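# NixOS module for the public web front end: opens TCP 80/443 and configures
# Caddy to serve the static site and to reverse-proxy the internal services
# on 10.89.88.x, two of them behind authentik forward-auth.
{ inputs, ... }:
let
  # Static site build taken from the `website` flake input (x86_64-linux only).
  website = inputs.website.packages."x86_64-linux".default;
in
{
  imports = [
    ./git.nix
  ];

  # Only HTTP and HTTPS over TCP are opened by this module.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.caddy = {
    enable = true;

    # Apex site: Matrix endpoints go to the homeserver, everything else is
    # served from the static website build.
    virtualHosts."oxapentane.com" = {
      serverAliases = [ "www.oxapentane.com" ];
      extraConfig = ''
        # conduit
        @matrix {
          path /.well-known/matrix/*
          path /_matrix/*
        }

        # `route` keeps the directives below in the order written.
        route {
          # Wildcard CORS is limited to the Matrix discovery documents.
          header /.well-known/matrix/* Access-Control-Allow-Origin *

          reverse_proxy @matrix 10.89.88.16:6167

          # file server
          file_server {
            root ${website}
            index index.html
          }
        }
      '';
    };

    # Identity provider itself; proxied directly, no forward_auth in front.
    virtualHosts."auth.oxapentane.com".extraConfig = ''
      reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
    '';

    # Every request to this host passes forward_auth; the backend receives the
    # authenticated user name as X-Remote-User.
    virtualHosts."dav.oxapentane.com".extraConfig = ''
      route {
        reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000

        # Drop identity headers sent by the client, so the backend only ever
        # sees values copied from the auth response below. Depending on the
        # Caddy version, copy_headers may leave a client-supplied header in
        # place when the auth response omits it.
        request_header -X-Remote-User
        request_header -X-Authentik-*

        forward_auth 10.89.88.11:9000 {
          uri /outpost.goauthentik.io/auth/caddy
          copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
          trusted_proxies 10.89.88.11 fd31:185d:722f::11
        }
      }
      reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232
    '';

    # No forward_auth on the next two hosts: access control is left entirely
    # to the backend application.
    virtualHosts."immich.oxapentane.com".extraConfig = ''
      reverse_proxy 10.89.88.13:2283
    '';

    virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";

    # Three path classes on this host:
    #   /share/*        no forward_auth, proxied straight to the backend
    #   /rest/*         forward_auth, failures rewritten to a Subsonic error
    #   everything else forward_auth with the normal auth response
    # The backend receives the authenticated user name as Remote-User.
    virtualHosts."music.oxapentane.com".extraConfig = ''
      route {
        # /share/* never reaches forward_auth, so without this line a
        # Remote-User header sent by the client would be proxied unchanged.
        # Removing it up front covers all three path classes.
        request_header -Remote-User

        reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000

        @protected not path /share/* /rest/*
        forward_auth @protected 10.89.88.11:9000 {
          uri /outpost.goauthentik.io/auth/caddy
          copy_headers X-Authentik-Username>Remote-User
          trusted_proxies 10.89.88.11 fd31:185d:722f::11
        }

        @subsonic path /rest/*
        forward_auth @subsonic 10.89.88.11:9000 {
          uri /outpost.goauthentik.io/auth/caddy
          copy_headers X-Authentik-Username>Remote-User

          # Any non-2xx auth response is answered with HTTP 200 and a Subsonic
          # "failed" document. Failed logins on /rest/* are therefore not
          # visible as 401/403 in status-based log queries.
          @error status 1xx 3xx 4xx 5xx
          handle_response @error {
            respond <<SUBSONICERR
            <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
              <error code="40" message="Invalid credentials or unsupported client"></error>
            </subsonic-response>
            SUBSONICERR 200
          }
          trusted_proxies 10.89.88.11 fd31:185d:722f::11
        }
      }
      reverse_proxy 10.89.88.17:4533
    '';
  };
}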