diff --git a/sys/machines/hopper/lab/caddy.nix b/sys/machines/hopper/lab/caddy.nix index 54a2430..e8825a6 100644 --- a/sys/machines/hopper/lab/caddy.nix +++ b/sys/machines/hopper/lab/caddy.nix @@ -23,8 +23,7 @@ in { globalConfig = "metrics"; virtualHosts = let mkPublicEntry = name: destination: { - useACMEHost = domain; - hostName = "${name}.${domain}"; + hostName = "${name}.${domain}:80"; extraConfig = '' reverse_proxy { to ${destination} @@ -33,6 +32,7 @@ in { }; mkPrivateEntry = name: destination: { hostName = "${name}.hopper.priv.${domain}"; + useACMEHost = domain; extraConfig = '' @blocked not remote_ip ${bridge} respond @blocked "limited to intranet" 403 @@ -53,8 +53,7 @@ in { glances = mkPrivateEntry "glances" "${bridge}:${toString config.services.glances.port}"; base = { - useACMEHost = domain; - hostName = "${domain}"; + hostName = "${domain}:80"; extraConfig = '' root * ${inputs.own-website.packages.${pkgs.system}.default} file_server @@ -62,8 +61,7 @@ in { }; other = { - useACMEHost = domain; - hostName = "*.${domain}"; + hostName = "*.${domain}:80"; extraConfig = '' respond 404 { body "uhh that doesnt exist, i hope this isnt my fault.." diff --git a/sys/machines/rackserv/caddy.nix b/sys/machines/rackserv/caddy.nix new file mode 100644 index 0000000..1799f0c --- /dev/null +++ b/sys/machines/rackserv/caddy.nix 
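Review bot: Now that mkPublicEntry listens on plain `:80`, its `reverse_proxy` block sees every request arriving from rackserv's Caddy, and by default Caddy does not trust `X-Forwarded-For` from a downstream it has not been told about, so the services behind these entries will see rackserv's address as the client unless `trusted_proxies` is configured in `globalConfig` (this hunk shows only `metrics`; if it is set elsewhere, ignore this). The fix is a `servers { trusted_proxies static <rackserv-wireguard-address> }` block in `globalConfig`, using the tunnel address that this diff does not show. The same `:80` downgrade is made for `base` and `other` in the last two hunks of this file; it is presumably acceptable because rackserv reaches 10.0.0.2 over the WireGuard tunnel that `wireguard-server.nix` manages, and a comment on each of the three entries should say so, e.g. `# plain HTTP on purpose: TLS terminates on rackserv, which reaches this host over WireGuard`. mkPublicEntry's body continues past the end of this hunk.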
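Review bot: `useACMEHost = domain` on mkPrivateEntry serves `${name}.hopper.priv.${domain}` with the certificate issued for `${domain}`, and a wildcard SAN of `*.${domain}` (the shape this commit gives the rackserv cert) covers only one label, so these private names will fail hostname validation unless hopper's cert also lists `*.hopper.priv.${domain}` in `extraDomainNames`. Hopper's `security.acme` block is not in this diff, so please confirm that before merging. If the extra SAN is there, a comment here saves the next reader the same check, e.g. `# the ${domain} cert must carry *.hopper.priv.${domain} as an extra SAN`. mkPrivateEntry's body continues past the end of this hunk.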
@@ -0,0 +1,43 @@
+{
+ vars,
+ config,
+ ...
+}: let
+ inherit (vars) domain;
+ hopper = "10.0.0.2";
+in {
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "xunuwu@gmail.com";
+ certs = {
+ "${domain}" = {
+ domain = "${domain}";
+ extraDomainNames = ["*.${domain}"];
+ dnsProvider = "cloudflare";
+ reloadServices = ["caddy.service"];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
+ };
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ misc = {
+ hostName = "${domain}";
+ serverAliases = ["*.${domain}"];
+ useACMEHost = domain;
+ extraConfig = ''
+ reverse_proxy ${hopper}
+ '';
+ };
+ other = {
+ extraConfig = ''
+ respond 404
+ '';
+ };
+ };
+ };
+}
diff --git a/sys/machines/rackserv/default.nix b/sys/machines/rackserv/default.nix
index 5301313..1665f87 100644
--- a/sys/machines/rackserv/default.nix
+++ b/sys/machines/rackserv/default.nix
@@ -12,6 +12,7 @@
 ./fail2ban.nix
 ./wireguard-server.nix
 ./backups.nix
+ ./caddy.nix
 ]
 ++ (map (x: systemProfiles + x) [
 /secrets/default.nix
diff --git a/sys/machines/rackserv/wireguard-server.nix b/sys/machines/rackserv/wireguard-server.nix
index ac24f23..476e7c4 100644
--- a/sys/machines/rackserv/wireguard-server.nix
+++ b/sys/machines/rackserv/wireguard-server.nix
@@ -7,7 +7,7 @@
 networking.firewall = let
 forwardPorts = {
 "10.0.0.2" =
- [24001 24002 24003 443 80]
+ [24001 24002 24003]
 |> map (n: {
 protocols = ["tcp"];
 port = n;
diff --git a/sys/profiles/secrets/rackserv/cloudflare b/sys/profiles/secrets/rackserv/cloudflare
new file mode 100644
index 0000000..a4f5c02
--- /dev/null
+++ b/sys/profiles/secrets/rackserv/cloudflare
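Review bot: The `other` virtual host has no `hostName`, so the NixOS Caddy module falls back to the attribute name and emits a site block for the literal host `other` rather than a fallback for unknown hosts, and Caddy may well try to obtain a certificate for that name. Either give it the address it is meant to catch or drop it, since `misc` with `serverAliases = ["*.${domain}"]` already answers everything under the domain; note that the hopper file spells its fallback host as `*.${domain}` explicitly. Separately, `reverse_proxy ${hopper}` is plain HTTP to 10.0.0.2, which is presumably the WireGuard peer given the `forwardPorts` entry in `wireguard-server.nix`; that assumption should sit next to the line, e.g. `# plain HTTP is deliberate: 10.0.0.2 is hopper's WireGuard address and TLS terminates here`.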
@@ -0,0 +1,19 @@
+{
+ "data": "ENC[AES256_GCM,data:BPJY1u5e20gtD8RrPDerlI/aUUxYD59WbhkzXEd6szQxKPO/s7SI8cQ=,iv:ZkFo0j58cmSIh4vTg6Is991PPG5Frax1k2M6Ew0p1yU=,tag:1CW8hUHcZwNH3eNFbCjkew==,type:str]",
+ "sops": {
+ "age": [
+ {
+ "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdHJZMEd5VXV5Wk9Mc0Ft\nZFJaWHE3RFp6SWdpMzZocmtYM1JwTlN6a1hRCldLY0JpK2FLYk8xWk5wb3JYbDNu\nOGZIV3orT1FGVmRjSmx3d1BBbHRPUGMKLS0tIEVDckh6WHFhUEE3RFNReVd2UStG\nTEdWNU5XME0yTUVQTWFPMnFBR0x6UjAK1ir6TPYOptK/LssBSwZJJQNWVhhEk5vw\noWRJO5RZLcSZyYV3v0QMrBP2rowlFEU47ZR6CNV+0Fmba+UmQlJtYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1zutg3s4nth679a6av9xqw4km0ezmfkxlnusu78demf0rzazqn3pqk9exgj",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdHVWZmtuaFNNbXBtQ0FZ\nUjJaRS9ZclJab0txRHJ4WnJ0NWVpd2gxakhnCk5zMEh2ZDRyd2RtR2FqTk95SXJF\nMVN1SWxMb0tyMDdmRDhjcXhlNkpHQ00KLS0tIDQ3aVNWWFFIVjI4UVRPNVFKRk54\nMElMeHJyNU5Ob3IrcnViSjhpd290OTAK77rJSSkGqku0sRcEtNAuMMUO8WLg4bMt\nQaS+WqT7iO7ZC0U+JiCvDl9pJ1h6miF03wSQwNk35C2UsofVVK0aDQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-06-06T04:48:55Z",
+ "mac": "ENC[AES256_GCM,data:5LizA5pZtuhLszRosowCqa9lo9kPSELFTTPZ6PCwSspRwOFAfiB5d3iP2IHlLlc/E6ou+V3jGTj5xqllauwaKkq62PUHwj941QUeXXmdXHZAL9ERJcwwFLENbf2p/2LZxNo47PCqdJJdtfHBot9lYDyfZ2T9edKKnaQG8PShpao=,iv:nuC0EVMkNkfpO7b1CRbAL1EgbfMeSy0MeQtA1tmF598=,tag:WEX+v7zJS0fnV6lnGZo1Kw==,type:str]",
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.10.2"
+ }
+}
diff --git a/sys/profiles/secrets/rackserv/default.nix b/sys/profiles/secrets/rackserv/default.nix
index a45238c..9bf2957 100644
--- a/sys/profiles/secrets/rackserv/default.nix
+++ b/sys/profiles/secrets/rackserv/default.nix
@@ -9,5 +9,9 @@
 format = "binary";
 sopsFile = ./restic-password;
 };
+ cloudflare = {
+ format = "binary";
+ sopsFile = ./cloudflare;
+ };
 };
 }