feat: add customizable caddy package (with plugin support)
This commit is contained in:
parent
c5a863ce51
commit
6f84594c87
9 changed files with 90 additions and 26 deletions
|
@ -125,9 +125,7 @@
|
|||
pkgs = import nixpkgs {
|
||||
localSystem = system;
|
||||
config.allowUnfree = true;
|
||||
overlays = [
|
||||
microvm.overlay
|
||||
];
|
||||
overlays = [microvm.overlay] ++ import ./pkgs/default.nix;
|
||||
};
|
||||
|
||||
apps =
|
||||
|
|
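--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@@ -0,0 +1,21 @@
+{config, ...}: let
+inherit (config.repo.secrets.local) acme;
+in {
+rekey.secrets.acme-credentials = {
+file = ./secrets/acme-credentials.age;
+mode = "440";
+group = "acme";
+};
+
+security.acme = {
+acceptTerms = true;
+defaults = {
+inherit (acme) email;
+credentialsFile = config.rekey.secrets.acme-credentials.path;
+dnsProvider = "cloudflare";
+dnsPropagationCheck = true;
+reloadServices = ["nginx"];
+};
+};
+extra.acme.wildcardDomains = acme.domains;
+}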
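Review bot: `reloadServices = ["nginx"];` in the new hosts/sentinel/acme.nix still points the post-renewal reload at nginx, while the rest of this commit moves the host to caddy (`users.groups.acme.members = ["caddy"];` and `#./nginx.nix` in the other sections). If caddy is the intended consumer of these certificates, a renewed certificate would not be picked up until caddy restarts for some other reason, and the problem only surfaces once the old certificate expires. Change the line to `reloadServices = ["caddy"];`, or, if the reload is deliberately left to caddy's own certificate handling, add a one-line comment saying so, e.g. `# caddy reloads its TLS assets itself; no acme reload hook needed`.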
@ -2,30 +2,12 @@
|
|||
config,
|
||||
lib,
|
||||
nodes,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
inherit (config.repo.secrets.local) acme personalDomain;
|
||||
in {
|
||||
networking.domain = personalDomain;
|
||||
|
||||
rekey.secrets.acme-credentials = {
|
||||
file = ./secrets/acme-credentials.age;
|
||||
mode = "440";
|
||||
group = "acme";
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
inherit (acme) email;
|
||||
credentialsFile = config.rekey.secrets.acme-credentials.path;
|
||||
dnsProvider = "cloudflare";
|
||||
dnsPropagationCheck = true;
|
||||
reloadServices = ["nginx"];
|
||||
};
|
||||
};
|
||||
extra.acme.wildcardDomains = acme.domains;
|
||||
users.groups.acme.members = ["nginx"];
|
||||
users.groups.acme.members = ["caddy"];
|
||||
|
||||
rekey.secrets."dhparams.pem" = {
|
||||
file = ./secrets/dhparams.pem.age;
|
||||
|
@ -41,5 +23,15 @@ in {
|
|||
lokiDomain = "loki.${personalDomain}";
|
||||
lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
|
||||
in {
|
||||
enable = true;
|
||||
package = pkgs.caddy.withPackages {
|
||||
plugins = [
|
||||
{
|
||||
name = "github.com/greenpau/caddy-security";
|
||||
version = "v1.1.18";
|
||||
}
|
||||
];
|
||||
vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -12,7 +12,8 @@
|
|||
|
||||
./fs.nix
|
||||
./net.nix
|
||||
#./nginx.nix
|
||||
./acme.nix
|
||||
./caddy.nix
|
||||
#./nginx.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
...
|
||||
}: {
|
||||
networking.hostId = config.repo.secrets.local.networking.hostId;
|
||||
networking.domain = config.repo.secrets.local.personalDomain;
|
||||
|
||||
boot.initrd.systemd.network = {
|
||||
enable = true;
|
||||
|
|
|
@ -6,8 +6,6 @@
|
|||
}: let
|
||||
inherit (config.repo.secrets.local) acme personalDomain;
|
||||
in {
|
||||
networking.domain = personalDomain;
|
||||
|
||||
rekey.secrets.acme-credentials = {
|
||||
file = ./secrets/acme-credentials.age;
|
||||
mode = "440";
|
||||
|
|
|
@ -234,6 +234,7 @@ in {
|
|||
lib,
|
||||
config,
|
||||
parentNodeName,
|
||||
utils,
|
||||
...
|
||||
}: {
|
||||
rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
|
||||
|
|
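--- a/pkgs/caddy.nix
+++ b/pkgs/caddy.nix
@@ -0,0 +1,49 @@
+final: prev: let
+inherit
+(final.lib)
+escapeShellArg
+concatMapStrings
+flatten
+flip
+;
+
+make-custom-caddy = {
+plugins,
+vendorHash,
+}: let
+caddyPatchMain =
+flip concatMapStrings plugins
+({name, ...}: "sed -i '/plug in Caddy modules here/a \\\\t_ \"${name}\"' cmd/caddy/main.go\n");
+caddyPatchGoGet =
+flip concatMapStrings plugins
+({
+name,
+version,
+}: "go get ${escapeShellArg name}@${escapeShellArg version}\n");
+in
+prev.caddy.override {
+buildGoModule = args:
+prev.buildGoModule (args
+// {
+inherit vendorHash;
+passthru.plugins = plugins;
+
+overrideModAttrs = _: {
+preBuild = caddyPatchGoGet;
+postInstall = "cp go.mod go.sum $out/";
+};
+
+postPatch = caddyPatchMain;
+postConfigure = "cp vendor/go.mod vendor/go.sum .";
+});
+};
+in {
+# Example usage:
+# caddy.withPackages {
+# plugins = [
+# { name = "github.com/greenpau/caddy-security"; version = "v1.1.18"; }
+# ];
+# vendorHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+# }
+caddy = prev.caddy.overrideAttrs (_: {passthru.withPackages = make-custom-caddy;});
+}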
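Review bot: `caddyPatchMain` interpolates the plugin `name` unescaped into the single-quoted sed expression, whereas `caddyPatchGoGet` a few lines below passes both fields through `escapeShellArg`; a name containing `'` or sed metacharacters breaks the patch step or edits main.go in ways the author did not intend. Because the value is a build-time input from the host configuration, the consequence is a broken or surprising build rather than a runtime problem, but the two helpers should agree: `({name, ...}: "sed -i ${escapeShellArg "/plug in Caddy modules here/a \\\\t_ \"${name}\""} cmd/caddy/main.go\n");`. The plugin sources are fetched by `go get` in the module derivation's `preBuild`, so the caller-supplied `vendorHash` is what pins that fetched code; the example comment should say so, e.g. `# vendorHash pins the fetched plugin sources; recompute it whenever a plugin or version changes.`. `flatten` is inherited but not used in this file and can be dropped.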
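--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -0,0 +1,3 @@
+[
+(import ./caddy.nix)
+]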