mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-22 23:55:37 +00:00
Merge branch 'cloudflare-acme-dns'
This commit is contained in:
commit
f4f5f19183
@ -2,6 +2,11 @@
|
|||||||
|
|
||||||
options = {
|
options = {
|
||||||
caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
|
caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
|
||||||
|
caddy.tlsPolicies = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.attrs;
|
||||||
|
description = "Caddy JSON TLS policies";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
caddy.routes = lib.mkOption {
|
caddy.routes = lib.mkOption {
|
||||||
type = lib.types.listOf lib.types.attrs;
|
type = lib.types.listOf lib.types.attrs;
|
||||||
description = "Caddy JSON routes for http servers";
|
description = "Caddy JSON routes for http servers";
|
||||||
@ -26,6 +31,7 @@
|
|||||||
errors.routes = config.caddy.blocks;
|
errors.routes = config.caddy.blocks;
|
||||||
# logs = { }; # Uncomment to collect access logs
|
# logs = { }; # Uncomment to collect access logs
|
||||||
};
|
};
|
||||||
|
apps.tls.automation.policies = config.caddy.tlsPolicies;
|
||||||
logging.logs.main = {
|
logging.logs.main = {
|
||||||
encoder = { format = "console"; };
|
encoder = { format = "console"; };
|
||||||
writer = {
|
writer = {
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# This module is necessary for hosts that are serving through Cloudflare.
|
# This module is necessary for hosts that are serving through Cloudflare.
|
||||||
|
|
||||||
{ config, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
@ -49,6 +49,38 @@ in {
|
|||||||
}];
|
}];
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
# Tell Caddy to use Cloudflare DNS for ACME challenge validation
|
||||||
|
services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
|
||||||
|
plugins = [ "github.com/caddy-dns/cloudflare" ];
|
||||||
|
# vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
|
||||||
|
});
|
||||||
|
caddy.tlsPolicies = [{
|
||||||
|
issuers = [{
|
||||||
|
module = "acme";
|
||||||
|
challenges = {
|
||||||
|
dns = {
|
||||||
|
provider = {
|
||||||
|
name = "cloudflare";
|
||||||
|
api_token = "{env.CF_API_TOKEN}";
|
||||||
|
};
|
||||||
|
resolvers = [ "1.1.1.1" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
}];
|
||||||
|
systemd.services.caddy.serviceConfig.EnvironmentFile =
|
||||||
|
config.secrets.cloudflareApi.dest;
|
||||||
|
systemd.services.caddy.serviceConfig.AmbientCapabilities =
|
||||||
|
"CAP_NET_BIND_SERVICE";
|
||||||
|
|
||||||
|
# API key must have access to modify Cloudflare DNS records
|
||||||
|
secrets.cloudflareApi = {
|
||||||
|
source = ../../../private/cloudflare-api.age;
|
||||||
|
dest = "${config.secretsDirectory}/cloudflare-api";
|
||||||
|
owner = "caddy";
|
||||||
|
group = "caddy";
|
||||||
|
};
|
||||||
|
|
||||||
# Allows Nextcloud to trust Cloudflare IPs
|
# Allows Nextcloud to trust Cloudflare IPs
|
||||||
services.nextcloud.config.trustedProxies = cloudflareIpRanges;
|
services.nextcloud.config.trustedProxies = cloudflareIpRanges;
|
||||||
|
|
||||||
|
56
overlays/caddy.nix
Normal file
56
overlays/caddy.nix
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
{ lib, buildGo118Module, fetchFromGitHub, plugins ? [ ] }:
|
||||||
|
let
|
||||||
|
goImports = lib.flip lib.concatMapStrings plugins (pkg: " _ \"${pkg}\"\n");
|
||||||
|
goGets = lib.flip lib.concatMapStrings plugins (pkg: "go get ${pkg}\n ");
|
||||||
|
main = ''
|
||||||
|
package main
|
||||||
|
import (
|
||||||
|
caddycmd "github.com/caddyserver/caddy/v2/cmd"
|
||||||
|
_ "github.com/caddyserver/caddy/v2/modules/standard"
|
||||||
|
${goImports}
|
||||||
|
)
|
||||||
|
func main() {
|
||||||
|
caddycmd.Main()
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
in buildGo118Module rec {
|
||||||
|
pname = "caddy";
|
||||||
|
version = "2.6.4";
|
||||||
|
runVend = true;
|
||||||
|
|
||||||
|
subPackages = [ "cmd/caddy" ];
