feat: move configuration of reverse proxy closer to site definition

2025-04-04 20:14:30 -03:00
parent 8c3ad684cd
commit a2f074a3b5
3 changed files with 30 additions and 80 deletions
--- a/capytal/caddy.nix
+++ b/capytal/caddy.nix
@@ -1,80 +0,0 @@
-{config, ...}: let
-  secrets = config.spacestation-secrets.lesser;
-in {
-  imports = [];
-
-  services.caddy.enable = true;
-  services.caddy.xcaddy.enable = true;
-  services.caddy.email = secrets.capytal.caddy.email;
-  services.caddy.extraConfig = ''
-    (capytal_env) {
-      tls {
-        dns cloudflare {
-          zone_token {env.CAPYTAL_CF_ZONE_TOKEN}
-          api_token {env.CAPYTAL_CF_API_TOKEN}
-        }
-      }
-    }
-    (home_env) {
-      tls {
-        dns cloudflare {
-          zone_token {env.HOME_CF_ZONE_TOKEN}
-          api_token {env.HOME_CF_API_TOKEN}
-        }
-      }
-    }
-  '';
-  services.caddy.virtualHosts = with builtins; let
-    caddyCfg = secrets.capytal.caddy;
-    setConfig = c: let
-      reverse_proxy =
-        if (c ? ip && c ? port)
-        then "reverse_proxy ${c.ip}:${toString c.port}"
-        else if c ? port
-        then "reverse_proxy ${caddyCfg.defaultIp}:${toString c.port}"
-        else "";
-
-      redir =
-        if c ? redir
-        then "redir ${c.redir}"
-        else "";
-
-      auth =
-        if c ? auth
-        then ''
-          basic_auth {
-          ${
-            concatStringsSep "\n" (map (v: "${v.user} ${v.passwd}") c.auth)
-          }
-          }
-        ''
-        else "";
-    in {
-      extraConfig = ''
-        ${reverse_proxy}
-        ${redir}
-        ${auth}
-        import ${
-          if c ? env
-          then c.env
-          else "capytal_env"
-        }
-      '';
-    };
-    hosts = listToAttrs (map (v: {
-        name = v.pattern;
-        value = setConfig v.config;
-      })
-      caddyCfg.hosts);
-  in
-    hosts;
-  systemd.services.caddy.serviceConfig = {
-    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-    EnvironmentFile = config.sops.secrets."caddy/capytal/env".path;
-  };
-
-  networking.firewall.allowedTCPPorts = [
-    80
-    433
-  ];
-}
--- a/capytal/network.nix
+++ b/capytal/network.nix
@@ -0,0 +1,20 @@
+{
+  config,
+  pkgs-unstable,
+  ...
+}: {
+  imports = [];
+
+  services.caddy.enable = true;
+  services.caddy.virtualHosts = let
+    forgejo-port = config.services.forgejo.settings.server.HTTP_PORT;
+  in {
+    ":${toString (forgejo-port + 10)}" = {
+      extraConfig = ''
+        reverse_proxy http://localhost${config.services.anubis.instances."forgejo".bind} {
+          header_up X-Real-Ip {remote_host}
+        }
+      '';
+    };
+  };
+}
--- a/capytal/websites.nix
+++ b/capytal/websites.nix
@@ -12,10 +12,20 @@
    enable = true;
    port = 7010;
  };
+  services.caddy.virtualHosts.":${toString (config.services.capytalcc.web.port + 1)}" = {
+    extraConfig = ''
+      reverse_proxy http://localhost:${toString config.services.capytalcc.web.port}
+    '';
+  };

  services.keikos.web = {
    enable = true;
    port = 7030;
    envFile = config.sops.secrets."keiko/envFile".path;
  };
+  services.caddy.virtualHosts.":${toString (config.services.keikos.web.port + 1)}" = {
+    extraConfig = ''
+      reverse_proxy http://localhost:${toString config.services.keikos.web.port}
+    '';
+  };
 }