diff --git a/clients/quadraticserver/auth.nix b/clients/quadraticserver/auth.nix
index 714052e..dd4f1b5 100644
--- a/clients/quadraticserver/auth.nix
+++ b/clients/quadraticserver/auth.nix
@@ -16,6 +16,6 @@
 group = "caddy";
 };
 
- caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy unix/${socket}";
+ caddy.wafHosts."${domain}".extraConfig = "reverse_proxy unix/${socket}";
 };
 }
diff --git a/clients/quadraticserver/bridges.nix b/clients/quadraticserver/bridges.nix
index b344fb3..655fb8e 100644
--- a/clients/quadraticserver/bridges.nix
+++ b/clients/quadraticserver/bridges.nix
@@ -65,6 +65,6 @@ in {
 bridgeOrigin = "https://${domain}";
 };
 
- caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:8081";
+ caddy.wafHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:8081";
 };
 }
diff --git a/clients/quadraticserver/caddy.nix b/clients/quadraticserver/caddy.nix
index ec91a84..09a746d 100644
--- a/clients/quadraticserver/caddy.nix
+++ b/clients/quadraticserver/caddy.nix
@@ -1,12 +1,54 @@
-{pkgs, ...}: {
- networking.firewall.allowedTCPPorts = [443];
- services.caddy = {
- enable = true;
- email = "henry@henryhiles.com";
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ config = {
+ networking.firewall.allowedTCPPorts = [443];
+ services.caddy = {
+ enable = true;
+ email = "henry@henryhiles.com";
 
- package = pkgs.caddy.withPlugins {
- plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
- hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+ globalConfig = "order coraza_waf first";
+
+ virtualHosts = lib.mapAttrs (_: hostCfg:
+ hostCfg
+ // {
+ extraConfig = ''
+ route {
+ coraza_waf {
+ load_owasp_crs
+ directives `
+ Include @coraza.conf-recommended
+ Include @crs-setup.conf.example
+ Include @owasp_crs/*.conf
+
+ SecRuleRemoveById 920420
+ SecRuleRemoveById 911100
+ SecRuleEngine On
+ `
+ }
+ }
+ ${hostCfg.extraConfig or ""}
+ '';
+ })
+ config.services.caddy.wafHosts;
+
+ package = pkgs.caddy.withPlugins {
+ plugins = ["github.com/ggicci/caddy-jwt@v1.1.0" "github.com/corazawaf/coraza-caddy/v2@v2.1.0"];
+ hash = "sha256-1TmIs8CWMlNHF4NRqj7/W/pqRUIpcOFbJGALqPINVtk=";
+ };
 };
 };
+
+ options.services.caddy.wafHosts = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options.extraConfig = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ };
+ });
+ default = {};
+ };
 }
diff --git a/clients/quadraticserver/call.nix b/clients/quadraticserver/call.nix
index 54df1d8..d46ece9 100644
--- a/clients/quadraticserver/call.nix
+++ b/clients/quadraticserver/call.nix
@@ -17,7 +17,7 @@
 keyFile = config.services.livekit.keyFile;
 };
 
- caddy.virtualHosts."${domain}".extraConfig = ''
+ caddy.wafHosts."${domain}".extraConfig = ''
 root * ${pkgs.element-call}
 route {
 respond /config.json `${builtins.toJSON {
diff --git a/clients/quadraticserver/dav.nix b/clients/quadraticserver/dav.nix
index d099f91..5e9bd75 100644
--- a/clients/quadraticserver/dav.nix
+++ b/clients/quadraticserver/dav.nix
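Review bot: The two `SecRuleRemoveById` lines (920420, the request content-type policy, and 911100, the HTTP method policy) are switched off for every host routed through `wafHosts` — the auth, bridge, call, DAV and Forgejo endpoints alike — with nothing in the hunk saying which backend actually needs that, so the CRS baseline is weakened globally to accommodate what is presumably one WebDAV- or Matrix-style client. I would keep those exclusions next to the host that needs them by giving the `wafHosts` submodule an `extraDirectives` option spliced into the `directives` block before `SecRuleEngine On`, as sketched below, and give both options a `description` that also records that hosts declared directly under `services.caddy.virtualHosts` bypass the WAF entirely. Separately, because `coraza_waf` is wrapped in a `route { }` block, the global `order coraza_waf first` cannot influence where it runs — if I read Caddy's directive order right, `route` is itself placed after `header`, `rewrite`, `uri` and `encode` — so either drop the `route` wrapper and let the `order` directive put the WAF genuinely first (inspecting the original, un-rewritten request), or drop the now-misleading `globalConfig` line.
```nix
        directives `
          Include @coraza.conf-recommended
          Include @crs-setup.conf.example
          Include @owasp_crs/*.conf

          # Per-host SecLang overrides (e.g. SecRuleRemoveById for a backend
          # that needs WebDAV methods or unusual content types).
          ${hostCfg.extraDirectives or ""}
          SecRuleEngine On
        `
# … unchanged: route/coraza_waf wrapper, extraConfig passthrough, package …

  options.services.caddy.wafHosts = lib.mkOption {
    description = "Virtual hosts wrapped with the Coraza WAF (OWASP CRS) ahead of their own directives. Hosts set directly in services.caddy.virtualHosts are NOT inspected by the WAF.";
    type = lib.types.attrsOf (lib.types.submodule {
      options.extraConfig = lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = "Caddyfile directives for this host, appended after the WAF handler.";
      };
      options.extraDirectives = lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = "Extra SecLang directives for this host only, inserted after the CRS includes and before SecRuleEngine On.";
      };
    });
    default = {};
  };
```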
@@ -15,7 +15,7 @@
 nginx = null;
 };
 
- caddy.virtualHosts."${domain}".extraConfig = ''
+ caddy.wafHosts."${domain}".extraConfig = ''
 encode zstd gzip
 header {
 -Server
diff --git a/clients/quadraticserver/forgejo.nix b/clients/quadraticserver/forgejo.nix
index ab3ebe0..3a9b4bf 100644
--- a/clients/quadraticserver/forgejo.nix
+++ b/clients/quadraticserver/forgejo.nix
@@ -35,7 +35,7 @@
 };
 };
 
- caddy.virtualHosts."${domain}".extraConfig = ''
+ caddy.wafHosts."${domain}".extraConfig = ''
 respond /robots.txt <