diff --git a/clients/quadraticserver/bridges.nix b/clients/quadraticserver/bridges.nix
index fa9feb4..e331ebf 100644
--- a/clients/quadraticserver/bridges.nix
+++ b/clients/quadraticserver/bridges.nix
@@ -65,6 +65,6 @@ in {
 bridgeOrigin = "https://${domain}";
 };
- caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:8081";
+ caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:${config.services.matrix-ooye.socket}";
 };
 }
diff --git a/clients/quadraticserver/caddy.nix b/clients/quadraticserver/caddy.nix
index 18d0395..5f63525 100644
--- a/clients/quadraticserver/caddy.nix
+++ b/clients/quadraticserver/caddy.nix
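Review bot: `${config.services.matrix-ooye.socket}` is interpolated into a string, and Nix refuses to coerce an integer (`cannot coerce an integer to a string`), so if that option is declared as a port number the evaluation fails and `${toString config.services.matrix-ooye.socket}` is needed; if it is a string, the name `socket` suggests it may be a path rather than a TCP port, which `reverse_proxy 127.0.0.1:` would not accept, so the option's type is worth confirming. The same integer-interpolation point applies to `${port}` in the new redlib.nix, where `services.redlib.port` appears to be declared as a port number in nixpkgs. The hunk contains the closing braces of the enclosing `services` set, but that definition starts outside it.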
@@ -1,63 +1,50 @@
-{pkgs, ...}: {
- networking.firewall.allowedTCPPorts = [443];
- services.caddy = {
- enable = true;
- email = "hen" + "ry@he" + "nryhi" + "les.c" + "om";
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ config = {
+ networking.firewall.allowedTCPPorts = [443];
+ services.caddy = {
+ enable = true;
+ email = "hen" + "ry@he" + "nryhi" + "les.c" + "om";
+ environmentFile = config.age.secrets."base64JwtSecret.age".path;
+ package = pkgs.caddy.withPlugins {
+ plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
+ hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+ };
- package = pkgs.caddy.withPlugins {
- plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
- hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+ virtualHosts =
+ lib.mapAttrs (domain: host: {
+ extraConfig = let
+ auth = "https://auth.federated.nexus";
+ in ''
+ handle_errors 401 {
+ redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
+ }
+
+ route {
+ jwtauth {
+ from_cookies id_token
+ sign_key {$JWK_SECRET}
+ issuer_whitelist ${auth}
+ audience_whitelist proxy
+ }
+
+ ${host}
+ }
+ '';
+ })
+ config.services.caddy.authedHosts;
 };
 };
-}
-# WAF demo
-# {
-# config,
-# pkgs,
-# lib,
-# ...
-# }: {
-# config = {
-# networking.firewall.allowedTCPPorts = [443];
-# services.caddy = {
-# enable = true;
-# email = "henry@henryhiles.com";
-# globalConfig = "order coraza_waf first";
-# virtualHosts = lib.mapAttrs (_: hostCfg:
-# hostCfg
-# // {
-# extraConfig = ''
-# route {
-# coraza_waf {
-# load_owasp_crs
-# directives `
-# Include @coraza.conf-recommended
-# Include @crs-setup.conf.example
-# Include @owasp_crs/*.conf
-# SecRuleRemoveById 920420
-# SecRuleRemoveById 911100
-# SecRuleEngine On
-# `
-# }
-# }
-# ${hostCfg.extraConfig or ""}
-# '';
-# })
-# config.services.caddy.wafHosts;
-# package = pkgs.caddy.withPlugins {
-# plugins = ["github.com/ggicci/caddy-jwt@v1.1.0" "github.com/corazawaf/coraza-caddy/v2@v2.1.0"];
-# hash = "sha256-1TmIs8CWMlNHF4NRqj7/W/pqRUIpcOFbJGALqPINVtk=";
-# };
-# };
-# };
-# options.services.caddy.wafHosts = lib.mkOption {
-# type = lib.types.attrsOf (lib.types.submodule {
-# options.extraConfig = lib.mkOption {
-# type = lib.types.lines;
-# default = "";
-# };
-# });
-# default = {};
-# };
-# }
+ options.services.caddy.authedHosts = lib.mkOption {
+ type = lib.types.attrsOf (lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ });
+ default = [];
+ };
+}
diff --git a/clients/quadraticserver/grapevine.nix b/clients/quadraticserver/grapevine.nix
index 3ee3434..fb25f36 100644
--- a/clients/quadraticserver/grapevine.nix
+++ b/clients/quadraticserver/grapevine.nix
@@ -5,6 +5,7 @@
 services = let
 domain = "federated.nexus";
 subdomain = "matrix.${domain}";
+ address = "127.0.0.3";
 in {
 grapevine = {
 enable = true;
@@ -25,12 +26,12 @@
 listen = [
 {
 type = "tcp";
- address = "127.0.0.3";
+ inherit address;
 }
 ];
 };
 };
- caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy 127.0.0.3:6167";
+ caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy ${address}:6167";
 };
 }
diff --git a/clients/quadraticserver/redlib.nix b/clients/quadraticserver/redlib.nix
new file mode 100644
index 0000000..f09315d
--- /dev/null
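Review bot: The `options.services.caddy.authedHosts` declaration at the end of the hunk passes a `lib.mkOption` result where `lib.types.attrsOf` expects a type, and its `default = []` is a list even though the `lib.mapAttrs` call above consumes the value as an attribute set, so I would expect evaluation to fail either when the first host definition is merged or when no host defines one; the removed WAF demo had the right shape for both. Suggested: `type = lib.types.attrsOf lib.types.lines;` and `default = {};`, plus a `description` stating that each value is a Caddyfile snippet placed inside the `jwtauth`-guarded `route` block of its virtual host. Because `${host}` is spliced in verbatim, a snippet that closes that block would put its directives outside the cookie check, which is worth a sentence in the description so each value stays a single directive such as `reverse_proxy`. The `redir` target also embeds `{uri}` unencoded inside a nested `redirect_uri` query parameter; a request path containing `&` or `#` would truncate the inner redirect, which is a usability rather than a security point since the outer host is fixed.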
+++ b/clients/quadraticserver/redlib.nix
@@ -0,0 +1,11 @@
+{config, ...}: {
+ services = {
+ redlib = {
+ enable = true;
+ address = "127.0.0.6";
+ settings.THEME = "nord";
+ };
+
+ caddy.authedHosts."auth.federated.nexus" = with config.services.redlib; "reverse_proxy ${address}:${port}";
+ };
+}
diff --git a/clients/quadraticserver/searxng.nix b/clients/quadraticserver/searxng.nix
index 7118ee1..349aa16 100644
--- a/clients/quadraticserver/searxng.nix
+++ b/clients/quadraticserver/searxng.nix
@@ -1,8 +1,4 @@
-{
- config,
- lib,
- ...
-}: {
+{lib, ...}: {
 services = let
 socket = "/var/run/searx/socket";
 domain = "search.federated.nexus";
@@ -105,27 +101,7 @@
 };
 };
- caddy = {
- environmentFile = config.age.secrets."base64JwtSecret.age".path;
- virtualHosts."${domain}".extraConfig = let
- auth = "https://auth.federated.nexus";
- in ''
- handle_errors 401 {
- redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
- }
-
- route {
- jwtauth {
- from_cookies id_token
- sign_key {$JWK_SECRET}
- issuer_whitelist ${auth}
- audience_whitelist proxy
- }
-
- reverse_proxy unix/${socket}
- }
- '';
- };
+ caddy.authedHosts."${domain}" = "reverse_proxy unix/${socket}";
 };
 systemd.services = let
 commonConfig = builtins.mapAttrs (_: value: lib.mkForce value) {
diff --git a/clients/quadraticserver/vaultwarden.nix b/clients/quadraticserver/vaultwarden.nix
index 0ffdbfb..05399aa 100644
--- a/clients/quadraticserver/vaultwarden.nix
+++ b/clients/quadraticserver/vaultwarden.nix
@@ -1,4 +1,4 @@
-{
+{config, ...}: {
 services = let
 domain = "vault.henryhiles.com";
 in {
@@ -12,6 +12,6 @@
 };
 };
- caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.2:8000";
+ caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy ${config.services.vaultwarden.config.rocketAddress}:8000";
 };
 }
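Review bot: The `authedHosts` key `"auth.federated.nexus"` in the new redlib.nix is the same origin that the shared jwtauth error handler in caddy.nix redirects unauthenticated users to (`${auth}/bridge?redirect_uri=...`), so unless another virtual-host definition for that name is merged in from a file I cannot see, the login bridge would sit behind the very cookie check it is meant to satisfy and browsers would bounce between the two redirects. This looks like a copied hostname; please confirm the name redlib is meant to be served on and use a dedicated one, keeping `auth.federated.nexus` for the bridge. A one-line comment above the assignment naming which service owns that hostname would make the intent checkable at review time.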
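Review bot: In the last vaultwarden.nix hunk the address is now read from `config.services.vaultwarden.config.rocketAddress` while the port stays hard-coded as `8000`, so the two can drift apart the next time the vaultwarden settings change; if the port is set in the same `config` attribute set under the matching camel-case name, `"reverse_proxy ${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}"` keeps them in sync (the `toString` is required because a port value is an integer and Nix will not interpolate it directly). Whether `rocketAddress` and a port are defined in this file is outside the hunk, so treat the `rocketPort` name as something to confirm against the vaultwarden block above it.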