improve caddy config

flake.lock

@@ -109,6 +109,30 @@
         "type": "github"
       }
     },
+    "cloudflare-ipv4": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-V4dThTb8iw02hjngubVtSJbEeWgOS1e/ODt1fLjLZvk=",
+        "type": "file",
+        "url": "https://www.cloudflare.com/ips-v4"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://www.cloudflare.com/ips-v4"
+      }
+    },
+    "cloudflare-ipv6": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-BgpkXCAh/MmK3GTAElKiGJctCYUN+/UgvpuawqGmitE=",
+        "type": "file",
+        "url": "https://www.cloudflare.com/ips-v6"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://www.cloudflare.com/ips-v6"
+      }
+    },
     "crane": {
       "locked": {
         "lastModified": 1745454774,
@@ -992,6 +1016,8 @@
     "root": {
       "inputs": {
         "authentik-nix": "authentik-nix",
+        "cloudflare-ipv4": "cloudflare-ipv4",
+        "cloudflare-ipv6": "cloudflare-ipv6",
         "firefox-addons": "firefox-addons",
         "flake-parts": "flake-parts_2",
         "hardware": "hardware",

flake.nix

@@ -78,9 +78,13 @@
     roblox-playtime.url = "github:xunuwu/roblox-playtime";
     roblox-playtime.inputs.nixpkgs.follows = "nixpkgs";
 
-    wallpaper = {
+    cloudflare-ipv4.url = "https://www.cloudflare.com/ips-v4";
-      url = "https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
+    cloudflare-ipv4.flake = false;
-      flake = false;
+
-    };
+    cloudflare-ipv6.url = "https://www.cloudflare.com/ips-v6";
+    cloudflare-ipv6.flake = false;
+
+    wallpaper.url = "https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
+    wallpaper.flake = false;
   };
 }

sys/machines/hopper/lab/caddy.nix

@@ -1,6 +1,7 @@
 {
   config,
   vars,
+  inputs,
   ...
 }: let
   inherit (vars.common) domain;
@@ -20,64 +21,34 @@ in {
   services.caddy = {
     enable = true;
     globalConfig = "metrics";
-    virtualHosts = {
+    virtualHosts = let
-      jellyfin = {
+      mkPublicEntry = name: destination: {
         useACMEHost = domain;
-        hostName = "jellyfin.${domain}:${toString caddyPort}";
+        hostName = "${name}.${domain}:${toString caddyPort}";
         extraConfig = ''
+          @blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
+          respond @blocked "Access only allowed through cloudflare" 403
           reverse_proxy {
             header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
-            to ${bridge}:8096
+            to ${destination}
           }
         '';
       };
-      navidrome = {
+      mkPrivateEntry = name: destination: {
-        useACMEHost = domain;
+        hostName = "${name}.hopper.xun.host:80";
-        hostName = "navidrome.${domain}:${toString caddyPort}";
+        extraConfig = "reverse_proxy ${destination}";
-        extraConfig = ''
-          reverse_proxy unix//var/lib/navidrome/navidrome.sock
-        '';
-      };
-      slskd = {
-        hostName = "slskd.hopper.xun.host:80";
-        extraConfig = ''
-          reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
-        '';
-      };
-      prometheus = {
-        hostName = "prometheus.hopper.xun.host:80";
-        extraConfig = ''
-          reverse_proxy ${bridge}:${toString config.services.prometheus.port}
-        '';
-      };
-      adguard = {
-        hostName = "adguard.hopper.xun.host:80";
-        extraConfig = ''
-          reverse_proxy ${bridge}:${toString config.services.adguardhome.port}
-        '';
-      };
-      transmission = {
-        hostName = "transmission.hopper.xun.host:80";
-        extraConfig = ''
-          reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
-        '';
-      };
-      dash = {
-        hostName = "dash.hopper.xun.host:80";
-        extraConfig = ''
-          reverse_proxy ${bridge}:${toString config.services.homepage-dashboard.listenPort}
-        '';
-      };
-      vw = {
-        useACMEHost = domain;
-        hostName = "vw.${domain}:${toString caddyPort}";
-        extraConfig = ''
-          reverse_proxy {
-            header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
-            to ${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}
-          }
-        '';
       };
+    in {
+      jellyfin = mkPublicEntry "jellyfin" "${bridge}:8096";
+      navidrome = mkPublicEntry "navidrome" "unix//var/lib/navidrome/navidrome.sock";
+      vaultwarden = mkPublicEntry "vw" "${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+
+      slskd = mkPrivateEntry "slskd" "localhost:${toString config.services.slskd.settings.web.port}";
+      prometheus = mkPrivateEntry "prometheus" "${bridge}:${toString config.services.prometheus.port}";
+      adguard = mkPrivateEntry "adguard" "${bridge}:${toString config.services.adguardhome.port}";
+      transmission = mkPrivateEntry "transmission" "localhost:${toString config.services.transmission.settings.rpc-port}";
+      dash = mkPrivateEntry "dash" "${bridge}:${toString config.services.homepage-dashboard.listenPort}";
+
       other = {
         useACMEHost = domain;
         hostName = ":${toString caddyPort}";

sys/machines/hopper/lab/vaultwarden.nix

@@ -6,11 +6,12 @@
   services.vaultwarden = {
     enable = true;
     config = {
-      DOMAIN = "https://${config.services.caddy.virtualHosts.vw.hostName}";
+      DOMAIN = "https://${config.services.caddy.virtualHosts.vaultwarden.hostName}";
       ROCKET_ADDRESS = "0.0.0.0";
       ROCKET_PORT = 35381;
       ROCKET_LOG = "critical";
       SIGNUPS_ALLOWED = false;
+      IP_HEADER = "X-Forwarded-For";
     };
   };