mirror of
https://github.com/nmasur/dotfiles
synced 2024-10-19 03:49:03 +00:00
Compare commits
No commits in common. "22cba9acac6933c17b1949ce804bdd948ad8f031" and "b07a8f5e20e45f6c513f6c91e00b1444984e9f72" have entirely different histories.
22cba9acac
...
b07a8f5e20
@ -53,7 +53,6 @@ inputs.nixpkgs.lib.nixosSystem {
|
|||||||
dotfiles.enable = true;
|
dotfiles.enable = true;
|
||||||
arrs.enable = true;
|
arrs.enable = true;
|
||||||
|
|
||||||
services.bind.enable = true;
|
|
||||||
services.caddy.enable = true;
|
services.caddy.enable = true;
|
||||||
services.jellyfin.enable = true;
|
services.jellyfin.enable = true;
|
||||||
services.nextcloud.enable = true;
|
services.nextcloud.enable = true;
|
||||||
|
|||||||
@ -10,9 +10,6 @@
|
|||||||
services.avahi = {
|
services.avahi = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domainName = "local";
|
domainName = "local";
|
||||||
ipv6 = false; # Should work either way
|
|
||||||
# Resolve local hostnames using Avahi DNS
|
|
||||||
nssmdns = true;
|
|
||||||
publish = {
|
publish = {
|
||||||
enable = true;
|
enable = true;
|
||||||
addresses = true;
|
addresses = true;
|
||||||
@ -20,6 +17,10 @@
|
|||||||
workstation = true;
|
workstation = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Resolve local hostnames using Avahi DNS
|
||||||
|
services.avahi.nssmdns = true;
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,55 +0,0 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
|
|
||||||
localIp = "192.168.1.218";
|
|
||||||
localServices = [
|
|
||||||
config.hostnames.stream
|
|
||||||
config.hostnames.content
|
|
||||||
config.hostnames.books
|
|
||||||
config.hostnames.download
|
|
||||||
];
|
|
||||||
mkRecord = service: "${service} A ${localIp}";
|
|
||||||
localRecords = lib.concatLines (map mkRecord localServices);
|
|
||||||
|
|
||||||
in {
|
|
||||||
|
|
||||||
config = lib.mkIf config.services.bind.enable {
|
|
||||||
|
|
||||||
caddy.cidrAllowlist = [ "192.168.0.0/16" ];
|
|
||||||
|
|
||||||
services.bind = {
|
|
||||||
cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
|
|
||||||
forwarders = [ "1.1.1.1" "1.0.0.1" ];
|
|
||||||
ipv4Only = true;
|
|
||||||
|
|
||||||
# Use rpz zone as an override
|
|
||||||
extraOptions = ''response-policy { zone "rpz"; };'';
|
|
||||||
|
|
||||||
zones = {
|
|
||||||
rpz = {
|
|
||||||
master = true;
|
|
||||||
file = pkgs.writeText "db.rpz" ''
|
|
||||||
$TTL 60 ; 1 minute
|
|
||||||
@ IN SOA localhost. root.localhost. (
|
|
||||||
2023071800 ; serial
|
|
||||||
1h ; refresh
|
|
||||||
30m ; retry
|
|
||||||
1w ; expire
|
|
||||||
30m ; minimum ttl
|
|
||||||
)
|
|
||||||
IN NS localhost.
