Split up caddy config · yemou.pink/nix-configs@3266516

+22 -5

dandelion/config.nix

··· 3 3 imports = [ 4 4 ./hardware.nix 5 5 ./packages.nix 6 - ./services/caddy.nix 7 6 8 7 ../modules/basic.nix 8 + ../modules/caddy.nix 9 9 ../modules/development/nix.nix 10 10 ../modules/development/sh.nix 11 11 ../modules/editor.nix ··· 18 18 ../modules/remoteBuildMachines.nix 19 19 ../modules/sss.nix 20 20 21 - ../modules/services/caddy.nix 21 + ../modules/services/caddy 22 + # ../modules/services/caddy/cp-certs.nix 23 + ../modules/services/caddy/matrix.nix 24 + ../modules/services/caddy/nextcloud.nix 25 + ../modules/services/caddy/pds.nix 26 + ../modules/services/caddy/soju.nix 27 + ../modules/services/caddy/tangled-knot.nix 28 + ../modules/services/caddy/websites/org-butwho.nix 29 + # ../modules/services/caddy/xmpp.nix 22 30 ../modules/services/openssh.nix 23 31 ../modules/services/soju.nix 24 32 ]; ··· 32 40 networking.hostName = "dandelion"; 33 41 nix.settings.max-jobs = 0; 34 42 35 - garden.info.host = { 36 - sss-mount = true; 37 - vps = true; 43 + garden = { 44 + caddy.package = { 45 + plugins = [ 46 + "github.com/mholt/caddy-events-exec@v0.0.0-20231121214933-055bfd2e8b82" 47 + "github.com/mholt/caddy-l4@v0.0.0-20250124234235-87e3e5e2c7f9" 48 + ]; 49 + hash = "sha256-ydan4Lqeh4eMCpuWryXSdcqQ3CBVCxVwPqUcVPedZy0="; 50 + }; 51 + info.host = { 52 + sss-mount = true; 53 + vps = true; 54 + }; 38 55 }; 39 56 40 57 # This option defines the first version of NixOS you have installed on this particular machine,

