From 50032d438362cc1d205d537f21351159afa75336 Mon Sep 17 00:00:00 2001
From: Adithya Nair
Date: Sun, 27 Oct 2024 20:50:37 +0530
Subject: [PATCH] all: use ACME DNS challenge only for internal domains
---
 hosts/layne/services/apps/jackett.nix | 7 ++++++-
 hosts/layne/services/apps/jellyfin.nix | 4 +++-
 hosts/layne/services/apps/radarr.nix | 7 ++++++-
 hosts/layne/services/apps/readarr.nix | 7 ++++++-
 hosts/layne/services/apps/sonarr.nix | 7 ++++++-
 hosts/layne/services/apps/transmission.nix | 3 ++-
 hosts/rico0/services/default.nix | 11 ++++++++++-
 hosts/rico1/services/apps/alertmanager.nix | 3 ++-
 hosts/rico1/services/apps/blocky.nix | 3 ++-
 hosts/rico1/services/apps/grafana.nix | 3 ++-
 hosts/rico1/services/apps/loki/default.nix | 3 ++-
 hosts/rico1/services/apps/prometheus.nix | 3 ++-
 hosts/shared/caddy-helpers.nix | 6 ++++++
 hosts/shared/caddy.nix | 3 +--
 hosts/shared/prometheus-exporters.nix | 3 ++-
 15 files changed, 58 insertions(+), 15 deletions(-)
diff --git a/hosts/layne/services/apps/jackett.nix b/hosts/layne/services/apps/jackett.nix
index 21dedda..7306fb5 100644
--- a/hosts/layne/services/apps/jackett.nix
+++ b/hosts/layne/services/apps/jackett.nix
@@ -1,7 +1,12 @@
-_: {
+_:
+let
+ inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
 services = {
 caddy.virtualHosts."jackett.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:9117
 '';
 };
diff --git a/hosts/layne/services/apps/jellyfin.nix b/hosts/layne/services/apps/jellyfin.nix
index f4d55c2..3c9c171 100644
--- a/hosts/layne/services/apps/jellyfin.nix
+++ b/hosts/layne/services/apps/jellyfin.nix
@@ -1,6 +1,6 @@
 _:
 let
- inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+ inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 domainName = "watch.acomputer.lol";
 in
 {
@@ -10,12 +10,14 @@ in
 "jellyfin.local.adtya.xyz" = {
 logFormat = logFormat "jellyfin.local.adtya.xyz";
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:8096
 '';
 };
 "jellyfin.labs.adtya.xyz" = {
 logFormat = logFormat "jellyfin.labs.adtya.xyz";
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:8096
 '';
 };
diff --git a/hosts/layne/services/apps/radarr.nix b/hosts/layne/services/apps/radarr.nix
index 8c5ddd9..5150335 100644
--- a/hosts/layne/services/apps/radarr.nix
+++ b/hosts/layne/services/apps/radarr.nix
@@ -1,7 +1,12 @@
-_: {
+_:
+let
+ inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
 services = {
 caddy.virtualHosts."radarr.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:7878
 '';
 };
diff --git a/hosts/layne/services/apps/readarr.nix b/hosts/layne/services/apps/readarr.nix
index 48d0ebc..deae058 100644
--- a/hosts/layne/services/apps/readarr.nix
+++ b/hosts/layne/services/apps/readarr.nix
@@ -1,7 +1,12 @@
-_: {
+_:
+let
+ inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
 services = {
 caddy.virtualHosts."readarr.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:8787
 '';
 };
diff --git a/hosts/layne/services/apps/sonarr.nix b/hosts/layne/services/apps/sonarr.nix
index af57505..4ec1ab8 100644
--- a/hosts/layne/services/apps/sonarr.nix
+++ b/hosts/layne/services/apps/sonarr.nix
@@ -1,7 +1,12 @@
-_: {
+_:
+let
+ inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
 services = {
 caddy.virtualHosts."sonarr.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:8989
 '';
 };
diff --git a/hosts/layne/services/apps/transmission.nix b/hosts/layne/services/apps/transmission.nix
index 1890a61..c5ac98e 100644
--- a/hosts/layne/services/apps/transmission.nix
+++ b/hosts/layne/services/apps/transmission.nix
@@ -1,6 +1,6 @@
 { pkgs, ... }:
 let
- inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+ inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 in
 {
 services = {
@@ -8,6 +8,7 @@ in
 virtualHosts."transmission.labs.adtya.xyz" = {
 logFormat = logFormat "transmission.labs.adtya.xyz";
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:9091
 '';
 };
diff --git a/hosts/rico0/services/default.nix b/hosts/rico0/services/default.nix
index d2e5b00..bc930c1 100644
--- a/hosts/rico0/services/default.nix
+++ b/hosts/rico0/services/default.nix
@@ -1,4 +1,8 @@
-_: {
+_:
+let
+ inherit (import ../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
 imports = [
 ./apps
 ./btrfs.nix
@@ -11,26 +15,31 @@ _: {
 virtualHosts = {
 "gateway.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 192.168.0.1:80
 '';
 };
 "ap1.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 192.168.1.1:80
 '';
 };
 "ap2.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 192.168.1.2:80
 '';
 };
 "switch.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 192.168.1.3:80
 '';
 };
 "frp.labs.adtya.xyz" = {
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 10.10.10.1:7500
 '';
 };
diff --git a/hosts/rico1/services/apps/alertmanager.nix b/hosts/rico1/services/apps/alertmanager.nix
index cbffd4b..642da24 100644
--- a/hosts/rico1/services/apps/alertmanager.nix
+++ b/hosts/rico1/services/apps/alertmanager.nix
@@ -1,6 +1,6 @@
 _:
 let
- inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+ inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 domainName = "alertmanager.labs.adtya.xyz";
 in
 {
@@ -9,6 +9,7 @@ in
 virtualHosts."${domainName}" = {
 logFormat = logFormat "${domainName}";
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:9093
 '';
 };
diff --git a/hosts/rico1/services/apps/blocky.nix b/hosts/rico1/services/apps/blocky.nix
index df22fe4..96f557a 100644
--- a/hosts/rico1/services/apps/blocky.nix
+++ b/hosts/rico1/services/apps/blocky.nix
@@ -1,6 +1,6 @@
 { pkgs, ... }:
 let
- inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+ inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 domainName = "blocky.labs.adtya.xyz";
 in
 {
@@ -20,6 +20,7 @@ in
 virtualHosts."${domainName}" = {
 logFormat = logFormat domainName;
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:8080
 '';
 };
diff --git a/hosts/rico1/services/apps/grafana.nix b/hosts/rico1/services/apps/grafana.nix
index 4e4c3e6..622f6db 100644
--- a/hosts/rico1/services/apps/grafana.nix
+++ b/hosts/rico1/services/apps/grafana.nix
@@ -1,6 +1,6 @@
 _:
 let
- inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+ inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 domainName = "grafana.labs.adtya.xyz";
 in
 {
@@ -9,6 +9,7 @@ in
 virtualHosts."${domainName}" = {
 logFormat = logFormat domainName;
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:9091
 '';
 };
diff --git a/hosts/rico1/services/apps/loki/default.nix b/hosts/rico1/services/apps/loki/default.nix
index 7683d81..ba82b48 100644
--- a/hosts/rico1/services/apps/loki/default.nix
+++ b/hosts/rico1/services/apps/loki/default.nix
@@ -1,6 +1,6 @@
 _:
 let
- inherit (import ../../../../shared/caddy-helpers.nix) logFormat;
+ inherit (import ../../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 domainName = "loki.labs.adtya.xyz";
 in
 {
@@ -9,6 +9,7 @@ in
 virtualHosts."${domainName}" = {
 logFormat = logFormat domainName;
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:3100
 '';
 };
diff --git a/hosts/rico1/services/apps/prometheus.nix b/hosts/rico1/services/apps/prometheus.nix
index dcb845a..adaafa3 100644
--- a/hosts/rico1/services/apps/prometheus.nix
+++ b/hosts/rico1/services/apps/prometheus.nix
@@ -1,6 +1,6 @@
 _:
 let
- inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+ inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 domainName = "prometheus.labs.adtya.xyz";
 in
 {
@@ -9,6 +9,7 @@ in
 virtualHosts."${domainName}" = {
 logFormat = logFormat domainName;
 extraConfig = ''
+ ${tlsDNSChallenge}
 reverse_proxy 127.0.0.1:9090
 '';
 };
diff --git a/hosts/shared/caddy-helpers.nix b/hosts/shared/caddy-helpers.nix
index 2344ebc..53dcb87 100644
--- a/hosts/shared/caddy-helpers.nix
+++ b/hosts/shared/caddy-helpers.nix
@@ -4,4 +4,10 @@
 format json
 level DEBUG
 '';
+
+ tlsDNSChallenge = ''
+ tls {
+ dns digitalocean {env.DO_API_TOKEN}
+ }
+ '';
 }
diff --git a/hosts/shared/caddy.nix b/hosts/shared/caddy.nix
index 7e1389a..4aed177 100644
--- a/hosts/shared/caddy.nix
+++ b/hosts/shared/caddy.nix
@@ -17,9 +17,8 @@ in
 package = inputs.caddy.packages.${pkgs.system}.caddy;
 email = "admin@acomputer.lol";
 globalConfig = ''
- acme_dns digitalocean {env.DO_API_TOKEN}
 servers {
- trusted_proxies static private_ranges 10.10.10.0/24 fd7c:585c:c4ae::0/64
+ trusted_proxies static private_ranges 10.10.10.0/24
 client_ip_headers X-Forwarded-For X-Real-IP
 metrics
 }
diff --git a/hosts/shared/prometheus-exporters.nix b/hosts/shared/prometheus-exporters.nix
index ab7cfd8..55275bf 100644
--- a/hosts/shared/prometheus-exporters.nix
+++ b/hosts/shared/prometheus-exporters.nix
@@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
- inherit (import ./caddy-helpers.nix) logFormat;
+ inherit (import ./caddy-helpers.nix) logFormat tlsDNSChallenge;
 in
 {
 services = {
@@ -12,6 +12,7 @@ in
 virtualHosts."${vHost}" = {
 logFormat = logFormat vHost;
 extraConfig = ''
+ ${tlsDNSChallenge}
 metrics /caddy-metrics
 handle /metrics {
 reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}
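Review bot: The new `tlsDNSChallenge` in caddy-helpers.nix carries no comment saying when it is meant to be used, and now that the global `acme_dns` is gone from caddy.nix the choice of challenge is made per vhost by whoever copies this snippet. I'd add above it `# Per-vhost ACME DNS-01 challenge via DigitalOcean. Use only for names that` / `# are not reachable from the internet (HTTP-01/TLS-ALPN-01 cannot validate them);` / `# public vhosts keep Caddy's default challenges.` It is also worth stating there that `{env.DO_API_TOKEN}` is expanded by Caddy at runtime, so the token must reach Caddy through the service's environment rather than be interpolated from Nix, where it would end up in the world-readable store.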
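Review bot: The `trusted_proxies` line in the caddy.nix hunk also drops `fd7c:585c:c4ae::0/64`, which is unrelated to the ACME change in the subject and is not mentioned anywhere in the commit message. `trusted_proxies` decides whose `X-Forwarded-For`/`X-Real-IP` headers Caddy believes, so narrowing it is the safer direction, but if any upstream proxy still reaches Caddy from that ULA range its forwarded client IPs will silently be replaced by the proxy address in logs and metrics; I'd split it into its own commit or at least state the intent in the message. Separately, with the global `acme_dns` removed, any `.labs.adtya.xyz`/`.local.adtya.xyz` vhost not touched by this commit — I cannot tell from the diff whether one exists — would fall back to HTTP-01/TLS-ALPN-01 and fail issuance for an unreachable name, so a search for `virtualHosts` entries lacking `tlsDNSChallenge` before merging would confirm coverage. The `globalConfig` string and the enclosing attribute set continue outside the hunk.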