run caddy on racksrv asw

2025-06-06 07:01:38 +02:00 · 2025-06-06 07:01:38 +02:00 · 47820c5563
commit 47820c5563
parent 5f1ed3c492
6 changed files with 72 additions and 7 deletions
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@ -23,8 +23,7 @@ in {
    globalConfig = "metrics";
    virtualHosts = let
      mkPublicEntry = name: destination: {
-        useACMEHost = domain;
-        hostName = "${name}.${domain}";
+        hostName = "${name}.${domain}:80";
        extraConfig = ''
          reverse_proxy {
            to ${destination}
@ -33,6 +32,7 @@ in {
      };
      mkPrivateEntry = name: destination: {
        hostName = "${name}.hopper.priv.${domain}";
+        useACMEHost = domain;
        extraConfig = ''
          @blocked not remote_ip ${bridge}
          respond @blocked "limited to intranet" 403
@ -53,8 +53,7 @@ in {
      glances = mkPrivateEntry "glances" "${bridge}:${toString config.services.glances.port}";

      base = {
-        useACMEHost = domain;
-        hostName = "${domain}";
+        hostName = "${domain}:80";
        extraConfig = ''
          root * ${inputs.own-website.packages.${pkgs.system}.default}
          file_server
@ -62,8 +61,7 @@ in {
      };

      other = {
-        useACMEHost = domain;
-        hostName = "*.${domain}";
+        hostName = "*.${domain}:80";
        extraConfig = ''
          respond 404 {
            body "uhh that doesnt exist, i hope this isnt my fault.."
--- a/sys/machines/rackserv/caddy.nix
+++ b/sys/machines/rackserv/caddy.nix
@ -0,0 +1,43 @@
+{
+  vars,
+  config,
+  ...
+}: let
+  inherit (vars) domain;
+  hopper = "10.0.0.2";
+in {
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "xunuwu@gmail.com";
+    certs = {
+      "${domain}" = {
+        domain = "${domain}";
+        extraDomainNames = ["*.${domain}"];
+        dnsProvider = "cloudflare";
+        reloadServices = ["caddy.service"];
+        credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
+      };
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      misc = {
+        hostName = "${domain}";
+        serverAliases = ["*.${domain}"];
+        useACMEHost = domain;
+        extraConfig = ''
+          reverse_proxy ${hopper}
+        '';
+      };
+      other = {
+        extraConfig = ''
+          respond 404
+        '';
+      };
+    };
+  };
+}
--- a/sys/machines/rackserv/default.nix
+++ b/sys/machines/rackserv/default.nix
@ -12,6 +12,7 @@
      ./fail2ban.nix
      ./wireguard-server.nix
      ./backups.nix
+      ./caddy.nix
    ]
    ++ (map (x: systemProfiles + x) [
      /secrets/default.nix
--- a/sys/machines/rackserv/wireguard-server.nix
+++ b/sys/machines/rackserv/wireguard-server.nix
@ -7,7 +7,7 @@
  networking.firewall = let
    forwardPorts = {
      "10.0.0.2" =
-        [24001 24002 24003 443 80]
+        [24001 24002 24003]
        |> map (n: {
          protocols = ["tcp"];
          port = n;
--- a/sys/profiles/secrets/rackserv/cloudflare
+++ b/sys/profiles/secrets/rackserv/cloudflare
@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:BPJY1u5e20gtD8RrPDerlI/aUUxYD59WbhkzXEd6szQxKPO/s7SI8cQ=,iv:ZkFo0j58cmSIh4vTg6Is991PPG5Frax1k2M6Ew0p1yU=,tag:1CW8hUHcZwNH3eNFbCjkew==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdHJZMEd5VXV5Wk9Mc0Ft\nZFJaWHE3RFp6SWdpMzZocmtYM1JwTlN6a1hRCldLY0JpK2FLYk8xWk5wb3JYbDNu\nOGZIV3orT1FGVmRjSmx3d1BBbHRPUGMKLS0tIEVDckh6WHFhUEE3RFNReVd2UStG\nTEdWNU5XME0yTUVQTWFPMnFBR0x6UjAK1ir6TPYOptK/LssBSwZJJQNWVhhEk5vw\noWRJO5RZLcSZyYV3v0QMrBP2rowlFEU47ZR6CNV+0Fmba+UmQlJtYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zutg3s4nth679a6av9xqw4km0ezmfkxlnusu78demf0rzazqn3pqk9exgj",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdHVWZmtuaFNNbXBtQ0FZ\nUjJaRS9ZclJab0txRHJ4WnJ0NWVpd2gxakhnCk5zMEh2ZDRyd2RtR2FqTk95SXJF\nMVN1SWxMb0tyMDdmRDhjcXhlNkpHQ00KLS0tIDQ3aVNWWFFIVjI4UVRPNVFKRk54\nMElMeHJyNU5Ob3IrcnViSjhpd290OTAK77rJSSkGqku0sRcEtNAuMMUO8WLg4bMt\nQaS+WqT7iO7ZC0U+JiCvDl9pJ1h6miF03wSQwNk35C2UsofVVK0aDQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-06T04:48:55Z",
+		"mac": "ENC[AES256_GCM,data:5LizA5pZtuhLszRosowCqa9lo9kPSELFTTPZ6PCwSspRwOFAfiB5d3iP2IHlLlc/E6ou+V3jGTj5xqllauwaKkq62PUHwj941QUeXXmdXHZAL9ERJcwwFLENbf2p/2LZxNo47PCqdJJdtfHBot9lYDyfZ2T9edKKnaQG8PShpao=,iv:nuC0EVMkNkfpO7b1CRbAL1EgbfMeSy0MeQtA1tmF598=,tag:WEX+v7zJS0fnV6lnGZo1Kw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
--- a/sys/profiles/secrets/rackserv/default.nix
+++ b/sys/profiles/secrets/rackserv/default.nix
@ -9,5 +9,9 @@
      format = "binary";
      sopsFile = ./restic-password;
    };
+    cloudflare = {
+      format = "binary";
+      sopsFile = ./cloudflare;
+    };
  };
 }