chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor Caddy config into networking.caddy module

Browse source 
Move Caddy configuration from individual services to a shared
networking.caddy module. Update service modules and system config to use
the new interface. Remove redundant user definitions and old Caddy
config blocks.
This commit is contained in:
Chris Kruining 2026-03-04 09:29:36 +01:00
parent d3a394dfd9
commit 4e9ef9dc4f
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
10 changed files with 308 additions and 286 deletions
Download patch file Download diff file Expand all files Collapse all files

84
modules/nixos/services/authentication/authelia/default.nix
View file

@ -1,16 +1,36 @@
{ config, lib, pkgs, namespace, ... }: {
let config,
lib,
pkgs,
namespace,
...
}: let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
user = "authelia-testing"; user = "authelia-testing";
cfg = config.${namespace}.services.authentication.authelia; cfg = config.${namespace}.services.authentication.authelia;
in in {
{
options.${namespace}.services.authentication.authelia = { options.${namespace}.services.authentication.authelia = {
enable = mkEnableOption "Authelia"; enable = mkEnableOption "Authelia";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
authelia authelia
]; ];
@ -112,8 +132,8 @@ in
authorization_policy = "one_factor"; authorization_policy = "one_factor";
userinfo_signed_response_alg = "none"; userinfo_signed_response_alg = "none";
consent_mode = "implicit"; consent_mode = "implicit";
scopes = [ "openid" "profile" "groups" ]; scopes = ["openid" "profile" "groups"];
redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ]; redirect_uris = ["https://jellyfin.kruining.eu/sso/OID/redirect/authelia"];
} }
{ {
client_id = "streamarr"; client_id = "streamarr";
@ -127,8 +147,8 @@ in
authorization_policy = "one_factor"; authorization_policy = "one_factor";
userinfo_signed_response_alg = "none"; userinfo_signed_response_alg = "none";
consent_mode = "implicit"; consent_mode = "implicit";
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"];
redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; redirect_uris = ["http://localhost:3000/api/auth/oauth2/callback/authelia"];
} }
{ {
client_id = "forgejo"; client_id = "forgejo";
@ -142,10 +162,10 @@ in
authorization_policy = "one_factor"; authorization_policy = "one_factor";
userinfo_signed_response_alg = "none"; userinfo_signed_response_alg = "none";
consent_mode = "implicit"; consent_mode = "implicit";
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"];
response_types = [ "code" ]; response_types = ["code"];
grant_types = [ "authorization_code" ]; grant_types = ["authorization_code"];
redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; redirect_uris = ["http://localhost:5002/user/oauth2/authelia/callback"];
} }
]; ];
}; };
@ -195,48 +215,8 @@ in
- jellyfin-users - jellyfin-users
- admin - admin
- dev - dev
jacqueline:
disabled: false
displayname: Jacqueline Bevers
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
martijn:
disabled: false
displayname: Martijn Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
andrea:
disabled: false
displayname: Andrea Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
''; '';
}; };
}; };
services.caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }

37
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -537,7 +537,25 @@ in
}; };
in in
mkIf cfg.enable { mkIf cfg.enable {
${namespace}.services.persistance.postgresql.enable = true; ${namespace}.services = {
persistance.postgresql.enable = true;
networking.caddy = {
hosts = {
"auth.kruining.eu" = ''
reverse_proxy h2c://::1:9092
'';
};
extraConfig = ''
(auth) {
forward_auth h2c://::1:9092 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
zitadel zitadel
@ -678,23 +696,6 @@ in
} }
]; ];
}; };
caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy h2c://::1:9092
'';
};
extraConfig = ''
(auth) {
forward_auth h2c://::1:9092 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];

138
modules/nixos/services/communication/matrix/default.nix
View file

@ -25,6 +25,75 @@ in {
${namespace}.services = { ${namespace}.services = {
persistance.postgresql.enable = true; persistance.postgresql.enable = true;
# virtualisation.podman.enable = true; # virtualisation.podman.enable = true;
networking.caddy = {
# globalConfig = ''
# layer4 {
# 127.0.0.1:4004
# route {
# proxy {
# upstream synapse:4004
# }
# }
# }
# 127.0.0.1:4005
# route {
# proxy {
# upstream synapse:4005
# }
# }
# }
# }
# '';
hosts = let
server = {
"m.server" = "${fqn}:443";
};
client = {
"m.homeserver".base_url = "https://${fqn}";
"m.identity_server".base_url = "https://auth.${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${domain}/livekit/jwt";
}
];
};
in {
"${domain}, darkch.at" = ''
# Route for lk-jwt-service
handle /livekit/jwt* {
uri strip_prefix /livekit/jwt
reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
handle_path /livekit/sfu* {
reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `${toJSON server}`
respond /.well-known/matrix/client `${toJSON client}`
'';
"${fqn}" = ''
reverse_proxy /_matrix/* http://::1:${toString port}
reverse_proxy /_synapse/client/* http://::1:${toString port}
'';
};
};
}; };
services = { services = {
@ -197,75 +266,6 @@ in {
]; ];
}; };
caddy = {
enable = true;
# globalConfig = ''
# layer4 {
# 127.0.0.1:4004
# route {
# proxy {
# upstream synapse:4004
# }
# }
# }
# 127.0.0.1:4005
# route {
# proxy {
# upstream synapse:4005
# }
# }
# }
# }
# '';
virtualHosts = let
server = {
"m.server" = "${fqn}:443";
};
client = {
"m.homeserver".base_url = "https://${fqn}";
"m.identity_server".base_url = "https://auth.${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${domain}/livekit/jwt";
}
];
};
in {
"${domain}, darkch.at".extraConfig = ''
# Route for lk-jwt-service
handle /livekit/jwt* {
uri strip_prefix /livekit/jwt
reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
handle_path /livekit/sfu* {
reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
header_up Host {host}
header_up X-Forwarded-Server {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
}
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `${toJSON server}`
respond /.well-known/matrix/client `${toJSON client}`
'';
"${fqn}".extraConfig = ''
reverse_proxy /_matrix/* http://::1:${toString port}
reverse_proxy /_synapse/client/* http://::1:${toString port}
'';
};
};
livekit = { livekit = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;

