sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add customizable caddy package (with plugin support)

Browse source
This commit is contained in:
oddlama 2023-06-05 01:14:46 +02:00
parent c5a863ce51
commit 6f84594c87
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
9 changed files with 90 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

4
flake.nix
View file

@ -125,9 +125,7 @@
pkgs = import nixpkgs { pkgs = import nixpkgs {
localSystem = system; localSystem = system;
config.allowUnfree = true; config.allowUnfree = true;
overlays = [ overlays = [microvm.overlay] ++ import ./pkgs/default.nix;
microvm.overlay
];
}; };
apps = apps =

21
hosts/sentinel/acme.nix Normal file
View file

@ -0,0 +1,21 @@
{config, ...}: let
inherit (config.repo.secrets.local) acme;
in {
rekey.secrets.acme-credentials = {
file = ./secrets/acme-credentials.age;
mode = "440";
group = "acme";
};
security.acme = {
acceptTerms = true;
defaults = {
inherit (acme) email;
credentialsFile = config.rekey.secrets.acme-credentials.path;
dnsProvider = "cloudflare";
dnsPropagationCheck = true;
reloadServices = ["nginx"];
};
};
extra.acme.wildcardDomains = acme.domains;
}

32
hosts/sentinel/caddy.nix
View file

@ -2,30 +2,12 @@
config, config,
lib, lib,
nodes, nodes,
pkgs,
... ...
}: let }: let
inherit (config.repo.secrets.local) acme personalDomain; inherit (config.repo.secrets.local) acme personalDomain;
in { in {
networking.domain = personalDomain; users.groups.acme.members = ["caddy"];
rekey.secrets.acme-credentials = {
file = ./secrets/acme-credentials.age;
mode = "440";
group = "acme";
};
security.acme = {
acceptTerms = true;
defaults = {
inherit (acme) email;
credentialsFile = config.rekey.secrets.acme-credentials.path;
dnsProvider = "cloudflare";
dnsPropagationCheck = true;
reloadServices = ["nginx"];
};
};
extra.acme.wildcardDomains = acme.domains;
users.groups.acme.members = ["nginx"];
rekey.secrets."dhparams.pem" = { rekey.secrets."dhparams.pem" = {
file = ./secrets/dhparams.pem.age; file = ./secrets/dhparams.pem.age;
@ -41,5 +23,15 @@ in {
lokiDomain = "loki.${personalDomain}"; lokiDomain = "loki.${personalDomain}";
lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port; lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
in { in {
enable = true;
package = pkgs.caddy.withPackages {
plugins = [
{
name = "github.com/greenpau/caddy-security";
version = "v1.1.18";
}
];
vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
};
}; };
} }

3
hosts/sentinel/default.nix
View file

@ -12,7 +12,8 @@
./fs.nix ./fs.nix
./net.nix ./net.nix
#./nginx.nix ./acme.nix
./caddy.nix ./caddy.nix
#./nginx.nix
]; ];
} }

1
hosts/sentinel/net.nix
View file

@ -5,6 +5,7 @@
... ...
}: { }: {
networking.hostId = config.repo.secrets.local.networking.hostId; networking.hostId = config.repo.secrets.local.networking.hostId;
networking.domain = config.repo.secrets.local.personalDomain;
boot.initrd.systemd.network = { boot.initrd.systemd.network = {
enable = true; enable = true;

2
hosts/sentinel/nginx.nix
View file

@ -6,8 +6,6 @@
}: let }: let
inherit (config.repo.secrets.local) acme personalDomain; inherit (config.repo.secrets.local) acme personalDomain;
in { in {
networking.domain = personalDomain;
rekey.secrets.acme-credentials = { rekey.secrets.acme-credentials = {
file = ./secrets/acme-credentials.age; file = ./secrets/acme-credentials.age;
mode = "440"; mode = "440";

1
hosts/ward/default.nix
View file

@ -234,6 +234,7 @@ in {
lib, lib,
config, config,
parentNodeName, parentNodeName,
utils,
... ...
}: { }: {
rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno"; rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";

49
pkgs/caddy.nix Normal file
View file

@ -0,0 +1,49 @@
final: prev: let
inherit
(final.lib)
escapeShellArg
concatMapStrings
flatten
flip
;
make-custom-caddy = {
plugins,
vendorHash,
}: let
caddyPatchMain =
flip concatMapStrings plugins
({name, ...}: "sed -i '/plug in Caddy modules here/a \\\\t_ \"${name}\"' cmd/caddy/main.go\n");
caddyPatchGoGet =
flip concatMapStrings plugins
({
name,
version,
}: "go get ${escapeShellArg name}@${escapeShellArg version}\n");
in
prev.caddy.override {
buildGoModule = args:
prev.buildGoModule (args
// {
inherit vendorHash;
passthru.plugins = plugins;
overrideModAttrs = _: {
preBuild = caddyPatchGoGet;
postInstall = "cp go.mod go.sum $out/";
};
postPatch = caddyPatchMain;
postConfigure = "cp vendor/go.mod vendor/go.sum .";
});
};
in {
# Example usage:
# caddy.withPackages {
# plugins = [
# { name = "github.com/greenpau/caddy-security"; version = "v1.1.18"; }
# ];
# vendorHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
# }
caddy = prev.caddy.overrideAttrs (_: {passthru.withPackages = make-custom-caddy;});
}

3
pkgs/default.nix Normal file
View file

@ -0,0 +1,3 @@
[
(import ./caddy.nix)
]