From 4e9ef9dc4f7df619478012bd5c813050417f8567 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 4 Mar 2026 09:29:36 +0100
Subject: [PATCH] Refactor Caddy config into networking.caddy module
Move Caddy configuration from individual services to a shared networking.caddy module. Update service modules and system config to use the new interface. Remove redundant user definitions and old Caddy config blocks.
---
 .../authentication/authelia/default.nix | 84 ++++-----
 .../authentication/zitadel/default.nix | 37 ++--
 .../services/communication/matrix/default.nix | 138 +++++++--------
 .../services/development/forgejo/default.nix | 29 ++--
 .../nixos/services/media/jellyfin/default.nix | 17 +-
 .../services/media/nextcloud/default.nix | 29 ++--
 .../services/networking/caddy/default.nix | 40 +++++
 .../services/security/vaultwarden/default.nix | 35 ++--
 packages/studio/default.nix | 164 +++++++++---------
 systems/x86_64-linux/ulmo/default.nix | 21 ++-
 10 files changed, 308 insertions(+), 286 deletions(-)
 create mode 100644 modules/nixos/services/networking/caddy/default.nix
diff --git a/modules/nixos/services/authentication/authelia/default.nix b/modules/nixos/services/authentication/authelia/default.nix
index 9990003..7aea103 100644
--- a/modules/nixos/services/authentication/authelia/default.nix
+++ b/modules/nixos/services/authentication/authelia/default.nix
@@ -1,16 +1,36 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption; user = "authelia-testing"; cfg = config.${namespace}.services.authentication.authelia; -in -{ +in { options.${namespace}.services.authentication.authelia = { enable = mkEnableOption "Authelia"; }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy = { + hosts = { + "auth.kruining.eu".extraConfig = '' + reverse_proxy http://127.0.0.1:9091 + ''; + }; + extraConfig = '' + (auth) { + forward_auth http://127.0.0.1:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; + }; + environment.systemPackages = with pkgs; [ authelia ]; @@ -112,8 +132,8 @@ in authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = [ "openid" "profile" "groups" ]; - redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ]; + scopes = ["openid" "profile" "groups"]; + redirect_uris = ["https://jellyfin.kruining.eu/sso/OID/redirect/authelia"]; } { client_id = "streamarr"; @@ -127,8 +147,8 @@ in authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; - redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; + scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"]; + redirect_uris = ["http://localhost:3000/api/auth/oauth2/callback/authelia"]; } { client_id = "forgejo"; 
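Review bot: `"auth.kruining.eu".extraConfig = ''…''` gives the host entry an attribute-set value, but the new module (later in this series) declares `hosts` as `types.attrsOf types.str`, so this definition fails the option type check at evaluation time; every other service in the series assigns the Caddyfile text directly. Drop the `.extraConfig` selector so it reads `"auth.kruining.eu" = '' reverse_proxy http://127.0.0.1:9091 '';` as in the zitadel and jellyfin hunks — `.extraConfig` belongs to the old `services.caddy.virtualHosts` shape. Note also that the `(auth)` snippet handed to `networking.caddy.extraConfig` is not emitted by the new module as committed, so the forward_auth definition does not reach the generated Caddyfile. The `config = mkIf cfg.enable {` block this hunk opens continues past the hunk.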
@@ -142,10 +162,10 @@ in authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; - response_types = [ "code" ]; - grant_types = [ "authorization_code" ]; - redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; + scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"]; + response_types = ["code"]; + grant_types = ["authorization_code"]; + redirect_uris = ["http://localhost:5002/user/oauth2/authelia/callback"]; } ]; }; @@ -195,48 +215,8 @@ in - jellyfin-users - admin - dev - - jacqueline: - disabled: false - displayname: Jacqueline Bevers - password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 - groups: - - jellyfin-users - - martijn: - disabled: false - displayname: Martijn Kruining - password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 - groups: - - jellyfin-users - - andrea: - disabled: false - displayname: Andrea Kruining - password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 - groups: - - jellyfin-users ''; }; }; - - services.caddy = { - enable = true; - virtualHosts = { - "auth.kruining.eu".extraConfig = '' - reverse_proxy http://127.0.0.1:9091 - ''; - }; - extraConfig = '' - (auth) { - forward_auth http://127.0.0.1:9091 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; }; } diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index aaf64f6..082330e 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
@@ -537,7 +537,25 @@ in }; in mkIf cfg.enable { - ${namespace}.services.persistance.postgresql.enable = true; + ${namespace}.services = { + persistance.postgresql.enable = true; + + networking.caddy = { + hosts = { + "auth.kruining.eu" = '' + reverse_proxy h2c://::1:9092 + ''; + }; + extraConfig = '' + (auth) { + forward_auth h2c://::1:9092 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; + }; + }; environment.systemPackages = with pkgs; [ zitadel @@ -678,23 +696,6 @@ in } ]; }; - - caddy = { - enable = true; - virtualHosts = { - "auth.kruining.eu".extraConfig = '' - reverse_proxy h2c://::1:9092 - ''; - }; - extraConfig = '' - (auth) { - forward_auth h2c://::1:9092 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 8bb79fe..21fe777 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
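Review bot: `networking.caddy.extraConfig` is where the `(auth)` forward_auth snippet now lives, but the new module declares that option as a plain `types.str` and never copies it into `services.caddy.extraConfig`, so the snippet does not reach the Caddyfile, and a second module defining it (authelia does) produces a conflicting-definition error rather than a merged snippet. Until the module forwards it, any `import auth` in a vhost fails Caddyfile validation with an undefined-snippet error — fail-closed, but not the intended protection. Separately, the next hunk keeps `networking.firewall.allowedTCPPorts = [ 80 443 ];` in this file while the same line was dropped from the authelia module; now that Caddy is shared, that rule belongs next to the shared `services.caddy` definition rather than in one consumer. The `mkIf cfg.enable` block this hunk edits begins before the hunk.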
@@ -25,6 +25,75 @@ in { ${namespace}.services = { persistance.postgresql.enable = true; # virtualisation.podman.enable = true; + + networking.caddy = { + # globalConfig = '' + # layer4 { + # 127.0.0.1:4004 + # route { + # proxy { + # upstream synapse:4004 + # } + # } + # } + # 127.0.0.1:4005 + # route { + # proxy { + # upstream synapse:4005 + # } + # } + # } + # } + # ''; + hosts = let + server = { + "m.server" = "${fqn}:443"; + }; + client = { + "m.homeserver".base_url = "https://${fqn}"; + "m.identity_server".base_url = "https://auth.${domain}"; + "org.matrix.msc3575.proxy".url = "https://${domain}"; + "org.matrix.msc4143.rtc_foci" = [ + { + type = "livekit"; + livekit_service_url = "https://${domain}/livekit/jwt"; + } + ]; + }; + in { + "${domain}, darkch.at" = '' + # Route for lk-jwt-service + handle /livekit/jwt* { + uri strip_prefix /livekit/jwt + reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + + handle_path /livekit/sfu* { + reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `${toJSON server}` + respond /.well-known/matrix/client `${toJSON client}` + ''; + + "${fqn}" = '' + reverse_proxy /_matrix/* http://::1:${toString port} + reverse_proxy /_synapse/client/* http://::1:${toString port} + ''; + }; + }; }; services = { 
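Review bot: The `${fqn}` entry writes its upstream as `http://::1:${toString port}` while the livekit handlers a few lines above use the bracketed `http://[::1]:…` form; the unbracketed IPv6 literal relies on the URL parser treating the last colon as the port separator, and the bracketed form is the unambiguous one, so use it consistently: `reverse_proxy /_matrix/* http://[::1]:${toString port}` and `reverse_proxy /_synapse/client/* http://[::1]:${toString port}`. The commented-out `# globalConfig = …` layer4 block was carried into the new `networking.caddy` attrset, which declares no `globalConfig` option, so it is dead text here — delete it or turn it into a TODO pointing at the module that would own it. The `${namespace}.services = {` attrset this hunk edits continues beyond the hunk.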
@@ -197,75 +266,6 @@ in { ]; }; - caddy = { - enable = true; - # globalConfig = '' - # layer4 { - # 127.0.0.1:4004 - # route { - # proxy { - # upstream synapse:4004 - # } - # } - # } - # 127.0.0.1:4005 - # route { - # proxy { - # upstream synapse:4005 - # } - # } - # } - # } - # ''; - virtualHosts = let - server = { - "m.server" = "${fqn}:443"; - }; - client = { - "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.${domain}"; - "org.matrix.msc3575.proxy".url = "https://${domain}"; - "org.matrix.msc4143.rtc_foci" = [ - { - type = "livekit"; - livekit_service_url = "https://${domain}/livekit/jwt"; - } - ]; - }; - in { - "${domain}, darkch.at".extraConfig = '' - # Route for lk-jwt-service - handle /livekit/jwt* { - uri strip_prefix /livekit/jwt - reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} { - header_up Host {host} - header_up X-Forwarded-Server {host} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - } - } - - handle_path /livekit/sfu* { - reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} { - header_up Host {host} - header_up X-Forwarded-Server {host} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - } - } - - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `${toJSON server}` - respond /.well-known/matrix/client `${toJSON client}` - ''; - "${fqn}".extraConfig = '' - reverse_proxy /_matrix/* http://::1:${toString port} - reverse_proxy /_synapse/client/* http://::1:${toString port} - ''; - }; - }; - livekit = { enable = true; openFirewall = true; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index dfae9f0..f190b0c 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -28,6 +28,20 @@ in { ${namespace}.services = { persistance.postgresql.enable = true; virtualisation.podman.enable = true; + + networking.caddy = { + hosts = { + "${domain}" = '' + # import auth + + # stupid dumb way to prevent the login page and go to zitadel instead + # be aware that this does not disable local login at all! + # rewrite /user/login /user/oauth2/Zitadel + + reverse_proxy http://127.0.0.1:${toString cfg.port} + ''; + }; + }; }; environment.systemPackages = with pkgs; [forgejo]; @@ -168,21 +182,6 @@ in { }; }; }; - - caddy = { - enable = true; - virtualHosts = { - "${domain}".extraConfig = '' - # import auth - - # stupid dumb way to prevent the login page and go to zitadel instead - # be aware that this does not disable local login at all! - # rewrite /user/login /user/oauth2/Zitadel - - reverse_proxy http://127.0.0.1:${toString cfg.port} - ''; - }; - }; }; users = { diff --git a/modules/nixos/services/media/jellyfin/default.nix b/modules/nixos/services/media/jellyfin/default.nix index d4323f3..de19896 100644 --- a/modules/nixos/services/media/jellyfin/default.nix +++ b/modules/nixos/services/media/jellyfin/default.nix @@ -17,6 +17,14 @@ in { }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy = { + hosts = { + "jellyfin.kruining.eu" = '' + reverse_proxy http://[::1]:8096 + ''; + }; + }; + environment.systemPackages = with pkgs; [ jellyfin jellyfin-web @@ -34,15 +42,6 @@ in { user = "media"; group = "media"; }; - - caddy = { - enable = true; - virtualHosts = { - "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://[::1]:8096 - ''; - }; - }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud/default.nix index 14d6863..06904c6 100644 --- a/modules/nixos/services/media/nextcloud/default.nix 
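Review bot: The forgejo vhost carries `# import auth` and `# rewrite /user/login /user/oauth2/Zitadel` over as commented-out text, so the host still has no forward-auth layer and the warning in the comment ("this does not disable local login at all") still holds. If the intent is to force SSO, disable the password form in Forgejo's own settings (presumably `[service] ENABLE_PASSWORD_SIGNIN_FORM = false` under `services.forgejo.settings`, outside this hunk — confirm against the Forgejo docs) rather than rewriting the login path at the proxy, and either remove the dead comments or replace them with one TODO that says why `import auth` is off. Be aware that the new caddy module as committed never emits the `(auth)` snippet, so un-commenting `import auth` here would fail Caddyfile validation with an undefined-snippet error. The `${namespace}.services = {` attrset this hunk edits continues beyond the hunk.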
+++ b/modules/nixos/services/media/nextcloud/default.nix @@ -1,11 +1,15 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media.nextcloud; -in -{ +in { options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; @@ -21,6 +25,14 @@ in }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy = { + hosts."cloud.kruining.eu" = '' + php_fastcgi unix//run/phpfpm/nextcloud.sock { + env front_controller_active true + } + ''; + }; + users = { users.${cfg.user} = { isSystemUser = true; @@ -75,14 +87,5 @@ in # startServices = true; # }; - - services.caddy = { - enable = true; - virtualHosts."cloud.kruining.eu".extraConfig = '' - php_fastcgi unix//run/phpfpm/nextcloud.sock { - env front_controller_active true - } - ''; - }; }; } diff --git a/modules/nixos/services/networking/caddy/default.nix b/modules/nixos/services/networking/caddy/default.nix new file mode 100644 index 0000000..b70f7ae --- /dev/null +++ b/modules/nixos/services/networking/caddy/default.nix @@ -0,0 +1,40 @@ +{ + config, + pkgs, + lib, + namespace, + ... +}: let + inherit (builtins) length; + inherit (lib) mkIf mkEnableOption mkOption types attrNames mapAttrs; + + cfg = config.${namespace}.services.networking.caddy; + hasHosts = (cfg.hosts |> attrNames |> length) > 0; +in { + options.${namespace}.services.networking.caddy = { + enable = mkEnableOption "enable caddy" // {default = true;}; + + hosts = mkOption { + type = types.attrsOf types.str; + }; + + extraConfig = mkOption { + type = types.str; + }; + }; + + config = mkIf hasHosts { + services.caddy = { + enable = cfg.enable; + + package = pkgs.caddy.withPlugins { + plugins = ["https://github.com/corazawaf/coraza-caddy@2.1.0"]; + hash = lib.fakeHash; + }; + + virtualHosts = + cfg.hosts + |> mapAttrs (host: extraConfig: {inherit extraConfig;}); + }; + }; +} 
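Review bot: `hosts` and `extraConfig` are declared without defaults and `hasHosts` forces `cfg.hosts` inside `mkIf`, so any system that imports this module without setting a host fails evaluation with an option-used-but-not-defined error; `extraConfig` is also never forwarded to `services.caddy.extraConfig`, so the `(auth)` forward_auth snippet that authelia and zitadel pass in is silently dropped from the generated Caddyfile, and as `types.str` it cannot merge more than one definition. `hash = lib.fakeHash` is a placeholder that makes every build fail with a hash mismatch until the real value is pasted in — keep a real hash there, since the `@2.1.0` tag on its own is not a content pin for the plugin; and unless a coraza directive is configured somewhere I cannot see, the WAF is compiled in but no vhost puts it in the request path. Nothing in this module opens TCP 80/443 while the authelia module no longer does (as far as this diff shows, only zitadel still does), so ACME HTTP-01 and the proxied services are unreachable on a host that enables authelia but not zitadel. The rewrite below adds the defaults, wires `extraConfig`, gates on `enable`, and moves the firewall rule into the shared module.
```nix
  # … unchanged: function header and let bindings …
  options.${namespace}.services.networking.caddy = {
    enable = mkEnableOption "enable caddy" // {default = true;};

    # attrsOf str on purpose: two modules claiming the same host must fail
    # at eval time instead of being concatenated into one vhost.
    hosts = mkOption {
      type = types.attrsOf types.str;
      default = {};
    };

    # Snippets such as "(auth) { forward_auth … }" go here; `lines` merges
    # definitions coming from several modules.
    extraConfig = mkOption {
      type = types.lines;
      default = "";
    };
  };

  config = mkIf (cfg.enable && hasHosts) {
    services.caddy = {
      enable = true;
      # … unchanged: package = pkgs.caddy.withPlugins { … } — replace lib.fakeHash with the real hash …
      virtualHosts =
        cfg.hosts
        |> mapAttrs (host: extraConfig: {inherit extraConfig;});
      extraConfig = cfg.extraConfig;
    };

    # Caddy owns the listeners now, so it also owns the firewall holes;
    # the authelia module no longer opens them.
    networking.firewall.allowedTCPPorts = [80 443];
  };
```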
diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 07f7058..7dce380 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -91,6 +91,22 @@ in { }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy.hosts = { + "vault.kruining.eu" = '' + encode zstd gzip + + handle_path /admin { + respond 401 { + close + } + } + + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { + header_up X-Real-IP {remote_host} + } + ''; + }; + systemd.tmpfiles.rules = [ "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; @@ -150,25 +166,6 @@ in { } ]; }; - - caddy = { - enable = true; - virtualHosts = { - "vault.kruining.eu".extraConfig = '' - encode zstd gzip - - handle_path /admin { - respond 401 { - close - } - } - - reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { - header_up X-Real-IP {remote_host} - } - ''; - }; - }; }; sops = { diff --git a/packages/studio/default.nix b/packages/studio/default.nix index 84610a3..1e6b457 100644 --- a/packages/studio/default.nix +++ b/packages/studio/default.nix 
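Review bot: `handle_path /admin { respond 401 … }` matches only the exact path `/admin` — Caddyfile path matchers are exact unless they end in `*` — so `/admin/` and the sub-routes the admin panel uses (`/admin/users`, `/admin/config`, `/admin/diagnostics`, …) fall through to the `reverse_proxy` below and reach vaultwarden. Use a prefix matcher, `handle /admin* { respond 401 { close } }`; `handle_path` buys nothing here because the request is never forwarded. If the panel is meant to be unreachable, also consider leaving `ADMIN_TOKEN` unset in the vaultwarden config (not visible in this hunk), which disables the panel in the application itself rather than only at the proxy. The `config = mkIf cfg.enable {` block this hunk opens continues past the hunk.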
@@ -1,105 +1,109 @@ -{ pkgs, inputs }: let +{ + pkgs, + inputs, +}: let inherit (builtins) fetchurl; - inherit (pkgs) makeDesktopItem copyDesktopItems wineWowPackages; + inherit (pkgs) makeDesktopItem copyDesktopItems wineWow64Packages; inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons; - wine = wineWowPackages.base; -in mkWindowsAppNoCC rec { - inherit wine; + wine = wineWow64Packages.base; +in + mkWindowsAppNoCC rec { + inherit wine; - pname = "studio"; - version = "2.25.4"; + pname = "studio"; + version = "2.25.4"; - src = fetchurl { - url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe"; - sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v"; - }; + src = fetchurl { + url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe"; + sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v"; + }; - enableMonoBootPrompt = false; - dontUnpack = true; + enableMonoBootPrompt = false; + dontUnpack = true; - wineArch = "win64"; - enableInstallNotification = true; + wineArch = "win64"; + enableInstallNotification = true; - fileMap = { - "$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io"; - "$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink"; - }; + fileMap = { + "$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io"; + "$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink"; + }; - fileMapDuringAppInstall = false; + fileMapDuringAppInstall = false; - persistRegistry = false; - persistRuntimeLayer = true; - inputHashMethod = "version"; + persistRegistry = false; + persistRuntimeLayer = true; + inputHashMethod = "version"; - # Can be used to precisely select the Direct3D implementation. 
- # - # | enableVulkan | rendererOverride | Direct3D implementation | - # |--------------|------------------|-------------------------| - # | false | null | OpenGL | - # | true | null | Vulkan (DXVK) | - # | * | dxvk-vulkan | Vulkan (DXVK) | - # | * | wine-opengl | OpenGL | - # | * | wine-vulkan | Vulkan (VKD3D) | - enableVulkan = false; - rendererOverride = null; + # Can be used to precisely select the Direct3D implementation. + # + # | enableVulkan | rendererOverride | Direct3D implementation | + # |--------------|------------------|-------------------------| + # | false | null | OpenGL | + # | true | null | Vulkan (DXVK) | + # | * | dxvk-vulkan | Vulkan (DXVK) | + # | * | wine-opengl | OpenGL | + # | * | wine-vulkan | Vulkan (VKD3D) | + enableVulkan = false; + rendererOverride = null; - enableHUD = false; + enableHUD = false; - enabledWineSymlinks = { }; - graphicsDriver = "auto"; - inhibitIdle = false; + enabledWineSymlinks = {}; + graphicsDriver = "auto"; + inhibitIdle = false; - nativeBuildInputs = [ copyDesktopIcons copyDesktopItems ]; + nativeBuildInputs = [copyDesktopIcons copyDesktopItems]; - winAppInstall = '' - wine64 ${src} + winAppInstall = '' + wine64 ${src} - wineserver -W - wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f - ''; + wineserver -W + wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f + ''; - winAppPreRun = '' - wineserver -W - wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f - ''; + winAppPreRun = '' + wineserver -W + wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f + ''; - winAppRun = '' - wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS" - ''; + winAppRun = '' + wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS" + ''; - winAppPostRun = ""; - installPhase = '' - runHook preInstall + winAppPostRun = ""; + installPhase 
= '' + runHook preInstall - ln -s $out/bin/.launcher $out/bin/${pname} + ln -s $out/bin/.launcher $out/bin/${pname} - runHook postInstall - ''; + runHook postInstall + ''; - desktopItems = [ - (makeDesktopItem { - mimeTypes = []; + desktopItems = [ + (makeDesktopItem { + mimeTypes = []; + name = pname; + exec = pname; + icon = pname; + desktopName = "Bricklink studio"; + genericName = "Lego creation app"; + categories = []; + }) + ]; + + desktopIcon = makeDesktopIcon { name = pname; - exec = pname; - icon = pname; - desktopName = "Bricklink studio"; - genericName = "Lego creation app"; - categories = []; - }) - ]; + src = ./studio.png; + }; - desktopIcon = makeDesktopIcon { - name = pname; - src = ./studio.png; - }; - - meta = { - description = "App for creating lego builds"; - homepage = "https://www.bricklink.com/v3/studio/main.page"; - license = ""; - maintainers = []; - platforms = [ "x86_64-linux" ]; - }; -} + meta = { + description = "App for creating lego builds"; + homepage = "https://www.bricklink.com/v3/studio/main.page"; + license = ""; + maintainers = []; + platforms = ["x86_64-linux"]; + }; + } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7440933..43a5760 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -27,17 +27,6 @@ }; }; - # Expose amarht cloud stuff like this until I have a proper solution - services.caddy.virtualHosts = { - "auth.amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:9092 - ''; - - "amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:8080 - ''; - }; - # virtualisation = { # containers.enable = true; # podman = { 
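Review bot: `version = "2.25.4"` does not match the installer the derivation actually fetches, `…/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe`, and `inputHashMethod = "version"` keys the persisted Wine layer on that version string, so a later URL/sha256 bump without a `version` bump would presumably reuse a prefix built from the previous installer — confirm against erosanix's mkWindowsApp. Set `version = "2.25.12_1";` (or build the URL from `version`) so the two cannot drift. The only substantive change in this otherwise re-indented hunk is `wineWowPackages` → `wineWow64Packages`; a one-line comment such as `# WoW64 build: the installer needs a 64-bit prefix without a 32-bit Wine` (adjust to the real reason) would save the next reader a bisect.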
@@ -204,6 +193,16 @@ development.forgejo.enable = true; networking.ssh.enable = true; + networking.caddy.hosts = { + # Expose amarht cloud stuff like this until I have a proper solution + "auth.amarth.cloud" = '' + reverse_proxy http://192.168.1.223:9092 + ''; + + "amarth.cloud" = '' + reverse_proxy http://192.168.1.223:8080 + ''; + }; media.enable = true; media.glance.enable = true;