Review caddy settings

+55 -11
+43 -5
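--- a/modules/server/caddy.nix
+++ b/modules/server/caddy.nix
@@ -20,7 +20,7 @@
 handle_path /vault/* {
 reverse_proxy /notifications/hub/negotiate 127.0.0.1:8000
 reverse_proxy /notifications/hub 127.0.0.1:8001
-reverse_proxy localhost:8000 {
+reverse_proxy 127.0.0.1:8000 {
 header_up X-Real-IP {remote_host}
 }
 }
@@ -31,7 +31,7 @@
 redir * /media/
 }
 
-reverse_proxy /media/* localhost:8096 {
+reverse_proxy /media/* 127.0.0.1:8096 {
 header_up X-Real-IP {remote_host}
 }
 '' else "";
@@ -44,13 +44,30 @@
 
 tailscaleConfig = if tailscaleEnabled then ''
 ${hostname}.${domain} {
+bind tailscale0
+tls {
+protocols tls1.3
+}
 import network_paths
 }
 '' else "";
 
 knotConfig = if knotEnabled then ''
 ${cfg.tangled.hostname} {
-reverse_proxy ${config.services.tangled.knot.server.listenAddr}
+log
+request_body {
+max_size 512MB
+}
+header {
+X-Content-Type-Options nosniff
+X-Frame-Options DENY
+Referrer-Policy strict-origin-when-cross-origin
+Strict-Transport-Security "max-age=31536000"
+-Server
+}
+reverse_proxy ${config.services.tangled.knot.server.listenAddr} {
+header_up X-Real-IP {remote_host}
+}
 }
 '' else "";
 
@@ -86,7 +103,7 @@
 
 exposeFolders = mkOption {
 default = {};
-description = "Folders to expose via Cadddy.";
+description = "Folders to expose via Caddy.";
 example = { files = "/share/files"; };
 type = types.attrsOf types.str;
 };
@@ -100,10 +117,31 @@
 services.caddy = {
 enable = true;
 email = "phil@kitten.sh";
+globalConfig = ''
+servers {
+timeouts {
+read_body 10s
+read_header 5s
+idle 60s
+}
+max_header_size 16384
+protocols h1 h2 h3
+}
+'';
 extraConfig = let
 addresses = filter (x: x != null) [ cfgRouter.address "127.0.0.1" "[::1]" ];
 in ''
 (network_paths) {
+request_body {
+max_size 10MB
+}
+header {
+X-Content-Type-Options nosniff
+X-Frame-Options SAMEORIGIN
+Referrer-Policy strict-origin-when-cross-origin
+Strict-Transport-Security "max-age=31536000"
+-Server
+}
 ${vaultwardenHandlerConfig}
 ${jellyfinHandlerConfig}
 ${hassHandlerConfig}
@@ -115,7 +153,7 @@
 
 :80 {
 bind ${concatStringsSep " " addresses}
-import network_paths
+redir https://${if cfgRouter.address != null then cfgRouter.address else "{host}"}{uri} permanent
 }
 
 :443 {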
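Review bot: The global `timeouts { read_body 10s }` added in the services.caddy hunk is in tension with `request_body { max_size 512MB }` in the knot site block: if read_body bounds the time allowed to read the whole upload, as its name suggests, a git push anywhere near 512MB cannot finish within 10s, so the limit should be raised or the 512MB ceiling revisited so the two settings describe the same intended client. The same applies, far less severely, to the 10MB limit on network_paths. Separately, the `:80` server now only redirects, so the HSTS header in network_paths is only ever emitted on the `:443` and Tailscale sites; a one-line comment above that `header {` block saying so (`# served on :443 and the tailnet site only; :80 redirects`) would save the next reader from wondering why it is not on the plain-HTTP listener. The services.caddy attribute set continues past the end of this section.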
+10 -4
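--- a/modules/server/tailscale.nix
+++ b/modules/server/tailscale.nix
@@ -13,14 +13,20 @@
 description = "Whether to enable Tailscale.";
 type = types.bool;
 };
+
+domain = mkOption {
+default = "fable-pancake.ts.net";
+description = "Tailscale MagicDNS domain.";
+type = types.str;
+};
 };
 
 config = mkIf (cfg.enable && cfgRoot.enable) (helpers.linuxAttrs {
 networking = {
-domain = mkIf cfgRouter.enable "fable-pancake.ts.net";
-search = [ "fable-pancake.ts.net" ];
+domain = mkIf cfgRouter.enable cfg.domain;
+search = [ cfg.domain ];
 firewall.trustedInterfaces = [ "tailscale0" ];
-hosts."${cfgRouter.address}" = mkIf cfgRouter.enable [ "${hostname}.fable-pancake.ts.net" hostname ];
+hosts."${cfgRouter.address}" = mkIf cfgRouter.enable [ "${hostname}.${cfg.domain}" hostname ];
 };
 
 age.secrets."tailscale" = {
@@ -43,7 +49,7 @@
 
 environment.systemPackages = mkIf config.modules.desktop.enable [ pkgs.tail-tray ];
 } // helpers.darwinAttrs {
-networking.search = [ "fable-pancake.ts.net" ];
+networking.search = [ cfg.domain ];
 
 services.tailscale = {
 enable = true;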
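Review bot: The new `domain` option's description, `Tailscale MagicDNS domain.`, does not say that the default `fable-pancake.ts.net` is this repository's own tailnet and has to be overridden for any other tailnet, nor that other modules build the host's public HTTPS URLs from it (vaultwarden.nix now reads `cfg.tailscale.domain` for its base URL in this same commit). Suggest `description = "MagicDNS domain of the tailnet this host belongs to (the default is the author's tailnet; override it elsewhere). Also used to build the host's HTTPS base URLs.";`. The enclosing options set starts before the beginning of this section.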
+2 -2
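--- a/modules/server/vaultwarden.nix
+++ b/modules/server/vaultwarden.nix
@@ -2,7 +2,7 @@
 
 with lib;
 let
-address = config.modules.router.adress;
+address = config.modules.router.address;
 cfg = config.modules.server;
 in helpers.linuxAttrs {
 options.modules.server.vaultwarden = {
@@ -17,7 +17,7 @@
 config = mkIf (cfg.enable && cfg.vaultwarden.enable) {
 services.vaultwarden = let
 baseURL = if (cfg.caddy.enable && cfg.tailscale.enable)
-then "https://${hostname}.fable-pancake.ts.net/vault/"
+then "https://${hostname}.${cfg.tailscale.domain}/vault/"
 else if cfg.caddy.enable then "http://${address}/vault/"
 else "http://${address}:8000/vault/";
 in {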
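Review bot: With `config.modules.router.adress` corrected to `address`, the `else if cfg.caddy.enable then "http://${address}/vault/"` branch can now evaluate, but the caddy.nix change in the same commit turns the `:80` listener into a permanent redirect to https, so that plain-http base URL names an origin clients are immediately sent away from; if baseURL feeds Vaultwarden's advertised domain as the name suggests, the Caddy-but-no-Tailscale case should presumably be `"https://${address}/vault/"`, leaving only the final no-Caddy branch on http. Worth confirming against how the value is consumed below. The `let` binding continues past the end of this section (`in {` opens the attribute set that follows).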