chore: add caddy common defaults

2025-10-11 07:10:39 +02:00 · 2023-06-17 23:46:15 +02:00 · 2023-06-17 23:46:15 +02:00 · b682db7173
commit b682db7173
parent 9ed52a253c
4 changed files with 35 additions and 9 deletions
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -14,7 +14,7 @@ in {
  ];

  networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [3001];
+    sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
  };

  age.secrets.grafana-secret-key = {
@ -40,9 +40,10 @@ in {
    services.caddy.virtualHosts.${grafanaDomain} = {
      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
      extraConfig = ''
-        encode zstd gzip
+        import common
        reverse_proxy {
          to http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
+          header_up X-Real-IP {remote_host}
        }
      '';
    };
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -8,13 +8,14 @@
 }: let
  sentinelCfg = nodes.sentinel.config;
  kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
+  kanidmPort = 8300;
 in {
  imports = [
    ../../../../modules/proxy-via-sentinel.nix
  ];

  networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [8300];
+    sentinel-to-local.allowedTCPPorts = [kanidmPort];
  };

  age.secrets."kanidm-self-signed.crt" = {
@ -35,9 +36,10 @@ in {
    services.caddy.virtualHosts.${kanidmDomain} = {
      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
      extraConfig = ''
-        encode zstd gzip
+        import common
        reverse_proxy {
          to https://${config.services.kanidm.serverSettings.bindaddress}
+          header_up X-Real-IP {remote_host}
          transport http {
            tls_insecure_skip_verify
          }
@ -54,7 +56,7 @@ in {
      origin = "https://${kanidmDomain}";
      tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
      tls_key = config.age.secrets."kanidm-self-signed.key".path;
-      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
+      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
      trust_x_forward_for = true;
    };
  };
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -13,7 +13,7 @@ in {
  ];

  networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [3100];
+    sentinel-to-local.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
  };

  nodes.sentinel = {
@ -22,8 +22,7 @@ in {
    age.secrets.loki-basic-auth-hashes = {
      rekeyFile = ./secrets/loki-basic-auth-hashes.age;
      generator = {
-        # Dependencies are added by the nodes that define passwords using
-        # distributed-config.
+        # Dependencies are added by the nodes that define passwords (using distributed-config).
        script = {
          pkgs,
          lib,
@ -50,13 +49,14 @@ in {
    services.caddy.virtualHosts.${lokiDomain} = {
      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
      extraConfig = ''
-        encode zstd gzip
+        import common
        skip_log
        basicauth {
          import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
        }
        reverse_proxy {
          to http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
+          header_up X-Real-IP {remote_host}
        }
      '';
    };