refactor: add common caddy configuration profile
Additionally, prevent the caddy admin endpoint from being exposed on localhost.
1 parent
f46cede
commit 38a75c9
Showing
5 changed files
with
57 additions
and
86 deletions.
@@ -0,0 +1,53 @@ | ||
# Common configuration for caddy reverse proxy | ||
{config, lib, ...}: { | ||
# Open firewall ports | ||
networking.firewall.allowedTCPPorts = [80 443]; | ||
|
||
services.caddy = { | ||
enable = true; | ||
# TODO remove email once all servers have been migrated to lego (security.acme) | ||
email = "${config.networking.hostName}-lets-encrypt@diogotc.com"; | ||
extraConfig = '' | ||
# Rules for services behind Cloudflare proxy | ||
(CLOUDFLARE_PROXY) { | ||
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP} | ||
} | ||
# Rules for services behind Nebula VPN (192.168.100.1/24) | ||
(NEBULA) { | ||
# Nebula + Docker | ||
@not-nebula not remote_ip 192.168.100.1/24 172.16.0.0/12 | ||
abort @not-nebula | ||
} | ||
# Rules for services behind Authelia | ||
(AUTHELIA) { | ||
@not_healthchecks { | ||
not { | ||
method GET | ||
path / | ||
remote_ip 192.168.100.7 # phobos | ||
} | ||
} | ||
forward_auth @not_healthchecks 192.168.100.1:9091 { | ||
uri /api/verify?rd=https://auth.diogotc.com/ | ||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email | ||
} | ||
} | ||
''; | ||
}; | ||
users.users.caddy.extraGroups = [config.security.acme.defaults.group]; | ||
|
||
# Restrict caddy admin endpoint to the caddy user | ||
systemd.services.caddy = { | ||
environment = { | ||
CADDY_ADMIN = "unix///run/caddy/caddy.sock"; | ||
}; | ||
serviceConfig = { | ||
RuntimeDirectory = "caddy"; | ||
}; | ||
}; | ||
|
||
# Ensure nginx isn't turned on by some services (e.g. services using PHP) | ||
services.nginx.enable = lib.mkForce false; | ||
} |
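Review bot: The access restriction claimed by the comment above `systemd.services.caddy` rests on defaults rather than an explicit mode: `RuntimeDirectory = "caddy"` creates /run/caddy with systemd's default `RuntimeDirectoryMode` of 0755, and the socket file's own mode is whatever the unit's umask yields, so "restricted to the caddy user" only holds while those defaults do. Making it explicit costs one line next to `RuntimeDirectory`, `RuntimeDirectoryMode = "0750";`, so that other local users cannot traverse the directory whatever the socket's mode turns out to be. Caddy's unix address form is `unix/` followed by the absolute path, so the canonical spelling is `unix//run/caddy/caddy.sock`; the extra slash in `unix///run/caddy/caddy.sock` should resolve to the same file on Linux, but the normalised form avoids a double-check on every read. It is also worth confirming that the module's reload path reaches the new address — `CADDY_ADMIN` set via `environment` applies to the whole unit, so a `caddy reload` in the module's `ExecReload` should pick it up, but running `systemctl reload caddy` once after deploying would rule out a silent fallback to the localhost default.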
File renamed without changes.