diff --git a/hosts/cloud/proxy/auth.nix b/hosts/cloud/proxy/auth.nix
deleted file mode 100644
index c8700f0..0000000
--- a/hosts/cloud/proxy/auth.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ ... }:
-{
- services.nginx.upstreams.authentik = {
- servers = {
- "10.89.88.11:9000" = { };
- "[fd31:185d:722f::11]:9000" = { };
- };
- extraConfig = ''
- keepalive 10;
- '';
- };
-
- services.nginx.virtualHosts."auth.oxapentane.com" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://authentik";
- extraConfig = ''
- # general proxy settings
- proxy_connect_timeout 60s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- # authentik specifik
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade_keepalive;
- '';
- };
- };
-}
diff --git a/hosts/cloud/proxy/conduwuit.nix b/hosts/cloud/proxy/conduwuit.nix
deleted file mode 100644
index 97ba4a3..0000000
--- a/hosts/cloud/proxy/conduwuit.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ ... }:
-let
- proxy-conf = ''
- client_max_body_size 50M;
- proxy_buffering off;
-
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Access-Control-Allow-Origin *;
- proxy_set_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
- proxy_set_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- send_timeout 600s;
- '';
-
-in
-{
- services.nginx.upstreams.conduwuit = {
- servers = {
- "10.89.88.16:6167" = { };
- "[fd31:185d:722f::16]:6167" = { };
- };
- };
-
- services.nginx.virtualHosts."oxapentane.com" = {
- locations."/_matrix/" = {
- proxyPass = "http://conduwuit$request_uri";
- extraConfig = proxy-conf;
- };
- locations."/_conduwuit/" = {
- proxyPass = "http://conduwuit$request_uri";
- extraConfig = proxy-conf;
- };
- locations."/.well-known/matrix" = {
- proxyPass = "http://conduwuit$request_uri";
- extraConfig = proxy-conf;
- };
- };
-}
diff --git a/hosts/cloud/proxy/dav.nix b/hosts/cloud/proxy/dav.nix
deleted file mode 100644
index 6f00943..0000000
--- a/hosts/cloud/proxy/dav.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ ... }:
-{
- services.nginx.upstreams.radicale = {
- servers = {
- "10.89.88.12:5232" = { };
- "[fd31:185d:722f::12]:5232" = { };
- };
- };
-
- services.nginx.virtualHosts."dav.oxapentane.com" = {
- forceSSL = true;
- enableACME = true;
- # Radicale
- locations."/" = {
- proxyPass = "http://radicale";
- extraConfig = ''
- # Radicale stuff
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade_keepalive;
-
- # authentik stuff
- auth_request /outpost.goauthentik.io/auth/nginx;
- error_page 401 = @goauthentik_proxy_signin;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- proxy_set_header Set-Cookie $auth_cookie;
-
- # translate headers from the outposts back to the actual upstream
- auth_request_set $authentik_username $upstream_http_x_authentik_username;
- auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
- auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
- auth_request_set $authentik_email $upstream_http_x_authentik_email;
- auth_request_set $authentik_name $upstream_http_x_authentik_name;
- auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
-
- proxy_set_header X-authentik-username $authentik_username;
- proxy_set_header X-Remote-User $authentik_username;
- proxy_set_header X-authentik-groups $authentik_groups;
- proxy_set_header X-authentik-entitlements $authentik_entitlements;
- proxy_set_header X-authentik-email $authentik_email;
- proxy_set_header X-authentik-name $authentik_name;
- proxy_set_header X-authentik-uid $authentik_uid;
- '';
- };
-
- locations."/outpost.goauthentik.io" = {
- proxyPass = "http://authentik/outpost.goauthentik.io";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- proxy_set_header Set-Cookie $auth_cookie;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- '';
- };
- locations."@goauthentik_proxy_signin" = {
- extraConfig = ''
- internal;
- proxy_set_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
- '';
- };
- };
-}
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index e233e65..9994da4 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -4,12 +4,7 @@ let
 in
 {
 imports = [
- ./auth.nix
- ./conduwuit.nix
- ./dav.nix
 ./git.nix
- ./immich.nix
- ./news.nix
 ];
 
 networking.firewall.allowedTCPPorts = [
@@ -17,63 +12,53 @@ in
 443
 ];
 
- services.nginx = {
+ services.caddy = {
 enable = true;
+ virtualHosts."oxapentane.com" = {
+ serverAliases = [ "www.oxapentane.com" ];
+ extraConfig = ''
+ # conduit
+ @matrix {
+ path /.well-known/matrix/*
+ path /_matrix/*
+ }
 
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
+ route {
+ header /.well-known/matrix/* Access-Control-Allow-Origin *
 
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ reverse_proxy @matrix 10.89.88.16:6167
 
- appendHttpConfig = ''
- # upgrade websockets
- map $http_upgrade $connection_upgrade_keepalive {
- default upgrade;
- ''' ''';
- }
+ # file server
+ file_server {
+ root ${website}
+ index index.html
+ }
+ }
+ '';
+ };
 
- ### TLS
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
- # Disable embedding as a frame
- # add_header X-Frame-Options DENY;
-
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
+ virtualHosts."auth.oxapentane.com".extraConfig = ''
+ reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
 '';
 
- virtualHosts."oxapentane.com" = {
- forceSSL = true;
- enableACME = true;
- default = true;
- locations."/" = {
- root = "${website}";
- index = "index.html";
- };
- };
- virtualHosts."www.oxapentane.com" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- return = "302 https://oxapentane.com";
- };
- };
- };
+ virtualHosts."dav.oxapentane.com".extraConfig = ''
+ route {
+ reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
 
- security.acme = {
- acceptTerms = true;
- defaults.email = "acme@oxapentane.com";
+ forward_auth 10.89.88.11:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
+ trusted_proxies 10.89.88.11 fd31:185d:722f::11
+ }
+ }
+ reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232
+
+ '';
+
+ virtualHosts."immich.oxapentane.com".extraConfig = ''
+ reverse_proxy 10.89.88.13:2283
+ '';
+
+ virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
 };
 }
diff --git a/hosts/cloud/proxy/git.nix b/hosts/cloud/proxy/git.nix
index ac53f4c..6986f80 100644
--- a/hosts/cloud/proxy/git.nix
+++ b/hosts/cloud/proxy/git.nix
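Review bot: The new `services.caddy` block drops the response-hardening headers that the removed `appendHttpConfig` used to add (`Strict-Transport-Security` with preload, `Referrer-Policy`, `X-Content-Type-Options nosniff`), and Caddy does not emit any of them on its own, so every vhost in this hunk now answers without HSTS or nosniff. Restoring them is three Caddyfile lines per site, `header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"`, `header Referrer-Policy origin-when-cross-origin`, `header X-Content-Type-Options nosniff`, most compactly as a snippet in `services.caddy.extraConfig` that each vhost imports. Separately, the conduwuit and immich upstreams (`10.89.88.16:6167`, `10.89.88.13:2283`) list only the IPv4 address, while the deleted nginx files and the auth/dav/git vhosts in this commit carry the matching `fd31:185d:722f::` address as well, which looks like an oversight rather than a deliberate change. Note also that `www.oxapentane.com` goes from a 302 to the apex to a `serverAliases` entry that serves the site itself, which is fine if intended but is a visible behaviour change worth a line in the commit message.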
@@ -35,34 +35,6 @@
 "fd31:185d:722e::1"
 ];
 
- services.nginx.upstreams.forgejo = {
- servers = {
- "10.89.88.15:3000" = { };
- "[fd31:185d:722f::15]:3000" = { };
- };
- };
-
- services.nginx.virtualHosts."git.oxapentane.com" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://forgejo";
- extraConfig = ''
- client_max_body_size 50000M;
-
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- send_timeout 600s;
- '';
- };
- };
+ services.caddy.virtualHosts."git.oxapentane.com".extraConfig =
+ "reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000";
 }
diff --git a/hosts/cloud/proxy/immich.nix b/hosts/cloud/proxy/immich.nix
deleted file mode 100644
index 93e62d2..0000000
--- a/hosts/cloud/proxy/immich.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ ... }:
-{
- services.nginx.upstreams.immich = {
- servers = {
- "10.89.88.13:2283" = { };
- "[fd31:185d:722f::13]:2283" = { };
- };
- };
-
- services.nginx.virtualHosts."immich.oxapentane.com" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://immich";
- extraConfig = ''
- client_max_body_size 50000M;
-
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- send_timeout 600s;
- '';
- };
- };
-}
diff --git a/hosts/cloud/proxy/news.nix b/hosts/cloud/proxy/news.nix
deleted file mode 100644
index 3bbfda2..0000000
--- a/hosts/cloud/proxy/news.nix
+++ /dev/null
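Review bot: The one-line `extraConfig` for `git.oxapentane.com` silently loses the `client_max_body_size 50000M` bound the nginx block had, and Caddy's `reverse_proxy` applies no request-body limit of its own, so uploads to forgejo are now uncapped at the proxy layer. If that bound was meant as a guard rather than just a workaround for nginx's 1M default, put `request_body { max_size 50GB }` in front of the `reverse_proxy` line, which means turning the string into a multi-line `''…''` like the other vhosts in this commit. The 600s read/send timeouts from the old block likewise have no explicit Caddy counterpart, which matches the other migrated vhosts and is presumably intended, but is worth stating in the commit message.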
@@ -1,17 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."news.oxapentane.com" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://10.89.88.14:8080";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_redirect off;
- '';
- };
- };
-}