nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos/caddy: caddyfile -> rfc42

Browse source
This commit is contained in:
Guanran Wang 2024-08-31 10:15:09 +08:00
parent 5bf6e5f576
commit 602995c205
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
19 changed files with 368 additions and 225 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
hosts/pek0/Caddyfile
View file

@ -1,67 +0,0 @@
{
servers {
trusted_proxies static private_ranges
trusted_proxies_strict
}
}
(default) {
encode zstd gzip
handle_path /robots.txt {
file_server * {
root @robots@
}
}
}
http://pek0.ny4.dev:80 {
import default
basicauth {
prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
}
reverse_proxy localhost:9091
}
http://mastodon.ny4.dev:80 {
import default
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
header_up X-Forwarded-Proto "https"
}
}
route * {
file_server * {
root @mastodon@/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket {
header_up X-Forwarded-Proto "https"
}
}
handle_errors {
root * @mastodon@/public
rewrite 500.html
file_server
}
}
http://matrix.ny4.dev:80 {
import default
reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock {
header_up X-Forwarded-Proto "https"
}
reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock {
header_up X-Forwarded-Proto "https"
}
reverse_proxy /health unix//run/matrix-synapse/synapse.sock {
header_up X-Forwarded-Proto "https"
}
}

19
hosts/pek0/default.nix
View file

@ -67,12 +67,21 @@
};
};
services.caddy = {
enable = true;
configFile = pkgs.replaceVars ./Caddyfile {
robots = toString ../tyo0/robots.txt;
inherit (pkgs) mastodon;
services.caddy.enable = true;
services.caddy.settings.apps.http.servers.srv0 = {
listen = [ ":80" ];
trusted_proxies = {
ranges = [
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"127.0.0.1/8"
"fd00::/8"
"::1"
];
source = "static";
};
trusted_proxies_strict = 1;
};
systemd.services.caddy.serviceConfig = {

85
hosts/pek0/services/mastodon.nix
View file

@ -1,4 +1,9 @@
{ config, ... }:
{
lib,
pkgs,
config,
...
}:
{
services.mastodon = {
enable = true;
@ -35,4 +40,82 @@
};
systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "mastodon.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = [
{
match = lib.singleton {
path = [ "/api/v1/streaming/*" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
headers.request.set."X-Forwarded-Proto" = [ "https" ];
upstreams = lib.singleton {
dial = "unix//run/mastodon-streaming/streaming-1.socket";
};
};
}
{
match = lib.singleton {
path = [ "/system/*" ];
};
handle = [
{
handler = "rewrite";
strip_path_prefix = "/system";
}
{
handler = "file_server";
root = "/var/lib/mastodon/public-system";
}
];
}
{
handle = [
{
handler = "file_server";
root = "${pkgs.mastodon}/public";
pass_thru = true;
}
{
handler = "reverse_proxy";
headers.request.set."X-Forwarded-Proto" = [ "https" ];
upstreams = lib.singleton {
dial = "unix//run/mastodon-web/web.socket";
};
}
];
}
];
};
};
services.caddy.settings.apps.http.servers.srv0.errors.routes = lib.singleton {
match = lib.singleton {
host = [ "mastodon.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = [
{
handle = lib.singleton {
handler = "rewrite";
uri = "500.html";
};
}
{
handle = lib.singleton {
handler = "file_server";
root = "${pkgs.mastodon}/public";
};
}
];
};
};
}

25
hosts/pek0/services/matrix.nix
View file

@ -54,4 +54,29 @@
environment = config.networking.proxy.envVars;
serviceConfig.RuntimeDirectory = [ "matrix-synapse" ];
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "matrix.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = lib.singleton {
match = lib.singleton {
path = [
"/_matrix/*"
"/_synapse/*"
"/health"
];
};
handle = lib.singleton {
handler = "reverse_proxy";
headers.request.set."X-Forwarded-Proto" = [ "https" ];
upstreams = lib.singleton {
dial = "unix//run/matrix-synapse/synapse.sock";
};
};
};
};
};
}