-183

dandelion/services/caddy.nix

··· 1 - # TODO: Put the sss import in this directory since it makes direct use of it 2 - # TODO: Separate caddy config into separate files 3 - { config, pkgs, ... }: 4 - let 5 - lily = config.garden.info.network.lily.netbird-ip; 6 - cpCerts = pkgs.writeShellApplication { 7 - name = "cpCerts"; 8 - runtimeInputs = with pkgs; [ coreutils ]; 9 - text = '' 10 - prog_name=''${0##*/} 11 - 12 - case $1 in 13 - "proxy.butwho.org" | "conference.butwho.org" | "pubsub.butwho.org" | \ 14 - "upload.butwho.org" | "butwho.org" ) 15 - caddy_path="/var/lib/caddy/.local/share/caddy" 16 - printf '%s\n' "$prog_name: Copying certs for '$1' to /sss/certs/$1" 17 - 18 - mkdir -p "/sss/certs/$1" 19 - cp -f "$caddy_path/$2" "/sss/certs/$1" 20 - cp -f "$caddy_path/$3" "/sss/certs/$1" 21 - 22 - # Read both the .crt file and the .key file to make a .pem 23 - crt=$(cat "$caddy_path/$2") 24 - key=$(cat "$caddy_path/$3") 25 - printf '%s\n\n%s\n' "$crt" "$key" > "/sss/certs/$1/$1.pem" 26 - 27 - printf '%s\n' "$prog_name: Copied certs for '$1'" 28 - ;; 29 - * ) printf '%s\n' "$prog_name: Skipping $1" ;; 30 - esac 31 - ''; 32 - }; 33 - cpCertsCommand = "${cpCerts}/bin/cpCerts {event.data.identifier} {event.data.certificate_path} {event.data.private_key_path}"; 34 - in 35 - { 36 - environment.persistence."/data/persistent".directories = [ 37 - { 38 - directory = "/var/www/org.butwho"; 39 - user = "mou"; 40 - group = "caddy"; 41 - mode = "0750"; 42 - } 43 - ]; 44 - 45 - networking.firewall.interfaces."enp1s0".allowedTCPPorts = [ 46 - 22 47 - 6697 48 - ]; 49 - 50 - services.caddy = { 51 - package = pkgs.caddy.withPlugins { 52 - plugins = [ 53 - "github.com/mholt/caddy-events-exec@v0.0.0-20231121214933-055bfd2e8b82" 54 - "github.com/mholt/caddy-l4@v0.0.0-20250124234235-87e3e5e2c7f9" 55 - ]; 56 - hash = "sha256-ydan4Lqeh4eMCpuWryXSdcqQ3CBVCxVwPqUcVPedZy0="; 57 - }; 58 - globalConfig = '' 59 - events { 60 - on cert_obtained exec ${cpCertsCommand} 61 - } 62 - 63 - on_demand_tls { 64 - ask http://${lily}:3000/tls-check 65 - } 66 - 67 - layer4 { 68 - [::]:6697 { 69 - route { 70 - tls { 71 - connection_policy { 72 - alpn irc 73 - default_sni soju.y6d.boo 74 - } 75 - } 76 - proxy [::1]:6667 77 - } 78 - } 79 - [::]:22 { 80 - route { 81 - proxy ${lily}:2222 82 - } 83 - } 84 - } 85 - ''; 86 - virtualHosts = { 87 - "butwho.org".extraConfig = '' 88 - encode zstd gzip 89 - 90 - # Should I set this for all .well-known files? 91 - # header /.well-known/* Access-Control-Allow-Origin * 92 - 93 - # Unsure if this works without 94 - # header /.well-known/host-meta* Access-Control-Allow-Origin * 95 - 96 - # header /.well-known/host-meta Content-Type text/xml 97 - # respond /.well-known/host-meta <<XML 98 - # <?xml version='1.0' encoding='utf-8'?> 99 - # <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'> 100 - # <Link rel="urn:xmpp:alt-connections:xbosh" href="https://butwho.org:5443/bosh" /> 101 - # <Link rel="urn:xmpp:alt-connections:websocket" href="wss://butwho.org:5443/ws" /> 102 - # </XRD> 103 - # XML 104 - 105 - # header /.well-known/host-meta.json Content-Type application/json 106 - # respond /.well-known/host-meta.json <<JSON 107 - # { 108 - # "links": [ 109 - # { "rel": "urn:xmpp:alt-connections:xbosh", "href": "https://butwho.org:5443/bosh" }, 110 - # { "rel": "urn:xmpp:alt-connections:websocket", "href": "wss://butwho.org:5443/ws" } 111 - # ] 112 - # } 113 - # JSON 114 - 115 - header /.well-known/matrix/* Access-Control-Allow-Origin * 116 - header /.well-known/matrix/* Content-Type application/json 117 - respond /.well-known/matrix/client <<JSON 118 - { 119 - "m.homeserver": { "base_url": "https://matrix.butwho.org" } 120 - } 121 - JSON 122 - respond /.well-known/matrix/server `{"m.server": "matrix.butwho.org:443"}` 123 - 124 - root * /var/www/org.butwho 125 - file_server { 126 - hide .git readme.md license 127 - } 128 - 129 - handle_errors { 130 - respond "{err.status_code} {err.status_text}" 131 - } 132 - ''; 133 - # "conference.butwho.org".extraConfig = '' 134 - # redir https://butwho.org{uri} 135 - # ''; 136 - "matrix.butwho.org".extraConfig = '' 137 - encode zstd gzip 138 - reverse_proxy ${lily}:8008 139 - ''; 140 - "pds.butwho.org".extraConfig = '' 141 - encode zstd gzip 142 - tls { 143 - on_demand 144 - } 145 - reverse_proxy ${lily}:3000 146 - ''; 147 - "*.pds.butwho.org".extraConfig = '' 148 - encode zstd gzip 149 - tls { 150 - on_demand 151 - } 152 - reverse_proxy ${lily}:3000 153 - ''; 154 - "knot.butwho.org".extraConfig = '' 155 - encode zstd gzip 156 - reverse_proxy ${lily}:5555 157 - ''; 158 - # "proxy.butwho.org".extraConfig = '' 159 - # redir https://butwho.org{uri} 160 - # ''; 161 - # "pubsub.butwho.org".extraConfig = '' 162 - # redir https://butwho.org{uri} 163 - # ''; 164 - # "upload.butwho.org".extraConfig = '' 165 - # redir https://butwho.org{uri} 166 - # ''; 167 - "cloud.lilac.pink".extraConfig = '' 168 - encode zstd gzip 169 - reverse_proxy ${lily}:80 { 170 - # NixOS uses nginx as a webserver for NextCloud by default and nginx will send 301 redirects to the client 171 - # using http as the protocol instead of https since it doesn't have SSL certs of its own. 172 - # Because the redirect isn't also https, this can cause a Content-Security-Policy error on the client. 173 - # In practice this prevents us from enabling apps on NextCloud without this line. 174 - header_down Location http:// https:// 175 - } 176 - ''; 177 - "soju.y6d.boo".extraConfig = '' 178 - encode zstd gzip 179 - reverse_proxy [::1]:8080 180 - ''; 181 - }; 182 - }; 183 - }

