diff --git a/flake.lock b/flake.lock index 1a2a533..f386e80 100644 --- a/flake.lock +++ b/flake.lock @@ -299,11 +299,11 @@ ] }, "locked": { - "lastModified": 1747184352, - "narHash": "sha256-GBZulv50wztp5cgc405t1uOkxQYhSkMqeKLI+iSrlpk=", + "lastModified": 1747021744, + "narHash": "sha256-IDsM/9/tHQBlhG3tXI2fTM84AUN1uRa7JDPT1LMlGes=", "owner": "nix-community", "repo": "home-manager", - "rev": "7c1cefb98369cc85440642fdccc1c1394ca6dd2c", + "rev": "fb061f555f821fe4fb49f8f6f2a0cc3d5728bd52", "type": "github" }, "original": { diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix index dfebb89..81c0f2a 100644 --- a/hosts/falkenstein/modules/dns/default.nix +++ b/hosts/falkenstein/modules/dns/default.nix @@ -42,6 +42,14 @@ let subdomains = + let + # generate ACME challenge recorsd for every VirtualHost + genACMECNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (_label: { + subdomains._acme-challenge.CNAME = [ "challenge.acme.${domain}." ]; + }); + # fuckery to merge the generated attribute lists + mergeRecords = recordList: lib.attrsets.mapAttrs (_host: records: lib.attrsets.mergeAttrsList records) (lib.attrsets.zipAttrs recordList); + in lib.attrsets.mergeAttrsList [ rec { nuc = { @@ -60,7 +68,7 @@ let _domainkey.subdomains.rspamd.TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" ]; } (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc")))) - (builtins.removeAttrs (genCNAMEs "falkenstein") ([ ":2018" "mail" "rfive.de" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc")))) + (builtins.removeAttrs (genCNAMEs "falkenstein") ([ ":2018" "mail" ])) # (mergeRecords [ # (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc")))) # (builtins.removeAttrs (genACMECNAMEs "nuc") ([ ":2018" ])) diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix index fc52c0f..87223e5 100644 --- a/hosts/falkenstein/modules/mail/rspamd.nix +++ b/hosts/falkenstein/modules/mail/rspamd.nix @@ -107,7 +107,7 @@ enable = true; }; }; - caddy.virtualHosts."rspamd.vpn.${config.networking.domain}".extraConfig = '' + caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = '' # for some reason this only works with http and not with https so we send every request through our wireguard tunnel reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 diff --git a/hosts/nuc/modules/adguard/default.nix b/hosts/nuc/modules/adguard/default.nix index 0319561..193e99d 100644 --- a/hosts/nuc/modules/adguard/default.nix +++ b/hosts/nuc/modules/adguard/default.nix @@ -14,16 +14,6 @@ in }; }; services.caddy.virtualHosts."${domain}".extraConfig = '' - # for some reason this only works with http and not with https so we send every request through our wireguard tunnel - reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 - - # forward authentication to authentik - forward_auth http://nuc.vpn.rfive.de:9000 { - uri /outpost.goauthentik.io/auth/caddy - - # capitalization of the headers is important, otherwise they will be empty - copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version - } reverse_proxy 127.0.0.1:${toString port} ''; } diff --git a/hosts/nuc/modules/indexing/prowlarr.nix b/hosts/nuc/modules/indexing/prowlarr.nix index de10446..4c66610 100644 --- a/hosts/nuc/modules/indexing/prowlarr.nix +++ b/hosts/nuc/modules/indexing/prowlarr.nix @@ -7,16 +7,6 @@ in enable = true; }; services.caddy.virtualHosts."${domain}".extraConfig = '' - # for some reason this only works with http and not with https so we send every request through our wireguard tunnel - reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 - - # forward authentication to authentik - forward_auth http://nuc.vpn.rfive.de:9000 { - uri /outpost.goauthentik.io/auth/caddy - - # capitalization of the headers is important, otherwise they will be empty - copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version - } reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port} ''; } diff --git a/hosts/nuc/modules/indexing/radarr.nix b/hosts/nuc/modules/indexing/radarr.nix index 2b9375b..f334ce4 100644 --- a/hosts/nuc/modules/indexing/radarr.nix +++ b/hosts/nuc/modules/indexing/radarr.nix @@ -7,16 +7,6 @@ in enable = true; }; services.caddy.virtualHosts."${domain}".extraConfig = '' - # for some reason this only works with http and not with https so we send every request through our wireguard tunnel - reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 - - # forward authentication to authentik - forward_auth http://nuc.vpn.rfive.de:9000 { - uri /outpost.goauthentik.io/auth/caddy - - # capitalization of the headers is important, otherwise they will be empty - copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version - } reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port} ''; } diff --git a/hosts/nuc/modules/indexing/sonarr.nix b/hosts/nuc/modules/indexing/sonarr.nix index 635e267..6c3f404 100644 --- a/hosts/nuc/modules/indexing/sonarr.nix +++ b/hosts/nuc/modules/indexing/sonarr.nix @@ -11,7 +11,8 @@ in reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 # forward authentication to authentik - forward_auth http://nuc.vpn.rfive.de:9000 { + @NoAccess not path /api* + forward_auth @NoAccess http://nuc.vpn.rfive.de:9000 { uri /outpost.goauthentik.io/auth/caddy # capitalization of the headers is important, otherwise they will be empty diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix index 739a11e..38db1f9 100644 --- a/hosts/nuc/modules/torrent/default.nix +++ b/hosts/nuc/modules/torrent/default.nix @@ -126,17 +126,6 @@ in }; }; services.caddy.virtualHosts."${domain}".extraConfig = '' - # for some reason this only works with http and not with https so we send every request through our wireguard tunnel - reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 - - # forward authentication to authentik - forward_auth http://nuc.vpn.rfive.de:9000 { - uri /outpost.goauthentik.io/auth/caddy - - # capitalization of the headers is important, otherwise they will be empty - copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version - } - reverse_proxy 127.0.0.1:${toString cfg.port} ''; systemd.tmpfiles.rules = [