commit 5cfe24c2c536a6321103a8d63ea3d6a42db626f7 · pyrox.dev/nix

-178

systems/x86_64-linux/prefect/services/Caddyfile

···

       1
       1
       -
       {

     

       2
       2
       -
         email pyrox@pyrox.dev

     

       3
       3
       -
       }

     

       4
       4
       -
       thehedgehog.me {

     

       5
       5
       -
         redir https://pyrox.dev{uri} permanent

     

       6
       6
       -
       }

     

       7
       7
       -
       pyrox.dev {

     

       8
       8
       -
         route {

     

       9
       9
       -
           header /.well-known/matrix/* Access-Control-Allow-Origin *

     

       10
       10
       -
           reverse_proxy /.well-known/matrix/* http://100.123.15.72:6922

     

       11
       11
       -
           redir /.well-known/carddav https://cloud.pyrox.dev/.well-known/carddav temporary

     

       12
       12
       -
           redir /.well-known/caldav https://cloud.pyrox.dev/.well-known/caldav temporary

     

       13
       13
       -
           header /.well-known/openpgpkey/* Access-Control-Allow-Origin *

     

       14
       14
       -
           header /.well-known/openpgpkey/hu/* application/octet-stream

     

       15
       15
       -
           respond /.well-known/openpgpkey/*/policy 200

     

       16
       16
       -
           header /.well-known/fursona Content-Type application/json

     

       17
       17
       -
           header {

     

       18
       18
       -
             X-Content-Type-Options nosniff

     

       19
       19
       -
             Permissions-Policy accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), unload=(),

     

       20
       20
       -
             +Permissions-Policy display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(),

     

       21
       21
       -
             +Permissions-Policy gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(),

     

       22
       22
       -
             +Permissions-Policy payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(),

     

       23
       23
       -
             +Permissions-Policy sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(),

     

       24
       24
       -
             +Permissions-Policy clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=()

     

       25
       25
       -
             X-Frame-Options SAMEORIGIN

     

       26
       26
       -
             Referrer-Policy origin

     

       27
       27
       -
             -Server

     

       28
       28
       -
           }

     

       29
       29
       -
           file_server {

     

       30
       30
       -
             root /var/www/blog

     

       31
       31
       -
             hide .git

     

       32
       32
       -
             precompressed br gzip

     

       33
       33
       -
           }

     

       34
       34
       -
         }

     

       35
       35
       -
       }

     

       36
       36
       -
       

     

       37
       37
       -
       www.pyrox.dev {

     

       38
       38
       -
         redir https://pyrox.dev{uri} permanent

     

       39
       39
       -
       }

     

       40
       40
       -
       

     

       41
       41
       -
       # Authentik - Self-hosted OIDC and LDAP server

     

       42
       42
       -
       auth.pyrox.dev:443 {

     

       43
       43
       -
         reverse_proxy http://100.123.15.72:6908

     

       44
       44
       -
       }

     

       45
       45
       -
       auth.pyrox.dev:80 {

     

       46
       46
       -
         reverse_proxy http://100.123.15.72:6908

     

       47
       47
       -
       }

     

       48
       48
       -
       http://auth.pyrox.dev:389 {

     

       49
       49
       -
         reverse_proxy http://100.123.15.72:389

     

       50
       50
       -
       }

     

       51
       51
       -
       auth.pyrox.dev:636 {

     

       52
       52
       -
         reverse_proxy http://100.123.15.72:636

     

       53
       53
       -
       }

     

       54
       54
       -
       

     

       55
       55
       -
       blog.pyrox.dev {

     

       56
       56
       -
         redir https://pyrox.dev{uri} permanent

     

       57
       57
       -
       }

     

       58
       58
       -
       

     

       59
       59
       -
       # Vaultwarden - Self-Hosted Bitwarden Server

     

       60
       60
       -
       bw.pyrox.dev {

     

       61
       61
       -
         reverse_proxy 100.123.15.72:6912 {

     

       62
       62
       -
           header_up X-Real-IP {remote_host}

     

       63
       63
       -
         }

     

       64
       64
       -
       }

     

       65
       65
       -
       

     

       66
       66
       -
       cloud.pyrox.dev {

     

       67
       67
       -
         reverse_proxy http://100.123.15.72:6926

     

       68
       68
       -
       }

     