115
hosts/tyo0/Caddyfile
View file

@ -1,115 +0,0 @@
(default) {
encode zstd gzip
handle_path /robots.txt {
file_server * {
root /var/www/robots/robots.txt
}
}
}
www.ny4.dev {
import default
redir https://blog.ny4.dev
}
# get the certificate for hysteria
tyo0.ny4.dev {
import default
basicauth {
prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
}
reverse_proxy localhost:9091
}
ny4.dev {
import default
# Synapse
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/matrix/* {
file_server * {
root /var/www/matrix
}
}
# Mastodon
header /.well-known/webfinger Access-Control-Allow-Origin *
redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent
# TODO: Build Hugo blog with Nix
# How do I use hugo modules without using FOD?
route * {
redir https://blog.ny4.dev
}
}
pb.ny4.dev {
import default
reverse_proxy localhost:8200
}
ntfy.ny4.dev {
import default
reverse_proxy unix//run/ntfy-sh/ntfy.sock
}
id.ny4.dev {
import default
reverse_proxy localhost:8800
}
element.ny4.dev {
import default
root * @element@
header X-Frame-Options SAMEORIGIN;
header X-Content-Type-Options nosniff;
header X-XSS-Protection "1; mode=block";
header Content-Security-Policy "frame-ancestors 'self'";
file_server
}
cinny.ny4.dev {
import default
@index {
not path /index.html
not path /public/*
not path /assets/*
not path /config.json
not path /manifest.json
not path /pdf.worker.min.js
not path /olm.wasm
path /*
}
root * @cinny@
rewrite /*/olm.wasm /olm.wasm
rewrite @index /index.html
file_server
}
git.ny4.dev {
import default
reverse_proxy unix//run/forgejo/forgejo.sock
}
rss.ny4.dev {
import default
reverse_proxy localhost:9300
}
reddit.ny4.dev {
import default
reverse_proxy localhost:9400
}
vault.ny4.dev {
import default
reverse_proxy localhost:9500
}
prom.ny4.dev {
import default
reverse_proxy localhost:9090
}

139
hosts/tyo0/default.nix
View file

@ -23,6 +23,7 @@
];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
networking.hostName = "tyo0";
system.stateVersion = "24.05";
swapDevices = lib.singleton {
@ -57,32 +58,146 @@
443
];
systemd.tmpfiles.settings = {
"10-www" = {
"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
"/var/www/matrix/client".C.argument = toString ./matrix-client.json;
"/var/www/matrix/server".C.argument = toString ./matrix-server.json;
};
services.caddy.enable = true;
services.caddy.settings.apps.http.servers.srv0 = {
listen = [ ":443" ];
};
services.caddy = {
enable = true;
configFile = pkgs.replaceVars ./Caddyfile {
"element" = pkgs.element-web.override {
services.caddy.settings.apps.http.servers.srv0.routes = [
{
match = lib.singleton {
host = [ "ny4.dev" ];
path = [ "/.well-known/matrix/server" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 200;
headers = {
Access-Control-Allow-Origin = [ "*" ];
Content-Type = [ "application/json" ];
};
body = builtins.toJSON {
"m.server" = "matrix.ny4.dev:443";
};
};
}
{
match = lib.singleton {
host = [ "ny4.dev" ];
path = [ "/.well-known/matrix/client" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 200;
headers = {
Access-Control-Allow-Origin = [ "*" ];
Content-Type = [ "application/json" ];
};
body = builtins.toJSON {
"m.homeserver" = {
"base_url" = "https://matrix.ny4.dev";
};
};
};
}
{
match = lib.singleton {
host = [ "ny4.dev" ];
path = [ "/.well-known/webfinger" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 301;
headers = {
Access-Control-Allow-Origin = [ "*" ];
Location = [ "https://mastodon.ny4.dev{http.request.uri}" ];
};
};
}
{
match = lib.singleton {
host = [ "ny4.dev" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 302;
headers = {
Location = [ "https://blog.ny4.dev" ];
};
};
}
{
match = lib.singleton {
host = [ "element.ny4.dev" ];
};
handle = [
{
handler = "headers";
response.set = {
X-Frame-Options = [ "SAMEORIGIN" ];
X-Content-Type-Options = [ "nosniff" ];
X-XSS-Protection = [ "1; mode=block" ];
Content-Security-Policy = [ "frame-ancestors 'self'" ];
};
}
{
handler = "file_server";
root = pkgs.element-web.override {
conf.default_server_config."m.homeserver" = {
base_url = "https://matrix.ny4.dev";
server_name = "ny4.dev";
};
};
"cinny" = pkgs.cinny.override {
}
];
}
{
match = lib.singleton {
host = [ "cinny.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = [
{
match = [ { "path" = [ "/*/olm.wasm" ]; } ];
handle = lib.singleton {
handler = "rewrite";
uri = "/olm.wasm";
};
}
{
match = lib.singleton {
not = [
{ path = [ "/index.html" ]; }
{ path = [ "/public/*" ]; }
{ path = [ "/assets/*" ]; }
{ path = [ "/config.json" ]; }
{ path = [ "/manifest.json" ]; }
{ path = [ "/pdf.worker.min.js" ]; }
{ path = [ "/olm.wasm" ]; }
];
path = [ "/*" ];
};
handle = lib.singleton {
handler = "rewrite";
uri = "/index.html";
};
}
{
handle = lib.singleton {
handler = "file_server";
root = pkgs.cinny.override {
conf = {
defaultHomeserver = 0;
homeserverList = [ "ny4.dev" ];
};
};
};
}
];
};
}
];
services.postgresql = {
package = pkgs.postgresql_16;

