Refactor Caddy config into networking.caddy module

Move Caddy configuration from individual services to a shared
networking.caddy module. Update service modules and system config to use
the new interface. Remove redundant user definitions and old Caddy
config blocks.
Chris Kruining 2026-03-04 09:29:36 +01:00
parent d3a394dfd9
commit 4e9ef9dc4f
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
10 changed files with 308 additions and 286 deletions


@ -1,16 +1,36 @@
{ config, lib, pkgs, namespace, ... }:
let
{
config,
lib,
pkgs,
namespace,
...
}: let
inherit (lib) mkIf mkEnableOption;
user = "authelia-testing";
cfg = config.${namespace}.services.authentication.authelia;
in
{
in {
options.${namespace}.services.authentication.authelia = {
enable = mkEnableOption "Authelia";
};
config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
environment.systemPackages = with pkgs; [
authelia
];
@ -112,8 +132,8 @@ in
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "openid" "profile" "groups" ];
redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ];
scopes = ["openid" "profile" "groups"];
redirect_uris = ["https://jellyfin.kruining.eu/sso/OID/redirect/authelia"];
}
{
client_id = "streamarr";
@ -127,8 +147,8 @@ in
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"];
redirect_uris = ["http://localhost:3000/api/auth/oauth2/callback/authelia"];
}
{
client_id = "forgejo";
@ -142,10 +162,10 @@ in
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ];
scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"];
response_types = ["code"];
grant_types = ["authorization_code"];
redirect_uris = ["http://localhost:5002/user/oauth2/authelia/callback"];
}
];
};
@ -195,48 +215,8 @@ in
- jellyfin-users
- admin
- dev
jacqueline:
disabled: false
displayname: Jacqueline Bevers
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
martijn:
disabled: false
displayname: Martijn Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
andrea:
disabled: false
displayname: Andrea Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
'';
};
};
services.caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}
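Review bot: The new host entry `"auth.kruining.eu".extraConfig = ''` in the first hunk makes the value an attribute set, but `networking.caddy.hosts` is declared as `attrsOf str` and the shared module wraps each value itself with `mapAttrs (host: extraConfig: {inherit extraConfig;})`, so this definition fails the option type check as soon as Authelia is enabled. Every other service in this commit uses the plain-string form; change the line to `"auth.kruining.eu" = ''` to match the Zitadel module. The `extraConfig` with the `(auth)` snippet set here is also not forwarded by the shared module in its current form, so `import auth` in any host block would have nothing to import until that is fixed there.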


@ -537,7 +537,25 @@ in
};
in
mkIf cfg.enable {
${namespace}.services.persistance.postgresql.enable = true;
${namespace}.services = {
persistance.postgresql.enable = true;
networking.caddy = {
hosts = {
"auth.kruining.eu" = ''
reverse_proxy h2c://::1:9092
'';
};
extraConfig = ''
(auth) {
forward_auth h2c://::1:9092 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
};
environment.systemPackages = with pkgs; [
zitadel
@ -678,23 +696,6 @@ in
}
];
};
caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy h2c://::1:9092
'';
};
extraConfig = ''
(auth) {
forward_auth h2c://::1:9092 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
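Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` at the end of this section sits in a deletion-heavy hunk (23 old lines, 6 new), and the rendering drops the +/- markers, so if it was removed together with the `caddy = { … }` block nothing opens 80/443 on this host any more; the Authelia module's last hunk has the same line in the same position. As far as I recall the NixOS `services.caddy` module does not open firewall ports itself, and the new `networking.caddy` module does not either. Either keep the line here, or move it into the shared module's `config` block as `networking.firewall.allowedTCPPorts = [80 443];` so every consumer gets it.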


@ -25,6 +25,75 @@ in {
${namespace}.services = {
persistance.postgresql.enable = true;
# virtualisation.podman.enable = true;
networking.caddy = {
# globalConfig = ''
# layer4 {
# 127.0.0.1:4004
# route {
# proxy {
# upstream synapse:4004
# }
# }
# }
# 127.0.0.1:4005
# route {
# proxy {
# upstream synapse:4005
# }
# }
# }
# }
# '';
hosts = let
server = {
"m.server" = "${fqn}:443";
};
client = {
"m.homeserver".base_url = "https://${fqn}";
"m.identity_server".base_url = "https://auth.${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${domain}/livekit/jwt";
}
];
};
in {
"${domain}, darkch.at" = ''
# Route for lk-jwt-service
handle /livekit/jwt* {
uri strip_prefix /livekit/jwt
reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
handle_path /livekit/sfu* {
reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `${toJSON server}`
respond /.well-known/matrix/client `${toJSON client}`
'';
"${fqn}" = ''
reverse_proxy /_matrix/* http://::1:${toString port}
reverse_proxy /_synapse/client/* http://::1:${toString port}
'';
};
};
};
services = {
@ -197,75 +266,6 @@ in {
];
};
caddy = {
enable = true;
# globalConfig = ''
# layer4 {
# 127.0.0.1:4004
# route {
# proxy {
# upstream synapse:4004
# }
# }
# }
# 127.0.0.1:4005
# route {
# proxy {
# upstream synapse:4005
# }
# }
# }
# }
# '';
virtualHosts = let
server = {
"m.server" = "${fqn}:443";
};
client = {
"m.homeserver".base_url = "https://${fqn}";
"m.identity_server".base_url = "https://auth.${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${domain}/livekit/jwt";
}
];
};
in {
"${domain}, darkch.at".extraConfig = ''
# Route for lk-jwt-service
handle /livekit/jwt* {
uri strip_prefix /livekit/jwt
reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
handle_path /livekit/sfu* {
reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `${toJSON server}`
respond /.well-known/matrix/client `${toJSON client}`
'';
"${fqn}".extraConfig = ''
reverse_proxy /_matrix/* http://::1:${toString port}
reverse_proxy /_synapse/client/* http://::1:${toString port}
'';
};
};
livekit = {
enable = true;
openFirewall = true;
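Review bot: The commented-out `globalConfig` block carried over at the top of the first hunk refers to an option the new `networking.caddy` module does not declare (it exposes only `hosts` and `extraConfig`), so it can never be uncommented as-is; either drop the dead comment or add a `globalConfig = mkOption { type = types.lines; default = ""; };` passthrough to `services.caddy.globalConfig` in the shared module. If the comment is kept, a one-line `# TODO: needs a globalConfig option on networking.caddy before this can be enabled` makes the dependency explicit for the next reader. The `hosts` definition itself (the `let server = …; client = …; in { … }` form) is fine against `attrsOf str`.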


@ -28,6 +28,20 @@ in {
${namespace}.services = {
persistance.postgresql.enable = true;
virtualisation.podman.enable = true;
networking.caddy = {
hosts = {
"${domain}" = ''
# import auth
# stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:${toString cfg.port}
'';
};
};
};
environment.systemPackages = with pkgs; [forgejo];
@ -168,21 +182,6 @@ in {
};
};
};
caddy = {
enable = true;
virtualHosts = {
"${domain}".extraConfig = ''
# import auth
# stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:${toString cfg.port}
'';
};
};
};
users = {


@ -17,6 +17,14 @@ in {
};
config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts = {
"jellyfin.kruining.eu" = ''
reverse_proxy http://[::1]:8096
'';
};
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
@ -34,15 +42,6 @@ in {
user = "media";
group = "media";
};
caddy = {
enable = true;
virtualHosts = {
"jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://[::1]:8096
'';
};
};
};
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";


@ -1,11 +1,15 @@
{ config, lib, pkgs, namespace, ... }:
let
{
config,
lib,
pkgs,
namespace,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str;
cfg = config.${namespace}.services.media.nextcloud;
in
{
in {
options.${namespace}.services.media.nextcloud = {
enable = mkEnableOption "Nextcloud";
@ -21,6 +25,14 @@ in
};
config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts."cloud.kruining.eu" = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
users = {
users.${cfg.user} = {
isSystemUser = true;
@ -75,14 +87,5 @@ in
# startServices = true;
# };
services.caddy = {
enable = true;
virtualHosts."cloud.kruining.eu".extraConfig = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
};
}


@ -0,0 +1,40 @@
{
config,
pkgs,
lib,
namespace,
...
}: let
inherit (builtins) length;
inherit (lib) mkIf mkEnableOption mkOption types attrNames mapAttrs;
cfg = config.${namespace}.services.networking.caddy;
hasHosts = (cfg.hosts |> attrNames |> length) > 0;
in {
options.${namespace}.services.networking.caddy = {
enable = mkEnableOption "enable caddy" // {default = true;};
hosts = mkOption {
type = types.attrsOf types.str;
};
extraConfig = mkOption {
type = types.str;
};
};
config = mkIf hasHosts {
services.caddy = {
enable = cfg.enable;
package = pkgs.caddy.withPlugins {
plugins = ["https://github.com/corazawaf/coraza-caddy@2.1.0"];
hash = lib.fakeHash;
};
virtualHosts =
cfg.hosts
|> mapAttrs (host: extraConfig: {inherit extraConfig;});
};
};
}
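Review bot: `cfg.extraConfig` is declared at the `extraConfig = mkOption` line but never forwarded to `services.caddy` in the `config` block, so the `(auth)` forward_auth snippet that the Authelia and Zitadel modules now place in `networking.caddy.extraConfig` is silently dropped from the generated Caddyfile. Both `hosts` and `extraConfig` also lack a `default`, so `hasHosts` throws an "option is used but not defined" error on any host where no service sets a host, and `types.str` rejects two differing definitions (e.g. Authelia and Zitadel both setting `extraConfig`) where `types.lines` would concatenate them. `hash = lib.fakeHash;` for the coraza plugin build is a placeholder that fails every build with a hash mismatch until the real output hash is recorded, so the plugin pin should be completed before merge. The `|>` pipe operator is an experimental Nix feature; presumably it is already enabled for this flake, but worth confirming since this is the first file in the commit that uses it.
```nix
  options.${namespace}.services.networking.caddy = {
    enable = mkEnableOption "Caddy" // {default = true;};
    hosts = mkOption {
      # lines: several definitions for the same host are concatenated
      type = types.attrsOf types.lines;
      default = {};
    };
    extraConfig = mkOption {
      type = types.lines;
      default = "";
    };
  };
  config = mkIf hasHosts {
    services.caddy = {
      enable = cfg.enable;
      # … unchanged: package = pkgs.caddy.withPlugins { … } (replace lib.fakeHash with the real hash) …
      extraConfig = cfg.extraConfig;
      virtualHosts =
        cfg.hosts
        |> mapAttrs (host: extraConfig: {inherit extraConfig;});
    };
  };
```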


@ -91,6 +91,22 @@ in {
};
config = mkIf cfg.enable {
${namespace}.services.networking.caddy.hosts = {
"vault.kruining.eu" = ''
encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
};
systemd.tmpfiles.rules = [
"d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
];
@ -150,25 +166,6 @@ in {
}
];
};
caddy = {
enable = true;
virtualHosts = {
"vault.kruining.eu".extraConfig = ''
encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
};
};
};
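Review bot: `handle_path /admin {` in the moved host block matches only the exact path `/admin`, because Caddy path matchers are exact unless they end in `*`; requests for `/admin/` and the admin sub-pages fall through to the `reverse_proxy` directive below it. If the intent is to keep the Vaultwarden admin panel off the public host, use `handle /admin* {` so the whole subtree gets the 401, and treat leaving the admin token unset on the Vaultwarden side as the primary control. The matcher was the same before the move, but this block is now the shared module's only definition for this host, so it is the right place to fix it.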
sops = {


@ -1,105 +1,109 @@
{ pkgs, inputs }: let
{
pkgs,
inputs,
}: let
inherit (builtins) fetchurl;
inherit (pkgs) makeDesktopItem copyDesktopItems wineWowPackages;
inherit (pkgs) makeDesktopItem copyDesktopItems wineWow64Packages;
inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons;
wine = wineWowPackages.base;
in mkWindowsAppNoCC rec {
inherit wine;
wine = wineWow64Packages.base;
in
mkWindowsAppNoCC rec {
inherit wine;
pname = "studio";
version = "2.25.4";
pname = "studio";
version = "2.25.4";
src = fetchurl {
url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe";
sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v";
};
src = fetchurl {
url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe";
sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v";
};
enableMonoBootPrompt = false;
dontUnpack = true;
enableMonoBootPrompt = false;
dontUnpack = true;
wineArch = "win64";
enableInstallNotification = true;
wineArch = "win64";
enableInstallNotification = true;
fileMap = {
"$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io";
"$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink";
};
fileMap = {
"$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io";
"$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink";
};
fileMapDuringAppInstall = false;
fileMapDuringAppInstall = false;
persistRegistry = false;
persistRuntimeLayer = true;
inputHashMethod = "version";
persistRegistry = false;
persistRuntimeLayer = true;
inputHashMethod = "version";
# Can be used to precisely select the Direct3D implementation.
#
# | enableVulkan | rendererOverride | Direct3D implementation |
# |--------------|------------------|-------------------------|
# | false | null | OpenGL |
# | true | null | Vulkan (DXVK) |
# | * | dxvk-vulkan | Vulkan (DXVK) |
# | * | wine-opengl | OpenGL |
# | * | wine-vulkan | Vulkan (VKD3D) |
enableVulkan = false;
rendererOverride = null;
# Can be used to precisely select the Direct3D implementation.
#
# | enableVulkan | rendererOverride | Direct3D implementation |
# |--------------|------------------|-------------------------|
# | false | null | OpenGL |
# | true | null | Vulkan (DXVK) |
# | * | dxvk-vulkan | Vulkan (DXVK) |
# | * | wine-opengl | OpenGL |
# | * | wine-vulkan | Vulkan (VKD3D) |
enableVulkan = false;
rendererOverride = null;
enableHUD = false;
enableHUD = false;
enabledWineSymlinks = { };
graphicsDriver = "auto";
inhibitIdle = false;
enabledWineSymlinks = {};
graphicsDriver = "auto";
inhibitIdle = false;
nativeBuildInputs = [ copyDesktopIcons copyDesktopItems ];
nativeBuildInputs = [copyDesktopIcons copyDesktopItems];
winAppInstall = ''
wine64 ${src}
winAppInstall = ''
wine64 ${src}
wineserver -W
wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f
'';
wineserver -W
wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f
'';
winAppPreRun = ''
wineserver -W
wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f
'';
winAppPreRun = ''
wineserver -W
wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f
'';
winAppRun = ''
wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS"
'';
winAppRun = ''
wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS"
'';
winAppPostRun = "";
installPhase = ''
runHook preInstall
winAppPostRun = "";
installPhase = ''
runHook preInstall
ln -s $out/bin/.launcher $out/bin/${pname}
ln -s $out/bin/.launcher $out/bin/${pname}
runHook postInstall
'';
runHook postInstall
'';
desktopItems = [
(makeDesktopItem {
mimeTypes = [];
desktopItems = [
(makeDesktopItem {
mimeTypes = [];
name = pname;
exec = pname;
icon = pname;
desktopName = "Bricklink studio";
genericName = "Lego creation app";
categories = [];
})
];
desktopIcon = makeDesktopIcon {
name = pname;
exec = pname;
icon = pname;
desktopName = "Bricklink studio";
genericName = "Lego creation app";
categories = [];
})
];
src = ./studio.png;
};
desktopIcon = makeDesktopIcon {
name = pname;
src = ./studio.png;
};
meta = {
description = "App for creating lego builds";
homepage = "https://www.bricklink.com/v3/studio/main.page";
license = "";
maintainers = [];
platforms = [ "x86_64-linux" ];
};
}
meta = {
description = "App for creating lego builds";
homepage = "https://www.bricklink.com/v3/studio/main.page";
license = "";
maintainers = [];
platforms = ["x86_64-linux"];
};
}
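Review bot: `version = "2.25.4";` disagrees with the download URL in `src`, which points at `Archive/2.25.12_1/`, and because `inputHashMethod = "version";` keys the installed Wine prefix on `version`, a later URL bump without a matching `version` change keeps reusing the stale prefix. Update `version` to match the archive the `src` actually fetches, or use the builder's default hashing method, which I believe keys the prefix on the store path instead. Both values predate this commit; only the switch from `wineWowPackages` to `wineWow64Packages` and the reformat are new here.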


@ -27,17 +27,6 @@
};
};
# Expose amarht cloud stuff like this until I have a proper solution
services.caddy.virtualHosts = {
"auth.amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:9092
'';
"amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:8080
'';
};
# virtualisation = {
# containers.enable = true;
# podman = {
@ -204,6 +193,16 @@
development.forgejo.enable = true;
networking.ssh.enable = true;
networking.caddy.hosts = {
# Expose amarht cloud stuff like this until I have a proper solution
"auth.amarth.cloud" = ''
reverse_proxy http://192.168.1.223:9092
'';
"amarth.cloud" = ''
reverse_proxy http://192.168.1.223:8080
'';
};
media.enable = true;
media.glance.enable = true;