|
|
||||||
localhost A 127.0.0.1
|
|
||||||
${localRecords}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
|
||||||
@ -1,70 +1,55 @@
|
|||||||
{ config, pkgs, lib, ... }: {
|
{ config, pkgs, lib, ... }: {
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
caddy = {
|
caddy.tlsPolicies = lib.mkOption {
|
||||||
tlsPolicies = lib.mkOption {
|
type = lib.types.listOf lib.types.attrs;
|
||||||
type = lib.types.listOf lib.types.attrs;
|
description = "Caddy JSON TLS policies";
|
||||||
description = "Caddy JSON TLS policies";
|
default = [ ];
|
||||||
default = [ ];
|
};
|
||||||
};
|
caddy.routes = lib.mkOption {
|
||||||
routes = lib.mkOption {
|
type = lib.types.listOf lib.types.attrs;
|
||||||
type = lib.types.listOf lib.types.attrs;
|
description = "Caddy JSON routes for http servers";
|
||||||
description = "Caddy JSON routes for http servers";
|
default = [ ];
|
||||||
default = [ ];
|
};
|
||||||
};
|
caddy.blocks = lib.mkOption {
|
||||||
blocks = lib.mkOption {
|
type = lib.types.listOf lib.types.attrs;
|
||||||
type = lib.types.listOf lib.types.attrs;
|
description = "Caddy JSON error blocks for http servers";
|
||||||
description = "Caddy JSON error blocks for http servers";
|
default = [ ];
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
cidrAllowlist = lib.mkOption {
|
|
||||||
type = lib.types.listOf lib.types.str;
|
|
||||||
description = "CIDR blocks to allow for requests";
|
|
||||||
default = [ "127.0.0.1/32" ];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.services.caddy.enable {
|
config =
|
||||||
|
lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
|
||||||
|
|
||||||
# Force Caddy to 403 if not coming from allowlisted source
|
services.caddy = {
|
||||||
caddy.routes = [{
|
adapter = "''"; # Required to enable JSON
|
||||||
match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
|
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
|
||||||
handle = [{
|
apps.http.servers.main = {
|
||||||
handler = "static_response";
|
listen = [ ":443" ];
|
||||||
status_code = "403";
|
routes = config.caddy.routes;
|
||||||
}];
|
errors.routes = config.caddy.blocks;
|
||||||
}];
|
# logs = { }; # Uncomment to collect access logs
|
||||||
|
|
||||||
services.caddy = {
|
|
||||||
adapter = "''"; # Required to enable JSON
|
|
||||||
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
|
|
||||||
apps.http.servers.main = {
|
|
||||||
listen = [ ":443" ];
|
|
||||||
routes = config.caddy.routes;
|
|
||||||
errors.routes = config.caddy.blocks;
|
|
||||||
# logs = { }; # Uncomment to collect access logs
|
|
||||||
};
|
|
||||||
apps.http.servers.metrics = { }; # Enables Prometheus metrics
|
|
||||||
apps.tls.automation.policies = config.caddy.tlsPolicies;
|
|
||||||
logging.logs.main = {
|
|
||||||
encoder = { format = "console"; };
|
|
||||||
writer = {
|
|
||||||
output = "file";
|
|
||||||
filename = "${config.services.caddy.logDir}/caddy.log";
|
|
||||||
roll = true;
|
|
||||||
};
|
};
|
||||||
level = "INFO";
|
apps.http.servers.metrics = { }; # Enables Prometheus metrics
|
||||||
};
|
apps.tls.automation.policies = config.caddy.tlsPolicies;
|
||||||
});
|
logging.logs.main = {
|
||||||
|
encoder = { format = "console"; };
|
||||||
|
writer = {
|
||||||
|
output = "file";
|
||||||
|
filename = "${config.services.caddy.logDir}/caddy.log";
|
||||||
|
roll = true;
|
||||||
|
};
|
||||||
|
level = "INFO";
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||||
|
|
||||||
|
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
|
||||||
|
|
||||||
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -41,7 +41,13 @@ in {
|
|||||||
config = lib.mkIf config.cloudflare.enable {
|
config = lib.mkIf config.cloudflare.enable {
|
||||||
|
|
||||||
# Forces Caddy to error if coming from a non-Cloudflare IP
|
# Forces Caddy to error if coming from a non-Cloudflare IP
|
||||||
caddy.cidrAllowlist = cloudflareIpRanges;
|
caddy.routes = [{
|
||||||
|
match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
|
||||||
|
handle = [{
|
||||||
|
handler = "static_response";
|
||||||
|
status_code = "403";
|
||||||
|
}];
|
||||||
|
}];
|
||||||
|
|
||||||
# Tell Caddy to use Cloudflare DNS for ACME challenge validation
|
# Tell Caddy to use Cloudflare DNS for ACME challenge validation
|
||||||
services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
|
services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
|
||||||
|
|||||||
@ -3,7 +3,6 @@
|
|||||||
imports = [
|
imports = [
|
||||||
./arr.nix
|
./arr.nix
|
||||||
./backups.nix
|
./backups.nix
|
||||||
./bind.nix
|
|
||||||
./caddy.nix
|
./caddy.nix
|
||||||
./calibre.nix
|
./calibre.nix
|
||||||
./cloudflare-tunnel.nix
|
./cloudflare-tunnel.nix
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user