Merge pull request #80 from wi11-holdsworth/55

Switch to caddy

modules/nixos/bundles/server.nix

@@ -6,6 +6,7 @@
   imports = util.toImports ../features [
     # keep-sorted start
     "bazarr"
+    "caddy"
     "copyparty"
     "couchdb"
     "firefly"
@@ -16,7 +17,6 @@
     "kavita"
     "lidarr"
     "miniflux"
-    "nginx"
     "ntfy-sh"
     "nzbget"
     "paperless"

modules/nixos/features/bazarr.nix

@@ -1,5 +1,6 @@
 let
   port = 5017;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -10,10 +11,11 @@ in
       listenPort = port;
     };
 
-    nginx.virtualHosts."bazarr.fi33.buzz" = {
+    caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/caddy.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  ...
+}:
+{
+  services.caddy = {
+    enable = true;
+    dataDir = "/srv/caddy";
+    globalConfig = ''
+      auto_https disable_redirects
+    '';
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "festive-steed-fit@duck.com";
+    certs."fi33.buzz" = {
+      group = config.services.caddy.group;
+      domain = "fi33.buzz";
+      extraDomainNames = [ "*.fi33.buzz" ];
+      dnsProvider = "porkbun";
+      dnsPropagationCheck = true;
+      credentialsFile = config.age.secrets."porkbun-api".path;
+    };
+  };
+
+  age.secrets."porkbun-api".file = ../../../secrets/porkbun-api.age;
+}

modules/nixos/features/copyparty.nix

@@ -7,6 +7,7 @@
 }:
 let
   port = 5000;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   imports = [ inputs.copyparty.nixosModules.default ];
@@ -33,11 +34,12 @@ in
       };
     };
 
-    nginx.virtualHosts."copyparty.fi33.buzz" = {
+    caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   # secrets

modules/nixos/features/couchdb.nix

@@ -1,5 +1,6 @@
 let
   port = 5984;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -34,10 +35,11 @@ in
       };
     };
 
-    nginx.virtualHosts."couchdb.fi33.buzz" = {
+    caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/firefly.nix

@@ -2,12 +2,15 @@
   config,
   ...
 }:
+let
+  certloc = "/var/lib/acme/fi33.buzz";
+in
 {
   services = {
     firefly-iii = {
       enable = true;
       dataDir = "/srv/firefly";
-      group = "nginx";
+      group = config.services.caddy.group;
       settings = {
         # keep-sorted start
         ALLOW_WEBHOOKS = "true";
@@ -28,29 +31,18 @@
       }
     ];
 
-    nginx.virtualHosts."firefly.fi33.buzz" = {
+    caddy.virtualHosts."firefly.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      root * ${config.services.firefly-iii.package}/public
-      useACMEHost = "fi33.buzz";
+      php_fastcgi unix//${config.services.phpfpm.pools.firefly-iii.socket}
-      root = "${config.services.firefly-iii.package}/public";
+      try_files {path} {path}/ /index.php?{query}
-      locations = {
+      file_server {
-        "/" = {
+        index index.php
-          tryFiles = "$uri $uri/ /index.php?$query_string";
+      }
-          index = "index.php";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-          extraConfig = ''
+        protocols tls1.3
-            sendfile off;
+      }
     '';
   };
-        "~ \\.php$" = {
-          extraConfig = ''
-            include ${config.services.nginx.package}/conf/fastcgi_params ;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
-            fastcgi_pass unix:${config.services.phpfpm.pools.firefly-iii.socket};
-          '';
-        };
-      };
-    };
-  };
 
   age.secrets = {
     firefly = {

modules/nixos/features/homepage-dashboard.nix

@@ -38,6 +38,7 @@ let
     "sonarr"
     # keep-sorted end
   ];
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -376,11 +377,12 @@ in
       ];
     };
 
-    nginx.virtualHosts."homepage-dashboard.fi33.buzz" = {
+    caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   # secrets

modules/nixos/features/immich.nix

@@ -1,5 +1,6 @@
 let
   port = 2283;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -18,16 +19,11 @@ in
       }
     ];
 
