From d2d2b017b83537cdf1159c785a4c7c91c707d9cc Mon Sep 17 00:00:00 2001
From: Henry-Hiles
Date: Sat, 19 Jul 2025 11:14:42 -0400
Subject: [PATCH] add waf demo
---
 clients/quadraticserver/caddy.nix | 51 ++++++++
 flake.lock | 199 +++++++++++++-----------------
 2 files changed, 139 insertions(+), 111 deletions(-)
diff --git a/clients/quadraticserver/caddy.nix b/clients/quadraticserver/caddy.nix
index ec91a84..4cdad67 100644
--- a/clients/quadraticserver/caddy.nix
+++ b/clients/quadraticserver/caddy.nix
@@ -10,3 +10,54 @@
 };
 };
 }
+# WAF demo
+# {
+# config,
+# pkgs,
+# lib,
+# ...
+# }: {
+# config = {
+# networking.firewall.allowedTCPPorts = [443];
+# services.caddy = {
+# enable = true;
+# email = "henry@henryhiles.com";
+# globalConfig = "order coraza_waf first";
+# virtualHosts = lib.mapAttrs (_: hostCfg:
+# hostCfg
+# // {
+# extraConfig = ''
+# route {
+# coraza_waf {
+# load_owasp_crs
+# directives `
+# Include @coraza.conf-recommended
+# Include @crs-setup.conf.example
+# Include @owasp_crs/*.conf
+# SecRuleRemoveById 920420
+# SecRuleRemoveById 911100
+# SecRuleEngine On
+# `
+# }
+# }
+# ${hostCfg.extraConfig or ""}
+# '';
+# })
+# config.services.caddy.wafHosts;
+# package = pkgs.caddy.withPlugins {
+# plugins = ["github.com/ggicci/caddy-jwt@v1.1.0" "github.com/corazawaf/coraza-caddy/v2@v2.1.0"];
+# hash = "sha256-1TmIs8CWMlNHF4NRqj7/W/pqRUIpcOFbJGALqPINVtk=";
+# };
+# };
+# };
+# options.services.caddy.wafHosts = lib.mkOption {
+# type = lib.types.attrsOf (lib.types.submodule {
+# options.extraConfig = lib.mkOption {
+# type = lib.types.lines;
+# default = "";
+# };
+# });
+# default = {};
+# };
+# }
+
diff --git a/flake.lock b/flake.lock
index bb186f7..9a0cf97 100644
--- a/flake.lock
+++ b/flake.lock
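Review bot: The two `SecRuleRemoveById` lines in the commented-out WAF demo in clients/quadraticserver/caddy.nix switch off CRS rule 920420 (request content-type policy) and 911100 (allowed HTTP method policy) for every entry in `wafHosts`, with no record of which request triggered them. If this block is ever enabled, the narrower fix is to widen `tx.allowed_methods` and `tx.allowed_request_content_type` in the CRS setup to the methods and content types the sites really need, or to scope the exclusion to the affected host or path, so the policy stays enforced everywhere else. At minimum, add a comment above them such as `# 920420 content-type policy, 911100 method policy: removed because <reason>; revisit before enabling`. The demo is added as comments after the closing brace of the live module, which starts outside this hunk, so nothing here is active yet.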
@@ -253,11 +253,11 @@ ] }, "locked": { - "lastModified": 1748883665, - "narHash": "sha256-R0W7uAg+BLoHjMRMQ8+oiSbTq8nkGz5RDpQ+ZfxxP3A=", + "lastModified": 1752264895, + "narHash": "sha256-1zBPE/PNAkPNUsOWFET4J0cjlvziH8DOekesDmjND+w=", "owner": "cachix", "repo": "cachix", - "rev": "f707778d902af4d62d8dd92c269f8e70de09acbe", + "rev": "47053aef762f452e816e44eb9a23fbc3827b241a", "type": "github" }, "original": { @@ -299,11 +299,11 @@ ] }, "locked": { - "lastModified": 1751075819, - "narHash": "sha256-po711J9vjNsUhlpkIAcy8bGh/249egbsqUVFcWi1Mho=", + "lastModified": 1752286006, + "narHash": "sha256-8FRVMNNRzDLzUbyxz55mzIDWIDisO9B2YL8fTmRCopY=", "owner": "linyinfeng", "repo": "commit-notifier", - "rev": "8f781a1851a17fe8f7d48467192a65f303ec5664", + "rev": "75c49e871e56ae9e43094b0fe398c3a8fd265932", "type": "github" }, "original": { @@ -545,11 +545,11 @@ ] }, "locked": { - "lastModified": 1751854533, - "narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=", + "lastModified": 1752718651, + "narHash": "sha256-PkaR0qmyP9q/MDN3uYa+RLeBA0PjvEQiM0rTDDBXkL8=", "owner": "nix-community", "repo": "disko", - "rev": "16b74a1e304197248a1bc663280f2548dbfcae3c", + "rev": "d5ad4485e6f2edcc06751df65c5e16572877db88", "type": "github" }, "original": { @@ -591,11 +591,11 @@ ] }, "locked": { - "lastModified": 1752251148, - "narHash": "sha256-LOigOhLS+DC0JUAxG8YfbHoUyOpk/CS919hce9H/YLY=", + "lastModified": 1752337423, + "narHash": "sha256-g2VYhoGgbswUx6EqhypXMQ8qbgYvqlj85GwjzuYJlFI=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "fcd9c1b4bded92ec89abe7b41cb2fdb1dd1dd370", + "rev": "f381dd05cc5685a65fec42fc0a4e34ac62e81806", "type": "github" }, "original": { 
@@ -636,11 +636,11 @@ "rust-analyzer-src": "rust-analyzer-src_2" }, "locked": { - "lastModified": 1752216262, - "narHash": "sha256-OO7SPN6DfXK8TG62AKWHUYc6D8kVNaKgAStGhDBEcBc=", + "lastModified": 1752302273, + "narHash": "sha256-xXZ0JkrpcpSgeuhezJZV2T+7gHcYCo39ogc55c4FyRw=", "owner": "nix-community", "repo": "fenix", - "rev": "1b96480284e9b3f76fb1f68dc2be246c8ae90e13", + "rev": "910743660778c55917959d64980bf046f52142ef", "type": "github" }, "original": { @@ -652,11 +652,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1748383148, - "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", + "lastModified": 1752677629, + "narHash": "sha256-ze2bcq5RSasEwvT6PR8EMedF4o8RoBtVB5ny6Jd9tA4=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", + "rev": "15ac3dfeaf828a9336e7e199123f8020cf04f440", "type": "github" }, "original": { @@ -848,11 +848,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", "type": "github" }, "original": { @@ -1195,11 +1195,11 @@ ] }, "locked": { - "lastModified": 1751824240, - "narHash": "sha256-aDDC0CHTlL7QDKWWhdbEgVPK6KwWt+ca0QkmHYZxMzI=", + "lastModified": 1752814804, + "narHash": "sha256-irfg7lnfEpJY+3Cffkluzp2MTVw1Uq9QGxFp6qadcXI=", "owner": "nix-community", "repo": "home-manager", - "rev": "fd9e55f5fac45a26f6169310afca64d56b681935", + "rev": "d0300c8808e41da81d6edfc202f3d3833c157daf", "type": "github" }, "original": { 
@@ -1216,11 +1216,11 @@ ] }, "locked": { - "lastModified": 1752246954, - "narHash": "sha256-c1Rq5Hc4WZLKj1RkmjLFCcX4QHBwrL+DIZNMEHno7DU=", + "lastModified": 1752286566, + "narHash": "sha256-A4nftqiNz2bNihz0bKY94Hq/6ydR6UQOcGioeL7iymY=", "owner": "nix-community", "repo": "home-manager", - "rev": "e90b28967cacc64de7fb8742314ed0d7d12f47c6", + "rev": "392ddb642abec771d63688c49fa7bcbb9d2a5717", "type": "github" }, "original": { @@ -1315,11 +1315,11 @@ ] }, "locked": { - "lastModified": 1752228483, - "narHash": "sha256-5yzlcgDV7o3fdrt2101fE/9VxB71NbKtF+IbTS3iNe0=", + "lastModified": 1752315036, + "narHash": "sha256-8nJ9tYKmUu3cq2b+GTHUsvosNZrkcJ8S8TTjOJXh0O8=", "owner": "xddxdd", "repo": "nur-packages", - "rev": "17c3910b363bd32df0458ee3ae63144657ef76f0", + "rev": "e63b8f669b39dbbc417be40fee645cf64cb77e15", "type": "github" }, "original": { @@ -1406,11 +1406,11 @@ ] }, "locked": { - "lastModified": 1752238174, - "narHash": "sha256-8Of4X7L8vnHNtC27+FL3i0KGYK9VqLYGey9WjbVzATU=", + "lastModified": 1752285416, + "narHash": "sha256-dwIY/usIu9d+eFEw/37SbNmcBplAuB5GWs5tc0xuCQQ=", "owner": "linyinfeng", "repo": "nur-packages", - "rev": "5dea91448e25a515208aac5743b43dcfa3daf49e", + "rev": "1e823957ea11e14e6d7f76eb927cd74199d5db6e", "type": "github" }, "original": { @@ -1509,11 +1509,11 @@ ] }, "locked": { - "lastModified": 1751647353, - "narHash": "sha256-vh586RBnVW/jOGkorg9GvT07uxGnE5rjH/uE/4ZugRM=", + "lastModified": 1752251870, + "narHash": "sha256-mdYdCaEHfrV5RacRG91fuROEeE//ElcmH10XDI07tOQ=", "owner": "linyinfeng", "repo": "mc-config-nuc", - "rev": "423039d75fdbc13fdfcda253129e79a93097338e", + "rev": "2e0c8147b049ec34f89fc6ea907560386d34094e", "type": "github" }, "original": { 
@@ -1563,11 +1563,11 @@ ] }, "locked": { - "lastModified": 1752199133, - "narHash": "sha256-cSlbaQGu94liy+/N1YJQmoRG8ZJoLkgP8tymyMmhD/4=", + "lastModified": 1752285580, + "narHash": "sha256-OfUvcz+1LEc/V9vte/10tTS6RLhUNJ+QyKmgjj7C1pc=", "owner": "ninlives", "repo": "minecraft.nix", - "rev": "73d0552089a3650d884838ef543517c2847f4897", + "rev": "e231a13c4a048d3650527fff28d87f06f8632c1a", "type": "github" }, "original": { @@ -1633,11 +1633,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1752078530, - "narHash": "sha256-TrRmlYdhWcadWvBpDjB9Xlry4uT4ZUIO46d+o5tjtCQ=", + "lastModified": 1752291616, + "narHash": "sha256-zpPFo4cgr5tOy8DCLIoD++idsKjnzgVPnBeZLmazYc4=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "d231d92313192d4d0c78d6ef04167fed9dee87cf", + "rev": "30962469e2e8fb93c3672ee605316b89b8e9a198", "type": "github" }, "original": { @@ -1843,11 +1843,11 @@ ] }, "locked": { - "lastModified": 1751774635, - "narHash": "sha256-DuOznGdgMxeSlPpUu6Wkq0ZD5e2Cfv9XRZeZlHWMd1s=", + "lastModified": 1752305182, + "narHash": "sha256-6i4Q68G7wzNq1m2+l3lJUYgGZ9PwULvSVJpRSTTC46o=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "85686025ba6d18df31cc651a91d5adef63378978", + "rev": "ad29e2961dd0d58372384563bf00d510fc9f2e15", "type": "github" }, "original": { @@ -2150,11 +2150,11 @@ }, "nixpkgs-latest": { "locked": { - "lastModified": 1752250779, - "narHash": "sha256-bCYMUyfHfGL8+4rNxWJARawldVUzD2Zs/7bt5yIQqSE=", + "lastModified": 1752336159, + "narHash": "sha256-mthHgsgpRZ+VwS+AcDyoHs25QqOZBHZtrr8BJ52QvV8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a4fd72001ab44553fe601934a350ac5bcfea4f79", + "rev": "aca3b8acd1f6bc0d0e5a16acb34e054fb033bfd1", "type": "github" }, "original": { 
@@ -2228,11 +2228,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1751943650, - "narHash": "sha256-7orTnNqkGGru8Je6Un6mq1T8YVVU/O5kyW4+f9C1mZQ=", + "lastModified": 1752162966, + "narHash": "sha256-3MxxkU8ZXMHXcbFz7UE4M6qnIPTYGcE/7EMqlZNnVDE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88983d4b665fb491861005137ce2b11a9f89f203", + "rev": "10e687235226880ed5e9f33f1ffa71fe60f2638a", "type": "github" }, "original": { @@ -2244,11 +2244,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1752206449, - "narHash": "sha256-NVAbC/s4CupABWGXF8M9mDiVw/n0YCftxwc1KatVjDk=", + "lastModified": 1752298176, + "narHash": "sha256-wY7/8k5mJbljXxBUX1bDHFVUcMrWdrDT8FNDrcPwLbA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1bd4d0d4a678d48b63eb18f457d74df2fcee6c69", + "rev": "d3807bc34e7d086b4754e1c842505570e23f9d01", "type": "github" }, "original": { @@ -2260,11 +2260,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", + "lastModified": 1752687322, + "narHash": "sha256-RKwfXA4OZROjBTQAl9WOZQFm7L8Bo93FQwSJpAiSRvo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", + "rev": "6e987485eb2c77e5dcc5af4e3c70843711ef9251", "type": "github" }, "original": { @@ -2283,15 +2283,14 @@ "nixpkgs": [ "stylix", "nixpkgs" - ], - "treefmt-nix": "treefmt-nix_3" + ] }, "locked": { - "lastModified": 1748730660, - "narHash": "sha256-5LKmRYKdPuhm8j5GFe3AfrJL8dd8o57BQ34AGjJl1R0=", + "lastModified": 1751906969, + "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", "owner": "nix-community", "repo": "NUR", - "rev": "2c0bc52fe14681e9ef60e3553888c4f086e46ecb", + "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", "type": "github" }, "original": { 
@@ -2419,11 +2418,11 @@ "flake": false, "locked": { "host": "gitlab.postmarketos.org", - "lastModified": 1752231397, - "narHash": "sha256-ttjVpoDehT5r/79BAhGxfy9ZPSC4uKsT4nz9Q57F/dc=", + "lastModified": 1752334735, + "narHash": "sha256-LRF8l6a3HrXdfWer+RWAQE356daYGnAKR/eLsEvcDDE=", "owner": "postmarketOS", "repo": "pmaports", - "rev": "3620e3713e047f3a7c56d54ac8de135434548ebe", + "rev": "bb57bd6b80450101be2fdf8ecbc609ea53ed03d7", "type": "gitlab" }, "original": { @@ -2522,11 +2521,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1751899529, - "narHash": "sha256-Ze/69a2jN/zsgVj87zNEaT0RwJRhhDJFm5kE9jY1vsY=", + "lastModified": 1752830985, + "narHash": "sha256-DDOoKKX9XRyHaTGPOd+Fe9b6fp2QVwuXnqfKs9VpgZs=", "owner": "wamserma", "repo": "flake-programs-sqlite", - "rev": "527944f812daf16a8295f75a0d3e84dd679646e6", + "rev": "aa86c1bd59ec767d29da4705ee4168e239b079a2", "type": "github" }, "original": { @@ -2618,11 +2617,11 @@ "rust-analyzer-src_2": { "flake": false, "locked": { - "lastModified": 1752182378, - "narHash": "sha256-bKzsGh+1AWSpL2Q2/0FKgNchTJOmYpQH2BS9dCyKXaI=", + "lastModified": 1752262373, + "narHash": "sha256-eRDeo/hVnf958ESWy8qV/jZj4ZRbFXsmMdw1cnI57dE=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "e2c8cefa63bd4cafb66978867c0f1ec2ba14bb03", + "rev": "a489123e806ceadfdc5568bf9609b0468f5a2e6a", "type": "github" }, "original": { @@ -2661,11 +2660,11 @@ ] }, "locked": { - "lastModified": 1752201818, - "narHash": "sha256-d8KczaVT8WFEZdWg//tMAbv8EDyn2YTWcJvSY8gqKBU=", + "lastModified": 1752288212, + "narHash": "sha256-f2PMqtf61mWAM11QoIfGv3hjD2AsJrij4FCzftepuaE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "bd8f8329780b348fedcd37b53dbbee48c08c496d", + "rev": "678296525a4cce249c608749b171d0b2ceb8b2ff", "type": "github" }, "original": { 
@@ -2799,11 +2798,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1751914048, - "narHash": "sha256-xHO3xlw35tCC0f3pN3osPNjgwwwAgusTuZk5iC8oDiE=", + "lastModified": 1752750082, + "narHash": "sha256-NoVAqy+Wj4tgkvrYB8zWncl8Z6Hb80aX3t/TYGdsfaM=", "owner": "danth", "repo": "stylix", - "rev": "bf0ef81c8fcc30c32db9dab32d379f8d9db835e4", + "rev": "03699ed214f6e8195bc7199d6ae3aeccf9732b08", "type": "github" }, "original": { @@ -2938,11 +2937,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1748180480, - "narHash": "sha256-7n0XiZiEHl2zRhDwZd/g+p38xwEoWtT0/aESwTMXWG4=", + "lastModified": 1750770351, + "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=", "owner": "tinted-theming", "repo": "schemes", - "rev": "87d652edd26f5c0c99deda5ae13dfb8ece2ffe31", + "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a", "type": "github" }, "original": { @@ -2954,11 +2953,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1748740859, - "narHash": "sha256-OEM12bg7F4N5WjZOcV7FHJbqRI6jtCqL6u8FtPrlZz4=", + "lastModified": 1751159871, + "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "57d5f9683ff9a3b590643beeaf0364da819aedda", + "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c", "type": "github" }, "original": { @@ -2970,11 +2969,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1725758778, - "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=", + "lastModified": 1751158968, + "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9", + "rev": "86a470d94204f7652b906ab0d378e4231a5b3384", "type": "github" }, "original": { 
@@ -3025,28 +3024,6 @@ "type": "github" } }, - "treefmt-nix_3": { - "inputs": { - "nixpkgs": [ - "stylix", - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "utils": { "locked": { "lastModified": 1678901627, @@ -3079,11 +3056,11 @@ }, "wrapper-manager": { "locked": { - "lastModified": 1750605920, - "narHash": "sha256-H7aKzVWtX2Efp8DwCuMrZex+IiXII2/PF5rO+Mu5oYU=", + "lastModified": 1751998186, + "narHash": "sha256-np2RxS8tRz/jGfUSYKxzg7cCi4dS8PL8gutLZfPMbIY=", "owner": "viperML", "repo": "wrapper-manager", - "rev": "238d49c10383cd1db56d694bff9d573684c71526", + "rev": "8ad2484b485acad0632cb0af15b5eb704e3c1d0a", "type": "github" }, "original": {