os/hosts/nougat-2/caddy.nix

142 lines
3.7 KiB
Nix

{
config,
lib,
pkgs,
self,
...
}: let
pubsolarDomain = import ./pubsolar-domain.nix;
in {
networking.networkmanager.unmanaged = ["interface-name:ve-caddy"];
networking.nat = {
enable = true;
internalInterfaces = ["ve-caddy"];
externalInterface = "enp0s31f6";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
containers.caddy = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.102.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
forwardPorts = [
{
containerPort = 443;
hostPort = 443;
protocol = "tcp";
}
{
containerPort = 80;
hostPort = 80;
protocol = "tcp";
}
];
bindMounts = {
"/srv/www/" = {
hostPath = "/data/www/";
isReadOnly = false;
};
};
config = {
services.caddy = {
enable = lib.mkForce true;
group = "hakkonaut";
email = "admins@pub.solar";
globalConfig = lib.mkForce ''
auto_https off
'';
acmeCA = null;
virtualHosts = {
"dashboard.nougat-2.b12f.io" = {
extraConfig = ''
reverse_proxy :2019
'';
};
"www.b12f.io" = {
extraConfig = ''
redir https://pub.solar{uri}
'';
};
"mail.b12f.io" = {
extraConfig = ''
redir / /realms/pub.solar/account temporary
reverse_proxy :8080
'';
};
"${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
# PubSolarOS images
handle /os/download/* {
root * /srv/www
file_server /os/download/* browse
}
# serve base domain pub.solar for mastodon.pub.solar
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
handle /.well-known/host-meta {
redir https://mastodon.${pubsolarDomain}{uri}
}
# pub.solar website
handle {
root * /srv/www/pub.solar
try_files {path}.html {path}
file_server
}
# minimal error handling, respond with status code and text
handle_errors {
respond "{http.error.status_code} {http.error.status_text}"
}
'';
};
"www.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir https://${pubsolarDomain}{uri}
'';
};
"auth.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir / /realms/${pubsolarDomain}/account temporary
reverse_proxy 192.168.103.0:8080
'';
};
"git.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir /user/login /user/oauth2/keycloak temporary
reverse_proxy 192.168.101.0:3000
'';
};
"ci.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy 192.168.101.0:8080
'';
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
};
};
}