5
hosts/tyo0/matrix-client.json
View file

@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://matrix.ny4.dev"
}
}

3
hosts/tyo0/matrix-server.json
View file

@ -1,3 +0,0 @@
{
"m.server": "matrix.ny4.dev:443"
}

4
hosts/tyo0/robots.txt
View file

@ -1,4 +0,0 @@
User-Agent: *
Disallow: /harming/humans
Disallow: /ignoring/human/orders
Disallow: /harm/to/self

12
hosts/tyo0/services/forgejo.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ lib, pkgs, ... }:
{
services.forgejo = {
enable = true;
@ -26,4 +26,14 @@
};
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "git.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "unix//run/forgejo/forgejo.sock"; } ];
};
};
}

13
hosts/tyo0/services/keycloak.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ lib, pkgs, ... }:
{
services.keycloak = {
enable = true;
@ -8,8 +8,17 @@
http-host = "127.0.0.1";
http-port = 8800;
proxy = "edge";
# proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
};
database.passwordFile = toString (pkgs.writeText "password" "keycloak");
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "id.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:8800"; } ];
};
};
}

12
hosts/tyo0/services/miniflux.nix
View file

@ -1,4 +1,4 @@
{ config, ... }:
{ lib, config, ... }:
{
services.miniflux = {
enable = true;
@ -14,4 +14,14 @@
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "rss.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:9300"; } ];
};
};
}

11
hosts/tyo0/services/ntfy.nix
View file

@ -1,3 +1,4 @@
{ lib, ... }:
{
services.ntfy-sh = {
enable = true;
@ -11,4 +12,14 @@
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = [ "ntfy-sh" ];
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "ntfy.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "unix//run/ntfy-sh/ntfy.sock"; } ];
};
};
}

10
hosts/tyo0/services/prometheus.nix
View file

@ -139,4 +139,14 @@
};
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "prom.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "127.0.0.1:9090"; } ];
};
};
}

11
hosts/tyo0/services/redlib.nix
View file

@ -1,7 +1,18 @@
{ lib, ... }:
{
services.redlib = {
enable = true;
address = "127.0.0.1";
port = 9400;
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "reddit.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:9400"; } ];
};
};
}

12
hosts/tyo0/services/vaultwarden.nix
View file

@ -1,4 +1,4 @@
{ config, ... }:
{ lib, config, ... }:
{
services.vaultwarden = {
enable = true;
@ -15,4 +15,14 @@
ORG_CREATION_USERS = "none";
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "vault.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:9500"; } ];
};
};
}

11
hosts/tyo0/services/wastebin.nix
View file

@ -1,6 +1,17 @@
{ lib, ... }:
{
services.wastebin = {
enable = true;
settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "pb.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:8200"; } ];
};
};
}

21
nixos/profiles/prometheus/default.nix
View file

@ -1,3 +1,4 @@
{ config, lib, ... }:
{
services.prometheus.exporters.node = {
enable = true;
@ -5,4 +6,24 @@
port = 9091;
enabledCollectors = [ "systemd" ];
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ config.networking.fqdn ];
path = [ "/metrics" ];
};
handle = [
{
handler = "authentication";
providers.http_basic.accounts = lib.singleton {
username = "prometheus";
password = "$2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.";
};
}
{
handler = "reverse_proxy";
upstreams = lib.singleton { dial = "127.0.0.1:9091"; };
}
];
};
}

2
nixos/profiles/server/default.nix
View file

@ -19,4 +19,6 @@
];
time.timeZone = "UTC";
networking.domain = "ny4.dev";
}