sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: add caddy common defaults

Browse source
This commit is contained in:
oddlama 2023-06-17 23:46:15 +02:00
parent 9ed52a253c
commit b682db7173
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 35 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

8
hosts/ward/microvms/kanidm/default.nix
View file

@ -8,13 +8,14 @@
}: let
sentinelCfg = nodes.sentinel.config;
kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
kanidmPort = 8300;
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [8300];
sentinel-to-local.allowedTCPPorts = [kanidmPort];
};
age.secrets."kanidm-self-signed.crt" = {
@ -35,9 +36,10 @@ in {
services.caddy.virtualHosts.${kanidmDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
extraConfig = ''
encode zstd gzip
import common
reverse_proxy {
to https://${config.services.kanidm.serverSettings.bindaddress}
header_up X-Real-IP {remote_host}
transport http {
tls_insecure_skip_verify
}
@ -54,7 +56,7 @@ in {
origin = "https://${kanidmDomain}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
trust_x_forward_for = true;
};
};