Add a WAF

2025-07-17 21:39:06 -04:00 · 2025-07-17 21:39:06 -04:00 · 96c3ae2de0
commit 96c3ae2de0
parent a2453054fd
10 changed files with 84 additions and 16 deletions
--- a/clients/quadraticserver/auth.nix
+++ b/clients/quadraticserver/auth.nix
@ -16,6 +16,6 @@
      group = "caddy";
    };

-    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy unix/${socket}";
+    caddy.wafHosts."${domain}".extraConfig = "reverse_proxy unix/${socket}";
  };
 }
--- a/clients/quadraticserver/bridges.nix
+++ b/clients/quadraticserver/bridges.nix
@ -65,6 +65,6 @@ in {
      bridgeOrigin = "https://${domain}";
    };

-    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:8081";
+    caddy.wafHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:8081";
  };
 }
--- a/clients/quadraticserver/caddy.nix
+++ b/clients/quadraticserver/caddy.nix
@ -1,12 +1,54 @@
-{pkgs, ...}: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  config = {
    networking.firewall.allowedTCPPorts = [443];
    services.caddy = {
      enable = true;
      email = "henry@henryhiles.com";

+      globalConfig = "order coraza_waf first";
+
+      virtualHosts = lib.mapAttrs (_: hostCfg:
+        hostCfg
+        // {
+          extraConfig = ''
+            route {
+              coraza_waf {
+                load_owasp_crs
+                directives `
+                  Include @coraza.conf-recommended
+                  Include @crs-setup.conf.example
+                  Include @owasp_crs/*.conf
+
+                  SecRuleRemoveById 920420
+                  SecRuleRemoveById 911100
+                  SecRuleEngine On
+                `
+              }
+            }
+            ${hostCfg.extraConfig or ""}
+          '';
+        })
+      config.services.caddy.wafHosts;
+
      package = pkgs.caddy.withPlugins {
-      plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
-      hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+        plugins = ["github.com/ggicci/caddy-jwt@v1.1.0" "github.com/corazawaf/coraza-caddy/v2@v2.1.0"];
+        hash = "sha256-1TmIs8CWMlNHF4NRqj7/W/pqRUIpcOFbJGALqPINVtk=";
      };
    };
+  };
+
+  options.services.caddy.wafHosts = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.submodule {
+      options.extraConfig = lib.mkOption {
+        type = lib.types.lines;
+        default = "";
+      };
+    });
+    default = {};
+  };
 }
--- a/clients/quadraticserver/call.nix
+++ b/clients/quadraticserver/call.nix
@ -17,7 +17,7 @@
      keyFile = config.services.livekit.keyFile;
    };

-    caddy.virtualHosts."${domain}".extraConfig = ''
+    caddy.wafHosts."${domain}".extraConfig = ''
      root * ${pkgs.element-call}
      route {
      	respond /config.json `${builtins.toJSON {
--- a/clients/quadraticserver/dav.nix
+++ b/clients/quadraticserver/dav.nix
@ -15,7 +15,7 @@
      nginx = null;
    };

-    caddy.virtualHosts."${domain}".extraConfig = ''
+    caddy.wafHosts."${domain}".extraConfig = ''
      encode zstd gzip
      header {
          -Server
--- a/clients/quadraticserver/forgejo.nix
+++ b/clients/quadraticserver/forgejo.nix
@ -35,7 +35,7 @@
      };
    };

-    caddy.virtualHosts."${domain}".extraConfig = ''
+    caddy.wafHosts."${domain}".extraConfig = ''
      respond /robots.txt <<EOF
        User-agent: *
        Disallow: /*/*/archive/
--- a/clients/quadraticserver/grapevine.nix
+++ b/clients/quadraticserver/grapevine.nix
@ -31,6 +31,6 @@
      };
    };

-    caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy 127.0.0.3:6167";
+    caddy.wafHosts."${subdomain}".extraConfig = "reverse_proxy 127.0.0.3:6167";
  };
 }
--- a/clients/quadraticserver/mailserver.nix
+++ b/clients/quadraticserver/mailserver.nix
@ -0,0 +1,26 @@
+{
+  # service = let
+  #   domain = "federated.nexus";
+  # in {
+  #   stalwart-mail = {
+  #     enable = true;
+  #     openFirewall = true;
+
+  #     settings = {};
+  #   };
+  #   caddy = {
+  #     enable = true;
+  #     wafHosts = {
+  #       "mail.example.org" = {
+  #         extraConfig = "reverse_proxy http://127.0.0.1:8080";
+  #         serverAliases = [
+  #           "mta-sts.${domain}"
+  #           "autoconfig.${domain}"
+  #           "autodiscover.${domain}"
+  #           "webadmin.${domain}"
+  #         ];
+  #       };
+  #     };
+  #   };
+  # };
+}
--- a/clients/quadraticserver/searxng.nix
+++ b/clients/quadraticserver/searxng.nix
@ -107,7 +107,7 @@

    caddy = {
      environmentFile = config.age.secrets."oidcJwtSecretEnv.age".path;
-      virtualHosts."${domain}".extraConfig = let
+      wafHosts."${domain}".extraConfig = let
        auth = "https://auth.federated.nexus";
      in ''
        handle_errors 401 {
--- a/clients/quadraticserver/vaultwarden.nix
+++ b/clients/quadraticserver/vaultwarden.nix
@ -12,6 +12,6 @@
      };
    };

-    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.2:8000";
+    caddy.wafHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.2:8000";
  };
 }