refactor: add common caddy configuration profile

Additionally, prevent the caddy admin endpoint from being exposed to localhost.
diogotcorreia · Apr 30, 2024 · 38a75c9 · 38a75c9
1 parent f46cede
commit 38a75c9
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 86 deletions.
diff --git a/hosts/bro/default.nix b/hosts/bro/default.nix
@@ -14,7 +14,8 @@
       (inputs.nixpkgs-unstable + "/nixos/modules/services/misc/cfdyndns.nix")
     ]
     ++ (with profiles; [
-      caddy.rproxy
+      services.caddy.common
+      services.caddy.rproxy
       services.ssh
     ]);
 
@@ -58,45 +59,6 @@
   # Specific packages for this host
   hm.home.packages = with pkgs; [];
 
-  # Caddy (web server)
-  networking.firewall.allowedTCPPorts = [80 443];
-  services.caddy = {
-    enable = true;
-    extraConfig = ''
-      # Rules for services behind Cloudflare proxy
-      (CLOUDFLARE_PROXY) {
-        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
-      }
-
-      # Rules for services behind Nebula VPN (192.168.100.1/24)
-      (NEBULA) {
-        # Nebula
-        @not-nebula not remote_ip 192.168.100.1/24
-        abort @not-nebula
-      }
-
-      # Rules for services behind Authelia
-      (AUTHELIA) {
-        @not_healthchecks {
-          not {
-            method GET
-            path /
-            remote_ip 192.168.100.7 # phobos
-          }
-        }
-        forward_auth @not_healthchecks 192.168.100.1:9091 {
-          uri /api/verify?rd=https://auth.diogotc.com/
-          copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-        }
-      }
-
-    '';
-  };
-  users.users.caddy.extraGroups = [config.security.acme.defaults.group];
-
-  # Ensure nginx isn't turned on by some services (e.g. services using PHP)
-  services.nginx.enable = lib.mkForce false;
-
   # ACME certificates
   security.acme = {
     acceptTerms = true;

diff --git a/hosts/hera/default.nix b/hosts/hera/default.nix
@@ -17,6 +17,7 @@
       (inputs.nixpkgs-unstable + "/nixos/modules/virtualisation/oci-containers.nix")
     ]
     ++ (with profiles; [
+      services.caddy.common
       services.ssh
     ]);
 
@@ -86,45 +87,6 @@
   # Keep laptop on when lid is closed
   services.logind.lidSwitch = "ignore";
 
-  # Caddy (web server)
-  networking.firewall.allowedTCPPorts = [80 443];
-  services.caddy = {
-    enable = true;
-    extraConfig = ''
-      # Rules for services behind Cloudflare proxy
-      (CLOUDFLARE_PROXY) {
-        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
-      }
-
-      # Rules for services behind Nebula VPN (192.168.100.1/24)
-      (NEBULA) {
-        # Nebula + Docker
-        @not-nebula not remote_ip 192.168.100.1/24 172.16.0.0/12
-        abort @not-nebula
-      }
-
-      # Rules for services behind Authelia
-      (AUTHELIA) {
-        @not_healthchecks {
-          not {
-            method GET
-            path /
-            remote_ip 192.168.100.7 # phobos
-          }
-        }
-        forward_auth @not_healthchecks 192.168.100.1:9091 {
-          uri /api/verify?rd=https://auth.diogotc.com/
-          copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-        }
-      }
-
-    '';
-  };
-  users.users.caddy.extraGroups = [config.security.acme.defaults.group];
-
-  # Ensure nginx isn't turned on by some services (e.g. services using PHP)
-  services.nginx.enable = lib.mkForce false;
-
   # ACME certificates
   security.acme = {
     acceptTerms = true;

diff --git a/hosts/phobos/default.nix b/hosts/phobos/default.nix
@@ -7,6 +7,7 @@
   ...
 }: {
   imports = with profiles; [
+    services.caddy.common
     services.ssh
   ];
 
@@ -59,13 +60,6 @@
   # Specific packages for this host
   hm.home.packages = with pkgs; [];
 
-  # Caddy (web server)
-  networking.firewall.allowedTCPPorts = [80 443];
-  services.caddy = {
-    enable = true;
-    email = "phobos-lets-encrypt@diogotc.com";
-  };
-
   # PostgreSQL
   services.postgresql.enable = true;
 

diff --git a/profiles/services/caddy/common.nix b/profiles/services/caddy/common.nix
@@ -0,0 +1,53 @@
+# Common configuration for caddy reverse proxy
+{config, lib, ...}: {
+  # Open firewall ports
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  services.caddy = {
+    enable = true;
+    # TODO remove email once all servers have been migrated to lego (security.acme)
+    email = "${config.networking.hostName}-lets-encrypt@diogotc.com";
+    extraConfig = ''
+      # Rules for services behind Cloudflare proxy
+      (CLOUDFLARE_PROXY) {
+        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+      }
+
+      # Rules for services behind Nebula VPN (192.168.100.1/24)
+      (NEBULA) {
+        # Nebula + Docker
+        @not-nebula not remote_ip 192.168.100.1/24 172.16.0.0/12
+        abort @not-nebula
+      }
+
+      # Rules for services behind Authelia
+      (AUTHELIA) {
+        @not_healthchecks {
+          not {
+            method GET
+            path /
+            remote_ip 192.168.100.7 # phobos
+          }
+        }
+        forward_auth @not_healthchecks 192.168.100.1:9091 {
+          uri /api/verify?rd=https://auth.diogotc.com/
+          copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+        }
+      }
+    '';
+  };
+  users.users.caddy.extraGroups = [config.security.acme.defaults.group];
+
+  # Restrict caddy admin endpoint to the caddy user
+  systemd.services.caddy = {
+    environment = {
+      CADDY_ADMIN = "unix///run/caddy/caddy.sock";
+    };
+    serviceConfig = {
+      RuntimeDirectory = "caddy";
+    };
+  };
+
+  # Ensure nginx isn't turned on by some services (e.g. services using PHP)
+  services.nginx.enable = lib.mkForce false;
+}
diff --git a/profiles/caddy/rproxy.nix → profiles/services/caddy/rproxy.nix b/profiles/caddy/rproxy.nix → profiles/services/caddy/rproxy.nix