD4dGA==,iv:1Mt9FJTlT7Sv9FvrNY97icXSi757ejt56lhc7OG1dJM=,tag:JxW5Cg6nPzzh4zxi9Wvw0A==,type:str] nextcloud: adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str] +onlyoffice: + jwt: ENC[AES256_GCM,data:NVDBwIY6wBFUkm4ry97cbO2uSczzN5IDR17sroVn5hXcMRNNxWitp3hU7qruj4wUEg9BGrCyFgknm6tBss0DAaCnbGAynCdaaaIhYjFLTUx4tHzVXZflWaEM+c0nYaTf2to4B3c2r+DpRRBjlfQbJXjlaW2kpZ07EmWo11a5Tn8=,iv:ZO4TpnVppBHhw5e72x+PqUY5QT6M96s/vZDIDDcnLBE=,tag:PA7WCqwaV9fAeJG+1wiXfg==,type:str] tailscale: drone.taild5f7e6.ts.net.crt: ENC[AES256_GCM,data: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,iv:let5DG6B4Dy1UWmldZPQ5dfUTU4q3Rc+WXdUXgjI8Wk=,tag:vIlcLk2mbCY5lwmI0iC00w==,type:str] drone.taild5f7e6.ts.net.key: ENC[AES256_GCM,data:PYx24EEH4evfSC+TxJ8myVs6A4nMMCVPD4IhA5DmwHbB13li7O8q/+45MpdXimEXN3abvucgSQnPDnpQ2OZyLK7ym03abrlFZneQXe3IcuDX2EHMIRq5nFN6VESt3yB2PFOb1aEXYeCBj8bkeebi9zirg7BJz3jRChYsP+BBsMCXtMN+w5VtFDhsh87rBmXo4O9zO95S8NkG9R9+f/fBN7AF5K4hR0eldJe+86QP7fKjDYDiATucuU0Up3uqx6vMcFfiH9UnhMy287Hm6NJQ3oKbVUeT4Vz7/lHCamkWU7083ig=,iv:b83/uKx0j5gwLdGIwpQtAEsx9FZ2y4kATD78iJyWYlY=,tag:5QCcCweEk8bX6CDW77AYlQ==,type:str] 
@@ -23,7 +25,7 @@ sops: N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-12T20:35:10Z" - mac: ENC[AES256_GCM,data:zoZOy9jZw1ZHnXkkbh1xv4JgeLlWHik56uWYF0VmIurWsC8gQ6Db88FdQiN9Iqko9aPg9taxVdjcz7wx8j4CzP+jYlnD2LiPbgqKgspL/ZnoPUFLp9poffC72y9hxMJQ1etkvzXQjKNL/UQisx5LoLxqNPO7GMq97Sw+7uZ39Rk=,iv:VE60K5gs6RdFXGKvPkkHJBuU7/ZL5HHQ7LDxRdWJ7ac=,tag:PpPmtHZ/qZf12HVS6RuCxg==,type:str] + lastmodified: "2025-09-01T18:38:50Z" + mac: ENC[AES256_GCM,data:KnSzm4tWvMMkHSLZjgF2gzlujGKYCpsG6A2jcV5Z7KtdPXHyF35u6Ug+0oUYpnAZIVYy9Y4an/e/IZ7mL3Kk1TngrCf1+XRpzcWJRuqW2yaRzcqPhcy2xEQSFVLvMXW3U4SDGuQ5Ent5zuLI42O/xeO0XZabKNy863eJ0NHOwJc=,iv:0osjbyEOh49v6DEvyQ34hE8Zy6G6pmZ6Kqw/eZ3D5ys=,tag:iu5wQBGH5fIc4NSoNUX9eA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2