Merge pull request #63 from ryan4yin/caddy

feat: add caddy as a reverse proxy for applications
2026-03-18 07:24:10 +01:00 · 2024-02-18 11:33:15 +08:00
parent a321d2c803 5fe647c0d3
commit f1c79bbb70
7 changed files with 83 additions and 9 deletions
--- a/hosts/idols_kana/caddy.nix
+++ b/hosts/idols_kana/caddy.nix
@@ -0,0 +1,36 @@
+{useremail, ...}: {
+  services.caddy = {
+    enable = true;
+    # Reload Caddy instead of restarting it when configuration file changes.
+    enableReload = true;
+    user = "caddy"; # User account under which caddy runs.
+    dataDir = "/var/lib/caddy";
+    logDir = "/var/log/caddy";
+
+    # Additional lines of configuration appended to the global config section of the Caddyfile.
+    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+    globalConfig = ''
+      http_port    80
+      https_port   443
+      auto_https   off
+    '';
+
+    # ACME related settings.
+    # email = useremail;
+    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+    virtualHosts."http://dashy.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:4000
+    '';
+    virtualHosts."http://transmission.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9091
+    '';
+    virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3001
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}
--- a/hosts/idols_kana/oci-containers/dashy/default.nix
+++ b/hosts/idols_kana/oci-containers/dashy/default.nix
@@ -10,7 +10,7 @@
    dashy = {
      hostname = "dashy";
      image = "lissy93/dashy:latest";
-      ports = ["4000:80"];
+      ports = ["127.0.0.1:4000:80"];
      environment = {
        "NODE_ENV" = "production";
      };
--- a/hosts/idols_kana/transmission.nix
+++ b/hosts/idols_kana/transmission.nix
@@ -44,7 +44,7 @@ in {

      # rpc = Web Interface
      rpc-port = 9091;
-      rpc-bind-address = "0.0.0.0";
+      rpc-bind-address = "127.0.0.1";
      anti-brute-force-enabled = true;
      # After this amount of failed authentication attempts is surpassed,
      # the RPC server will deny any further authentication attempts until it is restarted.
--- a/hosts/idols_kana/uptime-kuma.nix
+++ b/hosts/idols_kana/uptime-kuma.nix
@@ -4,7 +4,7 @@
    enable = true;
    # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
    settings = {
-      "UPTIME_KUMA_HOST" = "0.0.0.0";
+      "UPTIME_KUMA_HOST" = "127.0.0.1";
      "UPTIME_KUMA_PORT" = "3001";
      "DATA_DIR" = "/var/lib/uptime-kuma/";
    };
--- a/hosts/idols_ruby/caddy.nix
+++ b/hosts/idols_ruby/caddy.nix
@@ -0,0 +1,36 @@
+{useremail, ...}: {
+  services.caddy = {
+    enable = true;
+    # Reload Caddy instead of restarting it when configuration file changes.
+    enableReload = true;
+    user = "caddy"; # User account under which caddy runs.
+    dataDir = "/var/lib/caddy";
+    logDir = "/var/log/caddy";
+
+    # Additional lines of configuration appended to the global config section of the Caddyfile.
+    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+    globalConfig = ''
+      http_port    80
+      https_port   443
+      auto_https   off
+    '';
+
+    # ACME related settings.
+    # email = useremail;
+    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+    virtualHosts."http://grafana.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3000
+    '';
+    virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9090
+    '';
+    virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9093
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}
--- a/hosts/idols_ruby/grafana/default.nix
+++ b/hosts/idols_ruby/grafana/default.nix
@@ -11,8 +11,8 @@
    # DeclarativePlugins = with pkgs.grafanaPlugins; [ grafana-piechart-panel ];
    settings = {
      server = {
-        http_addr = "0.0.0.0";
-        http_port = 80;
+        http_addr = "127.0.0.1";
+        http_port = 3000;
        protocol = "http";
        domain = "grafana.writefo.fun";
        # Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.
--- a/hosts/idols_ruby/prometheus/default.nix
+++ b/hosts/idols_ruby/prometheus/default.nix
@@ -7,9 +7,9 @@
  services.prometheus = {
    enable = true;
    checkConfig = true;
-    listenAddress = "0.0.0.0";
+    listenAddress = "127.0.0.1";
    port = 9090;
-    webExternalUrl = "https://prometheus.writefor.fun";
+    webExternalUrl = "http://prometheus.writefor.fun";

    extraFlags = ["--storage.tsdb.retention.time=15d"];
    # Directory below /var/lib to store Prometheus metrics data.
@@ -69,10 +69,12 @@

  services.prometheus.alertmanager = {
    enable = true;
+    listenAddress = "127.0.0.1";
+    port = 9093;
+    webExternalUrl = "http://alertmanager.writefor.fun";
    logLevel = "info";
+
    environmentFile = config.age.secrets."alertmanager.env".path;
-    webExternalUrl = "https://alertmanager.writefor.fun";
-    listenAddress = "[::1]";
    configuration = {
      global = {
        # The smarthost and SMTP sender used for mail notifications.