From 5fe647c0d37d4ca23fc73b1c18824d6a5a7b6ce1 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Sun, 18 Feb 2024 11:01:44 +0800
Subject: [PATCH] feat: add caddy as a reverse proxy for applications
---
 hosts/idols_kana/caddy.nix | 36 +++++++++++++++++++
 .../oci-containers/dashy/default.nix | 2 +-
 hosts/idols_kana/transmission.nix | 2 +-
 hosts/idols_kana/uptime-kuma.nix | 2 +-
 hosts/idols_ruby/caddy.nix | 36 +++++++++++++++++++
 hosts/idols_ruby/grafana/default.nix | 4 +--
 hosts/idols_ruby/prometheus/default.nix | 10 +++---
 7 files changed, 83 insertions(+), 9 deletions(-)
 create mode 100644 hosts/idols_kana/caddy.nix
 create mode 100644 hosts/idols_ruby/caddy.nix
diff --git a/hosts/idols_kana/caddy.nix b/hosts/idols_kana/caddy.nix
new file mode 100644
index 00000000..33ef7d4a
--- /dev/null
+++ b/hosts/idols_kana/caddy.nix
@@ -0,0 +1,36 @@
+{useremail, ...}: {
+ services.caddy = {
+ enable = true;
+ # Reload Caddy instead of restarting it when configuration file changes.
+ enableReload = true;
+ user = "caddy"; # User account under which caddy runs.
+ dataDir = "/var/lib/caddy";
+ logDir = "/var/log/caddy";
+
+ # Additional lines of configuration appended to the global config section of the Caddyfile.
+ # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+ globalConfig = ''
+ http_port 80
+ https_port 443
+ auto_https off
+ '';
+
+ # ACME related settings.
+ # email = useremail;
+ # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+ virtualHosts."http://dashy.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:4000
+ '';
+ virtualHosts."http://transmission.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:9091
+ '';
+ virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3001
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+}
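Review bot: `networking.firewall.allowedTCPPorts = [80 443];` opens 443 although nothing in this file listens on it: `auto_https off` in `globalConfig` plus the `http://` scheme on every `virtualHosts` key mean Caddy serves plain HTTP only, and the ACME settings (`email`, `acmeCA`) are commented out; the same applies to hosts/idols_ruby/caddy.nix. As written, whatever credentials the proxied services require (the Transmission hunk's `anti-brute-force-enabled = true;` suggests RPC authentication is on) travel in the clear between the browser and Caddy. Either enable the commented ACME lines and drop the `http://` prefix from the vhost names, or shrink the rule to `networking.firewall.allowedTCPPorts = [80];` until TLS is turned on. `useremail` is taken as a module argument but only referenced inside a comment, which Nix will not flag.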
diff --git a/hosts/idols_kana/oci-containers/dashy/default.nix b/hosts/idols_kana/oci-containers/dashy/default.nix
index b979f01c..49338144 100644
--- a/hosts/idols_kana/oci-containers/dashy/default.nix
+++ b/hosts/idols_kana/oci-containers/dashy/default.nix
@@ -10,7 +10,7 @@
 dashy = {
 hostname = "dashy";
 image = "lissy93/dashy:latest";
- ports = ["4000:80"];
+ ports = ["127.0.0.1:4000:80"];
 environment = {
 "NODE_ENV" = "production";
 };
diff --git a/hosts/idols_kana/transmission.nix b/hosts/idols_kana/transmission.nix
index 30b1855b..6cd67203 100644
--- a/hosts/idols_kana/transmission.nix
+++ b/hosts/idols_kana/transmission.nix
@@ -44,7 +44,7 @@ in {
 # rpc = Web Interface
 rpc-port = 9091;
- rpc-bind-address = "0.0.0.0";
+ rpc-bind-address = "127.0.0.1";
 anti-brute-force-enabled = true;
 # After this amount of failed authentication attempts is surpassed,
 # the RPC server will deny any further authentication attempts until it is restarted.
diff --git a/hosts/idols_kana/uptime-kuma.nix b/hosts/idols_kana/uptime-kuma.nix
index 1c48af3b..b7ba46e2 100644
--- a/hosts/idols_kana/uptime-kuma.nix
+++ b/hosts/idols_kana/uptime-kuma.nix
@@ -4,7 +4,7 @@
 enable = true;
 # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
 settings = {
- "UPTIME_KUMA_HOST" = "0.0.0.0";
+ "UPTIME_KUMA_HOST" = "127.0.0.1";
 "UPTIME_KUMA_PORT" = "3001";
 "DATA_DIR" = "/var/lib/uptime-kuma/";
 };
diff --git a/hosts/idols_ruby/caddy.nix b/hosts/idols_ruby/caddy.nix
new file mode 100644
index 00000000..cf304bd9
--- /dev/null
+++ b/hosts/idols_ruby/caddy.nix
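Review bot: Binding the RPC to `127.0.0.1` is the right move for the new Caddy front end, but Transmission also checks the HTTP `Host` header against `rpc-host-whitelist` when `rpc-host-whitelist-enabled` is on (the daemon's default), and Caddy's `reverse_proxy` forwards the client's `Host` unchanged, so requests arriving as `transmission.writefor.fun` are refused unless that name is whitelisted. Unless it is already set elsewhere in the `settings` block, which starts outside the hunk, add `rpc-host-whitelist = "transmission.writefor.fun";` next to `rpc-bind-address`.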
@@ -0,0 +1,36 @@
+{useremail, ...}: {
+ services.caddy = {
+ enable = true;
+ # Reload Caddy instead of restarting it when configuration file changes.
+ enableReload = true;
+ user = "caddy"; # User account under which caddy runs.
+ dataDir = "/var/lib/caddy";
+ logDir = "/var/log/caddy";
+
+ # Additional lines of configuration appended to the global config section of the Caddyfile.
+ # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
+ globalConfig = ''
+ http_port 80
+ https_port 443
+ auto_https off
+ '';
+
+ # ACME related settings.
+ # email = useremail;
+ # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
+
+ virtualHosts."http://grafana.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3000
+ '';
+ virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:9090
+ '';
+ virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:9093
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+}
diff --git a/hosts/idols_ruby/grafana/default.nix b/hosts/idols_ruby/grafana/default.nix
index 29c26153..9f17431c 100644
--- a/hosts/idols_ruby/grafana/default.nix
+++ b/hosts/idols_ruby/grafana/default.nix
@@ -11,8 +11,8 @@
 # DeclarativePlugins = with pkgs.grafanaPlugins; [ grafana-piechart-panel ];
 settings = {
 server = {
- http_addr = "0.0.0.0";
- http_port = 80;
+ http_addr = "127.0.0.1";
+ http_port = 3000;
 protocol = "http";
 domain = "grafana.writefo.fun";
 # Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.
diff --git a/hosts/idols_ruby/prometheus/default.nix b/hosts/idols_ruby/prometheus/default.nix
index 1f67f4b8..798a4987 100644
--- a/hosts/idols_ruby/prometheus/default.nix
+++ b/hosts/idols_ruby/prometheus/default.nix
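Review bot: The `prometheus.writefor.fun` and `alertmanager.writefor.fun` virtual hosts publish two services that ship without a login of their own, and their `extraConfig` strings contain only `encode` and `reverse_proxy`, so once port 80 is opened anyone who can reach the host can read every scraped metric and create or expire silences in Alertmanager; Grafana, by contrast, has its own authentication. Put an access control in front of these two, for example a `basicauth` block in each `extraConfig` or a client-address restriction on the two vhosts, before exposing them. Before this commit both daemons listened on `0.0.0.0` directly, so whether this is new exposure depends on the firewall rules for 9090/9093, which are not in the diff.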
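Review bot: Caddy now proxies this instance under `grafana.writefor.fun`, but the `domain = "grafana.writefo.fun";` context line two lines below the change still carries a different spelling, and the comment that follows it describes redirecting requests whose host header does not match the domain. If that redirect is enabled (the option sits outside the hunk), every request that arrives through the new proxy is bounced to a hostname Caddy does not serve. Change the line to `domain = "grafana.writefor.fun";` in the same commit that introduces the vhost. The `settings.server` block continues past the end of the hunk.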
@@ -7,9 +7,9 @@
 services.prometheus = {
 enable = true;
 checkConfig = true;
- listenAddress = "0.0.0.0";
+ listenAddress = "127.0.0.1";
 port = 9090;
- webExternalUrl = "https://prometheus.writefor.fun";
+ webExternalUrl = "http://prometheus.writefor.fun";
 extraFlags = ["--storage.tsdb.retention.time=15d"];
 # Directory below /var/lib to store Prometheus metrics data.
@@ -69,10 +69,12 @@
 services.prometheus.alertmanager = {
 enable = true;
+ listenAddress = "127.0.0.1";
+ port = 9093;
+ webExternalUrl = "http://alertmanager.writefor.fun";
 logLevel = "info";
+ environmentFile = config.age.secrets."alertmanager.env".path;
- webExternalUrl = "https://alertmanager.writefor.fun";
- listenAddress = "[::1]";
 configuration = {
 global = {
 # The smarthost and SMTP sender used for mail notifications.