diff --git a/hosts/pek0/Caddyfile b/hosts/pek0/Caddyfile deleted file mode 100644 index a4a5109..0000000 --- a/hosts/pek0/Caddyfile +++ /dev/null @@ -1,67 +0,0 @@ -{ - servers { - trusted_proxies static private_ranges - trusted_proxies_strict - } -} - -(default) { - encode zstd gzip - handle_path /robots.txt { - file_server * { - root @robots@ - } - } -} - -http://pek0.ny4.dev:80 { - import default - basicauth { - prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/. - } - reverse_proxy localhost:9091 -} - -http://mastodon.ny4.dev:80 { - import default - handle_path /system/* { - file_server * { - root /var/lib/mastodon/public-system - } - } - - handle /api/v1/streaming/* { - reverse_proxy unix//run/mastodon-streaming/streaming-1.socket { - header_up X-Forwarded-Proto "https" - } - } - - route * { - file_server * { - root @mastodon@/public - pass_thru - } - reverse_proxy * unix//run/mastodon-web/web.socket { - header_up X-Forwarded-Proto "https" - } - } - - handle_errors { - root * @mastodon@/public - rewrite 500.html - file_server - } -} - -http://matrix.ny4.dev:80 { - import default - reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock { - header_up X-Forwarded-Proto "https" - } - reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock { - header_up X-Forwarded-Proto "https" - } - reverse_proxy /health unix//run/matrix-synapse/synapse.sock { - header_up X-Forwarded-Proto "https" - } -} diff --git a/hosts/pek0/default.nix b/hosts/pek0/default.nix index 0e10fee..3b276b5 100644 --- a/hosts/pek0/default.nix +++ b/hosts/pek0/default.nix 
@@ -67,12 +67,21 @@ }; }; - services.caddy = { - enable = true; - configFile = pkgs.replaceVars ./Caddyfile { - robots = toString ../tyo0/robots.txt; - inherit (pkgs) mastodon; + services.caddy.enable = true; + services.caddy.settings.apps.http.servers.srv0 = { + listen = [ ":80" ]; + trusted_proxies = { + ranges = [ + "192.168.0.0/16" + "172.16.0.0/12" + "10.0.0.0/8" + "127.0.0.1/8" + "fd00::/8" + "::1" + ]; + source = "static"; }; + trusted_proxies_strict = 1; }; systemd.services.caddy.serviceConfig = { diff --git a/hosts/pek0/services/mastodon.nix b/hosts/pek0/services/mastodon.nix index c8e6d69..9dbcf86 100644 --- a/hosts/pek0/services/mastodon.nix +++ b/hosts/pek0/services/mastodon.nix @@ -1,4 +1,9 @@ -{ config, ... }: +{ + lib, + pkgs, + config, + ... +}: { services.mastodon = { enable = true; 
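Review bot: The six CIDRs listed under `trusted_proxies.ranges` are an unlabelled copy of what the deleted pek0 Caddyfile expressed as `trusted_proxies static private_ranges`, and nothing in the hunk records that, so a later reader cannot tell whether the list is a deliberate allow-list or a transcription that must track Caddy's shorthand. A comment above `ranges` such as `# Same set as Caddy's "private_ranges" shorthand used by the old Caddyfile; every host in these ranges is allowed to set X-Forwarded-* headers for this :80 listener` would make the trust boundary explicit. The server block listens only on `:80` and the service files force `X-Forwarded-Proto: https`, which presumably means a TLS terminator sits in front; that assumption is also worth stating next to `listen`. The enclosing attribute set continues outside the hunk.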
@@ -35,4 +40,82 @@ }; systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "mastodon.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "subroute"; + routes = [ + { + match = lib.singleton { + path = [ "/api/v1/streaming/*" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + headers.request.set."X-Forwarded-Proto" = [ "https" ]; + upstreams = lib.singleton { + dial = "unix//run/mastodon-streaming/streaming-1.socket"; + }; + }; + } + { + match = lib.singleton { + path = [ "/system/*" ]; + }; + handle = [ + { + handler = "rewrite"; + strip_path_prefix = "/system"; + } + { + handler = "file_server"; + root = "/var/lib/mastodon/public-system"; + } + ]; + } + { + handle = [ + { + handler = "file_server"; + root = "${pkgs.mastodon}/public"; + pass_thru = true; + } + { + handler = "reverse_proxy"; + headers.request.set."X-Forwarded-Proto" = [ "https" ]; + upstreams = lib.singleton { + dial = "unix//run/mastodon-web/web.socket"; + }; + } + ]; + } + ]; + }; + }; + + services.caddy.settings.apps.http.servers.srv0.errors.routes = lib.singleton { + match = lib.singleton { + host = [ "mastodon.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "subroute"; + routes = [ + { + handle = lib.singleton { + handler = "rewrite"; + uri = "500.html"; + }; + } + { + handle = lib.singleton { + handler = "file_server"; + root = "${pkgs.mastodon}/public"; + }; + } + ]; + }; + }; + } diff --git a/hosts/pek0/services/matrix.nix b/hosts/pek0/services/matrix.nix index 7c266e7..7c434cf 100644 --- a/hosts/pek0/services/matrix.nix +++ b/hosts/pek0/services/matrix.nix 
@@ -54,4 +54,29 @@ environment = config.networking.proxy.envVars; serviceConfig.RuntimeDirectory = [ "matrix-synapse" ]; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "matrix.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "subroute"; + routes = lib.singleton { + match = lib.singleton { + path = [ + "/_matrix/*" + "/_synapse/*" + "/health" + ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + headers.request.set."X-Forwarded-Proto" = [ "https" ]; + upstreams = lib.singleton { + dial = "unix//run/matrix-synapse/synapse.sock"; + }; + }; + }; + }; + }; } diff --git a/hosts/tyo0/Caddyfile b/hosts/tyo0/Caddyfile deleted file mode 100644 index 0656b88..0000000 --- a/hosts/tyo0/Caddyfile +++ /dev/null 
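Review bot: The path matcher on the new matrix.ny4.dev route proxies `/_synapse/*`, which is wider than the `/_synapse/client/*` prefix the deleted pek0 Caddyfile used and so now forwards the Synapse admin API under `/_synapse/admin/*` to the public listener as well. Unless exposing the admin endpoints externally is intended, keep the narrower prefix: `"/_synapse/client/*"`. If the widening is deliberate, a comment on the `path` list stating that the admin API is meant to be reachable here would stop the next reviewer from re-raising it. The enclosing attribute set of matrix.nix begins outside the hunk.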
@@ -1,115 +0,0 @@ -(default) { - encode zstd gzip - handle_path /robots.txt { - file_server * { - root /var/www/robots/robots.txt - } - } -} - -www.ny4.dev { - import default - redir https://blog.ny4.dev -} - -# get the certificate for hysteria -tyo0.ny4.dev { - import default - basicauth { - prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/. - } - reverse_proxy localhost:9091 -} - -ny4.dev { - import default - - # Synapse - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - handle_path /.well-known/matrix/* { - file_server * { - root /var/www/matrix - } - } - - # Mastodon - header /.well-known/webfinger Access-Control-Allow-Origin * - redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent - - # TODO: Build Hugo blog with Nix - # How do I use hugo modules without using FOD? - route * { - redir https://blog.ny4.dev - } -} - -pb.ny4.dev { - import default - reverse_proxy localhost:8200 -} - -ntfy.ny4.dev { - import default - reverse_proxy unix//run/ntfy-sh/ntfy.sock -} - -id.ny4.dev { - import default - reverse_proxy localhost:8800 -} - -element.ny4.dev { - import default - root * @element@ - header X-Frame-Options SAMEORIGIN; - header X-Content-Type-Options nosniff; - header X-XSS-Protection "1; mode=block"; - header Content-Security-Policy "frame-ancestors 'self'"; - file_server -} - -cinny.ny4.dev { - import default - - @index { - not path /index.html - not path /public/* - not path /assets/* - not path /config.json - not path /manifest.json - not path /pdf.worker.min.js - not path /olm.wasm - path /* - } - - root * @cinny@ - rewrite /*/olm.wasm /olm.wasm - rewrite @index /index.html - file_server -} - -git.ny4.dev { - import default - reverse_proxy unix//run/forgejo/forgejo.sock -} - -rss.ny4.dev { - import default - reverse_proxy localhost:9300 -} - -reddit.ny4.dev { - import default - reverse_proxy localhost:9400 -} - -vault.ny4.dev { - import default - 
reverse_proxy localhost:9500 -} - -prom.ny4.dev { - import default - reverse_proxy localhost:9090 -} diff --git a/hosts/tyo0/default.nix b/hosts/tyo0/default.nix index f35737d..b3a7238 100644 --- a/hosts/tyo0/default.nix +++ b/hosts/tyo0/default.nix @@ -23,6 +23,7 @@ ]; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + networking.hostName = "tyo0"; system.stateVersion = "24.05"; swapDevices = lib.singleton { 
@@ -57,32 +58,146 @@ 443 ]; - systemd.tmpfiles.settings = { - "10-www" = { - "/var/www/robots/robots.txt".C.argument = toString ./robots.txt; - "/var/www/matrix/client".C.argument = toString ./matrix-client.json; - "/var/www/matrix/server".C.argument = toString ./matrix-server.json; - }; + services.caddy.enable = true; + services.caddy.settings.apps.http.servers.srv0 = { + listen = [ ":443" ]; }; - services.caddy = { - enable = true; - configFile = pkgs.replaceVars ./Caddyfile { - "element" = pkgs.element-web.override { - conf.default_server_config."m.homeserver" = { - base_url = "https://matrix.ny4.dev"; - server_name = "ny4.dev"; + services.caddy.settings.apps.http.servers.srv0.routes = [ + { + match = lib.singleton { + host = [ "ny4.dev" ]; + path = [ "/.well-known/matrix/server" ]; + }; + handle = lib.singleton { + handler = "static_response"; + status_code = 200; + headers = { + Access-Control-Allow-Origin = [ "*" ]; + Content-Type = [ "application/json" ]; + }; + body = builtins.toJSON { + "m.server" = "matrix.ny4.dev:443"; }; }; - - "cinny" = pkgs.cinny.override { - conf = { - defaultHomeserver = 0; - homeserverList = [ "ny4.dev" ]; + } + { + match = lib.singleton { + host = [ "ny4.dev" ]; + path = [ "/.well-known/matrix/client" ]; + }; + handle = lib.singleton { + handler = "static_response"; + status_code = 200; + headers = { + Access-Control-Allow-Origin = [ "*" ]; + Content-Type = [ "application/json" ]; + }; + body = builtins.toJSON { + "m.homeserver" = { + "base_url" = "https://matrix.ny4.dev"; + }; }; }; - }; - }; + } + { + match = lib.singleton { + host = [ "ny4.dev" ]; + path = [ "/.well-known/webfinger" ]; + }; + handle = lib.singleton { + handler = "static_response"; + status_code = 301; + headers = { + Access-Control-Allow-Origin = [ "*" ]; + Location = [ "https://mastodon.ny4.dev{http.request.uri}" ]; + }; + }; + } + { + match = lib.singleton { + host = [ "ny4.dev" ]; + }; + handle = lib.singleton { + handler = "static_response"; + status_code = 
302; + headers = { + Location = [ "https://blog.ny4.dev" ]; + }; + }; + } + { + match = lib.singleton { + host = [ "element.ny4.dev" ]; + }; + handle = [ + { + handler = "headers"; + response.set = { + X-Frame-Options = [ "SAMEORIGIN" ]; + X-Content-Type-Options = [ "nosniff" ]; + X-XSS-Protection = [ "1; mode=block" ]; + Content-Security-Policy = [ "frame-ancestors 'self'" ]; + }; + } + { + handler = "file_server"; + root = pkgs.element-web.override { + conf.default_server_config."m.homeserver" = { + base_url = "https://matrix.ny4.dev"; + server_name = "ny4.dev"; + }; + }; + } + ]; + } + { + match = lib.singleton { + host = [ "cinny.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "subroute"; + routes = [ + { + match = [ { "path" = [ "/*/olm.wasm" ]; } ]; + handle = lib.singleton { + handler = "rewrite"; + uri = "/olm.wasm"; + }; + } + { + match = lib.singleton { + not = [ + { path = [ "/index.html" ]; } + { path = [ "/public/*" ]; } + { path = [ "/assets/*" ]; } + { path = [ "/config.json" ]; } + { path = [ "/manifest.json" ]; } + { path = [ "/pdf.worker.min.js" ]; } + { path = [ "/olm.wasm" ]; } + ]; + path = [ "/*" ]; + }; + handle = lib.singleton { + handler = "rewrite"; + uri = "/index.html"; + }; + } + { + handle = lib.singleton { + handler = "file_server"; + root = pkgs.cinny.override { + conf = { + defaultHomeserver = 0; + homeserverList = [ "ny4.dev" ]; + }; + }; + }; + } + ]; + }; + } + ]; services.postgresql = { package = pkgs.postgresql_16; diff --git a/hosts/tyo0/matrix-client.json b/hosts/tyo0/matrix-client.json deleted file mode 100644 index b46b51a..0000000 --- a/hosts/tyo0/matrix-client.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "m.homeserver": { - "base_url": "https://matrix.ny4.dev" - } -} diff --git a/hosts/tyo0/matrix-server.json b/hosts/tyo0/matrix-server.json deleted file mode 100644 index 938e84e..0000000 --- a/hosts/tyo0/matrix-server.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "m.server": "matrix.ny4.dev:443" -} 
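Review bot: The deleted tyo0 Caddyfile had a `www.ny4.dev` site that redirected to `https://blog.ny4.dev`, but the new `srv0.routes` list in this hunk carries no route with `host = [ "www.ny4.dev" ]`, so after this change that hostname is neither served nor gets a certificate provisioned. Every other site from that Caddyfile reappears either here or in the per-service files, which suggests the omission is accidental. Adding a `static_response` route with `status_code = 302` (the default for the old `redir`) restores it; the routes list continues past the hunk into the `services.postgresql` block, so the insertion point is the head of the list.
```nix
services.caddy.settings.apps.http.servers.srv0.routes = [
  {
    match = lib.singleton {
      host = [ "www.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "static_response";
      status_code = 302;
      headers = {
        Location = [ "https://blog.ny4.dev" ];
      };
    };
  }
  # … unchanged: ny4.dev, element.ny4.dev and cinny.ny4.dev routes …
];
```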
diff --git a/hosts/tyo0/robots.txt b/hosts/tyo0/robots.txt deleted file mode 100644 index fbbc48e..0000000 --- a/hosts/tyo0/robots.txt +++ /dev/null @@ -1,4 +0,0 @@ -User-Agent: * -Disallow: /harming/humans -Disallow: /ignoring/human/orders -Disallow: /harm/to/self diff --git a/hosts/tyo0/services/forgejo.nix b/hosts/tyo0/services/forgejo.nix index 1d134e2..4956069 100644 --- a/hosts/tyo0/services/forgejo.nix +++ b/hosts/tyo0/services/forgejo.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ lib, pkgs, ... }: { services.forgejo = { enable = true; @@ -26,4 +26,14 @@ }; }; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "git.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "unix//run/forgejo/forgejo.sock"; } ]; + }; + }; } diff --git a/hosts/tyo0/services/keycloak.nix b/hosts/tyo0/services/keycloak.nix index 979b27c..dcad564 100644 --- a/hosts/tyo0/services/keycloak.nix +++ b/hosts/tyo0/services/keycloak.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ lib, pkgs, ... }: { services.keycloak = { enable = true; @@ -8,8 +8,17 @@ http-host = "127.0.0.1"; http-port = 8800; proxy = "edge"; - # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS. }; database.passwordFile = toString (pkgs.writeText "password" "keycloak"); }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "id.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "localhost:8800"; } ]; + }; + }; } diff --git a/hosts/tyo0/services/miniflux.nix b/hosts/tyo0/services/miniflux.nix index 2482a17..0746b8f 100644 --- a/hosts/tyo0/services/miniflux.nix +++ b/hosts/tyo0/services/miniflux.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ lib, config, ... }: { services.miniflux = { enable = true; 
@@ -14,4 +14,14 @@ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4"; }; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "rss.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "localhost:9300"; } ]; + }; + }; } diff --git a/hosts/tyo0/services/ntfy.nix b/hosts/tyo0/services/ntfy.nix index 25c6340..1cf1ee1 100644 --- a/hosts/tyo0/services/ntfy.nix +++ b/hosts/tyo0/services/ntfy.nix @@ -1,3 +1,4 @@ +{ lib, ... }: { services.ntfy-sh = { enable = true; @@ -11,4 +12,14 @@ }; systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = [ "ntfy-sh" ]; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "ntfy.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "unix//run/ntfy-sh/ntfy.sock"; } ]; + }; + }; } diff --git a/hosts/tyo0/services/prometheus.nix b/hosts/tyo0/services/prometheus.nix index 3b8046a..181f4ee 100644 --- a/hosts/tyo0/services/prometheus.nix +++ b/hosts/tyo0/services/prometheus.nix @@ -139,4 +139,14 @@ }; }; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "prom.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "127.0.0.1:9090"; } ]; + }; + }; } diff --git a/hosts/tyo0/services/redlib.nix b/hosts/tyo0/services/redlib.nix index caf0ea8..8093b3d 100644 --- a/hosts/tyo0/services/redlib.nix +++ b/hosts/tyo0/services/redlib.nix @@ -1,7 +1,18 @@ +{ lib, ... }: { services.redlib = { enable = true; address = "127.0.0.1"; port = 9400; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "reddit.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "localhost:9400"; } ]; + }; + }; } 
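Review bot: The redlib hunk binds the service to `address = "127.0.0.1"` but the new route dials `localhost:9400`, so the upstream name depends on resolver ordering of `::1` versus `127.0.0.1` rather than naming the socket the service actually listens on. The prometheus hunk on this same line already uses `dial = "127.0.0.1:9090"`; the same literal form would suit redlib: `upstreams = [ { dial = "127.0.0.1:9400"; } ];`. The keycloak (`http-host = "127.0.0.1"` vs `localhost:8800`), wastebin (`127.0.0.1:8200` vs `localhost:8200`), miniflux and vaultwarden hunks have the same mismatch. A second inconsistency across these files is `upstreams = [ { dial = …; } ]` in some and `upstreams = lib.singleton { dial = …; }` in others; picking one form keeps the generated JSON identical and the Nix easier to grep.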
diff --git a/hosts/tyo0/services/vaultwarden.nix b/hosts/tyo0/services/vaultwarden.nix index c735d17..0663ed5 100644 --- a/hosts/tyo0/services/vaultwarden.nix +++ b/hosts/tyo0/services/vaultwarden.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ lib, config, ... }: { services.vaultwarden = { enable = true; @@ -15,4 +15,14 @@ ORG_CREATION_USERS = "none"; }; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "vault.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "localhost:9500"; } ]; + }; + }; } diff --git a/hosts/tyo0/services/wastebin.nix b/hosts/tyo0/services/wastebin.nix index e324d8c..fbef1ac 100644 --- a/hosts/tyo0/services/wastebin.nix +++ b/hosts/tyo0/services/wastebin.nix @@ -1,6 +1,17 @@ +{ lib, ... }: { services.wastebin = { enable = true; settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200"; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ "pb.ny4.dev" ]; + }; + handle = lib.singleton { + handler = "reverse_proxy"; + upstreams = [ { dial = "localhost:8200"; } ]; + }; + }; } diff --git a/nixos/profiles/prometheus/default.nix b/nixos/profiles/prometheus/default.nix index fe41da6..0fe4b4b 100644 --- a/nixos/profiles/prometheus/default.nix +++ b/nixos/profiles/prometheus/default.nix @@ -1,3 +1,4 @@ +{ config, lib, ... }: { services.prometheus.exporters.node = { enable = true; 
@@ -5,4 +6,24 @@ port = 9091; enabledCollectors = [ "systemd" ]; }; + + services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton { + match = lib.singleton { + host = [ config.networking.fqdn ]; + path = [ "/metrics" ]; + }; + handle = [ + { + handler = "authentication"; + providers.http_basic.accounts = lib.singleton { + username = "prometheus"; + password = "$2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/."; + }; + } + { + handler = "reverse_proxy"; + upstreams = lib.singleton { dial = "127.0.0.1:9091"; }; + } + ]; + }; } diff --git a/nixos/profiles/server/default.nix b/nixos/profiles/server/default.nix index 621dfe1..057fea1 100644 --- a/nixos/profiles/server/default.nix +++ b/nixos/profiles/server/default.nix @@ -19,4 +19,6 @@ ]; time.timeZone = "UTC"; + + networking.domain = "ny4.dev"; }
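Review bot: The new `/metrics` route gates the exporter with `http_basic` but is matched on `config.networking.fqdn`, and on pek0 the only listener this commit defines is `:80`, so the credential travels in cleartext unless an external TLS terminator fronts that port. The forced `X-Forwarded-Proto: https` in the pek0 service files suggests one exists; a comment above `handler = "authentication"` such as `# Credentials are only protected in transit where :80 is reached through the TLS-terminating proxy trusted in trusted_proxies` would record that dependency. `config.networking.fqdn` also evaluates only when `networking.domain` is set, which this commit does in the server profile; a host importing this profile without that one would fail evaluation, which is worth a line in the same comment. The enclosing attribute set starts outside the hunk.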