diff --git a/hosts/oracle/default.nix b/hosts/oracle/default.nix
index cb6f239..977b2c9 100644
--- a/hosts/oracle/default.nix
+++ b/hosts/oracle/default.nix
@@ -77,6 +77,7 @@ nixpkgs.lib.nixosSystem {
 ../../modules/services/calibre.nix
 ../../modules/services/jellyfin.nix
 ../../modules/services/nextcloud.nix
+ ../../modules/services/cloudflare.nix
 ../../modules/services/transmission.nix
 ../../modules/services/prometheus.nix
 ../../modules/gaming/minecraft-server.nix
diff --git a/modules/services/caddy.nix b/modules/services/caddy.nix
index 02c8f00..017abd8 100644
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@@ -5,6 +5,11 @@
 type = lib.types.listOf lib.types.attrs;
 description = "Caddy JSON routes for http servers";
 };
+ caddyBlocks = lib.mkOption {
+ type = lib.types.listOf lib.types.attrs;
+ description = "Caddy JSON error blocks for http servers";
+ default = [ ];
+ };
 };
 config = {
@@ -16,45 +21,7 @@
 apps.http.servers.main = {
 listen = [ ":443" ];
 routes = config.caddyRoutes;
- errors.routes = [{
- match = [{
- not = [{
- remote_ip.ranges = [
-
- # Cloudflare IPv4: https://www.cloudflare.com/ips-v4
- "173.245.48.0/20"
- "103.21.244.0/22"
- "103.22.200.0/22"
- "103.31.4.0/22"
- "141.101.64.0/18"
- "108.162.192.0/18"
- "190.93.240.0/20"
- "188.114.96.0/20"
- "197.234.240.0/22"
- "198.41.128.0/17"
- "162.158.0.0/15"
- "104.16.0.0/13"
- "104.24.0.0/14"
- "172.64.0.0/13"
- "131.0.72.0/22"
-
- # Cloudflare IPv6: https://www.cloudflare.com/ips-v6
- "2400:cb00::/32"
- "2606:4700::/32"
- "2803:f800::/32"
- "2405:b500::/32"
- "2405:8100::/32"
- "2a06:98c0::/29"
- "2c0f:f248::/32"
-
- ];
- }];
- }];
- handle = [{
- handler = "static_response";
- abort = true;
- }];
- }];
+ errors.routes = config.caddyBlocks;
 };
 });
diff --git a/modules/services/cloudflare.nix b/modules/services/cloudflare.nix
new file mode 100644
index 0000000..a743886
--- /dev/null
+++ b/modules/services/cloudflare.nix
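Review bot: Giving `caddyBlocks` a default of `[ ]` makes the replaced `errors.routes` fail open: a host that imports caddy.nix without also importing the new cloudflare.nix ends up with an empty error-route list, whereas before this hunk every Caddy server carried the non-Cloudflare abort route unconditionally. If every host is expected to sit behind Cloudflare, the safer shape is to leave `caddyBlocks` without a default so evaluation fails loudly on a host that forgot the module, or to add `assertions = [{ assertion = config.caddyBlocks != [ ]; message = "caddyBlocks is empty: Caddy will answer any remote IP"; }];` beside the server definition. If some hosts are meant to be reachable directly, a one-line comment on the option saying so would stop the next reader from treating the empty default as an oversight. The `config = {` body that `});` closes begins outside this hunk.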
@@ -0,0 +1,56 @@ +# This module is necessary for hosts that are serving through Cloudflare. + +{ ... }: + +let + + cloudflareIpRanges = [ + + # Cloudflare IPv4: https://www.cloudflare.com/ips-v4 + "173.245.48.0/20" + "103.21.244.0/22" + "103.22.200.0/22" + "103.31.4.0/22" + "141.101.64.0/18" + "108.162.192.0/18" + "190.93.240.0/20" + "188.114.96.0/20" + "197.234.240.0/22" + "198.41.128.0/17" + "162.158.0.0/15" + "104.16.0.0/13" + "104.24.0.0/14" + "172.64.0.0/13" + "131.0.72.0/22" + + # Cloudflare IPv6: https://www.cloudflare.com/ips-v6 + "2400:cb00::/32" + "2606:4700::/32" + "2803:f800::/32" + "2405:b500::/32" + "2405:8100::/32" + "2a06:98c0::/29" + "2c0f:f248::/32" + + ]; + +in { + + imports = [ ./caddy.nix ]; + + config = { + + # Forces Caddy to error if coming from a non-Cloudflare IP + caddyBlocks = [{ + match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }]; + handle = [{ + handler = "static_response"; + abort = true; + }]; + }]; + + # Allows Nextcloud to trust Cloudflare IPs + services.nextcloud.config.trustedProxies = cloudflareIpRanges; + + }; +} diff --git a/modules/services/jellyfin.nix b/modules/services/jellyfin.nix index 0f69c85..b09d36b 100644 --- a/modules/services/jellyfin.nix +++ b/modules/services/jellyfin.nix @@ -20,20 +20,8 @@ }]; # Create videos directory, allow anyone in Jellyfin group to manage it - systemd.services.videos-library = { - wantedBy = [ "jellyfin.service" ]; - requiredBy = [ "jellyfin.service" ]; - before = [ "jellyfin.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = let videosDirectory = "/var/videos"; - in '' - mkdir --parents --mode 0755 ${videosDirectory} - chown jellyfin:jellyfin ${videosDirectory} - ''; - }; + systemd.tmpfiles.rules = + [ "d /var/lib/jellyfin/library 0775 jellyfin jellyfin" ]; }; diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix index 40a3a2c..9288d24 100644 --- a/modules/services/nextcloud.nix 
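Review bot: The abort route is published through `caddyBlocks`, which caddy.nix wires into `errors.routes`, and in Caddy's JSON server config the error routes are evaluated only after the primary handler chain has returned an error — so a request from a non-Cloudflare address that the application routes serve successfully is still served, and the comment `# Forces Caddy to error if coming from a non-Cloudflare IP` overstates what this achieves. If the goal is to refuse direct-to-origin traffic, the matcher belongs at the front of the server's main `routes`: take `lib` in the module arguments and write `caddyRoutes = lib.mkBefore [{` in place of `caddyBlocks = [{`, keeping `caddyBlocks` for genuine error handling. Two smaller points: the ranges are an undated snapshot of cloudflare.com/ips-v4 and ips-v6, so a line such as `# snapshot of the published ranges; re-check when Cloudflare announces changes` would help, and `services.nextcloud.config.trustedProxies` only takes effect if Nextcloud's immediate peer is one of these addresses — if Caddy proxies to Nextcloud's own web server (not visible here), the peer Nextcloud sees is Caddy, and the address to trust is Caddy's with the Cloudflare-side client IP forwarded by Caddy. I am reading the `errors.routes` semantics from Caddy's configuration documentation rather than from anything in this diff, so confirm against the running config before moving the route.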
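Review bot: The tmpfiles rule creates `/var/lib/jellyfin/library`, but the unit it replaces created `/var/videos`, so any media already under `/var/videos` stays behind and Jellyfin's library paths have to be repointed by hand — nothing in the hunk says so, and the surviving comment `# Create videos directory, allow anyone in Jellyfin group to manage it` no longer names the location. The mode also goes from 0755 to 0775; with owner and group both `jellyfin` that finally matches the comment's intent, but it is a permission change worth calling out. Suggest rewording the comment to `# Jellyfin library root (moved from /var/videos); group-writable so members of the jellyfin group can add media`. The attribute set enclosing this rule starts outside the hunk.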
+++ b/modules/services/nextcloud.nix @@ -2,8 +2,8 @@ let - adminpassFile = "/var/lib/nextcloud/creds"; - backupS3File = "/var/lib/nextcloud/backup-creds"; + adminpassFile = "${config.services.nextcloud.datadir}/creds"; + backupS3File = "${config.services.nextcloud.datadir}/backup-creds"; in { @@ -45,35 +45,6 @@ in { config = { adminpassFile = adminpassFile; extraTrustedDomains = [ config.nextcloudServer ]; - trustedProxies = [ - - # Cloudflare IPv4: https://www.cloudflare.com/ips-v4 - "173.245.48.0/20" - "103.21.244.0/22" - "103.22.200.0/22" - "103.31.4.0/22" - "141.101.64.0/18" - "108.162.192.0/18" - "190.93.240.0/20" - "188.114.96.0/20" - "197.234.240.0/22" - "198.41.128.0/17" - "162.158.0.0/15" - "104.16.0.0/13" - "104.24.0.0/14" - "172.64.0.0/13" - "131.0.72.0/22" - - # Cloudflare IPv6: https://www.cloudflare.com/ips-v6 - "2400:cb00::/32" - "2606:4700::/32" - "2803:f800::/32" - "2405:b500::/32" - "2405:8100::/32" - "2a06:98c0::/29" - "2c0f:f248::/32" - - ]; }; }; @@ -125,7 +96,7 @@ in { enable = true; settings = { dbs = [{ - path = "/var/lib/nextcloud/data/nextcloud.db"; + path = "${config.services.nextcloud.datadir}/data/nextcloud.db"; replicas = [{ url = "s3://${config.backupS3.bucket}.${config.backupS3.endpoint}/nextcloud";
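Review bot: `adminpassFile` and `backupS3File` now resolve under `config.services.nextcloud.datadir`, which means the module's argument list (outside this hunk) must bind `config`, and nothing here says who provisions the two files or with what ownership and mode — they hold the admin password and the S3 keys, so a comment such as `# Secrets are placed out-of-band; expected owner nextcloud, mode 0600 — confirm` next to the `let` would save the next reader a trip to the host. Keeping them inside the data root also means any backup or sync of `datadir` carries the credentials along with user data; if that is not wanted, point them at a path outside datadir instead of deriving them from it.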