mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-22 19:15:37 +00:00
Merge branch 'cloudflare-acme-dns'
This commit is contained in:
commit
f4f5f19183
@ -2,6 +2,11 @@
|
||||
|
||||
options = {
|
||||
caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
|
||||
caddy.tlsPolicies = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON TLS policies";
|
||||
default = [ ];
|
||||
};
|
||||
caddy.routes = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON routes for http servers";
|
||||
@ -26,6 +31,7 @@
|
||||
errors.routes = config.caddy.blocks;
|
||||
# logs = { }; # Uncomment to collect access logs
|
||||
};
|
||||
apps.tls.automation.policies = config.caddy.tlsPolicies;
|
||||
logging.logs.main = {
|
||||
encoder = { format = "console"; };
|
||||
writer = {
|
||||
|
@ -1,6 +1,6 @@
|
||||
# This module is necessary for hosts that are serving through Cloudflare.
|
||||
|
||||
{ config, lib, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
|
||||
@ -49,6 +49,38 @@ in {
|
||||
}];
|
||||
}];
|
||||
|
||||
# Tell Caddy to use Cloudflare DNS for ACME challenge validation
|
||||
services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
|
||||
plugins = [ "github.com/caddy-dns/cloudflare" ];
|
||||
# vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
|
||||
});
|
||||
caddy.tlsPolicies = [{
|
||||
issuers = [{
|
||||
module = "acme";
|
||||
challenges = {
|
||||
dns = {
|
||||
provider = {
|
||||
name = "cloudflare";
|
||||
api_token = "{env.CF_API_TOKEN}";
|
||||
};
|
||||
resolvers = [ "1.1.1.1" ];
|
||||
};
|
||||
};
|
||||
}];
|
||||
}];
|
||||
systemd.services.caddy.serviceConfig.EnvironmentFile =
|
||||
config.secrets.cloudflareApi.dest;
|
||||
systemd.services.caddy.serviceConfig.AmbientCapabilities =
|
||||
"CAP_NET_BIND_SERVICE";
|
||||
|
||||
# API key must have access to modify Cloudflare DNS records
|
||||
secrets.cloudflareApi = {
|
||||
source = ../../../private/cloudflare-api.age;
|
||||
dest = "${config.secretsDirectory}/cloudflare-api";
|
||||
owner = "caddy";
|
||||
group = "caddy";
|
||||
};
|
||||
|
||||
# Allows Nextcloud to trust Cloudflare IPs
|
||||
services.nextcloud.config.trustedProxies = cloudflareIpRanges;
|
||||
|
||||
|
56
overlays/caddy.nix
Normal file
56
overlays/caddy.nix
Normal file
@ -0,0 +1,56 @@
|
||||
{ lib, buildGo118Module, fetchFromGitHub, plugins ? [ ] }:
|
||||
let
|
||||
goImports = lib.flip lib.concatMapStrings plugins (pkg: " _ \"${pkg}\"\n");
|
||||
goGets = lib.flip lib.concatMapStrings plugins (pkg: "go get ${pkg}\n ");
|
||||
main = ''
|
||||
package main
|
||||
import (
|
||||
caddycmd "github.com/caddyserver/caddy/v2/cmd"
|
||||
_ "github.com/caddyserver/caddy/v2/modules/standard"
|
||||
${goImports}
|
||||
)
|
||||
func main() {
|
||||
caddycmd.Main()
|
||||
}
|
||||
'';
|
||||
in buildGo118Module rec {
|
||||
pname = "caddy";
|
||||
version = "2.6.4";
|
||||
runVend = true;
|
||||
|
||||
subPackages = [ "cmd/caddy" ];
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "caddyserver";
|
||||
repo = "caddy";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256:3a3+nFHmGONvL/TyQRqgJtrSDIn0zdGy9YwhZP17mU0=";
|
||||
};
|
||||
