chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor Caddy config into networking.caddy module

Browse source 
Move Caddy configuration from individual services to a shared
networking.caddy module. Update service modules and system config to use
the new interface. Remove redundant user definitions and old Caddy
config blocks.
This commit is contained in:
Chris Kruining 2026-03-04 09:29:36 +01:00
parent d3a394dfd9
commit 4e9ef9dc4f
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
10 changed files with 308 additions and 286 deletions
Download patch file Download diff file Expand all files Collapse all files

68
modules/nixos/services/authentication/authelia/default.nix
View file

@ -1,16 +1,36 @@
{ config, lib, pkgs, namespace, ... }: {
let config,
lib,
pkgs,
namespace,
...
}: let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
user = "authelia-testing"; user = "authelia-testing";
cfg = config.${namespace}.services.authentication.authelia; cfg = config.${namespace}.services.authentication.authelia;
in in {
{
options.${namespace}.services.authentication.authelia = { options.${namespace}.services.authentication.authelia = {
enable = mkEnableOption "Authelia"; enable = mkEnableOption "Authelia";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
authelia authelia
]; ];
@ -195,48 +215,8 @@ in
- jellyfin-users - jellyfin-users
- admin - admin
- dev - dev
jacqueline:
disabled: false
displayname: Jacqueline Bevers
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
martijn:
disabled: false
displayname: Martijn Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
andrea:
disabled: false
displayname: Andrea Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
''; '';
}; };
}; };
services.caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }

37
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -537,7 +537,25 @@ in
}; };
in in
mkIf cfg.enable { mkIf cfg.enable {
${namespace}.services.persistance.postgresql.enable = true; ${namespace}.services = {
persistance.postgresql.enable = true;
networking.caddy = {
hosts = {
"auth.kruining.eu" = ''
reverse_proxy h2c://::1:9092
'';
};
extraConfig = ''
(auth) {
forward_auth h2c://::1:9092 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
zitadel zitadel
@ -678,23 +696,6 @@ in
} }
]; ];
}; };
caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy h2c://::1:9092
'';
};
extraConfig = ''
(auth) {
forward_auth h2c://::1:9092 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];

138
modules/nixos/services/communication/matrix/default.nix
View file

@ -25,6 +25,75 @@ in {
${namespace}.services = { ${namespace}.services = {
persistance.postgresql.enable = true; persistance.postgresql.enable = true;
# virtualisation.podman.enable = true; # virtualisation.podman.enable = true;
networking.caddy = {
# globalConfig = ''
# layer4 {
# 127.0.0.1:4004
# route {
# proxy {
# upstream synapse:4004
# }
# }
# }
# 127.0.0.1:4005
# route {
# proxy {
# upstream synapse:4005
# }
# }
# }
# }
# '';
hosts = let
server = {
"m.server" = "${fqn}:443";
};
client = {
"m.homeserver".base_url = "https://${fqn}";
"m.identity_server".base_url = "https://auth.${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${domain}/livekit/jwt";
}
];
};
in {
"${domain}, darkch.at" = ''
# Route for lk-jwt-service
handle /livekit/jwt* {
uri strip_prefix /livekit/jwt
reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
handle_path /livekit/sfu* {
reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `${toJSON server}`
respond /.well-known/matrix/client `${toJSON client}`
'';
"${fqn}" = ''
reverse_proxy /_matrix/* http://::1:${toString port}
reverse_proxy /_synapse/client/* http://::1:${toString port}
'';
};
};
}; };
services = { services = {
@ -197,75 +266,6 @@ in {
]; ];
}; };
caddy = {
enable = true;
# globalConfig = ''
# layer4 {
# 127.0.0.1:4004
# route {
# proxy {
# upstream synapse:4004
# }
# }
# }
# 127.0.0.1:4005
# route {
# proxy {
# upstream synapse:4005
# }
# }
# }
# }
# '';
virtualHosts = let
server = {
"m.server" = "${fqn}:443";
};
client = {
"m.homeserver".base_url = "https://${fqn}";
"m.identity_server".base_url = "https://auth.${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${domain}/livekit/jwt";
}
];
};
in {
"${domain}, darkch.at".extraConfig = ''
# Route for lk-jwt-service
handle /livekit/jwt* {
uri strip_prefix /livekit/jwt
reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
handle_path /livekit/sfu* {
reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `${toJSON server}`
respond /.well-known/matrix/client `${toJSON client}`
'';
"${fqn}".extraConfig = ''
reverse_proxy /_matrix/* http://::1:${toString port}
reverse_proxy /_synapse/client/* http://::1:${toString port}
'';
};
};
livekit = { livekit = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;

