sapphic.moe / flake
❄️ Dotfiles for our NixOS system configuration.
fork atom

refactor(services:caddy): try trusted_proxies

Chloe A 780eccc4 f27c093a

options
unified split
Changed files
+20 -1
services
caddy
default.nix
ntfy
default.nix
+18 -1
services/caddy/default.nix 
···

       
9

       
9

       
 

       
  services.caddy = {


     

       
10

       
10

       
 

       
    enable = true;


     

       
11

       
11

       
 

       
    package = pkgs.caddy.withPlugins {


     

       
12

       

       
-

       
      plugins = [ "github.com/caddy-dns/bunny@v1.2.0" ];


     

       

       
12

       
+

       
      plugins = [


     

       

       
13

       
+

       
        "github.com/caddy-dns/bunny@v1.2.0"


     

       

       
14

       
+

       
        "github.com/digilolnet/caddy-bunny-ip@v0.0.0-20250118080727-ef607b8e1644"


     

       

       
15

       
+

       
      ];


     

       
13

       
16

       
 

       
      hash = "sha256-bwffi5sWq07DVoPQGgEIN1jnvQKL6c4tFfR9AT9ThD4=";


     

       
14

       
17

       
 

       
    };


     

       
15

       
18

       
 

       
    environmentFile = config.age.secrets.caddy.path;


     

       
16

       
19

       
 

       
    globalConfig = ''


     

       
17

       
20

       
 

       
      email chloe@sapphic.moe


     

       

       
21

       
+

       
      servers {


     

       

       
22

       
+

       
        trusted_proxies bunny {


     

       

       
23

       
+

       
          interval 6h


     

       

       
24

       
+

       
          timeout 25s


     

       

       
25

       
+

       
        }


     

       

       
26

       
+

       
      }


     

       
18

       
27

       
 

       
    '';


     

       
19

       
28

       
 

       
    extraConfig = ''


     

       
20

       
29

       
 

       
      (tls_bunny) {


     
···

       
23

       
32

       
 

       
          resolvers 9.9.9.9 149.112.112.112


     

       
24

       
33

       
 

       
        }


     

       
25

       
34

       
 

       
      }


     

       

       
35

       
+

       



     

       
26

       
36

       
 

       
      (common) {


     

       
27

       
37

       
 

       
        encode zstd gzip


     

       

       
38

       
+

       
      }


     

       

       
39

       
+

       



     

       

       
40

       
+

       
      (deny_non_bunny) {


     

       

       
41

       
+

       
        @not_bunny not client_ip 127.0.0.1 ::1


     

       

       
42

       
+

       
        handle @not_bunny {


     

       

       
43

       
+

       
          abort


     

       

       
44

       
+

       
        }


     

       
28

       
45

       
 

       
      }


     

       
29

       
46

       
 

       
    '';


     

       
30

       
47

       
 

       
    logFormat = ''
+2
services/ntfy/default.nix 
···

       
33

       
33

       
 

       
  services.caddy.virtualHosts."notify.sappho.systems" = {


     

       
34

       
34

       
 

       
    extraConfig = ''


     

       
35

       
35

       
 

       
      import common


     

       

       
36

       
+

       
      import tls_bunny


     

       

       
37

       
+

       
      import deny_non_bunny


     

       
36

       
38

       
 

       



     

       
37

       
39

       
 

       
      reverse_proxy http://127.0.0.1:7070 {


     

       
38

       
40

       
 

       
        header_up X-Forwarded-Proto https