+10 -10

flake.lock

··· 62 62 ] 63 63 }, 64 64 "locked": { 65 - "lastModified": 1744360457, 66 - "narHash": "sha256-Rcd9KYFRYPkMfOsz6vzWosEfggJMGjb1/j9mnxC7q9s=", 65 + "lastModified": 1744380363, 66 + "narHash": "sha256-cXjAUuAfQDPSLSsckZuTioQ986iqSPTzx8D7dLAcC+Q=", 67 67 "owner": "nix-community", 68 68 "repo": "home-manager", 69 - "rev": "da624eaad0fefd4dac002e1f09d300d150c20483", 69 + "rev": "e43c6bcb101ba3301522439c459288c4a248f624", 70 70 "type": "github" 71 71 }, 72 72 "original": { ··· 159 159 }, 160 160 "nixpkgs": { 161 161 "locked": { 162 - "lastModified": 1744348691, 163 - "narHash": "sha256-dIPrBepej1ebT1IaWEFLI5mpQO65+oM+SArkrNI9gjo=", 162 + "lastModified": 1744371553, 163 + "narHash": "sha256-KjvhD+DkQsOAggIFyuxSAZIs84UahDb/O9ojpvyFNe0=", 164 164 "owner": "NixOS", 165 165 "repo": "nixpkgs", 166 - "rev": "6b93024f590b15b1f3888fcc6e56a0866e0c26c2", 166 + "rev": "6f061f35682410185d9a1582601e9241bfa6ad96", 167 167 "type": "github" 168 168 }, 169 169 "original": { ··· 335 335 "yemou-dotfiles": { 336 336 "flake": false, 337 337 "locked": { 338 - "lastModified": 1744136969, 339 - "narHash": "sha256-Pv4OUJbopgHxW64DwFA/9RF69WicSLsA+Vfqd61ufBY=", 338 + "lastModified": 1744381009, 339 + "narHash": "sha256-N6FmFNELNT6bR6VyM7W2nU6PjKn011/uZsxRG65mXrY=", 340 340 "ref": "refs/heads/main", 341 - "rev": "ed4446edcbe0787bdc43fff8fe4c9606698d47ce", 342 - "revCount": 89, 341 + "rev": "169fceb54947dfb8ed9a9e8bcdfa1638dd8806c0", 342 + "revCount": 90, 343 343 "type": "git", 344 344 "url": "https://tangled.sh/@yemou.pink/dotfiles" 345 345 },

+41

modules/caddy.nix

··· 1 + { 2 + config, 3 + lib, 4 + pkgs, 5 + ... 6 + }: 7 + { 8 + options.garden.caddy = { 9 + package = { 10 + plugins = lib.mkOption { 11 + type = lib.types.listOf lib.types.str; 12 + default = [ ]; 13 + description = "Caddy plugins to install"; 14 + }; 15 + hash = lib.mkOption { 16 + type = lib.types.str; 17 + default = lib.fakeSha256; 18 + description = "Hash for Caddy plugins"; 19 + }; 20 + }; 21 + layer4 = lib.mkOption { 22 + type = lib.types.lines; 23 + default = ""; 24 + description = "Caddy-L4 configurations"; 25 + }; 26 + }; 27 + 28 + config = { 29 + services.caddy = { 30 + package = pkgs.caddy.withPlugins { 31 + plugins = config.garden.caddy.package.plugins; 32 + hash = config.garden.caddy.package.hash; 33 + }; 34 + globalConfig = lib.mkIf (config.garden.caddy.layer4 != "") '' 35 + layer4 { 36 + ${config.garden.caddy.layer4} 37 + } 38 + ''; 39 + }; 40 + }; 41 + }