       69
       69
       -
       

     

       70
       70
       -
       # Deemix - download music from Deezer

     

       71
       71
       -
       deemix.pyrox.dev {

     

       72
       72
       -
         reverse_proxy http://100.123.15.72:6907

     

       73
       73
       -
       }

     

       74
       74
       -
       

     

       75
       75
       -
       # Gitea(Forgejo) - Self-hosted Git forge

     

       76
       76
       -
       git.pyrox.dev {

     

       77
       77
       -
         reverse_proxy http://100.123.15.72:6904

     

       78
       78
       -
       }

     

       79
       79
       -
       

     

       80
       80
       -
       library.pyrox.dev {

     

       81
       81
       -
         reverse_proxy http://100.123.15.72:6921

     

       82
       82
       -
       }

     

       83
       83
       -
       

     

       84
       84
       -
       mail.pyrox.dev {

     

       85
       85
       -
       }

     

       86
       86
       -
       

     

       87
       87
       -
       # Cinny: Elegant matrix client

     

       88
       88
       -
       # Also has Dendrite for matrix server

     

       89
       89
       -
       matrix.pyrox.dev {

     

       90
       90
       -
         @index {

     

       91
       91
       -
           not path /index.html

     

       92
       92
       -
           not path /public/*

     

       93
       93
       -
           not path /assets/*

     

       94
       94
       -
           not path /config.json

     

       95
       95
       -
           not path /manifest.json

     

       96
       96
       -
           not path /pdf.worker.min.js

     

       97
       97
       -
           not path /olm.wasm

     

       98
       98
       -
           path /*

     

       99
       99
       -
         }

     

       100
       100
       -
         handle /_matrix/* {

     

       101
       101
       -
           reverse_proxy http://100.123.15.72:6922

     

       102
       102
       -
         }

     

       103
       103
       -
         handle {

     

       104
       104
       -
           root * /var/www/cinny/dist/

     

       105
       105
       -
           redir /*/olm.wasm /olm.wasm

     

       106
       106
       -
           redir @index /index.html

     

       107
       107
       -
           file_server

     

       108
       108
       -
         }

     

       109
       109
       -
       }

     

       110
       110
       -
       

     

       111
       111
       -
       # Jellyfin - Self-hosted media server

     

       112
       112
       -
       media.pyrox.dev {

     

       113
       113
       -
         @blocked not remote_ip 100.64.0.0/10 private_ranges

     

       114
       114
       -
         reverse_proxy http://100.123.15.72:8096

     

       115
       115
       -
         handle /metrics* {

     

       116
       116
       -
           respond @blocked "Access Denied" 403

     

       117
       117
       -
         }

     

       118
       118
       -
       }

     

       119
       119
       -
       

     

       120
       120
       -
       mta-sts.pyrox.dev {

     

       121
       121
       -
         header Content-Type text/plain; charset=utf-8

     

       122
       122
       -
         respond /.well-known/mta-sts.txt <<END

     

       123
       123
       -
             version: STSv1

     

       124
       124
       -
             mode: enforce

     

       125
       125
       -
             mx: mail.pyrox.dev

     

       126
       126
       -
             mx:mail2.pyrox.dev

     

       127
       127
       -
             max_age: 2419200

     

       128
       128
       -
             END 200

     

       129
       129
       -
       }

     

       130
       130
       -
       

     

       131
       131
       -
       office.pyrox.dev {

     

       132
       132
       -
         reverse_proxy http://100.123.15.72:6927

     

       133
       133
       -
       }

     

       134
       134
       -
       

     

       135
       135
       -
       # Miniflux

     

       136
       136
       -
       rss.pyrox.dev {

     

       137
       137
       -
         reverse_proxy http://100.123.15.72:6903

     

       138
       138
       -
       }

     

       139
       139
       -
       

     

       140
       140
       -
       # Iceshrimp

     

       141
       141
       -
       soc.pyrox.dev {

     

       142
       142
       -
         reverse_proxy http://100.123.15.72:6923

     

       143
       143
       -
       }

     

       144
       144
       -
       

     

       145
       145
       -
       # Grafana - stats dashboard

     

       146
       146
       -
       stats.pyrox.dev {

     

       147
       147
       -
         reverse_proxy http://100.123.15.72:6914

     