29
modules/nixos/services/development/forgejo/default.nix
View file

@ -28,6 +28,20 @@ in {
${namespace}.services = { ${namespace}.services = {
persistance.postgresql.enable = true; persistance.postgresql.enable = true;
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
networking.caddy = {
hosts = {
"${domain}" = ''
# import auth
# stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:${toString cfg.port}
'';
};
};
}; };
environment.systemPackages = with pkgs; [forgejo]; environment.systemPackages = with pkgs; [forgejo];
@ -168,21 +182,6 @@ in {
}; };
}; };
}; };
caddy = {
enable = true;
virtualHosts = {
"${domain}".extraConfig = ''
# import auth
# stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:${toString cfg.port}
'';
};
};
}; };
users = { users = {

17
modules/nixos/services/media/jellyfin/default.nix
View file

@ -17,6 +17,14 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts = {
"jellyfin.kruining.eu" = ''
reverse_proxy http://[::1]:8096
'';
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
jellyfin jellyfin
jellyfin-web jellyfin-web
@ -34,15 +42,6 @@ in {
user = "media"; user = "media";
group = "media"; group = "media";
}; };
caddy = {
enable = true;
virtualHosts = {
"jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://[::1]:8096
'';
};
};
}; };
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";

29
modules/nixos/services/media/nextcloud/default.nix
View file

@ -1,11 +1,15 @@
{ config, lib, pkgs, namespace, ... }: {
let config,
lib,
pkgs,
namespace,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption; inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str; inherit (lib.types) str;
cfg = config.${namespace}.services.media.nextcloud; cfg = config.${namespace}.services.media.nextcloud;
in in {
{
options.${namespace}.services.media.nextcloud = { options.${namespace}.services.media.nextcloud = {
enable = mkEnableOption "Nextcloud"; enable = mkEnableOption "Nextcloud";
@ -21,6 +25,14 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy = {
hosts."cloud.kruining.eu" = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
users = { users = {
users.${cfg.user} = { users.${cfg.user} = {
isSystemUser = true; isSystemUser = true;
@ -75,14 +87,5 @@ in
# startServices = true; # startServices = true;
# }; # };
services.caddy = {
enable = true;
virtualHosts."cloud.kruining.eu".extraConfig = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
}; };
} }

40
modules/nixos/services/networking/caddy/default.nix Normal file
View file

@ -0,0 +1,40 @@
{
config,
pkgs,
lib,
namespace,
...
}: let
inherit (builtins) length;
inherit (lib) mkIf mkEnableOption mkOption types attrNames mapAttrs;
cfg = config.${namespace}.services.networking.caddy;
hasHosts = (cfg.hosts |> attrNames |> length) > 0;
in {
options.${namespace}.services.networking.caddy = {
enable = mkEnableOption "enable caddy" // {default = true;};
hosts = mkOption {
type = types.attrsOf types.str;
};
extraConfig = mkOption {
type = types.str;
};
};
config = mkIf hasHosts {
services.caddy = {
enable = cfg.enable;
package = pkgs.caddy.withPlugins {
plugins = ["https://github.com/corazawaf/coraza-caddy@2.1.0"];
hash = lib.fakeHash;
};
virtualHosts =
cfg.hosts
|> mapAttrs (host: extraConfig: {inherit extraConfig;});
};
};
}

35
modules/nixos/services/security/vaultwarden/default.nix
View file

@ -91,6 +91,22 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services.networking.caddy.hosts = {
"vault.kruining.eu" = ''
encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
]; ];
@ -150,25 +166,6 @@ in {
} }
]; ];
}; };
caddy = {
enable = true;
virtualHosts = {
"vault.kruining.eu".extraConfig = ''
encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
};
};
}; };
sops = { sops = {