-    nginx = {
+    caddy.virtualHosts."immich.fi33.buzz".extraConfig = ''
-      clientMaxBodySize = "50000M";
+      reverse_proxy localhost:${toString port}
-      virtualHosts."immich.fi33.buzz" = {
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-        forceSSL = true;
+        protocols tls1.3
-        useACMEHost = "fi33.buzz";
+      }
-        locations."/" = {
+    '';
-          proxyPass = "http://[::1]:${toString port}";
-          proxyWebsockets = true;
-        };
-      };
-    };
   };
 }

modules/nixos/features/jellyfin.nix

@@ -1,5 +1,6 @@
 let
   port = 8096;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -9,11 +10,12 @@ in
       group = "srv";
     };
 
-    nginx.virtualHosts."jellyfin.fi33.buzz" = {
+    caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   # use intel iGP

modules/nixos/features/karakeep.nix

@@ -1,5 +1,6 @@
 let
   port = 5014;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -11,10 +12,11 @@ in
       };
     };
 
-    nginx.virtualHosts."karakeep.fi33.buzz" = {
+    caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/kavita.nix

@@ -4,6 +4,7 @@
 }:
 let
   port = 5015;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -14,11 +15,12 @@ in
       tokenKeyFile = config.age.secrets.kavita.path;
     };
 
-    nginx.virtualHosts."kavita.fi33.buzz" = {
+    caddy.virtualHosts."kavita.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   age.secrets.kavita.file = ../../../secrets/kavita.age;

modules/nixos/features/lidarr.nix

@@ -1,5 +1,6 @@
 let
   port = 5012;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -12,10 +13,11 @@ in
       group = "srv";
     };
 
-    nginx.virtualHosts."lidarr.fi33.buzz" = {
+    caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/miniflux.nix

@@ -4,6 +4,7 @@
 }:
 let
   port = 5010;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -25,11 +26,12 @@ in
       }
     ];
 
-    nginx.virtualHosts."miniflux.fi33.buzz" = {
+    caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   age.secrets."miniflux-creds".file = ../../../secrets/miniflux-creds.age;

modules/nixos/features/ntfy-sh.nix

@@ -1,5 +1,6 @@
 let
   port = 5002;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -12,13 +13,11 @@ in
       };
     };
 
-    nginx.virtualHosts."ntfy-sh.fi33.buzz" = {
+    caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/" = {
+        protocols tls1.3
-        proxyPass = "http://localhost:${toString port}";
+      }
-        proxyWebsockets = true;
+    '';
-      };
-    };
   };
 }

modules/nixos/features/nzbget.nix

@@ -4,6 +4,7 @@
 }:
 let
   port = 5018;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -16,11 +17,12 @@ in
       group = "srv";
     };
 
-    nginx.virtualHosts."nzbget.fi33.buzz" = {
+    caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   environment.systemPackages = with pkgs; [ unrar ];

modules/nixos/features/paperless.nix

@@ -4,6 +4,7 @@
 }:
 let
   port = 5013;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -29,11 +30,12 @@ in
       ];
     };
 
-    nginx.virtualHosts."paperless.fi33.buzz" = {
+caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   age.secrets."paperless" = {

modules/nixos/features/prowlarr.nix

@@ -1,5 +1,6 @@
 let
   port = 5009;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -11,12 +12,11 @@ in
       };
     };
 
-    nginx = {
+    caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = ''
-      virtualHosts."prowlarr.fi33.buzz" = {
+      reverse_proxy localhost:${toString port}
-        forceSSL = true;
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-        useACMEHost = "fi33.buzz";
+        protocols tls1.3
-        locations."/".proxyPass = "http://localhost:${toString port}";
+      }
-      };
+    '';
-    };
   };
 }

modules/nixos/features/qbittorrent.nix

@@ -1,5 +1,6 @@
 let
   port = 5005;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -13,10 +14,11 @@ in
       ];
     };
 
-    nginx.virtualHosts."qbittorrent.fi33.buzz" = {
+    caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/qui.nix