       148
       148
       -
       }

     

       149
       149
       -
       

     

       150
       150
       -
       # Yourmother.website - The best rick-roll URL, period

     

       151
       151
       -
       yourmother.website {

     

       152
       152
       -
         header Content-Type text/html

     

       153
       153
       -
         respond 200 {

     

       154
       154
       -
           body `<!DOCTYPE html>

     

       155
       155
       -
           <html>

     

       156
       156
       -
           <head>

     

       157
       157
       -
           <meta http-equiv="Refresh" content="0; url=https://youtube.com/watch?v=oHg5SJYRHA0" />

     

       158
       158
       -
           </head>

     

       159
       159
       -
           </html>`

     

       160
       160
       -
         }

     

       161
       161
       -
       }

     

       162
       162
       -
       

     

       163
       163
       -
       plan.cs2a.club {

     

       164
       164
       -
         reverse_proxy http://100.123.15.72:6929

     

       165
       165
       -
       }

     

       166
       166
       -
       

     

       167
       167
       -
       # OpenPGP Key

     

       168
       168
       -
       openpgpkey.thehedgehog.me, openpgpkey.pyrox.dev {

     

       169
       169
       -
         respond /.well-known/openpgpkey/{labels.1}.{labels.0}/policy 200

     

       170
       170
       -
         header Access-Control-Allow-Origin *

     

       171
       171
       -
         header /.well-known/openpgpkey/{labels.1}.{labels.0}/hu/* Content-Type application/octet-stream

     

       172
       172
       -
         file_server {

     

       173
       173
       -
           root /var/www/blog/

     

       174
       174
       -
         }

     

       175
       175
       -
       }

     

       176
       176
       -
       :6899 {

     

       177
       177
       -
         metrics /metrics

     

       178
       178
       -
       }

+166 -4

systems/x86_64-linux/prefect/services/caddy.nix

···

       1
       1
       -
       { pkgs, ... }:

     

       2
       2
       -
       {

     

       1
       1
       +
       { pkgs, lib, ... }: let

     

       2
       2
       +
         pns = lib.py.data.services;

     

       3
       3
       +
         marvin = lib.py.data.hosts.marvin.ts.ip4;

     

       4
       4
       +
         reverseProxyToMarvin = port: {

     

       5
       5
       +
         extraConfig = ''

     

       6
       6
       +
           reverse_proxy http://${marvin}:${toString port}

     

       7
       7
       +
         '';

     

       8
       8
       +
         };

     

       9
       9
       +
         # Hosts that are just a reverse proxy declaration and nothing else

     

       10
       10
       +
         simpleHosts = [

     

       11
       11
       +
           "nextcloud"

     

       12
       12
       +
           "nextcloud-office"

     

       13
       13
       +
           "git"

     

       14
       14
       +
           "miniflux"

     

       15
       15
       +
           "iceshrimp"

     

       16
       16
       +
           "grafana"

     

       17
       17
       +
           "deemix"

     

       18
       18
       +
           "planka"

     

       19
       19
       +
         ];

     

       20
       20
       +
       

     

       21
       21
       +
         simpleHostAttrs = lib.mapAttrs' (name: value: lib.nameValuePair "${pns.${name}.extUrl}" (reverseProxyToMarvin (toString pns.${value}.port)))

     

       22
       22
       +
           (lib.genAttrs simpleHosts (name: name));

     

       23
       23
       +
       in {

     

       3
       24
        
         services.caddy = {

     

       4
       25
        
           enable = true;

     

       5
       26
        
           package = pkgs.caddy.withPlugins {

     
···

       9
       30
        
             ];

     

       10
       31
        
             hash = "sha256-nfBjtwqn7UOGRr5Aqy0y1u9AYhWU9TLjbdhZ9uAwtHY=";

     

       11
       32
        
           };

     

       12
       12
       -
           configFile = ./Caddyfile;

     

       13
       13
       -
           adapter = "caddyfile";

     

       33
       33
       +
           email = "pyrox@pyrox.dev";

     

       34
       34
       +
           virtualHosts = {

     

       35
       35
       +
             # Just get TLS certs for mailserver

     

       36
       36
       +
             "mail.pyrox.dev" = {};

     

       37
       37
       +
             # Redirect old domains -> pyrox.dev

     

       38
       38
       +
             "blog.pyrox.dev" = {

     

