picard caddy

2024-01-04 15:21:40 +01:00 · 2024-01-04 15:21:40 +01:00 · 40dcdceef4
commit 40dcdceef4
parent 4299c9ff93
3 changed files with 215 additions and 71 deletions
--- a/hm-imports/vscode/default.nix
+++ b/hm-imports/vscode/default.nix
@ -24,6 +24,8 @@ in

        # tomoki1207.pdf # reenable when latex workshop goes

+        marketplace.johnpapa.vscode-peacock # colors per workspace
+

        # Language Support 
        ## markdown/latex
--- a/hosts/picard/custom-caddy.nix
+++ b/hosts/picard/custom-caddy.nix
@ -0,0 +1,107 @@
+# see https://github.com/NixOS/nixpkgs/pull/259275
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, gnused
+, nixosTests
+, caddy
+, testers
+, installShellFiles
+, externalPlugins ? [ ]
+, vendorHash ? "sha256-YNcQtjPGQ0XMSog+sWlH4lG/QdbdI0Lyh/fUGqQUFaY="
+}:
+
+let
+  attrsToModules = attrs:
+    builtins.map ({ name, repo, version }: "${repo}") attrs;
+  attrsToSources = attrs:
+    builtins.map ({ name, repo, version }: "${repo}@${version}") attrs;
+in
+buildGoModule rec {
+  pname = "caddy";
+  version = "2.7.5";
+
+  dist = fetchFromGitHub {
+    owner = "caddyserver";
+    repo = "dist";
+    rev = "v${version}";
+    hash = "sha256-aZ7hdAZJH1PvrX9GQLzLquzzZG3LZSKOvt7sWQhTiR8=";
+  };
+
+  src = fetchFromGitHub {
+    owner = "caddyserver";
+    repo = "caddy";
+    rev = "v${version}";
+    hash = "sha256-0IZZ7mkEzZI2Y8ed//m0tbBQZ0YcCXA0/b10ntNIXUk=";
+  };
+
+  inherit vendorHash;
+
+  subPackages = [ "cmd/caddy" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}"
+  ];
+
+  nativeBuildInputs = [ gnused installShellFiles ];
+
+  modBuildPhase = ''
+    for module in ${builtins.toString (attrsToModules externalPlugins)}; do
+      sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go
+    done
+    for plugin in ${builtins.toString (attrsToSources externalPlugins)}; do
+      go get $plugin
+    done
+
+    go generate
+    go mod vendor
+  '';
+
+  modInstallPhase = ''
+    mv -t vendor go.mod go.sum
+    cp -r --reflink=auto vendor "$out"
+  '';
+
+  preBuild = ''
+    chmod -R u+w vendor
+    [ -f vendor/go.mod ] && mv -t . vendor/go.{mod,sum}
+    go generate
+
+    for module in ${builtins.toString (attrsToModules externalPlugins)}; do
+      sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go
+    done
+  '';
+
+  postInstall = ''
+    install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
+
+    substituteInPlace $out/lib/systemd/system/caddy.service --replace "/usr/bin/caddy" "$out/bin/caddy"
+    substituteInPlace $out/lib/systemd/system/caddy-api.service --replace "/usr/bin/caddy" "$out/bin/caddy"
+
+    $out/bin/caddy manpage --directory manpages
+    installManPage manpages/*
+
+    installShellCompletion --cmd caddy \
+      --bash <($out/bin/caddy completion bash) \
+      --fish <($out/bin/caddy completion fish) \
+      --zsh <($out/bin/caddy completion zsh)
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) caddy;
+    version = testers.testVersion {
+      command = "${caddy}/bin/caddy version";
+      package = caddy;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://caddyserver.com";
+    description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS";
+    license = licenses.asl20;
+    mainProgram = "caddy";
+    maintainers = with maintainers; [ Br1ght0ne emilylange techknowlogick ];
+  };
+}
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@ -63,78 +63,113 @@
    };
  } // (lib.my.findOutTlsConfig "xyno.space" config);

-  services.lolpizza2.enable = true;