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "caddyserver";
|
||||||
|
repo = "caddy";
|
||||||
|
rev = "v${version}";
|
||||||
|
sha256 = "sha256:3a3+nFHmGONvL/TyQRqgJtrSDIn0zdGy9YwhZP17mU0=";
|
||||||
|
};
|
||||||
|
|
||||||
|
vendorSha256 = "sha256:CrHqJcJ0knX+txQ5qvzW4JrU8vfi3FO3M/xtislIC1M=";
|
||||||
|
|
||||||
|
overrideModAttrs = (_: {
|
||||||
|
preBuild = ''
|
||||||
|
echo '${main}' > cmd/caddy/main.go
|
||||||
|
${goGets}
|
||||||
|
'';
|
||||||
|
postInstall = "cp go.sum go.mod $out/ && ls $out/";
|
||||||
|
});
|
||||||
|
|
||||||
|
postPatch = ''
|
||||||
|
echo '${main}' > cmd/caddy/main.go
|
||||||
|
cat cmd/caddy/main.go
|
||||||
|
'';
|
||||||
|
|
||||||
|
postConfigure = ''
|
||||||
|
cp vendor/go.sum ./
|
||||||
|
cp vendor/go.mod ./
|
||||||
|
'';
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
homepage = "https://caddyserver.com";
|
||||||
|
description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
|
||||||
|
license = licenses.asl20;
|
||||||
|
maintainers = with maintainers; [ Br1ght0ne techknowlogick ];
|
||||||
|
};
|
||||||
|
}
|
@ -1,25 +1,25 @@
|
|||||||
diff --git a/cps/__init__.py b/cps/__init__.py
|
diff --git a/cps/__init__.py b/cps/__init__.py
|
||||||
index 1ba1f778..da0bc718 100644
|
index 269e4aca..e2b828a9 100644
|
||||||
--- a/cps/__init__.py
|
--- a/cps/__init__.py
|
||||||
+++ b/cps/__init__.py
|
+++ b/cps/__init__.py
|
||||||
@@ -100,7 +100,6 @@ updater_thread = Updater()
|
@@ -150,7 +150,6 @@ def create_app():
|
||||||
def create_app():
|
|
||||||
lm.login_view = 'web.login'
|
lm.login_view = 'web.login'
|
||||||
lm.anonymous_user = ub.Anonymous
|
lm.anonymous_user = ub.Anonymous
|
||||||
- lm.session_protection = 'strong'
|
- lm.session_protection = 'strong' if config.config_session == 1 else "basic"
|
||||||
|
|
||||||
if csrf:
|
db.CalibreDB.update_config(config)
|
||||||
csrf.init_app(app)
|
db.CalibreDB.setup_db(config.config_calibre_dir, cli_param.settings_path)
|
||||||
diff --git a/cps/admin.py b/cps/admin.py
|
diff --git a/cps/admin.py b/cps/admin.py
|
||||||
index 09a553b4..5c646e46 100644
|
index 20c58aac..99d2ad19 100644
|
||||||
--- a/cps/admin.py
|
--- a/cps/admin.py
|
||||||
+++ b/cps/admin.py
|
+++ b/cps/admin.py
|
||||||
@@ -104,8 +104,6 @@ def before_request():
|
@@ -101,8 +101,6 @@ def admin_required(f):
|
||||||
# make remember me function work
|
|
||||||
if current_user.is_authenticated:
|
@admi.before_app_request
|
||||||
confirm_login()
|
def before_request():
|
||||||
- if not ub.check_user_session(current_user.id, flask_session.get('_id')) and 'opds' not in request.path:
|
- if not ub.check_user_session(current_user.id, flask_session.get('_id')) and 'opds' not in request.path:
|
||||||
- logout_user()
|
- logout_user()
|
||||||
g.constants = constants
|
g.constants = constants
|
||||||
g.user = current_user
|
g.google_site_verification = os.getenv('GOOGLE_SITE_VERIFICATION','')
|
||||||
g.allow_registration = config.config_public_reg
|
g.allow_registration = config.config_public_reg
|
||||||
|
13
private/cloudflare-api.age
Normal file
13
private/cloudflare-api.age
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyByWGJS
|
||||||
|
SmJlSVhZcUx5Y3JhVXYxUVhUbmp2QjNXeUxYL1EwNThJelRoTVNvCjFsU0gyaWNJ
|
||||||
|
SEJpNVpYWm1TL24yeHNLaWNIdU9FdWw2d3p6UVVMSEYwT28KLT4gc3NoLWVkMjU1
|
||||||
|
MTkgWXlTVU1RIEV4NU1sOENFK1NvUWlZL1NmUCtUM2RRQmd1c2pnb3p6V3Bsc3pC
|
||||||
|
UVdYV3cKYmFkR0EwNVpRbzJBb2Z4RmpXSGVyK3BkLzd6TTMvQWRRK3BtRXZDUjVZ
|
||||||
|
UQotPiBzc2gtZWQyNTUxOSBuanZYNUEgMG9rU0lzTU1iV1grOTNzZS85cldQZGE5
|
||||||
|
Ym9nVkRvNC9OMUFBbStNT1BBOApucnl1Z0w1Y1RRU3grS0Z0TjNNRXcwVnVqeDFF
|
||||||
|
VGc3Mm93UFc0YXoweVBBCi0tLSBvTnpCc3hBVU81dkpBRzV2L3NWTlZaV2QxUVNZ
|
||||||
|
KzJwcUI2QUl2NEY0R1p3CmDvQwsKrtmTJliCxHv+LSoIV8jYpQJ7I2LJSH9uP89N
|
||||||
|
+7wbAwGjv/Uxk7gnMn5EqQuFKZeOl8LLhKEprmVqVZqlkgbpaaaWud/4xNKu9v5h
|
||||||
|
lWuY1sYd
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
Loading…
Reference in New Issue
Block a user