       39
       39
       +
               serverAliases = ["www.pyrox.dev" "thehedgehog.me"];

     

       40
       40
       +
               extraConfig = ''

     

       41
       41
       +
                 redir https://pyrox.dev{uri} permanent

     

       42
       42
       +
               '';

     

       43
       43
       +
             };

     

       44
       44
       +
             "pyrox.dev" = {

     

       45
       45
       +
               extraConfig = ''

     

       46
       46
       +
                 route {

     

       47
       47
       +
                   header /.well-known/matrix/* Access-Control-Allow-Origin *

     

       48
       48
       +
                   reverse_proxy /.well-known/matrix/* http://100.123.15.72:6922

     

       49
       49
       +
                   redir /.well-known/carddav https://cloud.pyrox.dev/.well-known/carddav temporary

     

       50
       50
       +
                   redir /.well-known/caldav https://cloud.pyrox.dev/.well-known/caldav temporary

     

       51
       51
       +
                   header /.well-known/openpgpkey/* Access-Control-Allow-Origin *

     

       52
       52
       +
                   header /.well-known/openpgpkey/hu/* application/octet-stream

     

       53
       53
       +
                   respond /.well-known/openpgpkey/*/policy 200

     

       54
       54
       +
                   header /.well-known/fursona Content-Type application/json

     

       55
       55
       +
                   header {

     

       56
       56
       +
                     X-Content-Type-Options nosniff

     

       57
       57
       +
                     Permissions-Policy accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), unload=(),

     

       58
       58
       +
                     +Permissions-Policy display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(),

     

       59
       59
       +
                     +Permissions-Policy gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(),

     

       60
       60
       +
                     +Permissions-Policy payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(),

     

       61
       61
       +
                     +Permissions-Policy sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(),

     

       62
       62
       +
                     +Permissions-Policy clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=()

     

       63
       63
       +
                     X-Frame-Options SAMEORIGIN

     

       64
       64
       +
                     Referrer-Policy origin

     

       65
       65
       +
                     -Server

     

       66
       66
       +
                   }

     

       67
       67
       +
                   file_server {

     

       68
       68
       +
                     root /var/www/blog

     

       69
       69
       +
                     hide .git

     

       70
       70
       +
                     precompressed br gzip

     

       71
       71
       +
                   }

     

       72
       72
       +
                 }

     

       73
       73
       +
               '';

     

       74
       74
       +
             };

     

       75
       75
       +
       

     

       76
       76
       +
             # Authentik

     

       77
       77
       +
             "${pns.authentik.extUrl}:443" = reverseProxyToMarvin pns.authentik.port;

     

       78
       78
       +
             "${pns.authentik.extUrl}:80" = reverseProxyToMarvin pns.authentik.port;

     

       79
       79
       +
             "http://${pns.authentik.extUrl}:389" = reverseProxyToMarvin 389;

     

       80
       80
       +
             "${pns.authentik.extUrl}:636" = reverseProxyToMarvin 636;

     

       81
       81
       +
       

     

       82
       82
       +
             # Vaultwarden

     

       83
       83
       +
             ${pns.vaultwarden.extUrl} = {

     

       84
       84
       +
               extraConfig = ''

     

       85
       85
       +
                 header / {

     

       86
       86
       +
                   Strict-Transport-Security "max-age=31536000;"

     

       87
       87
       +
                   X-XSS-Protection "0"

     

       88
       88
       +
                   X-Frame-Options "DENY"

     

       89
       89
       +
                   X-Robots-Tag "noindex, nofollow"

     

       90
       90
       +
                   X-Content-Type-Options "nosniff"

     

       91
       91
       +
                   -Server

     

       92
       92
       +
                   -X-Powered-By

     

       93
       93
       +
                   -Last-Modified

     

       94
       94
       +
                 }

     

       95
       95
       +
                 reverse_proxy ${marvin}:${toString pns.vaultwarden.port} {

     

       96
       96
       +
                   header_up X-Real-IP {remote_host}

     

       97
       97
       +
                 }

     

       98
       98
       +
               '';

     

       99
       99
       +
             };

     

       100
       100
       +
       

     

       101
       101
       +
             # Cinny + Conduit

     

       102
       102
       +
             ${pns.matrix-server.extUrl} = {

     

