From c96d8b7103fd2e4a306bf96ed43f54045b4e3409 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 23 May 2024 15:44:49 +0200 Subject: [PATCH] falkenstein: switch to caddy --- flake.lock | 30 ++++---- hosts/falkenstein/default.nix | 2 +- hosts/falkenstein/modules/caddy/default.nix | 33 +++++++++ hosts/falkenstein/modules/dns/default.nix | 4 -- hosts/falkenstein/modules/logging/default.nix | 6 +- hosts/falkenstein/modules/mail/default.nix | 15 +--- hosts/falkenstein/modules/mail/dovecot2.nix | 4 +- hosts/falkenstein/modules/mail/postfix.nix | 4 +- hosts/falkenstein/modules/mail/rspamd.nix | 11 +-- hosts/falkenstein/modules/nginx/default.nix | 70 ------------------- hosts/falkenstein/modules/purge/default.nix | 3 + .../modules/trucksimulatorbot/default.nix | 14 +++- hosts/nuc/modules/caddy/default.nix | 1 + 13 files changed, 76 insertions(+), 121 deletions(-) create mode 100644 hosts/falkenstein/modules/caddy/default.nix delete mode 100644 hosts/falkenstein/modules/nginx/default.nix
diff --git a/flake.lock b/flake.lock
index e4b8d04..622e309 100644
--- a/flake.lock
+++ b/flake.lock
@@ -312,11 +312,11 @@
 ]
 },
 "locked": {
- "lastModified": 1715930644,
- "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
+ "lastModified": 1716457508,
+ "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
+ "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
 "type": "github"
 },
 "original": {
@@ -460,11 +460,11 @@
 ]
 },
 "locked": {
- "lastModified": 1715483403,
- "narHash": "sha256-WMDuQj7J5jbpXI/X/E6FZRKgBFGcaSTvYyVxPnKE6KU=",
+ "lastModified": 1716170277,
+ "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "f9027322f48b427da23746aa359a6510dfcd0228",
+ "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
 "type": "github"
 },
 "original": {
@@ -475,11 +475,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1715787315,
- "narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
+ "lastModified": 1716330097,
+ "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
+ "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
 "type": "github"
 },
 "original": {
@@ -639,11 +639,11 @@
 ]
 },
 "locked": {
- "lastModified": 1712775102,
- "narHash": "sha256-kQF0HpU4Bis+Q1gE+OUJk1T3UJgDwTZc9rCDHRam9h4=",
+ "lastModified": 1716449531,
+ "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=",
 "owner": "~rouven",
 "repo": "purge",
- "rev": "2959391aa4a1438b3f27669c6930feec58171eab",
+ "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80",
 "type": "sourcehut"
 },
 "original": {
@@ -783,11 +783,11 @@
 ]
 },
 "locked": {
- "lastModified": 1712701713,
- "narHash": "sha256-q++FP8VC5TTQrUa+0l2TQKmafZpDy1L3rzUynFaAn/4=",
+ "lastModified": 1716450661,
+ "narHash": "sha256-4D4Hbe0+ilkaLEux6oBI/kUIUBqCRnUtf5Oln4kTOEE=",
 "owner": "~rouven",
 "repo": "trucksimulator",
- "rev": "af43589e9a0ae0f868a4eff3c738201ed1041788",
+ "rev": "43b44df053d484099dedc96784941f6a019f7b39",
 "type": "sourcehut"
 },
 "original": {
diff --git a/hosts/falkenstein/default.nix b/hosts/falkenstein/default.nix
index 6be1e20..12f8398 100644
--- a/hosts/falkenstein/default.nix
+++ b/hosts/falkenstein/default.nix
@@ -5,12 +5,12 @@
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./modules/backup
+ ./modules/caddy
 ./modules/logging
 ./modules/dns
 ./modules/fail2ban
 ./modules/mail
 ./modules/networks
- ./modules/nginx
 ./modules/pfersel
 ./modules/purge
 ./modules/trucksimulatorbot
diff --git a/hosts/falkenstein/modules/caddy/default.nix b/hosts/falkenstein/modules/caddy/default.nix
new file mode 100644
index 0000000..a92eb55
--- /dev/null
+++ b/hosts/falkenstein/modules/caddy/default.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+let
+ # matrix homeserver discovery
+ matrix_domain = "matrix.${config.networking.domain}";
+ serverConfig = {
+ "m.server" = "${matrix_domain}:443";
+ };
+ clientConfig = {
+ "m.homeserver" = {
+ base_url = "https://${matrix_domain}";
+ # server_name = config.networking.domain;
+ };
+ "org.matrix.msc3575.proxy" = {
+ url = "https://${matrix_domain}";
+ };
+ };
+in
+{
+ services.caddy = {
+ enable = true;
+ email = "ca@${config.networking.domain}";
+ logFormat = "format console";
+ virtualHosts."${config.networking.domain}".extraConfig = ''
+ file_server browse
+ root * /srv/web/${config.networking.domain}
+ respond /.well-known/matrix/client ${builtins.toJSON clientConfig}
+ respond /.well-known/matrix/server ${builtins.toJSON serverConfig}
+ '';
+ };
+ systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+}
diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
index b54fd05..8ef92f1 100644
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
@@ -36,9 +36,7 @@ let
 subdomains =
 let
 getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts);
- getVirtualHostsNginx = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
 genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
- genCNAMEsNginx = hostname: lib.attrsets.genAttrs (getVirtualHostsNginx hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
 in
 lib.attrsets.mergeAttrsList [
 rec {
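Review bot: The two `respond` lines for `/.well-known/matrix/*` drop the `Content-Type: application/json` and `Access-Control-Allow-Origin: *` headers that the deleted nginx `mkWellKnown` helper set; `respond` does not set a content type itself, so the JSON is most likely served as text/plain, and browser-based Matrix clients fetching `/.well-known/matrix/client` cross-origin will reject it without CORS. Add `header /.well-known/matrix/* Content-Type application/json` and `header /.well-known/matrix/* Access-Control-Allow-Origin *` inside the vhost. Separately, `file_server browse` on the apex vhost turns on directory listings for everything under `/srv/web/<domain>`, which the nginx `root` it replaces did not do; drop `browse` unless listing the tree is intended.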
@@ -56,9 +54,7 @@ let
 
 }
 (genCNAMEs "nuc")
- (genCNAMEsNginx "nuc")
 (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ])
- (builtins.removeAttrs (genCNAMEsNginx "falkenstein") [ "mail" ])
 ];
 });
 in
diff --git a/hosts/falkenstein/modules/logging/default.nix b/hosts/falkenstein/modules/logging/default.nix
index c242396..d184177 100644
--- a/hosts/falkenstein/modules/logging/default.nix
+++ b/hosts/falkenstein/modules/logging/default.nix
@@ -19,15 +19,11 @@
 weekly
 rotate 156
 }
- "/var/log/nginx/*.log" {
+ "/var/log/caddy/*.log" {
 compress
 delaycompress
 weekly
- postrotate
- [ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`
- endscript
 rotate 26
- su nginx nginx
 }
 '';
 }
diff --git a/hosts/falkenstein/modules/mail/default.nix b/hosts/falkenstein/modules/mail/default.nix
index d91831e..9f54ca3 100644
--- a/hosts/falkenstein/modules/mail/default.nix
+++ b/hosts/falkenstein/modules/mail/default.nix
@@ -8,17 +8,6 @@ in
 ./dovecot2.nix
 ./rspamd.nix
 ];
- security.acme.certs."${domain}" = {
- reloadServices = [
- "postfix.service"
- "dovecot2.service"
- ];
- };
-
- services.nginx.virtualHosts = {
- "${domain}" = {
- enableACME = true;
- forceSSL = true;
- };
- };
+ # acquire certificates
+ services.caddy.virtualHosts."${domain}".extraConfig = "";
 }
diff --git a/hosts/falkenstein/modules/mail/dovecot2.nix b/hosts/falkenstein/modules/mail/dovecot2.nix
index 256cde2..ab2d049 100644
--- a/hosts/falkenstein/modules/mail/dovecot2.nix
+++ b/hosts/falkenstein/modules/mail/dovecot2.nix
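Review bot: The new `/var/log/caddy/*.log` stanza rotates by renaming, but the `postrotate` reopen hook went away with nginx and Caddy has no equivalent signal: its file writer keeps the open descriptor, so after the first rotation it continues appending to the renamed file while the fresh `access-*.log` stays empty. Add `copytruncate` to the stanza, or drop the stanza entirely and rely on Caddy's own rolling (`roll_size`/`roll_keep` on the per-vhost `log` output), which as far as I can tell is enabled by default for file outputs. The enclosing logrotate configuration starts outside the hunk.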
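Review bot: Deleting `security.acme.certs."${domain}".reloadServices` leaves nothing that reloads Postfix and Dovecot when Caddy renews the certificate that the dovecot2.nix and postfix.nix hunks now read from `/var/lib/caddy/certificates/...`; Dovecot loads the key pair at start/reload, so it will keep presenting the old certificate until that expires. Caddy offers no hook for this, so a systemd path unit watching the `.crt` file and reloading both services restores the previous behaviour (sketch below, placed where `config` and `hostname` are in scope, e.g. next to the paths in dovecot2.nix; the unit name is illustrative). Also, the vhost added here is for `${domain}` while the certificate paths use `${hostname}`; unless the two are equal (both are defined outside this hunk) Caddy never obtains a certificate for `${hostname}` and those paths will not exist.
```nix
  # reload the mail daemons whenever Caddy rewrites the certificate they read
  systemd.paths.mail-cert-reload = {
    wantedBy = [ "multi-user.target" ];
    pathConfig.PathChanged =
      "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.crt";
  };
  systemd.services.mail-cert-reload = {
    serviceConfig.Type = "oneshot";
    serviceConfig.ExecStart = "${config.systemd.package}/bin/systemctl reload postfix.service dovecot2.service";
  };
```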
@@ -14,8 +14,8 @@ in
 enableQuota = false;
 enableLmtp = true;
 mailLocation = "maildir:/var/mail/%n";
- sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
- sslServerKey = "/var/lib/acme/${hostname}/key.pem";
+ sslServerCert = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.crt";
+ sslServerKey = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.key";
 protocols = [ "imap" "sieve" ];
 mailPlugins = {
 globally.enable = [ "listescape" ];
diff --git a/hosts/falkenstein/modules/mail/postfix.nix b/hosts/falkenstein/modules/mail/postfix.nix
index cbc6856..fb060b1 100644
--- a/hosts/falkenstein/modules/mail/postfix.nix
+++ b/hosts/falkenstein/modules/mail/postfix.nix
@@ -33,8 +33,8 @@ in
 origin = "${domain}";
 destination = [ "${hostname}" "${domain}" "localhost" ];
 networks = [ "127.0.0.1" ];
- sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
- sslKey = "/var/lib/acme/${hostname}/key.pem";
+ sslCert = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.crt";
+ sslKey = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.key";
 config = {
 # home_mailbox = "Maildir/";
 smtp_helo_name = config.networking.fqdn;
diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix
index 1d119c0..d2ce916 100644
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
@@ -38,14 +38,9 @@
 enable = true;
 };
 };
- nginx.virtualHosts."rspamd.${config.networking.domain}" = {
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:11334";
- proxyWebsockets = true;
- };
- };
- };
+ caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:11334
+ '';
 };
 systemd = {
 services.rspamd-dmarc-report = {
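Review bot: Both new `sslServerCert`/`sslServerKey` values hard-code Caddy's internal storage layout including the issuer directory `acme-v02.api.letsencrypt.org-directory`; if Caddy ever obtains the certificate from its fallback issuer (ZeroSSL) or the Let's Encrypt directory URL changes, the files land in a different directory and Dovecot silently keeps serving whatever is left at this path. Pin the issuer so the path stays stable, e.g. `acme_ca https://acme-v02.api.letsencrypt.org/directory` in `services.caddy.globalConfig`, and record the coupling next to the paths: `# tied to Caddy's storage layout and the LE production CA; keep acme_ca pinned`. The same applies to `sslCert`/`sslKey` in the postfix.nix hunk.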
diff --git a/hosts/falkenstein/modules/nginx/default.nix b/hosts/falkenstein/modules/nginx/default.nix
deleted file mode 100644
index a763ed5..0000000
--- a/hosts/falkenstein/modules/nginx/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- # set default options for virtualHosts
- options = with lib; {
- services.nginx.virtualHosts = mkOption {
- type = types.attrsOf (types.submodule
- ({ name, ... }: {
- enableACME = true;
- forceSSL = true;
- # enable http3 for all hosts
- quic = true;
- http3 = true;
- # split up nginx access logs per vhost
- extraConfig = ''
- access_log /var/log/nginx/${name}_access.log;
- error_log /var/log/nginx/${name}_error.log;
- add_header Alt-Svc 'h3=":443"; ma=86400';
- '';
- })
- );
- };
- };
- config =
- let
- # matrix homeserver discovery
- matrix_domain = "matrix.${config.networking.domain}";
- serverConfig = {
- "m.server" = "${matrix_domain}:443";
- };
- clientConfig = {
- "m.homeserver" = {
- base_url = "https://${matrix_domain}";
- # server_name = config.networking.domain;
- };
- "org.matrix.msc3575.proxy" = {
- url = "https://${matrix_domain}";
- };
- };
- mkWellKnown = data: ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
- in
- {
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.firewall.allowedUDPPorts = [ 443 ];
- services.nginx = {
- enable = true;
- package = pkgs.nginxQuic;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- virtualHosts."${config.networking.domain}" = {
- root = "/srv/web/${config.networking.domain}";
- locations = {
- "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- };
- };
- };
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "rouven@${config.networking.domain}";
- };
- };
- };
-}
diff --git a/hosts/falkenstein/modules/purge/default.nix b/hosts/falkenstein/modules/purge/default.nix
index c2c264a..ae6a662 100644
--- a/hosts/falkenstein/modules/purge/default.nix
+++ b/hosts/falkenstein/modules/purge/default.nix
@@ -15,4 +15,7 @@ in
 tokenFile = config.age.secrets.purge.path;
 };
 };
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ reverse_proxy unix//run/purge/app.sock
+ '';
 }
diff --git a/hosts/falkenstein/modules/trucksimulatorbot/default.nix b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
index 54cf707..b910134 100644
--- a/hosts/falkenstein/modules/trucksimulatorbot/default.nix
+++ b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, trucksimulatorbot, ... }:
 let
 domain = "trucks.${config.networking.domain}";
 in
@@ -24,4 +24,16 @@ in
 ];
 ensureDatabases = [ "trucksimulator" ];
 };
+ # reverse_proxy unix//run/trucksimulator/app.sock
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ redir /invite https://discord.com/api/oauth2/authorize?client_id=831052837353816066&permissions=262144&scope=bot%20applications.commands
+ handle /docs* {
+ file_server browse
+ root * ${trucksimulatorbot.packages.x86_64-linux.docs}
+ }
+ route /images* {
+ uri strip_prefix /images
+ reverse_proxy unix//run/trucksimulator/images.sock
+ }
+ '';
 }
diff --git a/hosts/nuc/modules/caddy/default.nix b/hosts/nuc/modules/caddy/default.nix
index b940576..563ad7b 100644
--- a/hosts/nuc/modules/caddy/default.nix
+++ b/hosts/nuc/modules/caddy/default.nix
@@ -5,6 +5,7 @@
 email = "ca@${config.networking.domain}";
 logFormat = "format console";
 };
+ systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 networking.firewall.allowedUDPPorts = [ 443 ];
 }
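Review bot: `handle /docs*` sets `root * <docs store path>` but, unlike the `/images*` route right below it, does not strip the matched prefix, so a request for `/docs/index.html` is looked up at `<store path>/docs/index.html`; unless the docs derivation really ships a top-level `docs/` directory, use `handle_path /docs* { ... }`, which strips the prefix, or add `uri strip_prefix /docs` inside the block. The commented-out `reverse_proxy unix//run/trucksimulator/app.sock` also leaves `/` without a handler, which Caddy answers with an empty 200; either enable it or replace it with a comment stating why the bot no longer serves HTTP here. The enclosing module continues outside the hunk.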
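Review bot: Setting `XDG_DATA_HOME = "/var/lib"` relocates Caddy's storage to `/var/lib/caddy` (previously, presumably, a default under the service user's home), so on an already-deployed host every certificate, key and ACME account stored under the old location is orphaned and re-issued on the next start, which can run into the CA's rate limits; move the old `certificates/` and `acme/` directories into `/var/lib/caddy` in the same switch, or confirm this host never stored state there. A comment would also make the intent survive, e.g. `# keep Caddy's data dir at /var/lib/caddy so other services can reference its certificate paths`. The same line is added in the new falkenstein caddy module.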