diff --git a/modules/nixos/bundles/server.nix b/modules/nixos/bundles/server.nix
index 0e0f13d..b7f4b53 100644
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@@ -6,6 +6,7 @@
 imports = util.toImports ../features [
 # keep-sorted start
 "bazarr"
+ "caddy"
 "copyparty"
 "couchdb"
 "firefly"
@@ -16,7 +17,6 @@
 "kavita"
 "lidarr"
 "miniflux"
- "nginx"
 "ntfy-sh"
 "nzbget"
 "paperless"
diff --git a/modules/nixos/features/bazarr.nix b/modules/nixos/features/bazarr.nix
index 5407a2f..541235c 100644
--- a/modules/nixos/features/bazarr.nix
+++ b/modules/nixos/features/bazarr.nix
@@ -1,5 +1,6 @@
 let
 port = 5017;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -10,10 +11,11 @@ in
 listenPort = port;
 };
- nginx.virtualHosts."bazarr.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/caddy.nix b/modules/nixos/features/caddy.nix
new file mode 100644
index 0000000..ca45981
--- /dev/null
+++ b/modules/nixos/features/caddy.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ ...
+}:
+{
+ services.caddy = {
+ enable = true;
+ dataDir = "/srv/caddy";
+ globalConfig = ''
+ auto_https disable_redirects
+ '';
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "festive-steed-fit@duck.com";
+ certs."fi33.buzz" = {
+ group = config.services.caddy.group;
+ domain = "fi33.buzz";
+ extraDomainNames = [ "*.fi33.buzz" ];
+ dnsProvider = "porkbun";
+ dnsPropagationCheck = true;
+ credentialsFile = config.age.secrets."porkbun-api".path;
+ };
+ };
+ age.secrets."porkbun-api".file = ../../../secrets/porkbun-api.age;
+}
diff --git a/modules/nixos/features/copyparty.nix b/modules/nixos/features/copyparty.nix
index 560df1e..bd31797 100644
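Review bot: The new `tls ${certloc}/cert.pem ${certloc}/key.pem` stanza in the bazarr vhost points Caddy at files the ACME module rewrites on renewal, and nothing in this commit makes Caddy reload when that happens, so the expired certificate would keep being served until the next restart; the removed nginx vhost got that hook from `useACMEHost`. The NixOS caddy module offers the same `useACMEHost = "fi33.buzz";` on `services.caddy.virtualHosts.<name>`, which generates the `tls` line from the ACME directory and registers the reload, and would also remove the `certloc` path literal now duplicated in every feature file (the `protocols tls1.3` restriction can stay in a separate `tls { protocols tls1.3 }` block, if Caddy accepts it next to the generated one — verify). If the hand-written stanza is kept, `reloadServices = [ "caddy.service" ];` on `security.acme.certs."fi33.buzz"` in caddy.nix covers it. The identical stanza is added in copyparty, couchdb, firefly, homepage-dashboard, immich, jellyfin, karakeep, kavita, lidarr, miniflux, ntfy-sh, nzbget, paperless, prowlarr, qbittorrent, qui, radarr, radicale, readarr, sonarr, syncthing, upbank2firefly, vaultwarden and the web-feature template, so one fix applies to all of them.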
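Review bot: `auto_https disable_redirects` in `globalConfig` removes the plain-HTTP to HTTPS redirect that the deleted `forceSSL = true` vhosts provided, so a client requesting http://bazarr.fi33.buzz (or any other host here) gets no listener on port 80 instead of a redirect; if that is the intent, the matching firewall rule (not visible here) can presumably go as well, otherwise drop that line and let Caddy's automatic HTTPS keep the redirect. Neither the old nor the new config sets HSTS; `header Strict-Transport-Security "max-age=31536000"` in the vhosts would make the TLS-only policy stick in browsers. `group = config.services.caddy.group;` on the cert is what lets Caddy read the ACME-managed `key.pem` through the manual `tls` stanza, which is worth a one-line comment (`# caddy reads cert.pem/key.pem from the ACME dir directly`) so it is not tidied away later.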
--- a/modules/nixos/features/copyparty.nix
+++ b/modules/nixos/features/copyparty.nix
@@ -7,6 +7,7 @@
 }:
 let
 port = 5000;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 imports = [ inputs.copyparty.nixosModules.default ];
@@ -33,11 +34,12 @@ in
 };
 };
- nginx.virtualHosts."copyparty.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 # secrets
diff --git a/modules/nixos/features/couchdb.nix b/modules/nixos/features/couchdb.nix
index d7656ee..0f0d44d 100644
--- a/modules/nixos/features/couchdb.nix
+++ b/modules/nixos/features/couchdb.nix
@@ -1,5 +1,6 @@
 let
 port = 5984;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -34,10 +35,11 @@ in
 };
 };
- nginx.virtualHosts."couchdb.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/firefly.nix b/modules/nixos/features/firefly.nix
index e456886..92ee22d 100644
--- a/modules/nixos/features/firefly.nix
+++ b/modules/nixos/features/firefly.nix
@@ -2,12 +2,15 @@
 config,
 ...
 }:
+let
+ certloc = "/var/lib/acme/fi33.buzz";
+in
 {
 services = {
 firefly-iii = {
 enable = true;
 dataDir = "/srv/firefly";
- group = "nginx";
+ group = config.services.caddy.group;
 settings = {
 # keep-sorted start
 ALLOW_WEBHOOKS = "true";
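Review bot: `group = config.services.caddy.group;` puts the firefly-iii service (and, if the pool follows the service group, its php-fpm worker) into the same group that caddy.nix assigns to the ACME certificate, so the PHP application would presumably be able to read `/var/lib/acme/fi33.buzz/key.pem`; the old `group = "nginx"` had the same shape, so this is not a regression, but only the proxy needs the key. The least-privilege direction is the reverse — leave firefly-iii in its own group and let the caddy user join it for socket access, e.g. `users.users.${config.services.caddy.user}.extraGroups = [ config.services.firefly-iii.group ];`, assuming the php-fpm socket is group-accessible to firefly-iii's group (verify against the pool's listen settings). Whichever way it goes, the reason for the group line is not obvious from the file; a comment such as `# caddy must reach the php-fpm socket` would save the next reader the archaeology. The enclosing `services = {` block continues past the hunk.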
@@ -28,28 +31,17 @@
 }
 ];
- nginx.virtualHosts."firefly.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- root = "${config.services.firefly-iii.package}/public";
- locations = {
- "/" = {
- tryFiles = "$uri $uri/ /index.php?$query_string";
- index = "index.php";
- extraConfig = ''
- sendfile off;
- '';
- };
- "~ \\.php$" = {
- extraConfig = ''
- include ${config.services.nginx.package}/conf/fastcgi_params ;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:${config.services.phpfpm.pools.firefly-iii.socket};
- '';
- };
- };
- };
+ caddy.virtualHosts."firefly.fi33.buzz".extraConfig = ''
+ root * ${config.services.firefly-iii.package}/public
+ php_fastcgi unix//${config.services.phpfpm.pools.firefly-iii.socket}
+ try_files {path} {path}/ /index.php?{query}
+ file_server {
+ index index.php
+ }
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 age.secrets = {
diff --git a/modules/nixos/features/homepage-dashboard.nix b/modules/nixos/features/homepage-dashboard.nix
index aded82a..3ab99c5 100644
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@@ -38,6 +38,7 @@ let
 "sonarr"
 # keep-sorted end
 ];
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -376,11 +377,12 @@ in
 ];
 };
- nginx.virtualHosts."homepage-dashboard.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 # secrets
diff --git a/modules/nixos/features/immich.nix b/modules/nixos/features/immich.nix
index 6a0abd4..de5443f 100644
--- a/modules/nixos/features/immich.nix
+++ b/modules/nixos/features/immich.nix
@@ -1,5 +1,6 @@
 let
 port = 2283;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -18,16 +19,11 @@ in
 }
 ];
- nginx = {
- clientMaxBodySize = "50000M";
- virtualHosts."immich.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/" = {
- proxyPass = "http://[::1]:${toString port}";
- proxyWebsockets = true;
- };
- };
- };
+ caddy.virtualHosts."immich.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/jellyfin.nix b/modules/nixos/features/jellyfin.nix
index a4490be..9fab896 100644
--- a/modules/nixos/features/jellyfin.nix
+++ b/modules/nixos/features/jellyfin.nix
@@ -1,5 +1,6 @@
 let
 port = 8096;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -9,11 +10,12 @@ in
 group = "srv";
 };
- nginx.virtualHosts."jellyfin.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 # use intel iGP
diff --git a/modules/nixos/features/karakeep.nix b/modules/nixos/features/karakeep.nix
index 09f8163..cebc5f8 100644
--- a/modules/nixos/features/karakeep.nix
+++ b/modules/nixos/features/karakeep.nix
@@ -1,5 +1,6 @@
 let
 port = 5014;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -11,10 +12,11 @@ in
 };
 };
- nginx.virtualHosts."karakeep.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/kavita.nix b/modules/nixos/features/kavita.nix
index c62259e..bbb2322 100644
--- a/modules/nixos/features/kavita.nix
+++ b/modules/nixos/features/kavita.nix
@@ -4,6 +4,7 @@
 }:
 let
 port = 5015;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -14,11 +15,12 @@ in
 tokenKeyFile = config.age.secrets.kavita.path;
 };
- nginx.virtualHosts."kavita.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."kavita.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 age.secrets.kavita.file = ../../../secrets/kavita.age;
diff --git a/modules/nixos/features/lidarr.nix b/modules/nixos/features/lidarr.nix
index 0b6fb4b..78aa609 100644
--- a/modules/nixos/features/lidarr.nix
+++ b/modules/nixos/features/lidarr.nix
@@ -1,5 +1,6 @@
 let
 port = 5012;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -12,10 +13,11 @@ in
 group = "srv";
 };
- nginx.virtualHosts."lidarr.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/miniflux.nix b/modules/nixos/features/miniflux.nix
index 10c4eeb..82aeeb5 100644
--- a/modules/nixos/features/miniflux.nix
+++ b/modules/nixos/features/miniflux.nix
@@ -4,6 +4,7 @@
 }:
 let
 port = 5010;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -25,11 +26,12 @@ in
 }
 ];
- nginx.virtualHosts."miniflux.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 age.secrets."miniflux-creds".file = ../../../secrets/miniflux-creds.age;
diff --git a/modules/nixos/features/ntfy-sh.nix b/modules/nixos/features/ntfy-sh.nix
index d5a70e8..e53a792 100644
--- a/modules/nixos/features/ntfy-sh.nix
+++ b/modules/nixos/features/ntfy-sh.nix
@@ -1,5 +1,6 @@
 let
 port = 5002;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -12,13 +13,11 @@ in
 };
 };
- nginx.virtualHosts."ntfy-sh.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/" = {
- proxyPass = "http://localhost:${toString port}";
- proxyWebsockets = true;
- };
- };
+ caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/nzbget.nix b/modules/nixos/features/nzbget.nix
index ff6f7d5..ba469f2 100644
--- a/modules/nixos/features/nzbget.nix
+++ b/modules/nixos/features/nzbget.nix
@@ -4,6 +4,7 @@
 }:
 let
 port = 5018;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -16,11 +17,12 @@ in
 group = "srv";
 };
- nginx.virtualHosts."nzbget.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 environment.systemPackages = with pkgs; [ unrar ];
diff --git a/modules/nixos/features/paperless.nix b/modules/nixos/features/paperless.nix
index 6b61e35..01bc88d 100644
--- a/modules/nixos/features/paperless.nix
+++ b/modules/nixos/features/paperless.nix
@@ -4,6 +4,7 @@
 }:
 let
 port = 5013;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -29,11 +30,12 @@ in
 ];
 };
- nginx.virtualHosts."paperless.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 age.secrets."paperless" = {
diff --git a/modules/nixos/features/prowlarr.nix b/modules/nixos/features/prowlarr.nix
index 9fbb8e6..23e090f 100644
--- a/modules/nixos/features/prowlarr.nix
+++ b/modules/nixos/features/prowlarr.nix
@@ -1,5 +1,6 @@
 let
 port = 5009;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -11,12 +12,11 @@ in
 };
 };
- nginx = {
- virtualHosts."prowlarr.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
- };
+ caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/qbittorrent.nix b/modules/nixos/features/qbittorrent.nix
index f4e8d54..577f0c9 100644
--- a/modules/nixos/features/qbittorrent.nix
+++ b/modules/nixos/features/qbittorrent.nix
@@ -1,5 +1,6 @@
 let
 port = 5005;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -13,10 +14,11 @@ in
 ];
 };
- nginx.virtualHosts."qbittorrent.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
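Review bot: The added `+caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''` line in paperless.nix appears to sit at column 0, while the same line in every other feature file of this commit is indented inside the enclosing `services = {` block (the `+ caddy.` spacing differs from all the siblings). Nix does not care, but a formatter check would flag it and the visual nesting no longer matches the closing `};` that follows. Indent it like the other attributes in the block, `  caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''`, so the file stays consistent with the template.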
diff --git a/modules/nixos/features/qui.nix b/modules/nixos/features/qui.nix
index f7392f5..8c34edf 100644
--- a/modules/nixos/features/qui.nix
+++ b/modules/nixos/features/qui.nix
@@ -7,6 +7,7 @@
 }:
 let
 port = 5019;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 environment.systemPackages = [ pkgs.qui ];
@@ -22,9 +23,10 @@ in
 };
 };
- services.nginx.virtualHosts."qui.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 }
diff --git a/modules/nixos/features/radarr.nix b/modules/nixos/features/radarr.nix
index 8cbcc4c..30063eb 100644
--- a/modules/nixos/features/radarr.nix
+++ b/modules/nixos/features/radarr.nix
@@ -1,5 +1,6 @@
 let
 port = 5007;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -12,10 +13,11 @@ in
 group = "srv";
 };
- nginx.virtualHosts."radarr.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."radarr.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/radicale.nix b/modules/nixos/features/radicale.nix
index 6ced520..73155e6 100644
--- a/modules/nixos/features/radicale.nix
+++ b/modules/nixos/features/radicale.nix
@@ -4,6 +4,7 @@
 }:
 let
 port = 5003;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -27,11 +28,12 @@ in
 };
 };
- nginx.virtualHosts."radicale.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."radicale.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 # secrets
diff --git a/modules/nixos/features/readarr.nix b/modules/nixos/features/readarr.nix
index 4f8e419..42a884b 100644
--- a/modules/nixos/features/readarr.nix
+++ b/modules/nixos/features/readarr.nix
@@ -1,5 +1,6 @@
 let
 port = 5016;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -12,10 +13,11 @@ in
 group = "srv";
 };
- nginx.virtualHosts."readarr.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."readarr.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/sonarr.nix b/modules/nixos/features/sonarr.nix
index f0d0a26..691b4b8 100644
--- a/modules/nixos/features/sonarr.nix
+++ b/modules/nixos/features/sonarr.nix
@@ -1,5 +1,6 @@
 let
 port = 5006;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -12,10 +13,11 @@ in
 group = "srv";
 };
- nginx.virtualHosts."sonarr.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/syncthing.nix b/modules/nixos/features/syncthing.nix
index fb1539e..d9624c3 100644
--- a/modules/nixos/features/syncthing.nix
+++ b/modules/nixos/features/syncthing.nix
@@ -40,6 +40,7 @@ let
 }
 ) (builtins.filter (deviceSet: deviceSet.device != hostName) devicesList)
 );
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -66,10 +67,11 @@ in
 else null;
- nginx.virtualHosts."syncthing.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = ''
+ reverse_proxy http://localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }
diff --git a/modules/nixos/features/upbank2firefly.nix b/modules/nixos/features/upbank2firefly.nix
index fbf18f4..e711bb8 100644
--- a/modules/nixos/features/upbank2firefly.nix
+++ b/modules/nixos/features/upbank2firefly.nix
@@ -5,6 +5,7 @@
 }:
 let
 port = 5021;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 virtualisation.oci-containers = {
@@ -48,11 +49,12 @@ in
 };
 };
- services.nginx.virtualHosts."upbank2firefly.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 age.secrets.upbank2firefly.file = ../../../secrets/upbank2firefly.age;
 }
diff --git a/modules/nixos/features/vaultwarden.nix b/modules/nixos/features/vaultwarden.nix
index 2ffb556..be8cb7a 100644
--- a/modules/nixos/features/vaultwarden.nix
+++ b/modules/nixos/features/vaultwarden.nix
@@ -4,6 +4,7 @@
 }:
 let
 port = 5001;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
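Review bot: `reverse_proxy http://localhost:${toString port}` in the syncthing vhost spells out the scheme, whereas every other feature file in this commit uses the bare `localhost:${toString port}`; Caddy treats both as the same plain-HTTP upstream, so this is only a consistency nit, but keeping one spelling makes a later bulk edit of these stanzas safer. Change it to `reverse_proxy localhost:${toString port}` to match the template. The enclosing `services = {` block opens before the hunk and closes at its end.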
@@ -22,14 +23,12 @@ in
 };
 };
- nginx.virtualHosts."vaultwarden.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/" = {
- proxyPass = "http://localhost:${toString port}";
- proxyWebsockets = true;
- };
- };
+ caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 age.secrets."vaultwarden-admin" = {
diff --git a/modules/templates/web-feature.nix b/modules/templates/web-feature.nix
index 6240e4e..8fa5ed6 100644
--- a/modules/templates/web-feature.nix
+++ b/modules/templates/web-feature.nix
@@ -1,5 +1,6 @@
 let
 port = 0000;
+ certloc = "/var/lib/acme/fi33.buzz";
 in
 {
 services = {
@@ -19,10 +20,11 @@ in
 # ];
 # };
- nginx.virtualHosts."feature.fi33.buzz" = {
- forceSSL = true;
- useACMEHost = "fi33.buzz";
- locations."/".proxyPass = "http://localhost:${toString port}";
- };
+ caddy.virtualHosts."feature.fi33.buzz".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
 };
 }