Diffstat (limited to 'machines/nixos/x86_64-linux/do-rproxy')
4 files changed, 54 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index eab4a07..d10c656 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -39,6 +39,7 @@
 "${self}/profiles/network/firewall.nix"
 "${self}/profiles/services/podman.nix"
 "${self}/profiles/programs/fish.nix"
+ ./profiles/caddy.nix
 ];
 # do not use DHCP, as DigitalOcean provisions IPs using cloud-init
diff --git a/machines/nixos/x86_64-linux/do-rproxy/home.nix b/machines/nixos/x86_64-linux/do-rproxy/home.nix
new file mode 100644
index 0000000..8f0935e
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy/home.nix
@@ -0,0 +1,6 @@
+{ self, ... }:
+{
+ imports = [
+ "${self}/home/programs/bat.nix"
+ ];
+}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
new file mode 100644
index 0000000..7fab370
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "franck@fcuny.net";
+ certs = {
+ "code.fcuny.net" = {
+ domain = "code.fcuny.net";
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "caddy.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
+ };
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ email = "franck@fcuny.net";
+ globalConfig = ''
+ metrics {
+ per_host
+ }
+ admin :2019 {
+ origins 127.0.0.1 10.100.0.0/24
+ }
+ '';
+ virtualHosts = {
+ forgejo = {
+ hostName = "code.fcuny.net";
+ useACMEHost = "code.fcuny.net";
+ extraConfig = ''
+ respond /metrics 403
+ reverse_proxy 10.100.0.40:3000
+ '';
+ };
+ };
+ };
+}
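Review bot: In caddy.nix the admin endpoint is bound with `admin :2019`, which listens on every interface, and the `origins 127.0.0.1 10.100.0.0/24` line only filters the Host/Origin header of incoming requests — it is a request-forgery/DNS-rebinding guard, not a source-address allowlist — so on its own it does not keep the unauthenticated admin API (which can rewrite the running config) off the public DigitalOcean address. The same hunk opens only 80 and 443, so whether 2019 is reachable from outside depends on the imported firewall profile and on whether the WireGuard interface is marked trusted, neither of which is visible here. Binding to the host's tunnel address closes that gap independently of firewall state: `admin <WG_HOST_IP placeholder>:2019 {`, keeping the `origins` entry as the rebinding guard. Minor: `domain = "code.fcuny.net"` repeats the attribute name, and `email` is set in both `security.acme.defaults` and `services.caddy`; one of each could be dropped to keep a single source of truth.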
diff --git a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
index 9116a9f..e2444e2 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
@@ -2,6 +2,9 @@
 {
 age = {
 secrets = {
+ cloudflare-caddy = {
+ file = "${self}/secrets/cloudflare-caddy.age";
+ };
 wireguard = {
 file = "${self}/secrets/do/wireguard.age";
 };
|
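Review bot: The new `cloudflare-caddy` entry points at `${self}/secrets/cloudflare-caddy.age`, whereas the sibling `wireguard` secret for the same machine lives under `${self}/secrets/do/`; if that directory is the per-host convention, `file = "${self}/secrets/do/cloudflare-caddy.age";` would keep it obvious which hosts a given API token is deployed to. No `owner` or `mode` is set, so the decrypted file presumably stays root-only; that is fine if the acme module passes `credentialFiles` to lego as a systemd credential, but it is worth confirming, since a permission mismatch would surface at renewal time rather than at build time. The enclosing `age.secrets` set continues outside the hunk.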