164
packages/studio/default.nix
View file

@ -1,105 +1,109 @@
{ pkgs, inputs }: let {
pkgs,
inputs,
}: let
inherit (builtins) fetchurl; inherit (builtins) fetchurl;
inherit (pkgs) makeDesktopItem copyDesktopItems wineWowPackages; inherit (pkgs) makeDesktopItem copyDesktopItems wineWow64Packages;
inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons; inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons;
wine = wineWowPackages.base; wine = wineWow64Packages.base;
in mkWindowsAppNoCC rec { in
inherit wine; mkWindowsAppNoCC rec {
inherit wine;
pname = "studio"; pname = "studio";
version = "2.25.4"; version = "2.25.4";
src = fetchurl { src = fetchurl {
url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe"; url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe";
sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v"; sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v";
}; };
enableMonoBootPrompt = false; enableMonoBootPrompt = false;
dontUnpack = true; dontUnpack = true;
wineArch = "win64"; wineArch = "win64";
enableInstallNotification = true; enableInstallNotification = true;
fileMap = { fileMap = {
"$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io"; "$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io";
"$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink"; "$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink";
}; };
fileMapDuringAppInstall = false; fileMapDuringAppInstall = false;
persistRegistry = false; persistRegistry = false;
persistRuntimeLayer = true; persistRuntimeLayer = true;
inputHashMethod = "version"; inputHashMethod = "version";
# Can be used to precisely select the Direct3D implementation. # Can be used to precisely select the Direct3D implementation.
# #
# | enableVulkan | rendererOverride | Direct3D implementation | # | enableVulkan | rendererOverride | Direct3D implementation |
# |--------------|------------------|-------------------------| # |--------------|------------------|-------------------------|
# | false | null | OpenGL | # | false | null | OpenGL |
# | true | null | Vulkan (DXVK) | # | true | null | Vulkan (DXVK) |
# | * | dxvk-vulkan | Vulkan (DXVK) | # | * | dxvk-vulkan | Vulkan (DXVK) |
# | * | wine-opengl | OpenGL | # | * | wine-opengl | OpenGL |
# | * | wine-vulkan | Vulkan (VKD3D) | # | * | wine-vulkan | Vulkan (VKD3D) |
enableVulkan = false; enableVulkan = false;
rendererOverride = null; rendererOverride = null;
enableHUD = false; enableHUD = false;
enabledWineSymlinks = { }; enabledWineSymlinks = {};
graphicsDriver = "auto"; graphicsDriver = "auto";
inhibitIdle = false; inhibitIdle = false;
nativeBuildInputs = [ copyDesktopIcons copyDesktopItems ]; nativeBuildInputs = [copyDesktopIcons copyDesktopItems];
winAppInstall = '' winAppInstall = ''
wine64 ${src} wine64 ${src}
wineserver -W wineserver -W
wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f
''; '';
winAppPreRun = '' winAppPreRun = ''
wineserver -W wineserver -W
wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f
''; '';
winAppRun = '' winAppRun = ''
wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS" wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS"
''; '';
winAppPostRun = ""; winAppPostRun = "";
installPhase = '' installPhase = ''
runHook preInstall runHook preInstall
ln -s $out/bin/.launcher $out/bin/${pname} ln -s $out/bin/.launcher $out/bin/${pname}
runHook postInstall runHook postInstall
''; '';
desktopItems = [ desktopItems = [
(makeDesktopItem { (makeDesktopItem {
mimeTypes = []; mimeTypes = [];
name = pname;
exec = pname;
icon = pname;
desktopName = "Bricklink studio";
genericName = "Lego creation app";
categories = [];
})
];
desktopIcon = makeDesktopIcon {
name = pname; name = pname;
exec = pname; src = ./studio.png;
icon = pname; };
desktopName = "Bricklink studio";
genericName = "Lego creation app";
categories = [];
})
];
desktopIcon = makeDesktopIcon { meta = {
name = pname; description = "App for creating lego builds";
src = ./studio.png; homepage = "https://www.bricklink.com/v3/studio/main.page";
}; license = "";
maintainers = [];
meta = { platforms = ["x86_64-linux"];
description = "App for creating lego builds"; };
homepage = "https://www.bricklink.com/v3/studio/main.page"; }
license = "";
maintainers = [];
platforms = [ "x86_64-linux" ];
};
}

21
systems/x86_64-linux/ulmo/default.nix
View file

@ -27,17 +27,6 @@
}; };
}; };
# Expose amarht cloud stuff like this until I have a proper solution
services.caddy.virtualHosts = {
"auth.amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:9092
'';
"amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:8080
'';
};
# virtualisation = { # virtualisation = {
# containers.enable = true; # containers.enable = true;
# podman = { # podman = {
@ -204,6 +193,16 @@
development.forgejo.enable = true; development.forgejo.enable = true;
networking.ssh.enable = true; networking.ssh.enable = true;
networking.caddy.hosts = {
# Expose amarht cloud stuff like this until I have a proper solution
"auth.amarth.cloud" = ''
reverse_proxy http://192.168.1.223:9092
'';
"amarth.cloud" = ''
reverse_proxy http://192.168.1.223:8080
'';
};
media.enable = true; media.enable = true;
media.glance.enable = true; media.glance.enable = true;