chore: add caddy common defaults

hosts/ward/microvms/grafana/default.nix

@@ -14,7 +14,7 @@ in {
   ];
 
   networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [3001];
+    sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
   };
 
   age.secrets.grafana-secret-key = {
@@ -40,9 +40,10 @@ in {
     services.caddy.virtualHosts.${grafanaDomain} = {
       useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
       extraConfig = ''
-        encode zstd gzip
+        import common
         reverse_proxy {
           to http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
+          header_up X-Real-IP {remote_host}
         }
       '';
     };

hosts/ward/microvms/kanidm/default.nix

@@ -8,13 +8,14 @@
 }: let
   sentinelCfg = nodes.sentinel.config;
   kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
+  kanidmPort = 8300;
 in {
   imports = [
     ../../../../modules/proxy-via-sentinel.nix
   ];
 
   networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [8300];
+    sentinel-to-local.allowedTCPPorts = [kanidmPort];
   };
 
   age.secrets."kanidm-self-signed.crt" = {
@@ -35,9 +36,10 @@ in {
     services.caddy.virtualHosts.${kanidmDomain} = {
       useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
       extraConfig = ''
-        encode zstd gzip
+        import common
         reverse_proxy {
           to https://${config.services.kanidm.serverSettings.bindaddress}
+          header_up X-Real-IP {remote_host}
           transport http {
             tls_insecure_skip_verify
           }
@@ -54,7 +56,7 @@ in {
       origin = "https://${kanidmDomain}";
       tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
       tls_key = config.age.secrets."kanidm-self-signed.key".path;
-      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
+      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
       trust_x_forward_for = true;
     };
   };

hosts/ward/microvms/loki/default.nix

@@ -13,7 +13,7 @@ in {
   ];
 
   networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [3100];
+    sentinel-to-local.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
   };
 
   nodes.sentinel = {
@@ -22,8 +22,7 @@ in {
     age.secrets.loki-basic-auth-hashes = {
       rekeyFile = ./secrets/loki-basic-auth-hashes.age;
       generator = {
-        # Dependencies are added by the nodes that define passwords using
-        # distributed-config.
+        # Dependencies are added by the nodes that define passwords (using distributed-config).
         script = {
           pkgs,
           lib,
@@ -50,13 +49,14 @@ in {
     services.caddy.virtualHosts.${lokiDomain} = {
       useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
       extraConfig = ''
-        encode zstd gzip
+        import common
         skip_log
         basicauth {
           import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
         }
         reverse_proxy {
           to http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
+          header_up X-Real-IP {remote_host}
         }
       '';
     };

modules/extra.nix

@@ -48,6 +48,29 @@ in {
       extraDomainNames = ["*.${domain}"];
     });
 
+    # Sensible defaults for caddy
+    services.caddy = mkIf config.services.caddy.enable {
+      globalConfig = ''
+        (common) {
+          encode zstd gzip
+
+          header {
+            # Enable HTTP Strict Transport Security (HSTS)
+            Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+
+            X-XSS-Protection "1; mode=block"
+            X-Frame-Options "DENY"
+            X-Content-Type-Options "nosniff"
+
+            # Remove unnecessary information and remove Last-Modified in favor of ETag
+            -Server
+            -X-Powered-By
+            -Last-Modified
+          }
+        }
+      '';
+    };
+
     # Sensible defaults for nginx
     services.nginx = mkIf config.services.nginx.enable {
       recommendedBrotliSettings = true;