improve caddy config

This commit is contained in:
xunuwu 2025-05-04 07:56:11 +02:00
parent 2edfd18ed0
commit 1e6a17c6a7
4 changed files with 57 additions and 55 deletions

flake.lock generated

@ -109,6 +109,30 @@
"type": "github"
}
},
"cloudflare-ipv4": {
"flake": false,
"locked": {
"narHash": "sha256-V4dThTb8iw02hjngubVtSJbEeWgOS1e/ODt1fLjLZvk=",
"type": "file",
"url": "https://www.cloudflare.com/ips-v4"
},
"original": {
"type": "file",
"url": "https://www.cloudflare.com/ips-v4"
}
},
"cloudflare-ipv6": {
"flake": false,
"locked": {
"narHash": "sha256-BgpkXCAh/MmK3GTAElKiGJctCYUN+/UgvpuawqGmitE=",
"type": "file",
"url": "https://www.cloudflare.com/ips-v6"
},
"original": {
"type": "file",
"url": "https://www.cloudflare.com/ips-v6"
}
},
"crane": {
"locked": {
"lastModified": 1745454774,
@ -992,6 +1016,8 @@
"root": {
"inputs": {
"authentik-nix": "authentik-nix",
"cloudflare-ipv4": "cloudflare-ipv4",
"cloudflare-ipv6": "cloudflare-ipv6",
"firefox-addons": "firefox-addons",
"flake-parts": "flake-parts_2",
"hardware": "hardware",


@ -78,9 +78,13 @@
roblox-playtime.url = "github:xunuwu/roblox-playtime";
roblox-playtime.inputs.nixpkgs.follows = "nixpkgs";
wallpaper = {
url = "https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
flake = false;
};
cloudflare-ipv4.url = "https://www.cloudflare.com/ips-v4";
cloudflare-ipv4.flake = false;
cloudflare-ipv6.url = "https://www.cloudflare.com/ips-v6";
cloudflare-ipv6.flake = false;
wallpaper.url = "https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
wallpaper.flake = false;
};
}


@ -1,6 +1,7 @@
{
config,
vars,
inputs,
...
}: let
inherit (vars.common) domain;
@ -20,64 +21,34 @@ in {
services.caddy = {
enable = true;
globalConfig = "metrics";
virtualHosts = {
jellyfin = {
virtualHosts = let
mkPublicEntry = name: destination: {
useACMEHost = domain;
hostName = "jellyfin.${domain}:${toString caddyPort}";
hostName = "${name}.${domain}:${toString caddyPort}";
extraConfig = ''
@blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
respond @blocked "Access only allowed through cloudflare" 403
reverse_proxy {
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
to ${bridge}:8096
to ${destination}
}
'';
};
navidrome = {
useACMEHost = domain;
hostName = "navidrome.${domain}:${toString caddyPort}";
extraConfig = ''
reverse_proxy unix//var/lib/navidrome/navidrome.sock
'';
};
slskd = {
hostName = "slskd.hopper.xun.host:80";
extraConfig = ''
reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
'';
};
prometheus = {
hostName = "prometheus.hopper.xun.host:80";
extraConfig = ''
reverse_proxy ${bridge}:${toString config.services.prometheus.port}
'';
};
adguard = {
hostName = "adguard.hopper.xun.host:80";
extraConfig = ''
reverse_proxy ${bridge}:${toString config.services.adguardhome.port}
'';
};
transmission = {
hostName = "transmission.hopper.xun.host:80";
extraConfig = ''
reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
'';
};
dash = {
hostName = "dash.hopper.xun.host:80";
extraConfig = ''
reverse_proxy ${bridge}:${toString config.services.homepage-dashboard.listenPort}
'';
};
vw = {
useACMEHost = domain;
hostName = "vw.${domain}:${toString caddyPort}";
extraConfig = ''
reverse_proxy {
header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
to ${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}
}
'';
mkPrivateEntry = name: destination: {
hostName = "${name}.hopper.xun.host:80";
extraConfig = "reverse_proxy ${destination}";
};
in {
jellyfin = mkPublicEntry "jellyfin" "${bridge}:8096";
navidrome = mkPublicEntry "navidrome" "unix//var/lib/navidrome/navidrome.sock";
vaultwarden = mkPublicEntry "vw" "${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
slskd = mkPrivateEntry "slskd" "localhost:${toString config.services.slskd.settings.web.port}";
prometheus = mkPrivateEntry "prometheus" "${bridge}:${toString config.services.prometheus.port}";
adguard = mkPrivateEntry "adguard" "${bridge}:${toString config.services.adguardhome.port}";
transmission = mkPrivateEntry "transmission" "localhost:${toString config.services.transmission.settings.rpc-port}";
dash = mkPrivateEntry "dash" "${bridge}:${toString config.services.homepage-dashboard.listenPort}";
other = {
useACMEHost = domain;
hostName = ":${toString caddyPort}";
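Review bot: The `@blocked not remote_ip …` matcher in mkPublicEntry is assembled from the cloudflare-ipv4/cloudflare-ipv6 inputs, so the allow-list is frozen at the narHash recorded in flake.lock and changes only on `nix flake update`; if Cloudflare adds an edge range before the next update, those requests are answered with the `respond @blocked … 403` line and the proxied service never sees them. A comment on the `@blocked` line would spare the next maintainer a debugging round, e.g. `# allow-list is the pinned cloudflare-ipv4/ipv6 inputs; a 403 here after a Cloudflare range change means flake.lock is stale`. The same comment should note that `header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}` overwrites the forwarded address and is only trustworthy because @blocked rejects non-Cloudflare peers first; navidrome now inherits this behaviour for the first time, and vaultwarden's `IP_HEADER = "X-Forwarded-For"` in the last file depends on it. The services.caddy block and the `other` virtual host continue past the end of the hunk.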


@ -6,11 +6,12 @@
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${config.services.caddy.virtualHosts.vw.hostName}";
DOMAIN = "https://${config.services.caddy.virtualHosts.vaultwarden.hostName}";
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = 35381;
ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = false;
IP_HEADER = "X-Forwarded-For";
};
};