feat: add caddy as a reverse proxy for applications

hosts/idols_kana/caddy.nix

@@ -0,0 +1,36 @@
+{useremail, ...}: {
+  services.caddy = {
+    enable = true;
+    # Reload Caddy instead of restarting it when configuration file changes.
+    enableReload = true;
+    user = "caddy"; # User account under which caddy runs.
+    dataDir = "/var/lib/caddy";
+    logDir = "/var/log/caddy";
+
+    # Additional lines of configuration appended to the global config section of the Caddyfile.
+    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+    globalConfig = ''
+      http_port    80
+      https_port   443
+      auto_https   off
+    '';
+
+    # ACME related settings.
+    # email = useremail;
+    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+    virtualHosts."http://dashy.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:4000
+    '';
+    virtualHosts."http://transmission.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9091
+    '';
+    virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3001
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}

hosts/idols_kana/oci-containers/dashy/default.nix

@@ -10,7 +10,7 @@
     dashy = {
       hostname = "dashy";
       image = "lissy93/dashy:latest";
-      ports = ["4000:80"];
+      ports = ["127.0.0.1:4000:80"];
       environment = {
         "NODE_ENV" = "production";
       };

hosts/idols_kana/transmission.nix

@@ -44,7 +44,7 @@ in {
 
       # rpc = Web Interface
       rpc-port = 9091;
-      rpc-bind-address = "0.0.0.0";
+      rpc-bind-address = "127.0.0.1";
       anti-brute-force-enabled = true;
       # After this amount of failed authentication attempts is surpassed,
       # the RPC server will deny any further authentication attempts until it is restarted.

hosts/idols_kana/uptime-kuma.nix

@@ -4,7 +4,7 @@
     enable = true;
     # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
     settings = {
-      "UPTIME_KUMA_HOST" = "0.0.0.0";
+      "UPTIME_KUMA_HOST" = "127.0.0.1";
       "UPTIME_KUMA_PORT" = "3001";
       "DATA_DIR" = "/var/lib/uptime-kuma/";
     };

hosts/idols_ruby/caddy.nix

@@ -0,0 +1,36 @@
+{useremail, ...}: {
+  services.caddy = {
+    enable = true;
+    # Reload Caddy instead of restarting it when configuration file changes.
+    enableReload = true;
+    user = "caddy"; # User account under which caddy runs.
+    dataDir = "/var/lib/caddy";
+    logDir = "/var/log/caddy";
+
+    # Additional lines of configuration appended to the global config section of the Caddyfile.
+    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+    globalConfig = ''
+      http_port    80
+      https_port   443
+      auto_https   off
+    '';
+
+    # ACME related settings.
+    # email = useremail;
+    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+    virtualHosts."http://grafana.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3000
+    '';
+    virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9090
+    '';
+    virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9093
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}

hosts/idols_ruby/grafana/default.nix

@@ -11,8 +11,8 @@
     # DeclarativePlugins = with pkgs.grafanaPlugins; [ grafana-piechart-panel ];
     settings = {
       server = {
-        http_addr = "0.0.0.0";
+        http_addr = "127.0.0.1";
-        http_port = 80;
+        http_port = 3000;
         protocol = "http";
         domain = "grafana.writefo.fun";
         # Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.

hosts/idols_ruby/prometheus/default.nix

@@ -7,9 +7,9 @@
   services.prometheus = {
     enable = true;
     checkConfig = true;
-    listenAddress = "0.0.0.0";
+    listenAddress = "127.0.0.1";
     port = 9090;
-    webExternalUrl = "https://prometheus.writefor.fun";
+    webExternalUrl = "http://prometheus.writefor.fun";
 
     extraFlags = ["--storage.tsdb.retention.time=15d"];
     # Directory below /var/lib to store Prometheus metrics data.
@@ -69,10 +69,12 @@
 
   services.prometheus.alertmanager = {
     enable = true;
+    listenAddress = "127.0.0.1";
+    port = 9093;
+    webExternalUrl = "http://alertmanager.writefor.fun";
     logLevel = "info";
+
     environmentFile = config.age.secrets."alertmanager.env".path;
-    webExternalUrl = "https://alertmanager.writefor.fun";
-    listenAddress = "[::1]";
     configuration = {
       global = {
         # The smarthost and SMTP sender used for mail notifications.