0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

nginx->caddy

Browse source
This commit is contained in:
Grisha Shipunov 2025-06-11 19:25:44 +02:00
parent f9ff89e13e
commit b2a00d0006
7 changed files with 42 additions and 282 deletions
Download patch file Download diff file Expand all files Collapse all files

36
hosts/cloud/proxy/auth.nix
View file

@ -1,36 +0,0 @@
{ ... }:
{
services.nginx.upstreams.authentik = {
servers = {
"10.89.88.11:9000" = { };
"[fd31:185d:722f::11]:9000" = { };
};
extraConfig = ''
keepalive 10;
'';
};
services.nginx.virtualHosts."auth.oxapentane.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://authentik";
extraConfig = ''
# general proxy settings
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# authentik specifik
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
'';
};
};
}

47
hosts/cloud/proxy/conduwuit.nix
View file

@ -1,47 +0,0 @@
{ ... }:
let
proxy-conf = ''
client_max_body_size 50M;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Access-Control-Allow-Origin *;
proxy_set_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
proxy_set_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
'';
in
{
services.nginx.upstreams.conduwuit = {
servers = {
"10.89.88.16:6167" = { };
"[fd31:185d:722f::16]:6167" = { };
};
};
services.nginx.virtualHosts."oxapentane.com" = {
locations."/_matrix/" = {
proxyPass = "http://conduwuit$request_uri";
extraConfig = proxy-conf;
};
locations."/_conduwuit/" = {
proxyPass = "http://conduwuit$request_uri";
extraConfig = proxy-conf;
};
locations."/.well-known/matrix" = {
proxyPass = "http://conduwuit$request_uri";
extraConfig = proxy-conf;
};
};
}

64
hosts/cloud/proxy/dav.nix
View file

@ -1,64 +0,0 @@
{ ... }:
{
services.nginx.upstreams.radicale = {
servers = {
"10.89.88.12:5232" = { };
"[fd31:185d:722f::12]:5232" = { };
};
};
services.nginx.virtualHosts."dav.oxapentane.com" = {
forceSSL = true;
enableACME = true;
# Radicale
locations."/" = {
proxyPass = "http://radicale";
extraConfig = ''
# Radicale stuff
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
# authentik stuff
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_set_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-Remote-User $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-entitlements $authentik_entitlements;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
locations."/outpost.goauthentik.io" = {
proxyPass = "http://authentik/outpost.goauthentik.io";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
'';
};
locations."@goauthentik_proxy_signin" = {
extraConfig = ''
internal;
proxy_set_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
'';
};
};
}

95
hosts/cloud/proxy/default.nix
View file

@ -4,12 +4,7 @@ let
in
{
imports = [
./auth.nix
./conduwuit.nix
./dav.nix
./git.nix
./immich.nix
./news.nix
];
networking.firewall.allowedTCPPorts = [
@ -17,63 +12,53 @@ in
443
];
services.nginx = {
services.caddy = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# upgrade websockets
map $http_upgrade $connection_upgrade_keepalive {
default upgrade;
''' ''';
virtualHosts."oxapentane.com" = {
serverAliases = [ "www.oxapentane.com" ];
extraConfig = ''
# conduit
@matrix {
path /.well-known/matrix/*
path /_matrix/*
}
### TLS
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
route {
header /.well-known/matrix/* Access-Control-Allow-Origin *
reverse_proxy @matrix 10.89.88.16:6167
# file server
file_server {
root ${website}
index index.html
}
add_header Strict-Transport-Security $hsts_header;
}
'';
};
# Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
# add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
virtualHosts."auth.oxapentane.com".extraConfig = ''
reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
'';
virtualHosts."oxapentane.com" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${website}";
index = "index.html";
};
};
virtualHosts."www.oxapentane.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
return = "302 https://oxapentane.com";
};
};
};
virtualHosts."dav.oxapentane.com".extraConfig = ''
route {
reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
security.acme = {
acceptTerms = true;
defaults.email = "acme@oxapentane.com";
forward_auth 10.89.88.11:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
trusted_proxies 10.89.88.11 fd31:185d:722f::11
}
}
reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232
'';
virtualHosts."immich.oxapentane.com".extraConfig = ''
reverse_proxy 10.89.88.13:2283
'';
virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
};
}

32
hosts/cloud/proxy/git.nix
View file

@ -35,34 +35,6 @@
"fd31:185d:722e::1"
];
services.nginx.upstreams.forgejo = {
servers = {
"10.89.88.15:3000" = { };
"[fd31:185d:722f::15]:3000" = { };
};
};
services.nginx.virtualHosts."git.oxapentane.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://forgejo";
extraConfig = ''
client_max_body_size 50000M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
'';
};
};
services.caddy.virtualHosts."git.oxapentane.com".extraConfig =
"reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000";
}

33
hosts/cloud/proxy/immich.nix
View file

@ -1,33 +0,0 @@
{ ... }:
{
services.nginx.upstreams.immich = {
servers = {
"10.89.88.13:2283" = { };
"[fd31:185d:722f::13]:2283" = { };
};
};
services.nginx.virtualHosts."immich.oxapentane.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://immich";
extraConfig = ''
client_max_body_size 50000M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
'';
};
};
}

17
hosts/cloud/proxy/news.nix
View file

@ -1,17 +0,0 @@
{ ... }:
{
services.nginx.virtualHosts."news.oxapentane.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://10.89.88.14:8080";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
'';
};
};
}