|
||||
vendorSha256 = "sha256:CrHqJcJ0knX+txQ5qvzW4JrU8vfi3FO3M/xtislIC1M=";
|
||||
|
||||
overrideModAttrs = (_: {
|
||||
preBuild = ''
|
||||
echo '${main}' > cmd/caddy/main.go
|
||||
${goGets}
|
||||
'';
|
||||
postInstall = "cp go.sum go.mod $out/ && ls $out/";
|
||||
});
|
||||
|
||||
postPatch = ''
|
||||
echo '${main}' > cmd/caddy/main.go
|
||||
cat cmd/caddy/main.go
|
||||
'';
|
||||
|
||||
postConfigure = ''
|
||||
cp vendor/go.sum ./
|
||||
cp vendor/go.mod ./
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://caddyserver.com";
|
||||
description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
|
||||
license = licenses.asl20;
|
||||
maintainers = with maintainers; [ Br1ght0ne techknowlogick ];
|
||||
};
|
||||
}
|
@ -1,25 +1,25 @@
|
||||
diff --git a/cps/__init__.py b/cps/__init__.py
|
||||
index 1ba1f778..da0bc718 100644
|
||||
index 269e4aca..e2b828a9 100644
|
||||
--- a/cps/__init__.py
|
||||
+++ b/cps/__init__.py
|
||||
@@ -100,7 +100,6 @@ updater_thread = Updater()
|
||||
def create_app():
|
||||
@@ -150,7 +150,6 @@ def create_app():
|
||||
|
||||
lm.login_view = 'web.login'
|
||||
lm.anonymous_user = ub.Anonymous
|
||||
- lm.session_protection = 'strong'
|
||||
- lm.session_protection = 'strong' if config.config_session == 1 else "basic"
|
||||
|
||||
if csrf:
|
||||
csrf.init_app(app)
|
||||
db.CalibreDB.update_config(config)
|
||||
db.CalibreDB.setup_db(config.config_calibre_dir, cli_param.settings_path)
|
||||
diff --git a/cps/admin.py b/cps/admin.py
|
||||
index 09a553b4..5c646e46 100644
|
||||
index 20c58aac..99d2ad19 100644
|
||||
--- a/cps/admin.py
|
||||
+++ b/cps/admin.py
|
||||
@@ -104,8 +104,6 @@ def before_request():
|
||||
# make remember me function work
|
||||
if current_user.is_authenticated:
|
||||
confirm_login()
|
||||
@@ -101,8 +101,6 @@ def admin_required(f):
|
||||
|
||||
@admi.before_app_request
|
||||
def before_request():
|
||||
- if not ub.check_user_session(current_user.id, flask_session.get('_id')) and 'opds' not in request.path:
|
||||
- logout_user()
|
||||
g.constants = constants
|
||||
g.user = current_user
|
||||
g.google_site_verification = os.getenv('GOOGLE_SITE_VERIFICATION','')
|
||||
g.allow_registration = config.config_public_reg
|
||||
|
13
private/cloudflare-api.age
Normal file
13
private/cloudflare-api.age
Normal file
@ -0,0 +1,13 @@
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyByWGJS
|
||||
SmJlSVhZcUx5Y3JhVXYxUVhUbmp2QjNXeUxYL1EwNThJelRoTVNvCjFsU0gyaWNJ
|
||||
SEJpNVpYWm1TL24yeHNLaWNIdU9FdWw2d3p6UVVMSEYwT28KLT4gc3NoLWVkMjU1
|
||||
MTkgWXlTVU1RIEV4NU1sOENFK1NvUWlZL1NmUCtUM2RRQmd1c2pnb3p6V3Bsc3pC
|
||||
UVdYV3cKYmFkR0EwNVpRbzJBb2Z4RmpXSGVyK3BkLzd6TTMvQWRRK3BtRXZDUjVZ
|
||||
UQotPiBzc2gtZWQyNTUxOSBuanZYNUEgMG9rU0lzTU1iV1grOTNzZS85cldQZGE5
|
||||
Ym9nVkRvNC9OMUFBbStNT1BBOApucnl1Z0w1Y1RRU3grS0Z0TjNNRXcwVnVqeDFF
|
||||
VGc3Mm93UFc0YXoweVBBCi0tLSBvTnpCc3hBVU81dkpBRzV2L3NWTlZaV2QxUVNZ
|
||||
KzJwcUI2QUl2NEY0R1p3CmDvQwsKrtmTJliCxHv+LSoIV8jYpQJ7I2LJSH9uP89N
|
||||
+7wbAwGjv/Uxk7gnMn5EqQuFKZeOl8LLhKEprmVqVZqlkgbpaaaWud/4xNKu9v5h
|
||||
lWuY1sYd
|
||||
-----END AGE ENCRYPTED FILE-----
|
Loading…
Reference in New Issue
Block a user