nginx->caddy

2025-06-11 19:25:44 +02:00 · 2025-06-11 19:25:44 +02:00 · b2a00d0006
commit b2a00d0006
parent f9ff89e13e
7 changed files with 42 additions and 282 deletions
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@ -4,12 +4,7 @@ let
 in
 {
  imports = [
-    ./auth.nix
-    ./conduwuit.nix
-    ./dav.nix
    ./git.nix
-    ./immich.nix
-    ./news.nix
  ];

  networking.firewall.allowedTCPPorts = [
@ -17,63 +12,53 @@ in
    443
  ];

-  services.nginx = {
+  services.caddy = {
    enable = true;
+    virtualHosts."oxapentane.com" = {
+      serverAliases = [ "www.oxapentane.com" ];
+      extraConfig = ''
+        # conduit
+        @matrix {
+            path /.well-known/matrix/*
+            path /_matrix/*
+        }

-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedTlsSettings = true;
+        route {
+            header /.well-known/matrix/* Access-Control-Allow-Origin *

-    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+            reverse_proxy @matrix 10.89.88.16:6167

-    appendHttpConfig = ''
-      # upgrade websockets
-      map $http_upgrade $connection_upgrade_keepalive {
-        default upgrade;
-        '''      ''';
-      }
+            # file server
+            file_server {
+                root ${website}
+                index index.html
+            }
+        }
+      '';
+    };

-      ### TLS
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame
-      # add_header X-Frame-Options DENY;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
+    virtualHosts."auth.oxapentane.com".extraConfig = ''
+      reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
    '';

-    virtualHosts."oxapentane.com" = {
-      forceSSL = true;
-      enableACME = true;
-      default = true;
-      locations."/" = {
-        root = "${website}";
-        index = "index.html";
-      };
-    };
-    virtualHosts."www.oxapentane.com" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        return = "302 https://oxapentane.com";
-      };
-    };
-  };
+    virtualHosts."dav.oxapentane.com".extraConfig = ''
+      route {
+          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000

-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "acme@oxapentane.com";
+          forward_auth 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+      }
+      reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232
+
+    '';
+
+    virtualHosts."immich.oxapentane.com".extraConfig = ''
+      reverse_proxy 10.89.88.13:2283
+    '';
+
+    virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
  };
 }