titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3d8e47689c699610886cc2f88372c97a0c08dc9b
server-config/services/caddy.nix

150 lines
3.9 KiB
Nix
Raw Blame History

{
config,
service_configs,
pkgs,
lib,
inputs,
...
}:
let
theme = pkgs.fetchFromGitHub {
owner = "kaiiiz";
repo = "hugo-theme-monochrome";
rev = "d17e05715e91f41a842f2656e6bdd70cba73de91";
sha256 = "h9I2ukugVrldIC3SXefS0L3R245oa+TuRChOCJJgF24=";
};
hugo-neko = pkgs.fetchFromGitHub {
owner = "ystepanoff";
repo = "hugo-neko";
rev = "5a50034acbb1ae0cec19775af64e7167ca22725e";
sha256 = "VLwr4zEeFQU/b+vj0XTLSuEiosuNFu2du4uud7m8bnw=";
};
hugoWebsite = pkgs.stdenv.mkDerivation {
pname = "hugo-site";
version = "0.1";
src = inputs.website;
nativeBuildInputs = with pkgs; [
hugo
go
git
];
installPhase = ''
rm -fr themes/theme modules/hugo-neko
cp -r ${theme} themes/theme
cp -r ${hugo-neko} modules/hugo-neko
hugo --minify -d $out;
'';
};
newDomain = service_configs.https.domain;
oldDomain = service_configs.https.old_domain;
in
{
imports = [
(lib.serviceMountWithZpool "caddy" service_configs.zpool_ssds [
config.services.caddy.dataDir
])
];
services.caddy = {
enable = true;
email = "titaniumtown@proton.me";
# Enable on-demand TLS for old domain redirects
# Certs are issued dynamically when subdomains are accessed
globalConfig = ''
on_demand_tls {
ask http://localhost:9123/check
}
'';
# Internal endpoint to validate on-demand TLS requests
# Only allows certs for *.${oldDomain}
extraConfig = ''
http://localhost:9123 {
@allowed expression {query.domain}.endsWith(".${oldDomain}") || {query.domain} == "${oldDomain}" || {query.domain} == "www.${oldDomain}"
respond @allowed 200
respond 403
}
'';
virtualHosts = {
${newDomain} = {
extraConfig = ''
root * ${hugoWebsite}
file_server browse
'';
serverAliases = [ "www.${newDomain}" ];
};
# Redirect old domain (bare + www) to new domain
${oldDomain} = {
extraConfig = ''
redir https://${newDomain}{uri} permanent
'';
serverAliases = [ "www.${oldDomain}" ];
};
# Wildcard redirect for all old domain subdomains
# Uses on-demand TLS - certs issued automatically on first request
"*.${oldDomain}" = {
extraConfig = ''
tls {
on_demand
}
# {labels.2} extracts subdomain from *.gardling.com
redir https://{labels.2}.${newDomain}{uri} permanent
'';
};
};
};
systemd.tmpfiles.rules = [
"d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
];
systemd.packages = with pkgs; [ nssTools ];
networking.firewall.allowedTCPPorts = [
service_configs.ports.https
# http (but really acmeCA challenges)
service_configs.ports.http
];
networking.firewall.allowedUDPPorts = [
service_configs.ports.https
];
# Protect Caddy basic auth endpoints from brute force attacks
services.fail2ban.jails.caddy-auth = {
enabled = true;
settings = {
backend = "auto";
port = "http,https";
logpath = "/var/log/caddy/access-*.log";
# defaults: maxretry=5, findtime=10m, bantime=10m
# Ignore local network IPs - NAT hairpinning causes all LAN traffic to
# appear from the router IP (192.168.1.1). Banning it blocks all internal access.
ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
};
filter.Definition = {
# Only match 401s where an Authorization header was actually sent.
# Without this, the normal HTTP Basic Auth challenge-response flow
# (browser probes without credentials, gets 401, then resends with
# credentials) counts every page visit as a "failure."
failregex = ''^.*"remote_ip":"<HOST>".*"Authorization":\["REDACTED"\].*"status":401.*$'';
ignoreregex = "";
datepattern = ''"ts":{Epoch}\.'';
};
};
}
Reference in New Issue View Git Blame Copy Permalink