mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

chore: add caddy common defaults

Browse source
This commit is contained in:
oddlama 2023-06-17 23:46:15 +02:00
parent 9ed52a253c
commit b682db7173
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 35 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/ward/microvms/grafana/default.nix
View file

@ -14,7 +14,7 @@ in {
]; ];
networking.nftables.firewall.rules = lib.mkForce { networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [3001]; sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
}; };
age.secrets.grafana-secret-key = { age.secrets.grafana-secret-key = {
@ -40,9 +40,10 @@ in {
services.caddy.virtualHosts.${grafanaDomain} = { services.caddy.virtualHosts.${grafanaDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain; useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
extraConfig = '' extraConfig = ''
encode zstd gzip import common
reverse_proxy { reverse_proxy {
to http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port} to http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
header_up X-Real-IP {remote_host}
} }
''; '';
}; };

8
hosts/ward/microvms/kanidm/default.nix
View file

@ -8,13 +8,14 @@
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}"; kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
kanidmPort = 8300;
in { in {
imports = [ imports = [
../../../../modules/proxy-via-sentinel.nix ../../../../modules/proxy-via-sentinel.nix
]; ];
networking.nftables.firewall.rules = lib.mkForce { networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [8300]; sentinel-to-local.allowedTCPPorts = [kanidmPort];
}; };
age.secrets."kanidm-self-signed.crt" = { age.secrets."kanidm-self-signed.crt" = {
@ -35,9 +36,10 @@ in {
services.caddy.virtualHosts.${kanidmDomain} = { services.caddy.virtualHosts.${kanidmDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain; useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
extraConfig = '' extraConfig = ''
encode zstd gzip import common
reverse_proxy { reverse_proxy {
to https://${config.services.kanidm.serverSettings.bindaddress} to https://${config.services.kanidm.serverSettings.bindaddress}
header_up X-Real-IP {remote_host}
transport http { transport http {
tls_insecure_skip_verify tls_insecure_skip_verify
} }
@ -54,7 +56,7 @@ in {
origin = "https://${kanidmDomain}"; origin = "https://${kanidmDomain}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path; tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path; tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300"; bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
trust_x_forward_for = true; trust_x_forward_for = true;
}; };
}; };

8
hosts/ward/microvms/loki/default.nix
View file

@ -13,7 +13,7 @@ in {
]; ];
networking.nftables.firewall.rules = lib.mkForce { networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [3100]; sentinel-to-local.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
}; };
nodes.sentinel = { nodes.sentinel = {
@ -22,8 +22,7 @@ in {
age.secrets.loki-basic-auth-hashes = { age.secrets.loki-basic-auth-hashes = {
rekeyFile = ./secrets/loki-basic-auth-hashes.age; rekeyFile = ./secrets/loki-basic-auth-hashes.age;
generator = { generator = {
# Dependencies are added by the nodes that define passwords using # Dependencies are added by the nodes that define passwords (using distributed-config).
# distributed-config.
script = { script = {
pkgs, pkgs,
lib, lib,
@ -50,13 +49,14 @@ in {
services.caddy.virtualHosts.${lokiDomain} = { services.caddy.virtualHosts.${lokiDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain; useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
extraConfig = '' extraConfig = ''
encode zstd gzip import common
skip_log skip_log
basicauth { basicauth {
import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path} import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
} }
reverse_proxy { reverse_proxy {
to http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port} to http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
header_up X-Real-IP {remote_host}
} }
''; '';
}; };

23
modules/extra.nix
View file

@ -48,6 +48,29 @@ in {
extraDomainNames = ["*.${domain}"]; extraDomainNames = ["*.${domain}"];
}); });
# Sensible defaults for caddy
services.caddy = mkIf config.services.caddy.enable {
globalConfig = ''
(common) {
encode zstd gzip
header {
# Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
# Remove unnecessary information and remove Last-Modified in favor of ETag
-Server
-X-Powered-By
-Last-Modified
}
}
'';
};
# Sensible defaults for nginx # Sensible defaults for nginx
services.nginx = mkIf config.services.nginx.enable { services.nginx = mkIf config.services.nginx.enable {
recommendedBrotliSettings = true; recommendedBrotliSettings = true;