@@ -7,6 +7,7 @@
 }:
 let
   port = 5019;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   environment.systemPackages = [ pkgs.qui ];
@@ -22,9 +23,10 @@ in
     };
   };
 
-  services.nginx.virtualHosts."qui.fi33.buzz" = {
+  services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = ''
-    forceSSL = true;
+    reverse_proxy localhost:${toString port}
-    useACMEHost = "fi33.buzz";
+    tls ${certloc}/cert.pem ${certloc}/key.pem {
-    locations."/".proxyPass = "http://localhost:${toString port}";
+      protocols tls1.3
-  };
+    }
+  '';
 }

modules/nixos/features/radarr.nix

@@ -1,5 +1,6 @@
 let
   port = 5007;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -12,10 +13,11 @@ in
       group = "srv";
     };
 
-    nginx.virtualHosts."radarr.fi33.buzz" = {
+    caddy.virtualHosts."radarr.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/radicale.nix

@@ -4,6 +4,7 @@
 }:
 let
   port = 5003;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -27,11 +28,12 @@ in
       };
     };
 
-    nginx.virtualHosts."radicale.fi33.buzz" = {
+    caddy.virtualHosts."radicale.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 
   # secrets

modules/nixos/features/readarr.nix

@@ -1,5 +1,6 @@
 let
   port = 5016;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -12,10 +13,11 @@ in
       group = "srv";
     };
 
-    nginx.virtualHosts."readarr.fi33.buzz" = {
+    caddy.virtualHosts."readarr.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/sonarr.nix

@@ -1,5 +1,6 @@
 let
   port = 5006;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -12,10 +13,11 @@ in
       group = "srv";
     };
 
-    nginx.virtualHosts."sonarr.fi33.buzz" = {
+    caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/syncthing.nix

@@ -40,6 +40,7 @@ let
       }
     ) (builtins.filter (deviceSet: deviceSet.device != hostName) devicesList)
   );
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -66,10 +67,11 @@ in
       else
         null;
 
-    nginx.virtualHosts."syncthing.fi33.buzz" = {
+    caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy http://localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }

modules/nixos/features/upbank2firefly.nix

@@ -5,6 +5,7 @@
 }:
 let
   port = 5021;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   virtualisation.oci-containers = {
@@ -48,11 +49,12 @@ in
     };
   };
 
-  services.nginx.virtualHosts."upbank2firefly.fi33.buzz" = {
+  services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = ''
-    forceSSL = true;
+    reverse_proxy localhost:${toString port}
-    useACMEHost = "fi33.buzz";
+    tls ${certloc}/cert.pem ${certloc}/key.pem {
-    locations."/".proxyPass = "http://localhost:${toString port}";
+      protocols tls1.3
-  };
+    }
+  '';
 
   age.secrets.upbank2firefly.file = ../../../secrets/upbank2firefly.age;
 }

modules/nixos/features/vaultwarden.nix

@@ -4,6 +4,7 @@
 }:
 let
   port = 5001;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -22,14 +23,12 @@ in
       };
     };
 
-    nginx.virtualHosts."vaultwarden.fi33.buzz" = {
+    caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/" = {
+        protocols tls1.3
-        proxyPass = "http://localhost:${toString port}";
+      }
-        proxyWebsockets = true;
+    '';
-      };
-    };
   };
 
   age.secrets."vaultwarden-admin" = {

modules/templates/web-feature.nix

@@ -1,5 +1,6 @@
 let
   port = 0000;
+  certloc = "/var/lib/acme/fi33.buzz";
 in
 {
   services = {
@@ -19,10 +20,11 @@ in
     #   ];
     # };
 
-    nginx.virtualHosts."feature.fi33.buzz" = {
+    caddy.virtualHosts."feature.fi33.buzz".extraConfig = ''
-      forceSSL = true;
+      reverse_proxy localhost:${toString port}
-      useACMEHost = "fi33.buzz";
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
-      locations."/".proxyPass = "http://localhost:${toString port}";
+        protocols tls1.3
-    };
+      }
+    '';
   };
 }