erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions

Use caddy as proxy in place of nginx-proxy-manager

Browse source
This commit is contained in:
Erwin Boskma 2023-08-10 16:43:46 +02:00
parent e7fee4d3be
commit e857fb28cb
Signed by: erwin
SSH key fingerprint: SHA256:9LmFDe1C6jSrEyqxxvX8NtJBmcbB105XoqyUZF092bg
6 changed files with 129 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -7,6 +7,7 @@ keys:
- &gitea age1jkj6xrhr3uf52hac4wlda4a8jcegha86jf5lgv58df0xunadz53qpjlpae
- &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
- &minio age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49
- &proxy age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m
creation_rules:
- path_regex: machines/loki/[^/]+\.yaml$
key_groups:
@ -44,3 +45,9 @@ creation_rules:
- *erwin
- *erwin_horus
- *minio
- path_regex: machines/proxy/[^/]+\.ya?ml$
key_groups:
- age:
- *erwin
- *erwin_horus
- *proxy

6
flake.nix
View file

@ -78,6 +78,12 @@
inputs.rust-overlay.follows = "rust-overlay";
};
caddy-with-plugins = {
url = "github:eboskma/caddy-with-plugins";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-parts.follows = "flake-parts";
};
ha-now-playing = {
url = "git+https://git.datarift.nl/erwin/ha-now-playing.git?ref=main";
inputs.nixpkgs.follows = "nixpkgs";

18
machines/proxy/configuration.nix
View file

@ -1,5 +1,5 @@
{ self, ... }:
{ modulesPath, ... }: {
{ self, caddy-with-plugins, ... }:
{ modulesPath, pkgs, ... }: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
../../users/root
@ -15,7 +15,15 @@
enable = true;
remote-builders = true;
};
nginx-proxy-manager.enable = true;
nginx-proxy-manager.enable = false;
caddy-proxy = {
enable = true;
package = caddy-with-plugins.lib.caddyWithPackages {
inherit (pkgs) caddy buildGoModule;
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
vendorSha256 = "juhzEaAv3s8KAcyloSNotAddOqgMBqjOcTkbA15Gj/U=";
};
};
};
boot.isContainer = true;
@ -52,7 +60,9 @@
security.sudo.execWheelOnly = true;
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = { };
sops.secrets = {
caddy-env = { };
};
system.stateVersion = "21.11";
}

7
machines/proxy/hardware-configuration.nix
View file

@ -1,7 +0,0 @@
{ modulesPath
, ...
}: {
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
];
}

39
machines/proxy/secrets.yaml Normal file
View file

@ -0,0 +1,39 @@
caddy-env: ENC[AES256_GCM,data:wtnl9YIyeLa9mYywihEWGrTiFXjzyAB6eUNDTVHKVNU213zYqcoe+n1r57wtC5qNRdNeEHMi,iv:Q5qtSyIyV55omNmXFxguyslWB1lRAxQpGQlN9NKRmAE=,tag:mDJF/3jEjsS1V3Zk8cnMbQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMDh2aUZrNjFrb0FoOUN2
Q0ZYUGJUaVh0QnU4NWV1bzU3OEJNUU1iZzNRCkgxYnN4NzJnaldrSXZsY2VPM1ZF
YlR4eVlmRG9yVU1ieWJEbU13bnljV2sKLS0tIFFIODJtRFZ4SjFMbWZDZVFCMUUv
VjBpQUY2OWRpNWNpcDVXVUhTQnFvMXcKF6T0r4jS+mtmsm0oG48n8GTrIh6K6QFB
rLa2LMjqXJFv1PohM3/oRdznHKLV8sW1mr/GQ+DgNmh/8i0J1RH/vA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUDVGaTFzdTNpdkJaQ1Qw
ZGRWNHBEcHo5VHh1SXIxUHJjVHhlVWV6Y3g4CjJGTlQ2M1JXMi8wamREQ29ud0ho
anVaV2FtUkp4SGt2ZlFwSmpyMUxQclUKLS0tIDIrVGhZUkRzMG42RXFIdFVybFZO
K1FiL21YTTh5RVZ4eEZaN0FjNmZmeXcK2cC+7TXmiXlcfbYelTjqpTMBMYh255Du
g82xFVcvd404xnnrDuYp5hHFnz3D3Gg6IQoVjJv6H+t5I2x/gJiQZg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGM0K1FJbmdvMUJWd2wz
djBRMWxML2dBQ2ZBTjN1S0gwWDlSUytWeERnCmZteWFZRnpKcEt5aXo3R00zWUkx
RGVCdFhVYVR2RjZaZGJ0YnAvVnpBcGcKLS0tIHpUV25RcmFjMENTQWI5OVdVZ2Zz
RW5kVVdlTmxsalB1TFVRd2dUOU5kL00KP4f1FGMxnWJajfdQqeTXr1ADu6HCTcto
yUbbhHkhwS8IBUM0ETbEaY76o3y9WufAye37Lp3Vg44GN5IozURpOg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-09T22:09:02Z"
mac: ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

63
modules/caddy-proxy/default.nix Normal file
View file

@ -0,0 +1,63 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.eboskma.caddy-proxy;
mkProxyHost = target: {
extraConfig = ''
reverse_proxy ${target}
tls {
dns cloudflare {env.CF_API_TOKEN}
}
'';
};
mkLocalProxyHost = target: {
extraConfig = ''
@local_or_ts {
remote_ip 10.0.0.0/24 100.64.0.0/10
}
handle @local_or_ts {
reverse_proxy ${target}
}
handle {
error "Nope." 401
}
tls {
dns cloudflare {env.CF_API_TOKEN}
}
'';
};
in
{
options.eboskma.caddy-proxy = {
enable = mkEnableOption "Caddy proxy";
package = mkPackageOption pkgs "caddy" { };
};
config = mkIf cfg.enable {
services.caddy = {
enable = true;
package = cfg.package;
email = "erwin@datarift.nl";
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
virtualHosts = {
"home.datarift.nl" = mkProxyHost "homeassistant.barn-beaver.ts.net:8123";
"drone.datarift.nl" = mkProxyHost "drone.barn-beaver.ts.net:8100";
"frigate.datarift.nl" = mkLocalProxyHost "frigate.barn-beaver.ts.net:5000";
"git.datarift.nl" = mkProxyHost "gitea.barn-beaver.ts.net:3000";
"minio.datarift.nl" = mkProxyHost "minio.barn-beaver.ts.net:9000";
"minio-admin.datarift.nl" = mkLocalProxyHost "minio.barn-beaver.ts.net:9001";
};
};
systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}