diff --git a/hosts/bro/default.nix b/hosts/bro/default.nix
index 9ef5df0..cade720 100644
--- a/hosts/bro/default.nix
+++ b/hosts/bro/default.nix
@@ -14,7 +14,8 @@
     (inputs.nixpkgs-unstable + "/nixos/modules/services/misc/cfdyndns.nix")
   ] ++ (with profiles; [
-    caddy.rproxy
+    services.caddy.common
+    services.caddy.rproxy
     services.ssh
   ]);
@@ -58,45 +59,6 @@
   # Specific packages for this host
   hm.home.packages = with pkgs; [];
-  # Caddy (web server)
-  networking.firewall.allowedTCPPorts = [80 443];
-  services.caddy = {
-    enable = true;
-    extraConfig = ''
-      # Rules for services behind Cloudflare proxy
-      (CLOUDFLARE_PROXY) {
-        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
-      }
-
-      # Rules for services behind Nebula VPN (192.168.100.1/24)
-      (NEBULA) {
-        # Nebula
-        @not-nebula not remote_ip 192.168.100.1/24
-        abort @not-nebula
-      }
-
-      # Rules for services behind Authelia
-      (AUTHELIA) {
-        @not_healthchecks {
-          not {
-            method GET
-            path /
-            remote_ip 192.168.100.7 # phobos
-          }
-        }
-        forward_auth @not_healthchecks 192.168.100.1:9091 {
-          uri /api/verify?rd=https://auth.diogotc.com/
-          copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-        }
-      }
-
-    '';
-  };
-  users.users.caddy.extraGroups = [config.security.acme.defaults.group];
-
-  # Ensure nginx isn't turned on by some services (e.g. services using PHP)
-  services.nginx.enable = lib.mkForce false;
-
   # ACME certificates
   security.acme = {
     acceptTerms = true;
diff --git a/hosts/hera/default.nix b/hosts/hera/default.nix
index 87b057d..aace3fa 100644
--- a/hosts/hera/default.nix
+++ b/hosts/hera/default.nix
@@ -17,6 +17,7 @@
     (inputs.nixpkgs-unstable + "/nixos/modules/virtualisation/oci-containers.nix")
   ] ++ (with profiles; [
+    services.caddy.common
     services.ssh
   ]);
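Review bot: Importing `services.caddy.common` here changes bro's network policy, not just where it is defined: the per-host `(NEBULA)` snippet removed in the next hunk only accepted `remote_ip 192.168.100.1/24`, whereas the shared profile's version also admits `172.16.0.0/12` ("Nebula + Docker", copied from hera). If bro has no Docker bridge, any peer from that RFC1918 range that can reach the host would now pass the Nebula-only check on every vhost that imports `(NEBULA)`. Consider gating the extra range in the profile, e.g. `@not-nebula not remote_ip 192.168.100.1/24${lib.optionalString config.virtualisation.docker.enable " 172.16.0.0/12"}`, or exposing it as a profile option each host sets explicitly; I am inferring bro's lack of Docker from the removed comment (`# Nebula` vs hera's `# Nebula + Docker`), so please confirm.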
@@ -86,45 +87,6 @@
   # Keep laptop on when lid is closed
   services.logind.lidSwitch = "ignore";
-  # Caddy (web server)
-  networking.firewall.allowedTCPPorts = [80 443];
-  services.caddy = {
-    enable = true;
-    extraConfig = ''
-      # Rules for services behind Cloudflare proxy
-      (CLOUDFLARE_PROXY) {
-        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
-      }
-
-      # Rules for services behind Nebula VPN (192.168.100.1/24)
-      (NEBULA) {
-        # Nebula + Docker
-        @not-nebula not remote_ip 192.168.100.1/24 172.16.0.0/12
-        abort @not-nebula
-      }
-
-      # Rules for services behind Authelia
-      (AUTHELIA) {
-        @not_healthchecks {
-          not {
-            method GET
-            path /
-            remote_ip 192.168.100.7 # phobos
-          }
-        }
-        forward_auth @not_healthchecks 192.168.100.1:9091 {
-          uri /api/verify?rd=https://auth.diogotc.com/
-          copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-        }
-      }
-
-    '';
-  };
-  users.users.caddy.extraGroups = [config.security.acme.defaults.group];
-
-  # Ensure nginx isn't turned on by some services (e.g. services using PHP)
-  services.nginx.enable = lib.mkForce false;
-
   # ACME certificates
   security.acme = {
     acceptTerms = true;
diff --git a/hosts/phobos/default.nix b/hosts/phobos/default.nix
index 2d25b3a..3a28c4c 100644
--- a/hosts/phobos/default.nix
+++ b/hosts/phobos/default.nix
@@ -7,6 +7,7 @@
   ...
 }: {
   imports = with profiles; [
+    services.caddy.common
     services.ssh
   ];
@@ -59,13 +60,6 @@
   # Specific packages for this host
   hm.home.packages = with pkgs; [];
-  # Caddy (web server)
-  networking.firewall.allowedTCPPorts = [80 443];
-  services.caddy = {
-    enable = true;
-    email = "phobos-lets-encrypt@diogotc.com";
-  };
-
   # PostgreSQL
   services.postgresql.enable = true;
diff --git a/profiles/services/caddy/common.nix b/profiles/services/caddy/common.nix
new file mode 100644
index 0000000..df92f7d
--- /dev/null
+++ b/profiles/services/caddy/common.nix
@@ -0,0 +1,53 @@
+# Common configuration for caddy reverse proxy
+{config, lib, ...}: {
+  # Open firewall ports
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  services.caddy = {
+    enable = true;
+    # TODO remove email once all servers have been migrated to lego (security.acme)
+    email = "${config.networking.hostName}-lets-encrypt@diogotc.com";
+    extraConfig = ''
+      # Rules for services behind Cloudflare proxy
+      (CLOUDFLARE_PROXY) {
+        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+      }
+
+      # Rules for services behind Nebula VPN (192.168.100.1/24)
+      (NEBULA) {
+        # Nebula + Docker
+        @not-nebula not remote_ip 192.168.100.1/24 172.16.0.0/12
+        abort @not-nebula
+      }
+
+      # Rules for services behind Authelia
+      (AUTHELIA) {
+        @not_healthchecks {
+          not {
+            method GET
+            path /
+            remote_ip 192.168.100.7 # phobos
+          }
+        }
+        forward_auth @not_healthchecks 192.168.100.1:9091 {
+          uri /api/verify?rd=https://auth.diogotc.com/
+          copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+        }
+      }
+    '';
+  };
+  users.users.caddy.extraGroups = [config.security.acme.defaults.group];
+
+  # Restrict caddy admin endpoint to the caddy user
+  systemd.services.caddy = {
+    environment = {
+      CADDY_ADMIN = "unix///run/caddy/caddy.sock";
+    };
+    serviceConfig = {
+      RuntimeDirectory = "caddy";
+    };
+  };
+
+  # Ensure nginx isn't turned on by some services (e.g. services using PHP)
+  services.nginx.enable = lib.mkForce false;
+}
diff --git a/profiles/caddy/rproxy.nix b/profiles/services/caddy/rproxy.nix
similarity index 100%
rename from profiles/caddy/rproxy.nix
rename to profiles/services/caddy/rproxy.nix
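Review bot: Requests that fall into the health-check carve-out of `(AUTHELIA)` (GET / from 192.168.100.7) skip `forward_auth` entirely, so any `Remote-User`, `Remote-Groups`, `Remote-Name` or `Remote-Email` header the client sends on that path reaches the upstream untouched; `copy_headers` only rewrites those headers when the auth handler actually runs. The exposure is bounded by the `remote_ip` condition, but an upstream that trusts these headers should never see client-supplied values, so the exempt requests should have them stripped — note that in Caddy's default directive order `request_header` runs after `forward_auth`, so the strip must be scoped to the carve-out or it would also delete the values forward_auth just copied. Separately, the "restrict admin endpoint to the caddy user" comment is only as true as the service umask and the default `RuntimeDirectory` mode make it; pinning it with `RuntimeDirectoryMode = "0700";` (and, if the nixpkgs-unstable Caddy supports the permission suffix, `unix//run/caddy/caddy.sock|0600`, which also drops the stray third slash) would make the claim hold by construction.
```nix
      # Rules for services behind Authelia
      (AUTHELIA) {
        @healthchecks {
          method GET
          path /
          remote_ip 192.168.100.7 # phobos
        }
        # forward_auth is skipped for health checks, so never forward identity headers they carry
        request_header @healthchecks -Remote-User
        request_header @healthchecks -Remote-Groups
        request_header @healthchecks -Remote-Name
        request_header @healthchecks -Remote-Email
        # … unchanged: @not_healthchecks matcher and forward_auth block …
      }
```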