+1 -1

modules/services/caddy.nix modules/services/caddy/default.nix

··· 8 8 9 9 services.caddy = { 10 10 enable = true; 11 - email = "acme@lilac.pink"; 11 + email = "acme@mou.pink"; 12 12 }; 13 13 }

+38

modules/services/caddy/cp-certs.nix

··· 1 + { pkgs, ... }: 2 + let 3 + cpCerts = pkgs.writeShellApplication { 4 + name = "cpCerts"; 5 + runtimeInputs = with pkgs; [ coreutils ]; 6 + text = '' 7 + prog_name=''${0##*/} 8 + 9 + case $1 in 10 + "proxy.butwho.org" | "conference.butwho.org" | "pubsub.butwho.org" | \ 11 + "upload.butwho.org" | "butwho.org" ) 12 + caddy_path="/var/lib/caddy/.local/share/caddy" 13 + printf '%s\n' "$prog_name: Copying certs for '$1' to /sss/certs/$1" 14 + 15 + mkdir -p "/sss/certs/$1" 16 + cp -f "$caddy_path/$2" "/sss/certs/$1" 17 + cp -f "$caddy_path/$3" "/sss/certs/$1" 18 + 19 + # Read both the .crt file and the .key file to make a .pem 20 + crt=$(cat "$caddy_path/$2") 21 + key=$(cat "$caddy_path/$3") 22 + printf '%s\n\n%s\n' "$crt" "$key" > "/sss/certs/$1/$1.pem" 23 + 24 + printf '%s\n' "$prog_name: Copied certs for '$1'" 25 + ;; 26 + * ) printf '%s\n' "$prog_name: Skipping $1" ;; 27 + esac 28 + ''; 29 + }; 30 + cpCertsCommand = "${cpCerts}/bin/cpCerts {event.data.identifier} {event.data.certificate_path} {event.data.private_key_path}"; 31 + in 32 + { 33 + services.caddy.globalConfig = '' 34 + events { 35 + on cert_obtained exec ${cpCertsCommand} 36 + } 37 + ''; 38 + }

+19

modules/services/caddy/matrix.nix

··· 1 + { config, ... }: 2 + { 3 + services.caddy.virtualHosts = { 4 + "butwho.org".extraConfig = '' 5 + header /.well-known/matrix/* Access-Control-Allow-Origin * 6 + header /.well-known/matrix/* Content-Type application/json 7 + respond /.well-known/matrix/client <<JSON 8 + { 9 + "m.homeserver": { "base_url": "https://matrix.butwho.org" } 10 + } 11 + JSON 12 + respond /.well-known/matrix/server `{"m.server": "matrix.butwho.org:443"}` 13 + ''; 14 + "matrix.butwho.org".extraConfig = '' 15 + encode 16 + reverse_proxy ${config.garden.info.network.lily.netbird-ip}:8008 17 + ''; 18 + }; 19 + }

+13

modules/services/caddy/nextcloud.nix

··· 1 + { config, ... }: 2 + { 3 + services.caddy.virtualHosts."cloud.lilac.pink".extraConfig = '' 4 + encode 5 + reverse_proxy ${config.garden.info.network.lily.netbird-ip}:80 { 6 + # NixOS uses nginx as a webserver for NextCloud by default and nginx will send 301 redirects to the client 7 + # using http as the protocol instead of https since it doesn't have SSL certs of its own. 8 + # Because the redirect isn't also https, this can cause a Content-Security-Policy error on the client. 9 + # In practice this prevents us from enabling apps on NextCloud without this line. 10 + header_down Location http:// https:// 11 + } 12 + ''; 13 + }

