From 657ae1385e7151d1fccebf87befb86a30471b8ee Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 21 May 2024 18:44:04 +0200
Subject: [PATCH] nuc: switch to caddy
---
 hosts/falkenstein/modules/dns/default.nix | 6 ++-
 hosts/nuc/default.nix | 4 +-
 hosts/nuc/modules/authentik/default.nix | 13 ++++---
 hosts/nuc/modules/cache/default.nix | 8 ++--
 hosts/nuc/modules/caddy/default.nix | 10 +++++
 hosts/nuc/modules/keycloak/default.nix | 43 ----------------------
 hosts/nuc/modules/matrix/default.nix | 45 +++++++++++++----------
 hosts/nuc/modules/seafile/default.nix | 29 ++++++---------
 hosts/nuc/modules/vaultwarden/default.nix | 8 ++--
 shared/zsh.nix | 1 +
 10 files changed, 69 insertions(+), 98 deletions(-)
 create mode 100644 hosts/nuc/modules/caddy/default.nix
 delete mode 100644 hosts/nuc/modules/keycloak/default.nix
diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
index 0447cf2..b54fd05 100644
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
@@ -35,8 +35,10 @@ let
 subdomains = let
- getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
+ getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts);
+ getVirtualHostsNginx = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
 genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
+ genCNAMEsNginx = hostname: lib.attrsets.genAttrs (getVirtualHostsNginx hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
 in
 lib.attrsets.mergeAttrsList [
 rec {
@@ -54,7 +56,9 @@ let
 }
 (genCNAMEs "nuc")
+ (genCNAMEsNginx "nuc")
 (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ])
+ (builtins.removeAttrs (genCNAMEsNginx "falkenstein") [ "mail" ])
 ];
 });
 in
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index c6f8ffc..5f950c3 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -8,7 +8,6 @@
 ./modules/networks
 ./modules/adguard
 ./modules/backup
- # ./modules/keycloak
 ./modules/jellyfin
 ./modules/cache
 ./modules/matrix
@@ -16,7 +15,8 @@
 ./modules/seafile
 ./modules/torrent
 ./modules/vaultwarden
- ./modules/nginx
+ # ./modules/nginx
+ ./modules/caddy
 ./modules/indexing
 ];
diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix
index 6001fb9..6354bec 100644
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
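Review bot: `getVirtualHostsNginx`/`genCNAMEsNginx` duplicate the caddy pair except for the `services.nginx` vs `services.caddy` attribute path; a service parameter keeps one copy, e.g. `getVirtualHosts = service: hostname: map (…) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.${service}.virtualHosts);` and `genCNAMEs = service: hostname: lib.attrsets.genAttrs (getVirtualHosts service hostname) (…);`, called as `(genCNAMEs "caddy" "nuc")` / `(genCNAMEs "nginx" "nuc")` in the second hunk. The label is derived by slicing `stringLength domain + 1` characters off the end of every virtualHost name, which silently yields a wrong CNAME label for any Caddy site key that is not exactly `<label>.<domain>` (Caddy accepts keys carrying a scheme or port, and a bare apex name); filtering the names with `lib.hasSuffix ".${domain}"` before the slice would make that assumption explicit. Since this commit also stops importing `./modules/nginx` on nuc, `genCNAMEsNginx "nuc"` presumably contributes nothing unless another module on that host still defines nginx vhosts. The enclosing `let` begins before the hunk.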
@@ -9,10 +9,13 @@ in
 services.authentik = {
 enable = true;
 environmentFile = config.age.secrets.authentik.path;
- nginx = {
- enable = true;
- enableACME = true;
- host = domain;
- };
+ # nginx = {
+ # enable = true;
+ # enableACME = true;
+ # host = domain;
+ # };
 };
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ reverse_proxy localhost:9000
+ '';
 }
diff --git a/hosts/nuc/modules/cache/default.nix b/hosts/nuc/modules/cache/default.nix
index 7d50632..12e47b3 100644
--- a/hosts/nuc/modules/cache/default.nix
+++ b/hosts/nuc/modules/cache/default.nix
@@ -10,9 +10,7 @@ in
 enable = true;
 secretKeyFile = config.age.secrets.cache.path;
 };
- services.nginx.virtualHosts."${domain}" = {
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}";
- };
- };
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.nix-serve.port}
+ '';
 }
diff --git a/hosts/nuc/modules/caddy/default.nix b/hosts/nuc/modules/caddy/default.nix
new file mode 100644
index 0000000..b940576
--- /dev/null
+++ b/hosts/nuc/modules/caddy/default.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+ services.caddy = {
+ enable = true;
+ email = "ca@${config.networking.domain}";
+ logFormat = "format console";
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+}
diff --git a/hosts/nuc/modules/keycloak/default.nix b/hosts/nuc/modules/keycloak/default.nix
deleted file mode 100644
index 0ace24b..0000000
--- a/hosts/nuc/modules/keycloak/default.nix
+++ /dev/null
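Review bot: The five commented-out `# nginx = { … }` lines are dead configuration kept beside their replacement; the commit deletes the equally dead `# ./modules/keycloak` import elsewhere, so it should drop this block too rather than carry it. The upstream `localhost:9000` is a bare magic value derived from no option the hunk shows, so a why-comment on the `reverse_proxy` line such as `# authentik server's HTTP listener; the port is not exposed as a NixOS option here` would help the next reader. The other vhosts converted in this commit (cache, vaultwarden) spell the loopback upstream as `127.0.0.1`; using the same form here keeps the modules consistent and avoids `localhost` resolving to `::1` first if authentik happens to bind only IPv4.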
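Review bot: The new caddy module opens UDP 443 with no explanation, and the reason is not obvious from the file; a comment on the `allowedUDPPorts` line, `# UDP 443: HTTP/3 (QUIC), which Caddy enables by default`, and one on the `email` line, `# ACME account contact for Caddy's automatic certificates`, would document both. Since Caddy now terminates TLS for every vhost converted in this commit, a header comment stating that the per-host `enableACME`/`forceSSL` settings are intentionally gone because Caddy's automatic HTTPS covers them would spare a reader from looking for where they went.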
@@ -1,43 +0,0 @@
-{ config, ... }:
-let
- domain = "auth.${config.networking.domain}";
-in
-{
- age.secrets.keycloak = {
- file = ../../../../secrets/nuc/keycloak/db.age;
- };
- services.keycloak = {
- enable = true;
- settings = {
- http-port = 8084;
- https-port = 19000;
- hostname = domain;
- # proxy-headers = "forwarded";
- proxy = "edge";
- };
- database = {
- # host = "/var/run/postgresql/.s.PGSQL.5432";
- # useSSL = false;
- # createLocally = false;
- passwordFile = config.age.secrets.keycloak.path;
- };
- initialAdminPassword = "plschangeme";
- };
- # services.postgresql = {
- # enable = true;
- # ensureUsers = [
- # {
- # name = "keycloak";
- # ensureDBOwnership = true;
- # }
- # ];
- # ensureDatabases = [ "keycloak" ];
- # };
- services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
- };
- };
-}
diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix
index 3f7c639..0b8d08e 100644
--- a/hosts/nuc/modules/matrix/default.nix
+++ b/hosts/nuc/modules/matrix/default.nix
@@ -32,6 +32,7 @@ in
 matrix-synapse = {
 enable = true;
 configureRedisLocally = true;
+ enableRegistrationScript = false;
 extraConfigFiles = [ config.age.secrets."matrix/shared".path ];
 log = {
 root.level = "WARNING";
@@ -41,10 +42,9 @@ in
 server_name = config.networking.domain;
 listeners = [{
- port = 8008;
- bind_addresses = [ "::1" ];
+ path = "/run/matrix-synapse/server.sock";
+ mode = "666";
 type = "http";
- tls = false;
 x_forwarded = true;
 resources = [{
 names = [ "client" "federation" ];
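Review bot: `mode = "666"` makes the new synapse listener socket under `/run/matrix-synapse` world-writable, so any local user or service on nuc can talk to synapse directly, and because the same listener keeps `x_forwarded = true`, synapse will trust an `X-Forwarded-For` header on any such connection — the value it uses for per-IP rate limiting and login logging. A least-privilege alternative is a group-accessible socket that only the proxy can reach: `mode = "660";` together with `users.users.caddy.extraGroups = [ "matrix-synapse" ];` (matrix-synapse being the module's default group, as far as I recall); the `RuntimeDirectory` added in a later hunk of this file creates the parent directory with systemd's default 0755, so directory permissions do not narrow access either. The `listeners` entry continues past the end of the hunk.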
@@ -57,29 +57,24 @@ in
 enable = true;
 settings = {
 SYNCV3_SERVER = "https://${domain}";
+ SYNCV3_BINDADDR = "/run/matrix-sliding-sync/server.sock";
 };
 environmentFile = config.age.secrets."matrix/sync".path;
 };
- nginx = {
- recommendedProxySettings = true;
+ caddy = {
 virtualHosts = {
 # synapse
- "${domain}" = {
- # locations."/".extraConfig = "return 404;";
-
- # # proxy to synapse
- # locations."/_matrix".proxyPass = "http://[::1]:8008";
- locations."/".proxyPass = "http://[::1]:8008";
- locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)".proxyPass = "http://localhost:8009";
- # locations."/_synapse/client".proxyPass = "http://[::1]:8008";
- };
-
+ "${domain}".extraConfig = ''
+ reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock
+ reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock
+ reverse_proxy unix//run/matrix-synapse/server.sock
+ '';
 # element
- "${domainClient}" = {
- root = pkgs.element-web.override {
+ "${domainClient}".extraConfig = ''
+ root '${pkgs.element-web.override {
 conf = {
 default_server_config = {
 inherit (clientConfig) "m.homeserver";
@@ -87,13 +82,23 @@ in
 };
 disable_3pid_login = true;
 };
- };
- };
+ }}'
+ '';
 };
 };
 };
- systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ];
+ systemd.services.matrix-synapse = {
+ after = [ "matrix-synapse-pgsetup.service" ];
+ serviceConfig = {
+ RuntimeDirectory = "matrix-synapse";
+ };
+ };
+ systemd.services.matrix-sliding-sync = {
+ serviceConfig = {
+ RuntimeDirectory = "matrix-sliding-sync";
+ };
+ };
 systemd.services.matrix-synapse-pgsetup = {
 description = "Prepare Synapse postgres database";
diff --git a/hosts/nuc/modules/seafile/default.nix b/hosts/nuc/modules/seafile/default.nix
index 6653c0c..d231495 100644
--- a/hosts/nuc/modules/seafile/default.nix
+++ b/hosts/nuc/modules/seafile/default.nix
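Review bot: Nothing in this hunk (nor the `systemd.services.matrix-sliding-sync` block later in the file) sets the ownership or mode of the new `/run/matrix-sliding-sync/server.sock`, unlike the synapse listener's explicit `mode`; caddy runs as its own user, so unless sliding-sync creates that socket group- or world-accessible, the `/client/*` and msc3575 `reverse_proxy` lines will fail with a 502, presumably noticed only when a client first tries sliding sync. Whether `SYNCV3_BINDADDR` accepts a socket path at all depends on the sliding-sync version deployed; a comment on that line naming the version it was verified against would save the next reader the check. The `virtualHosts` set continues into the next hunk.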
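Review bot: The element vhost's `extraConfig` ends right after the `root '…'` directive (the `}}'` then `'';` lines), and Caddy's `root` only sets the site root variable; without a `file_server` directive the vhost answers with an empty response instead of serving element-web, which the removed nginx `root = …` did implicitly. Insert `file_server` on its own line between `}}'` and `'';`. The `route /media/* { root '${pkgs.seahub}' }` block in the seafile hunk has the same gap and needs `file_server` inside the route. The `pkgs.element-web.override` call that this string interpolates opens in the previous hunk.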
@@ -31,21 +31,16 @@ in
 }
 '';
 };
- services.nginx.virtualHosts."${domain}" = {
- locations."/" = {
- proxyPass = "http://unix:/run/seahub/gunicorn.sock";
- };
- locations."/seafhttp" = {
- proxyPass = "http://127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}";
- extraConfig = ''
- rewrite ^/seafhttp(.*)$ $1 break;
- '';
- };
- locations."/media" = {
- root = pkgs.seahub;
- };
- locations."/accounts/login" = {
- return = "301 /oauth/login";
- };
- };
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ redir /accounts/login /oauth/login
+ reverse_proxy unix//run/seahub/gunicorn.sock
+ route /media/* {
+ root '${pkgs.seahub}'
+ }
+
+ route /seafhttp/* {
+ uri strip_prefix /seafhttp
+ reverse_proxy 127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}
+ }
+ '';
 }
diff --git a/hosts/nuc/modules/vaultwarden/default.nix b/hosts/nuc/modules/vaultwarden/default.nix
index fe0ac59..5a7e07f 100644
--- a/hosts/nuc/modules/vaultwarden/default.nix
+++ b/hosts/nuc/modules/vaultwarden/default.nix
@@ -29,9 +29,7 @@ in
 ];
 ensureDatabases = [ "vaultwarden" ];
 };
- services.nginx.virtualHosts."${domain}" = {
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
- };
- };
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}
+ '';
 }
diff --git a/shared/zsh.nix b/shared/zsh.nix
index 08e66c3..d62b914 100644
--- a/shared/zsh.nix
+++ b/shared/zsh.nix
@@ -9,6 +9,7 @@
 trash-cli
 nix-output-monitor
 iperf
+ jq
 ];
 users.defaultUserShell = pkgs.zsh;
 programs.fzf = {
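Review bot: `redir /accounts/login /oauth/login` changes the redirect status: the removed nginx `return = "301 /oauth/login"` was permanent, while Caddy's `redir` defaults to 302, so `redir /accounts/login /oauth/login permanent` is the line that preserves the old behaviour (and what browsers may already have cached). The matcher `/seafhttp/*` also no longer covers a bare `/seafhttp` request, which nginx's prefix `location /seafhttp` matched; whether seafile clients ever send that form I cannot tell from here, so a short comment on the `route /seafhttp/*` line stating that only the slash-prefixed form is expected would record the decision.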
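Review bot: vaultwarden identifies clients through its `IP_HEADER` setting, which as far as I recall defaults to `X-Real-IP`; Caddy's `reverse_proxy` adds `X-Forwarded-For` but not `X-Real-IP`, and nginx's `recommendedProxySettings` (enabled in the matrix module, and possibly by the dropped `./modules/nginx`) did set it, so after this change login rate limiting and admin-panel IP logging would see every client as `127.0.0.1`. Either pass the header explicitly, `reverse_proxy 127.0.0.1:${…} {` / `header_up X-Real-IP {remote_host}` / `}`, or set `IP_HEADER = "X-Forwarded-For"` in `services.vaultwarden.config` outside this hunk. The same consideration may apply to seahub behind the seafile vhost; synapse already relies on `x_forwarded` and is unaffected.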