       103
       103
       +
               extraConfig = ''

     

       104
       104
       +
                 handle /_matrix/* {

     

       105
       105
       +
                   reverse_proxy http://100.123.15.72:6922

     

       106
       106
       +
                 }

     

       107
       107
       +
                 @nativeRouter not file {path} /

     

       108
       108
       +
                 handle {

     

       109
       109
       +
                   rewrite @nativeRouter {http.matchers.file.relative}

     

       110
       110
       +
                   root * /var/www/cinny/dist

     

       111
       111
       +
                   file_server

     

       112
       112
       +
                 }

     

       113
       113
       +
               '';

     

       114
       114
       +
             };

     

       115
       115
       +
       

     

       116
       116
       +
             # Jellyfin

     

       117
       117
       +
             ${pns.jellyfin.extUrl} = {

     

       118
       118
       +
               extraConfig = ''

     

       119
       119
       +
                 @blocked not remote_ip 100.64.0.0/10 private_ranges

     

       120
       120
       +
                 reverse_proxy http://${marvin}:${toString pns.jellyfin.port}

     

       121
       121
       +
                 handle /metrics* {

     

       122
       122
       +
                   respond @blocked "Access Denied" 403

     

       123
       123
       +
                 }

     

       124
       124
       +
               '';

     

       125
       125
       +
             };

     

       126
       126
       +
       

     

       127
       127
       +
             # MTA-STS Setup for mailserver

     

       128
       128
       +
             "mta-sts.pyrox.dev" = {

     

       129
       129
       +
               extraConfig = ''

     

       130
       130
       +
                 header Content-Type text/plain; charset=utf-8

     

       131
       131
       +
                 respond /.well-known/mta-sts.txt <<END

     

       132
       132
       +
                     version: STSv1

     

       133
       133
       +
                     mode: enforce

     

       134
       134
       +
                     mx: mail.pyrox.dev

     

       135
       135
       +
                     mx:mail2.pyrox.dev

     

       136
       136
       +
                     max_age: 2419200

     

       137
       137
       +
                     END 200

     

       138
       138
       +
               '';

     

       139
       139
       +
             };

     

       140
       140
       +
       

     

       141
       141
       +
             # Yourmother.website

     

       142
       142
       +
             "yourmother.website" = {

     

       143
       143
       +
               extraConfig = ''

     

       144
       144
       +
                 header Content-Type text/html

     

       145
       145
       +
                 respond 200 {

     

       146
       146
       +
                   body `<!DOCTYPE html>

     

       147
       147
       +
                   <html>

     

       148
       148
       +
                   <head>

     

       149
       149
       +
                   <meta http-equiv="Refresh" content="0; url=https://youtube.com/watch?v=oHg5SJYRHA0" />

     

       150
       150
       +
                   </head>

     

       151
       151
       +
                   </html>`

     

       152
       152
       +
                 }

     

       153
       153
       +
               '';

     

       154
       154
       +
             };

     

       155
       155
       +
       

     

       156
       156
       +
             # OpenPGP WKD stuff

     

       157
       157
       +
             "openpgpkey.pyrox.dev" = {

     

       158
       158
       +
               serverAliases = [ "openpgpkey.thehedgehog.me" ];

     

       159
       159
       +
               extraConfig = ''

     

       160
       160
       +
                 respond /.well-known/openpgpkey/{labels.1}.{labels.0}/policy 200

     

       161
       161
       +
                 header Access-Control-Allow-Origin *

     

       162
       162
       +
                 header /.well-known/openpgpkey/{labels.1}.{labels.0}/hu/* Content-Type application/octet-stream

     

       163
       163
       +
                 file_server {

     

       164
       164
       +
                   root /var/www/blog/

     

       165
       165
       +
                 }

     

       166
       166
       +
               '';

     

       167
       167
       +
             };

     

       168
       168
       +
       

     

       169
       169
       +
             # Metrics

     

       170
       170
       +
             ":6899" = {

     

       171
       171
       +
               extraConfig = ''

     

       172
       172
       +
                 metrics /metrics

     

       173
       173
       +
               '';

     

       174
       174
       +
             };

     

       175
       175
       +
           } // simpleHostAttrs;

     

       14
       176
        
         };

     

       15
       177
        
         systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       16
       178
        
         systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";