29
modules/nixos/services/development/forgejo/default.nix
View file

@ -28,6 +28,20 @@ in {
${namespace}.services = { ${namespace}.services = {
persistance.postgresql.enable = true; persistance.postgresql.enable = true;
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
networking.caddy = {
hosts = {
"${domain}" = ''
# import auth
# stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:${toString cfg.port}
'';
};
};
}; };
environment.systemPackages = with pkgs; [forgejo]; environment.systemPackages = with pkgs; [forgejo];
@ -168,21 +182,6 @@ in {
}; };
}; };
}; };
caddy = {
enable = true;
virtualHosts = {
"${domain}".extraConfig = ''
# import auth
# stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:${toString cfg.port}
'';
};
};
}; };
users = { users = {

17
modules/nixos/services/media/jellyfin/default.nix
View file

@ -17,6 +17,14 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts = {
"jellyfin.kruining.eu" = ''
reverse_proxy http://[::1]:8096
'';
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
jellyfin jellyfin
jellyfin-web jellyfin-web
@ -34,15 +42,6 @@ in {
user = "media"; user = "media";
group = "media"; group = "media";
}; };
caddy = {
enable = true;
virtualHosts = {
"jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://[::1]:8096
'';
};
};
}; };
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";

29
modules/nixos/services/media/nextcloud/default.nix
View file

@ -1,11 +1,15 @@
{ config, lib, pkgs, namespace, ... }: {
let config,
lib,
pkgs,
namespace,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption; inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str; inherit (lib.types) str;
cfg = config.${namespace}.services.media.nextcloud; cfg = config.${namespace}.services.media.nextcloud;
in in {
{
options.${namespace}.services.media.nextcloud = { options.${namespace}.services.media.nextcloud = {
enable = mkEnableOption "Nextcloud"; enable = mkEnableOption "Nextcloud";
@ -21,6 +25,14 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts."cloud.kruining.eu" = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
users = { users = {
users.${cfg.user} = { users.${cfg.user} = {
isSystemUser = true; isSystemUser = true;
@ -75,14 +87,5 @@ in
# startServices = true; # startServices = true;
# }; # };
services.caddy = {
enable = true;
virtualHosts."cloud.kruining.eu".extraConfig = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
}; };
} }

40
modules/nixos/services/networking/caddy/default.nix Normal file
View file

@ -0,0 +1,40 @@
{
config,
pkgs,
lib,
namespace,
...
}: let
inherit (builtins) length;
inherit (lib) mkIf mkEnableOption mkOption types attrNames mapAttrs;
cfg = config.${namespace}.services.networking.caddy;
hasHosts = (cfg.hosts |> attrNames |> length) > 0;
in {
options.${namespace}.services.networking.caddy = {
enable = mkEnableOption "enable caddy" // {default = true;};
hosts = mkOption {
type = types.attrsOf types.str;
};
extraConfig = mkOption {
type = types.str;
};
};
config = mkIf hasHosts {
services.caddy = {
enable = cfg.enable;
package = pkgs.caddy.withPlugins {
plugins = ["https://github.com/corazawaf/coraza-caddy@2.1.0"];
hash = lib.fakeHash;
};
virtualHosts =
cfg.hosts
|> mapAttrs (host: extraConfig: {inherit extraConfig;});
};
};
}

35
modules/nixos/services/security/vaultwarden/default.nix
View file

@ -91,6 +91,22 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy.hosts = {
"vault.kruining.eu" = ''
encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
]; ];
@ -150,25 +166,6 @@ in {
} }
]; ];
}; };
caddy = {
enable = true;
virtualHosts = {
"vault.kruining.eu".extraConfig = ''
encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
};
};
}; };
sops = { sops = {

12
packages/studio/default.nix
View file

@ -1,10 +1,14 @@
{ pkgs, inputs }: let {
pkgs,
inputs,
}: let
inherit (builtins) fetchurl; inherit (builtins) fetchurl;
inherit (pkgs) makeDesktopItem copyDesktopItems wineWowPackages; inherit (pkgs) makeDesktopItem copyDesktopItems wineWow64Packages;
inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons; inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons;
wine = wineWowPackages.base; wine = wineWow64Packages.base;
in mkWindowsAppNoCC rec { in
mkWindowsAppNoCC rec {
inherit wine; inherit wine;
pname = "studio"; pname = "studio";

21
systems/x86_64-linux/ulmo/default.nix
View file

@ -27,17 +27,6 @@
}; };
}; };
# Expose amarht cloud stuff like this until I have a proper solution
services.caddy.virtualHosts = {
"auth.amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:9092
'';
"amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:8080
'';
};
# virtualisation = { # virtualisation = {
# containers.enable = true; # containers.enable = true;
# podman = { # podman = {
@ -204,6 +193,16 @@
development.forgejo.enable = true; development.forgejo.enable = true;
networking.ssh.enable = true; networking.ssh.enable = true;
networking.caddy.hosts = {
# Expose amarht cloud stuff like this until I have a proper solution
"auth.amarth.cloud" = ''
reverse_proxy http://192.168.1.223:9092
'';
"amarth.cloud" = ''
reverse_proxy http://192.168.1.223:8080
'';
};
media.enable = true; media.enable = true;
media.glance.enable = true; media.glance.enable = true;