-  services.nginx.virtualHosts."8001.ragon.xyz" = {
-    useACMEHost = "ragon.xyz";
-    forceSSL = true;
-    locations."/".proxyPass = "http://[::1]:8001";
-  };
-  services.nginx.virtualHosts."lolpizza.ragon.xyz" = {
-    useACMEHost = "ragon.xyz";
-    forceSSL = true;
-    locations."/".proxyPass = "http://[::1]${config.services.lolpizza2.listen}";
+  services.caddy = {
+    enable = true;
+    package = (pkgs.callPackage ./custom-caddy.nix {
+      externalPlugins = [
+        { name = "dns-desec"; repo = "github.com/caddy-dns/desec"; version = "e1e64971fe34c29ce3f4176464adb84d6890aa50"; }
+      ];
+      vendorHash = lib.fakeSha256;
+    });
+    extraConfig = ''
+      acme_dns desec {TOKEN}
+    '';
+    virtualHosts."*.ragon.xyz".extraConfig = ''
+      @8081 host 8081.ragon.xyz
+      handle @8081 {
+        reverse_proxy http://[::1]:8081
+      }
+      @lolpizza host lolpizza.ragon.xyz
+      handle @lolpizza {
+        reverse_proxy http://[::1]${config.services.lolpizza2.listen}
+      }
+      @files host files.ragon.xyz
+      handle @files {
+        encode zstd gzip
+        root /srv/www
+        file_server browse
+      }
+      @bw host bw.ragon.xyz
+      handle @bw {
+        reverse_proxy http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
+      }
+
+      handle {
+        abort
+      }
+    '';
+    virtualHosts."xyno.space".extraConfig =
+      let
+        fqdn = "matrix.xyno.space";
+        wkServer = { "m.server" = "${fqdn}:443"; };
+        wkClient = {
+          "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+          "m.identity_server" = { "base_url" = "https://vector.im"; };
+          # "org.matrix.msc3575.proxy" = { "url" = "https://slidingsync.ragon.xyz"; };
+        };
+      in
+      ''
+        encode zstd gzip
+        handle /.well-known/matrix/server {
+           header Content-Type "application/json"
+           respond "${builtins.toJSON wkServer}"
+        }
+        handle /.well-known/matrix/client {
+           header Content-Type "application/json"
+           header Access-Control-Allow-Origin "*"
+           respond "${builtins.toJSON wkClient}"
+        }
+        handle /gyakapyukawfyuokfgwtyutf.js {
+           rewrite * /js/plausible.outbound-links.js
+           reverse_proxy http://[::1]:${toString config.services.plausible.server.port}
+        }
+        handle /api/event {
+          reverse_proxy http://[::1]:${toString config.services.plausible.server.port}
+        }
+
+        reverse_proxy http://[::1]${config.services.xynoblog.listen}
+      '';
+    virtualHosts."*.xyno.space".extraConfig = ''
+      @stats host stats.xyno.space
+      handle @stats {
+        reverse_proxy http://[::1]${toString config.services.plausible.server.port}
+      }
+      @matrix host matrix.xyno.space
+      handle @matrix {
+        handle /_matrix/* /notifications /_synapse/client/* /health {
+          reverse_proxy http://192.168.100.11:8008
+        }
+      }
+      handle {
+        abort
+      }
+    '';
+    virtualHosts."*.xyno.systems".extraConfig = ''
+      @md host md.xyno.systems
+      handle @md {
+        reverse_proxy http://[::1]${toString config.services.hedgedoc.settings.port}
+      }
+      @sso host sso.xyno.systems
+      handle @sso {
+        reverse_proxy http://[::1]:${toString config.services.authelia.instances.main.settings.server.port}
+      }
+      handle {
+        abort
+      }
+    '';
+    virtualHosts."xyno.systems".extraConfig = ''
+      redir https://xyno.space{uri}
+    '';
+    virtualHosts."graph.czi.dating".extraConfig = ''
+      redir https://graph-czi-dating-s8tan-01d008685713bd0312de3223b3b980279b0ca590.fspages.org{uri}
+    '';
+    virtualHosts."czi.dating".extraConfig = ''
+      redir https://foss-ag.de{uri}
+    '';
  };

-  services.nginx.virtualHosts."xyno.systems" = {
-    locations."/".return = "307 https://xyno.space$request_uri";
-  } // (lib.my.findOutTlsConfig "xyno.systems" config);
-
-  services.nginx.virtualHosts."graph.czi.dating" = {
-    locations."/".return = "307 https://graph-czi-dating-s8tan-01d008685713bd0312de3223b3b980279b0ca590.fspages.org$request_uri";
-    forceSSL = true;
-    enableACME = true;
-  };
-  services.nginx.virtualHosts."czi.dating" = {
-    locations."/".return = "307 https://foss-ag.de$request_uri";
-    forceSSL = true;
-    enableACME = true;
-  };
-
-  security.acme.certs."xyno.space" = {
-    dnsProvider = "ionos";
-    dnsResolver = "1.1.1.1:53";
-    group = "nginx";
-    extraDomainNames = [
-      "*.xyno.space"
-    ];
-    credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
-  };
  ragon.agenix.secrets."desec" = { };
-  security.acme.certs."xyno.systems" = {
-    dnsProvider = "desec";
-    dnsResolver = "1.1.1.1:53";
-    group = "nginx";
-    extraDomainNames = [
-      "*.xyno.systems"
-    ];
-    credentialsFile = "${config.age.secrets.desec.path}";
-  };
-
-  services.nginx.appendHttpConfig = ''
-    map $remote_addr $ip_anonym1 {
-     default 0.0.0;
-     "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
-     "~(?P<ip>[^:]+:[^:]+):" $ip;
-    }
-
-    map $remote_addr $ip_anonym2 {
-     default .0;
-     "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
-     "~(?P<ip>[^:]+:[^:]+):" ::;
-    }
-
-    map $ip_anonym1$ip_anonym2 $ip_anonymized {
-     default 0.0.0.0;
-     "~(?P<ip>.*)" $ip;
-    }
-
-    log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
-       '"$request" $status $body_bytes_sent '
-       '"$http_referer" "$http_user_agent"';
-
-    access_log /var/log/nginx/access.log anonymized;
-  '';

  ragon.agenix.secrets."picardResticPassword" = { };
  ragon.agenix.secrets."picardResticSSHKey" = { };
@ -178,6 +213,7 @@
    })
  ];
  services.xynoblog.enable = true;
+  services.lolpizza2.enable = true;
  programs.mosh.enable = true;
  ragon = {
    cli.enable = true;
@ -189,13 +225,12 @@
      ssh.enable = true;
      msmtp.enable = true;
      bitwarden.enable = true;
-      gitlab.enable = false; # TODO gitlab-runner
-      synapse.enable = true;
+      synapse.enable = false;
      tailscale.enable = true;
      hedgedoc.enable = true;
      authelia.enable = true;
      ts3.enable = true;
-      nginx.enable = true;
+      nginx.enable = false;
      nginx.domain = "ragon.xyz";
      nginx.domains = [ "xyno.space" "xyno.systems" "czi.dating" ];
    };