diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index 630e577..b83185a 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -14,7 +14,7 @@ in {
   ];
 
   networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [3001];
+    sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
   };
 
   age.secrets.grafana-secret-key = {
@@ -40,9 +40,10 @@ in {
   services.caddy.virtualHosts.${grafanaDomain} = {
     useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
     extraConfig = ''
-      encode zstd gzip
+      import common
       reverse_proxy {
         to http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
+        header_up X-Real-IP {remote_host}
       }
     '';
   };
diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix
index 5bfa3d8..8272ce9 100644
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@@ -8,13 +8,14 @@
 }: let
   sentinelCfg = nodes.sentinel.config;
   kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
+  kanidmPort = 8300;
 in {
   imports = [
     ../../../../modules/proxy-via-sentinel.nix
   ];
 
   networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [8300];
+    sentinel-to-local.allowedTCPPorts = [kanidmPort];
   };
 
   age.secrets."kanidm-self-signed.crt" = {
@@ -35,9 +36,10 @@ in {
   services.caddy.virtualHosts.${kanidmDomain} = {
     useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
     extraConfig = ''
-      encode zstd gzip
+      import common
       reverse_proxy {
         to https://${config.services.kanidm.serverSettings.bindaddress}
+        header_up X-Real-IP {remote_host}
         transport http {
           tls_insecure_skip_verify
         }
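Review bot: `header_up X-Real-IP {remote_host}` in the grafana vhost replaces any client-supplied X-Real-IP with the address of Caddy's direct TCP peer, which is the safe direction, but that peer is simply whatever connects to sentinel — if another proxy or CDN is ever placed in front of it, Grafana's logs and IP-based checks will see that hop instead of the end client (Caddy's own X-Forwarded-For handling has the same caveat unless `trusted_proxies` is configured). A one-line comment would stop the next reader from assuming more, e.g. `# direct peer of sentinel's caddy; only meaningful while nothing sits in front of it`. Note also that `import common` now applies `X-Frame-Options "DENY"` to Grafana, which blocks any iframe embedding of panels; I can't tell from this hunk whether embedding is used here.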
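Review bot: The kanidm vhost still proxies with `tls_insecure_skip_verify` after this change, so the new `import common` and `header_up` lines sit on a hop where Caddy accepts any certificate presented on the kanidm bindaddress. The self-signed certificate is already managed as an age secret (`kanidm-self-signed.crt`, used as `tls_chain` later in this file), so the proxy could pin it with `tls_trusted_ca_certs <path-on-sentinel>` inside `transport http` and drop `tls_insecure_skip_verify`; that requires the public cert to be deployed to sentinel as well, which this diff does not show. Kanidm's `trust_x_forward_for = true` presumably consumes `X-Forwarded-For`, which reverse_proxy already sets, so the added `X-Real-IP` is likely informational only for this upstream — a short comment such as `# informational; kanidm trusts X-Forwarded-For` would keep anyone from relying on it.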
@@ -54,7 +56,7 @@ in {
       origin = "https://${kanidmDomain}";
       tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
       tls_key = config.age.secrets."kanidm-self-signed.key".path;
-      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
+      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
       trust_x_forward_for = true;
     };
   };
diff --git a/hosts/ward/microvms/loki/default.nix b/hosts/ward/microvms/loki/default.nix
index a25d9bd..373a216 100644
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@@ -13,7 +13,7 @@ in {
   ];
 
   networking.nftables.firewall.rules = lib.mkForce {
-    sentinel-to-local.allowedTCPPorts = [3100];
+    sentinel-to-local.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
   };
 
   nodes.sentinel = {
@@ -22,8 +22,7 @@ in {
     age.secrets.loki-basic-auth-hashes = {
       rekeyFile = ./secrets/loki-basic-auth-hashes.age;
       generator = {
-        # Dependencies are added by the nodes that define passwords using
-        # distributed-config.
+        # Dependencies are added by the nodes that define passwords (using distributed-config).
         script = {
           pkgs,
           lib,
@@ -50,13 +49,14 @@ in {
   services.caddy.virtualHosts.${lokiDomain} = {
     useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
     extraConfig = ''
-      encode zstd gzip
+      import common
       skip_log
       basicauth {
         import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
       }
       reverse_proxy {
         to http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
+        header_up X-Real-IP {remote_host}
       }
     '';
   };
diff --git a/modules/extra.nix b/modules/extra.nix
index df22176..71c371d 100644
--- a/modules/extra.nix
+++ b/modules/extra.nix
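Review bot: `skip_log` in the loki vhost suppresses access logging for an internet-facing endpoint whose only gate is `basicauth`, so repeated failed credential attempts leave no trace in Caddy's logs, and the new `import common`/`header_up` lines do not change that. If the intent is only to keep Loki's own push traffic out of the log, narrow it with a matcher, e.g. `@push path /loki/api/v1/push` followed by `skip_log @push`, so 401s and anything outside the push path are still recorded. Newer Caddy releases spell this directive `log_skip` and keep `skip_log` as an alias, so either form should keep working on the versions I'm aware of.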
@@ -48,6 +48,29 @@ in {
       extraDomainNames = ["*.${domain}"];
     });
 
+  # Sensible defaults for caddy
+  services.caddy = mkIf config.services.caddy.enable {
+    globalConfig = ''
+      (common) {
+        encode zstd gzip
+
+        header {
+          # Enable HTTP Strict Transport Security (HSTS)
+          Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+
+          X-XSS-Protection "1; mode=block"
+          X-Frame-Options "DENY"
+          X-Content-Type-Options "nosniff"
+
+          # Remove unnecessary information and remove Last-Modified in favor of ETag
+          -Server
+          -X-Powered-By
+          -Last-Modified
+        }
+      }
+    '';
+  };
+
   # Sensible defaults for nginx
   services.nginx = mkIf config.services.nginx.enable {
     recommendedBrotliSettings = true;
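Review bot: The HSTS entry in the new `(common)` snippet has a `;` outside the closing quote, `Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";`, and the Caddyfile lexer reads that trailing `;` as a third token, which turns the line into the header directive's `<field> <find> <replace>` form rather than a set — the effect is a regex replace on an existing HSTS header and no HSTS header at all for upstreams that don't send one; drop the semicolon. `X-XSS-Protection "1; mode=block"` is also worth reconsidering: the auditor it controls has been removed from Chromium and the blocking mode has been used for cross-site information leaks in older browsers, so current guidance is `X-XSS-Protection "0"` or omitting the header. I believe the NixOS caddy module renders `globalConfig` inside the `{ ... }` global-options block, where a `(common)` snippet definition is not a recognised option; if so the snippet belongs in `services.caddy.extraConfig`, which is easy to confirm with `caddy validate` against the generated Caddyfile. Finally, `preload` together with `includeSubdomains` is a commitment for the whole domain once submitted to the preload list, so make sure every host that will `import common` is meant to be covered.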