From 1e6a17c6a7f4745c987533dd0bc4425f2145defe Mon Sep 17 00:00:00 2001
From: xunuwu
Date: Sun, 4 May 2025 07:56:11 +0200
Subject: [PATCH] improve caddy config

---
 flake.lock | 26 +++++++++
 flake.nix | 12 +++-
 sys/machines/hopper/lab/caddy.nix | 71 ++++++++-----------------
 sys/machines/hopper/lab/vaultwarden.nix | 3 +-
 4 files changed, 57 insertions(+), 55 deletions(-)

diff --git a/flake.lock b/flake.lock
index 38adc13..c24d661 100644
--- a/flake.lock
+++ b/flake.lock
@@ -109,6 +109,30 @@
 "type": "github"
 }
 },
+ "cloudflare-ipv4": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-V4dThTb8iw02hjngubVtSJbEeWgOS1e/ODt1fLjLZvk=",
+ "type": "file",
+ "url": "https://www.cloudflare.com/ips-v4"
+ },
+ "original": {
+ "type": "file",
+ "url": "https://www.cloudflare.com/ips-v4"
+ }
+ },
+ "cloudflare-ipv6": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-BgpkXCAh/MmK3GTAElKiGJctCYUN+/UgvpuawqGmitE=",
+ "type": "file",
+ "url": "https://www.cloudflare.com/ips-v6"
+ },
+ "original": {
+ "type": "file",
+ "url": "https://www.cloudflare.com/ips-v6"
+ }
+ },
 "crane": {
 "locked": {
 "lastModified": 1745454774,
@@ -992,6 +1016,8 @@
 "root": {
 "inputs": {
 "authentik-nix": "authentik-nix",
+ "cloudflare-ipv4": "cloudflare-ipv4",
+ "cloudflare-ipv6": "cloudflare-ipv6",
 "firefox-addons": "firefox-addons",
 "flake-parts": "flake-parts_2",
 "hardware": "hardware",
diff --git a/flake.nix b/flake.nix
index f22a261..fb9d865 100644
--- a/flake.nix
+++ b/flake.nix
@@ -78,9 +78,13 @@
 roblox-playtime.url = "github:xunuwu/roblox-playtime";
 roblox-playtime.inputs.nixpkgs.follows = "nixpkgs";
- wallpaper = {
- url = "https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
- flake = false;
- };
+ cloudflare-ipv4.url = "https://www.cloudflare.com/ips-v4";
+ cloudflare-ipv4.flake = false;
+
+ cloudflare-ipv6.url = "https://www.cloudflare.com/ips-v6";
+ cloudflare-ipv6.flake = false;
+
+ wallpaper.url = "https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
+ wallpaper.flake = false;
 };
 }
diff --git a/sys/machines/hopper/lab/caddy.nix b/sys/machines/hopper/lab/caddy.nix
index d6eeeeb..74731be 100644
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@@ -1,6 +1,7 @@
 {
 config,
 vars,
+ inputs,
 ...
 }: let
 inherit (vars.common) domain;
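Review bot: The new `cloudflare-ipv4` and `cloudflare-ipv6` inputs are `flake = false` file fetches, so the address ranges they deliver are frozen at the narHash recorded in flake.lock and change only when the lock is updated, and nothing here says so. Since caddy.nix turns them into a `remote_ip` allowlist, a stale lock can start rejecting traffic from ranges Cloudflare added or keep admitting ranges it retired. A comment above the two inputs would capture that, e.g. `# Cloudflare edge ranges; caddy.nix uses them as a remote_ip allowlist. Pinned by flake.lock, so refresh the lock when Cloudflare changes them.`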
@@ -20,64 +21,34 @@ in {
 services.caddy = {
 enable = true;
 globalConfig = "metrics";
- virtualHosts = {
- jellyfin = {
+ virtualHosts = let
+ mkPublicEntry = name: destination: {
 useACMEHost = domain;
- hostName = "jellyfin.${domain}:${toString caddyPort}";
+ hostName = "${name}.${domain}:${toString caddyPort}";
 extraConfig = ''
+ @blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
+ respond @blocked "Access only allowed through cloudflare" 403
 reverse_proxy {
 header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
- to ${bridge}:8096
+ to ${destination}
 }
 '';
 };
- navidrome = {
- useACMEHost = domain;
- hostName = "navidrome.${domain}:${toString caddyPort}";
- extraConfig = ''
- reverse_proxy unix//var/lib/navidrome/navidrome.sock
- '';
- };
- slskd = {
- hostName = "slskd.hopper.xun.host:80";
- extraConfig = ''
- reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
- '';
- };
- prometheus = {
- hostName = "prometheus.hopper.xun.host:80";
- extraConfig = ''
- reverse_proxy ${bridge}:${toString config.services.prometheus.port}
- '';
- };
- adguard = {
- hostName = "adguard.hopper.xun.host:80";
- extraConfig = ''
- reverse_proxy ${bridge}:${toString config.services.adguardhome.port}
- '';
- };
- transmission = {
- hostName = "transmission.hopper.xun.host:80";
- extraConfig = ''
- reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
- '';
- };
- dash = {
- hostName = "dash.hopper.xun.host:80";
- extraConfig = ''
- reverse_proxy ${bridge}:${toString config.services.homepage-dashboard.listenPort}
- '';
- };
- vw = {
- useACMEHost = domain;
- hostName = "vw.${domain}:${toString caddyPort}";
- extraConfig = ''
- reverse_proxy {
- header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
- to ${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}
- }
- '';
+ mkPrivateEntry = name: destination: {
+ hostName = "${name}.hopper.xun.host:80";
+ extraConfig = "reverse_proxy ${destination}";
 };
+ in {
+ jellyfin = mkPublicEntry "jellyfin" "${bridge}:8096";
+ navidrome = mkPublicEntry "navidrome" "unix//var/lib/navidrome/navidrome.sock";
+ vaultwarden = mkPublicEntry "vw" "${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+
+ slskd = mkPrivateEntry "slskd" "localhost:${toString config.services.slskd.settings.web.port}";
+ prometheus = mkPrivateEntry "prometheus" "${bridge}:${toString config.services.prometheus.port}";
+ adguard = mkPrivateEntry "adguard" "${bridge}:${toString config.services.adguardhome.port}";
+ transmission = mkPrivateEntry "transmission" "localhost:${toString config.services.transmission.settings.rpc-port}";
+ dash = mkPrivateEntry "dash" "${bridge}:${toString config.services.homepage-dashboard.listenPort}";
+
 other = {
 useACMEHost = domain;
 hostName = ":${toString caddyPort}";
diff --git a/sys/machines/hopper/lab/vaultwarden.nix b/sys/machines/hopper/lab/vaultwarden.nix
index 8e21dea..c54c491 100644
--- a/sys/machines/hopper/lab/vaultwarden.nix
+++ b/sys/machines/hopper/lab/vaultwarden.nix
@@ -6,11 +6,12 @@
 services.vaultwarden = {
 enable = true;
 config = {
- DOMAIN = "https://${config.services.caddy.virtualHosts.vw.hostName}";
+ DOMAIN = "https://${config.services.caddy.virtualHosts.vaultwarden.hostName}";
 ROCKET_ADDRESS = "0.0.0.0";
 ROCKET_PORT = 35381;
 ROCKET_LOG = "critical";
 SIGNUPS_ALLOWED = false;
+ IP_HEADER = "X-Forwarded-For";
 };
 };
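Review bot: The `@blocked not remote_ip …` / `respond @blocked … 403` pair in `mkPublicEntry` is the only thing that makes `header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}` trustworthy, yet the line is a dense one-liner with no comment saying what it guarantees or what it depends on. It depends on Caddy seeing the real TCP peer address on the public listener (any NAT or intermediate proxy in front of Caddy would make every client look like the same address and the gate would either block everything or nothing), and, if I read Caddy's default directive ordering correctly, on `respond` being handled before `reverse_proxy` regardless of written order, so a later move of this snippet into a `route` block or a directive `order` override should be checked against it. I would add above `@blocked`: `# Gate: only Cloudflare edges (ranges pinned in flake.lock via inputs.cloudflare-ipv*) may reach public hosts;` and `# CF-Connecting-IP is trusted as the client address only because of this check.`. Note also that `navidrome` now gets the same header rewrite it did not have before, which is fine as long as it is also only reachable via Cloudflare; the `other` catch-all host continues past the end of the hunk, so its handling is outside this view.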
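Review bot: `IP_HEADER = "X-Forwarded-For"` makes Vaultwarden take the client address it logs and rate-limits on from a request header, while `ROCKET_ADDRESS = "0.0.0.0"` a few lines above keeps port 35381 listening on every interface, so a request that reaches that port without passing through Caddy can present any value in the header. That trust is justified only because the `vaultwarden` Caddy host overwrites X-Forwarded-For from CF-Connecting-IP behind the Cloudflare gate; whether a firewall limits 35381 to the proxy is not visible in this diff. A comment beside the new line, `# Trusted only because Caddy rewrites X-Forwarded-For from CF-Connecting-IP; keep 35381 reachable from the proxy only`, records the dependency, and binding ROCKET_ADDRESS to the bridge address instead of 0.0.0.0 would enforce it.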