feat: reverse proxy all services via caddy

2023-12-30 19:14:02 -07:00 · 2023-12-30 19:14:02 -07:00 · f4029e6197
parent 17ab5f7472
commit f4029e6197
2 changed files with 56 additions and 17 deletions
--- a/agenix-config-module.nix
+++ b/agenix-config-module.nix
@ -1,3 +1,7 @@
 {
-  age.secrets.samsehu_DUCK_DNS_TOKEN.file = ./secrets/samsehu_DUCK_DNS_TOKEN.age;
+  age.secrets.samsehu_DUCK_DNS_TOKEN = {
+    file = ./secrets/samsehu_DUCK_DNS_TOKEN.age;
+    owner = "dynamicdns";
+    group = "dynamicdns";
+  };
 }
--- a/configuration.nix
+++ b/configuration.nix
@ -65,14 +65,18 @@
  services.cockpit = {
    enable = true;
    openFirewall = true;
+    settings = {
+      WebService = {
+        Origins = "https://cockpit.samsehu.perli.casa wss://cockpit.samsehu.perli.casa";
+        ProtocolHeader = "X-Forwarded-Proto";
+        LoginTo = false;
+      };
+    };
  };

  services.udisks2.enable = true;

-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-  };
+  services.jellyfin.enable = true;

  services.blocky = {
    enable = true;
@ -114,6 +118,10 @@

  services.forgejo = {
    enable = true;
+    settings = {
+      server.ROOT_URL = "https://git.samsehu.perli.casa/";
+      server.HTTP_ADDR = "127.0.0.1";
+    };
  };

  services.lldap = {
@ -124,6 +132,7 @@
      ldap_user_dn = "admin";
      # Default administrator password
      ldap_user_pass = "extending pulsate nastily";
+      http_host = "127.0.0.1";
    };
  };

@ -137,7 +146,7 @@
  systemd.services.dynamic-dns-updater = {
    serviceConfig.User = "dynamicdns";
    path = [ pkgs.curl ];
-    script = "curl -o ~/duck.log --url-query domains=samsehuperli --url-query token@${config.age.secrets.samsehu_DUCK_DNS_TOKEN.path} https://www.duckdns.org/update";
+    script = "curl --silent --url-query domains=samsehuperli --url-query token@${config.age.secrets.samsehu_DUCK_DNS_TOKEN.path} https://www.duckdns.org/update";
    startAt = "hourly";
  };
  systemd.timers.dynamic-dns-updater = {
@ -147,9 +156,41 @@
  # Reverse proxy with Caddy
  services.caddy = {
    enable = true;
-    virtualHosts."samsehu.perli.casa".extraConfig = ''
-      respond "Hello, world!"
+    globalConfig = ''
+      email "fresh.car0178@geemili.xyz"
    '';
+
+    virtualHosts."lldap.samsehu.perli.casa".extraConfig = ''
+      reverse_proxy localhost:17170
+    '';
+
+    virtualHosts."headscale.samsehu.perli.casa".extraConfig = ''
+      reverse_proxy localhost:64639
+    '';
+
+    virtualHosts."cockpit.samsehu.perli.casa".extraConfig = ''
+      reverse_proxy localhost:9090
+    '';
+
+    virtualHosts."git.samsehu.perli.casa".extraConfig = ''
+      reverse_proxy localhost:3000
+    '';
+
+    virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = ''
+      reverse_proxy localhost:8096
+    '';
+  };
+
+  # Headscale for access to the network while away from home
+  services.headscale = {
+    enable = true;
+    settings = {
+      server_url = "https://headscale.samsehu.perli.casa";
+      listen_addr = "127.0.0.1:64639";
+      metrics_listen_addr = "127.0.0.1:64640";
+      tls_cert_path = null;
+      tls_key_path = null;
+    };
  };

  # Enable automatic upgrades
@ -177,19 +218,13 @@
    # Caddy HTTP and HTTPS
    80
    443
-
-    # Forgejo web interface
-    3000
-
-    # lldap LDAP
-    3890
-
-    # lldap HTTP; user login and administration
-    17170
  ];
  networking.firewall.allowedUDPPorts = [
    # Blocky DNS
    53
+
+    # Headscale UDP port for STUN protocol
+    3478
  ];

  # Use systemd-resolved and set networkmanager to allow mdns