Refactor, add redlib

clients/quadraticserver/bridges.nix

@@ -65,6 +65,6 @@ in {
       bridgeOrigin = "https://${domain}";
     };
 
-    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:8081";
+    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:${config.services.matrix-ooye.socket}";
   };
 }

clients/quadraticserver/caddy.nix

@@ -1,63 +1,50 @@
-{pkgs, ...}: {
-  networking.firewall.allowedTCPPorts = [443];
-  services.caddy = {
-    enable = true;
-    email = "hen" + "ry@he" + "nryhi" + "les.c" + "om";
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  config = {
+    networking.firewall.allowedTCPPorts = [443];
+    services.caddy = {
+      enable = true;
+      email = "hen" + "ry@he" + "nryhi" + "les.c" + "om";
+      environmentFile = config.age.secrets."base64JwtSecret.age".path;
+      package = pkgs.caddy.withPlugins {
+        plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
+        hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+      };
 
-    package = pkgs.caddy.withPlugins {
-      plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
-      hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+      virtualHosts =
+        lib.mapAttrs (domain: host: {
+          extraConfig = let
+            auth = "https://auth.federated.nexus";
+          in ''
+            handle_errors 401 {
+              redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
+            }
+
+            route {
+              jwtauth {
+                from_cookies id_token
+                sign_key {$JWK_SECRET}
+                issuer_whitelist ${auth}
+                audience_whitelist proxy
+              }
+
+              ${host}
+            }
+          '';
+        })
+        config.services.caddy.authedHosts;
     };
   };
-}
-# WAF demo
-# {
-#   config,
-#   pkgs,
-#   lib,
-#   ...
-# }: {
-#   config = {
-#     networking.firewall.allowedTCPPorts = [443];
-#     services.caddy = {
-#       enable = true;
-#       email = "henry@henryhiles.com";
-#       globalConfig = "order coraza_waf first";
-#       virtualHosts = lib.mapAttrs (_: hostCfg:
-#         hostCfg
-#         // {
-#           extraConfig = ''
-#             route {
-#               coraza_waf {
-#                 load_owasp_crs
-#                 directives `
-#                   Include @coraza.conf-recommended
-#                   Include @crs-setup.conf.example
-#                   Include @owasp_crs/*.conf
-#                   SecRuleRemoveById 920420
-#                   SecRuleRemoveById 911100
-#                   SecRuleEngine On
-#                 `
-#               }
-#             }
-#             ${hostCfg.extraConfig or ""}
-#           '';
-#         })
-#       config.services.caddy.wafHosts;
-#       package = pkgs.caddy.withPlugins {
-#         plugins = ["github.com/ggicci/caddy-jwt@v1.1.0" "github.com/corazawaf/coraza-caddy/v2@v2.1.0"];
-#         hash = "sha256-1TmIs8CWMlNHF4NRqj7/W/pqRUIpcOFbJGALqPINVtk=";
-#       };
-#     };
-#   };
-#   options.services.caddy.wafHosts = lib.mkOption {
-#     type = lib.types.attrsOf (lib.types.submodule {
-#       options.extraConfig = lib.mkOption {
-#         type = lib.types.lines;
-#         default = "";
-#       };
-#     });
-#     default = {};
-#   };
-# }
 
+  options.services.caddy.authedHosts = lib.mkOption {
+    type = lib.types.attrsOf (lib.mkOption {
+      type = lib.types.lines;
+      default = "";
+    });
+    default = [];
+  };
+}

clients/quadraticserver/grapevine.nix

@@ -5,6 +5,7 @@
   services = let
     domain = "federated.nexus";
     subdomain = "matrix.${domain}";
+    address = "127.0.0.3";
   in {
     grapevine = {
       enable = true;
@@ -25,12 +26,12 @@
         listen = [
           {
             type = "tcp";
-            address = "127.0.0.3";
+            inherit address;
           }
         ];
       };
     };
 
-    caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy 127.0.0.3:6167";
+    caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy ${address}:6167";
   };
 }

clients/quadraticserver/redlib.nix

@@ -0,0 +1,11 @@
+{config, ...}: {
+  services = {
+    redlib = {
+      enable = true;
+      address = "127.0.0.6";
+      settings.THEME = "nord";
+    };
+
+    caddy.authedHosts."auth.federated.nexus" = with config.services.redlib; "reverse_proxy ${address}:${port}";
+  };
+}

clients/quadraticserver/searxng.nix

@@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{lib, ...}: {
   services = let
     socket = "/var/run/searx/socket";
     domain = "search.federated.nexus";
@@ -105,27 +101,7 @@
       };
     };
 
-    caddy = {
-      environmentFile = config.age.secrets."base64JwtSecret.age".path;
-      virtualHosts."${domain}".extraConfig = let
-        auth = "https://auth.federated.nexus";
-      in ''
-        handle_errors 401 {
-          redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
-        }
-
-        route {
-          jwtauth {
-            from_cookies id_token
-            sign_key {$JWK_SECRET}
-            issuer_whitelist ${auth}
-            audience_whitelist proxy
-          }
-
-          reverse_proxy unix/${socket}
-        }
-      '';
-    };
+    caddy.authedHosts."${domain}" = "reverse_proxy unix/${socket}";
   };
   systemd.services = let
     commonConfig = builtins.mapAttrs (_: value: lib.mkForce value) {

clients/quadraticserver/vaultwarden.nix

@@ -1,4 +1,4 @@
-{
+{config, ...}: {
   services = let
     domain = "vault.henryhiles.com";
   in {
@@ -12,6 +12,6 @@
       };
     };
 
-    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.2:8000";
+    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy ${config.services.vaultwarden.config.rocketAddress}:8000";
   };
 }