From b232f0a2c8339bf02034f85a3be683c0badd3f4c Mon Sep 17 00:00:00 2001 From: Erwin Boskma Date: Mon, 10 Jun 2024 10:59:31 +0200 Subject: [PATCH] saga: Add caddy --- machines/saga/configuration.nix | 44 ++++++++++++++++++++++----------- machines/saga/secrets.yaml | 5 ++-- 2 files changed, 33 insertions(+), 16 deletions(-) diff --git a/machines/saga/configuration.nix b/machines/saga/configuration.nix index eb31f82..28083a0 100644 --- a/machines/saga/configuration.nix +++ b/machines/saga/configuration.nix @@ -1,5 +1,6 @@ -{ self, ... }: +{ self, caddy-with-plugins, ... }: { + pkgs, modulesPath, lib, config, @@ -22,6 +23,16 @@ enable = true; server = true; }; + caddy-proxy = { + enable = true; + package = caddy-with-plugins.packages.${pkgs.system}.caddy-with-cloudflare; + proxyHosts = [ + { + externalHostname = "saga.datarift.nl"; + proxyAddress = "localhost:3000"; + } + ]; + }; nix-common = { enable = true; remote-builders = true; @@ -48,25 +59,29 @@ firewall.trustedInterfaces = [ "tailscale0" ]; }; - systemd.network = { - enable = true; + systemd = { + network = { + enable = true; - wait-online.anyInterface = true; + wait-online.anyInterface = true; - networks = { - "40-eth0" = { - matchConfig = { - Name = "eth0"; - }; + networks = { + "40-eth0" = { + matchConfig = { + Name = "eth0"; + }; - networkConfig = { - Address = "10.0.0.212/24"; - Gateway = "10.0.0.1"; - DNS = "10.0.0.206"; - DHCP = "no"; + networkConfig = { + Address = "10.0.0.212/24"; + Gateway = "10.0.0.1"; + DNS = "10.0.0.206"; + DHCP = "no"; + }; }; }; }; + + services.logrotate-checkconf.enable = false; }; security = { @@ -80,6 +95,7 @@ sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { + caddy-env = { }; metrics_ca = { owner = config.systemd.services.prometheus.serviceConfig.User; }; diff --git a/machines/saga/secrets.yaml b/machines/saga/secrets.yaml index 2c47519..5ba0bc0 100644 --- a/machines/saga/secrets.yaml +++ b/machines/saga/secrets.yaml 
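Review bot: The `caddy-proxy` block publishes whatever listens on `localhost:3000` under `saga.datarift.nl`, but nothing in the hunk says which service that is or who is meant to reach it. The block sets no access control of its own, and the module that opens ports and configures TLS is not part of this diff, so the backend has to enforce its own authentication; please confirm that it does. A short comment above `proxyHosts` would make the intent reviewable, for example `# <service> on :3000, reachable only from <network>; certificate issued via Cloudflare DNS challenge`. The DNS-challenge part is inferred from the package name `caddy-with-cloudflare` and should be confirmed.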
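Review bot: `services.logrotate-checkconf.enable = false;` switches off the logrotate configuration check without a comment, and it has no visible connection to the commit subject "saga: Add caddy". With the check disabled, a malformed logrotate configuration would presumably go unnoticed until logs stop rotating or fill the disk. Add a why-comment above the line, for example `# logrotate-checkconf fails because <reason>; re-enable once <condition>`, or move the line to its own commit. The rest of the hunk only nests `systemd.network` under `systemd` and re-indents it.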
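Review bot: `caddy-env = { };` takes the sops-nix defaults while the neighbouring `metrics_ca` sets `owner` explicitly, so this hunk does not show how the Caddy service gets to read the secret. If the `caddy-proxy` module loads it through systemd's `EnvironmentFile`, root-only ownership is the tighter choice and worth stating, e.g. `# root-owned on purpose: loaded via EnvironmentFile by the caddy unit`; if Caddy reads the file as its own user, `owner` has to be set. Consider `restartUnits = [ "caddy.service" ];` as well so a rotated value takes effect, assuming the unit has that name. The secret presumably holds the Cloudflare API token, which should be scoped to DNS edits on the single zone. The `sops.secrets` set continues past the end of the hunk.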
@@ -2,6 +2,7 @@ metrics_cert: ENC[AES256_GCM,data:hxI6B6h1eOaHlYpUeHcsXMAEPZwuKpAgZ9gYkkqK73guUy metrics_key: ENC[AES256_GCM,data:fGpIg3k/PBcq4dVdLL5oNEdbrPTFarDAi9QLw7ViEfzG4jdxOec8rdFNtECX3IdtGIFZ7VtLd7hTISYrklafBqYMyBw0y3dxmbQaG7CQoIPoxnoJlbwAxofjfgFyVa69V6/o1mvCBfw3Tv8akRQel+3lTTB7RgqBsd+JNjiIsrC5r4JAr6KJCkKKLbNJZ79W1PGdKb2VEeVwGmdfWcvKz4TN6Za4cwhc51IAnZBH+2QnNNCYM6JnT0LVIzERS6ljF8MOb2Xmaqb9w6QxxTLX4nheEceWpOMLc71nIGtMSsU+SiRiZtHEdcUsDGBUdriqQ2mP5Q10Yz0K0u1wqXiLiz/wfeFGIvRPNOpP/b/cSFQSp494ZnMdO2bsnXOKQNFVBkkIO2jvB2SOlIJwC329n9vG,iv:jktiYgPJluYrQOpOOTwwpQ9SDJVvsO4lEwDe+l2cn3Q=,tag:rduGq7/XVShG9SqQeWl19g==,type:str] metrics_ca: ENC[AES256_GCM,data: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,iv:08lM7WQLcnuC7DvTZ1999sOojo9l35gAZpp4oIMuJBY=,tag:YW0xjTJkycV7xJHZuhE0uQ==,type:str] grafana-oauth2-secret: ENC[AES256_GCM,data:D4f/MxiIGaeKD5DNXiCLg2IeFMX0TAkxIR1BY+1z89w=,iv:XNrRSwipAbpQFnXG94zke28gTL22zNf/HfGriChaRgA=,tag:6tsqNc68wHujtlmV4plwPQ==,type:str] +caddy-env: ENC[AES256_GCM,data:ntuUzIevCFYT6pUmVzcbvaHTdCIhpdtlYHhQynojNI77JqnF3o/OJVugXI0O4DqRLVkzaKcQ,iv:XqWjxR1PrwN/pO3Nh/TLdDlpcm2QfdVIVCACfrsCwEk=,tag:d8FFJ+P4hFrNp/tBckPteQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -35,8 +36,8 @@ sops: K1FHaGVOQlo2cjBTQ3ZIYXZ5ZzNsNlEKLZWrUkNXTv8ECwXz1aPdnrpMs6r9Q+yI k5rFkaa+ylIk4OqouKRxxlNFdgcdqqYdZEqLrfuLnamzr6LNaoL1dQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-29T15:40:45Z" - mac: ENC[AES256_GCM,data:+gH5ZcPlJ1ESdo93Td9BfuMKB1la18ER8OnA65/WERL5bjFai0GRjLxUGOLiJF5ApIj1JMfoqd08awvS8xUVM/4zccYXTeHtngVw2Ra9q3wcvFK4VzQ7kIO0btd6+YSdGGFpWLwBvErsn1yUs67sl69qr4qz0BxMrFn3zac3aQU=,iv:4fxThNrDrOsNNSykVVEmAHfl2VpcZVA58E5lZ+krEpE=,tag:RFigNQQzcZBMiCky5nL3Wg==,type:str] + lastmodified: "2024-06-10T09:03:14Z" + mac: ENC[AES256_GCM,data:5M837MDd/9ZPyoczsKQ0UJVtFxcX+DsKxZplsZgQA2iKhgzKtWsrz/HciYUnDsYqlTswDWPZhcMpEAhzozUxuKJEoWswmwuKAEBLn5zb6fcvy3H8oMDELR/e3IFZ+5dpxeaWrJwx2mXHdk/aW1AiWjtSpcNlNlF1QM8oFvwjlbA=,iv:h+uRWTlMZlkatS6zBLa9znGb77o8oPA2KC2C/rrVnGw=,tag:8/hTW2BDdTN8V36gSXFMEg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1