+26

modules/services/caddy/pds.nix

··· 1 + { config, ... }: 2 + { 3 + services.caddy = { 4 + globalConfig = '' 5 + on_demand_tls { 6 + ask http://${config.garden.info.network.lily.netbird-ip}:3000/tls-check 7 + } 8 + ''; 9 + virtualHosts = { 10 + "pds.butwho.org".extraConfig = '' 11 + tls { 12 + on_demand 13 + } 14 + encode 15 + reverse_proxy ${config.garden.info.network.lily.netbird-ip}:3000 16 + ''; 17 + "*.pds.butwho.org".extraConfig = '' 18 + tls { 19 + on_demand 20 + } 21 + encode 22 + reverse_proxy ${config.garden.info.network.lily.netbird-ip}:3000 23 + ''; 24 + }; 25 + }; 26 + }

+23

modules/services/caddy/soju.nix

··· 1 + { ... }: 2 + { 3 + networking.firewall.interfaces."enp1s0".allowedTCPPorts = [ 6697 ]; 4 + 5 + services.caddy.virtualHosts."soju.y6d.boo".extraConfig = '' 6 + encode 7 + reverse_proxy [::1]:8080 8 + ''; 9 + 10 + garden.caddy.layer4 = '' 11 + [::]:6697 { 12 + route { 13 + tls { 14 + connection_policy { 15 + alpn irc 16 + default_sni soju.y6d.boo 17 + } 18 + } 19 + proxy [::1]:6667 20 + } 21 + } 22 + ''; 23 + }

+17

modules/services/caddy/tangled-knot.nix

··· 1 + { config, ... }: 2 + { 3 + networking.firewall.interfaces."enp1s0".allowedTCPPorts = [ 22 ]; 4 + 5 + services.caddy.virtualHosts."knot.butwho.org".extraConfig = '' 6 + encode 7 + reverse_proxy ${config.garden.info.network.lily.netbird-ip}:5555 8 + ''; 9 + 10 + garden.caddy.layer4 = '' 11 + [::]:22 { 12 + route { 13 + proxy ${config.garden.info.network.lily.netbird-ip}:2222 14 + } 15 + } 16 + ''; 17 + }

+23

modules/services/caddy/websites/org-butwho.nix

··· 1 + { ... }: 2 + { 3 + environment.persistence."/data/persistent".directories = [ 4 + { 5 + directory = "/var/www/org.butwho"; 6 + user = "mou"; 7 + group = "caddy"; 8 + mode = "0750"; 9 + } 10 + ]; 11 + 12 + services.caddy.virtualHosts."butwho.org".extraConfig = '' 13 + encode 14 + root * /var/www/org.butwho 15 + file_server { 16 + hide .git license 17 + } 18 + 19 + handle_errors { 20 + respond "{err.status_code} {err.status_text}" 21 + } 22 + ''; 23 + }

+41

modules/services/caddy/xmpp.nix

··· 1 + { ... }: 2 + { 3 + services.caddy.virtualHosts = { 4 + "butwho.org".extraConfig = '' 5 + header /.well-known/host-meta Content-Type text/xml 6 + respond /.well-known/host-meta <<XML 7 + <?xml version='1.0' encoding='utf-8'?> 8 + <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'> 9 + <Link rel="urn:xmpp:alt-connections:xbosh" href="https://butwho.org:5443/bosh" /> 10 + <Link rel="urn:xmpp:alt-connections:websocket" href="wss://butwho.org:5443/ws" /> 11 + </XRD> 12 + XML 13 + 14 + header /.well-known/host-meta.json Content-Type application/json 15 + respond /.well-known/host-meta.json <<JSON 16 + { 17 + "links": [ 18 + { "rel": "urn:xmpp:alt-connections:xbosh", "href": "https://butwho.org:5443/bosh" }, 19 + { "rel": "urn:xmpp:alt-connections:websocket", "href": "wss://butwho.org:5443/ws" } 20 + ] 21 + } 22 + JSON 23 + ''; 24 + "conference.butwho.org".extraConfig = '' 25 + encode 26 + redir https://butwho.org{uri} 27 + ''; 28 + "proxy.butwho.org".extraConfig = '' 29 + encode 30 + redir https://butwho.org{uri} 31 + ''; 32 + "pubsub.butwho.org".extraConfig = '' 33 + encode 34 + redir https://butwho.org{uri} 35 + ''; 36 + "upload.butwho.org".extraConfig = '' 37 + encode 38 + redir https://butwho.org{uri} 39 + ''; 40 + }; 41 + }

Configure Feed

Configure Feed