diff --git a/ops/nixos/lib/fup.nix b/ops/nixos/lib/fup.nix
index ebab7c1bdb..ecbe52250d 100644
--- a/ops/nixos/lib/fup.nix
+++ b/ops/nixos/lib/fup.nix
@@ -13,34 +13,17 @@ in
 };
 };
- config = let
- nginxListen = (map (addr: {
- inherit addr;
- port = 80;
- ssl = false;
- }) config.my.fup.listen) ++ (map (addr: {
- inherit addr;
- port = 443;
- ssl = true;
- }) config.my.fup.listen);
- in {
+ config = {
 my.vault.acmeCertificates."p.lukegb.com" = {
 hostnames = [ "p.lukegb.com" ];
- nginxVirtualHosts = [ "p.lukegb.com" ];
+ caddyVirtualHosts = [ "p.lukegb.com" ];
 };
- services.nginx = {
- enable = lib.mkDefault true;
+ services.caddy = {
 virtualHosts."p.lukegb.com" = {
- listen = nginxListen;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://unix:${sock}";
- extraConfig = ''
- proxy_redirect off;
- client_max_body_size 0;
- proxy_buffering off;
- '';
- };
+ extraConfig = ''
+ ${lib.optionalString (config.my.fup.listen != []) "bind ${lib.concatStringsSep " " config.my.fup.listen}"}
+ reverse_proxy unix/${sock}
+ '';
 };
 };
@@ -51,8 +34,8 @@ in
 listenStreams = [ sock ];
 wantedBy = [ "sockets.target" ];
 socketConfig = {
- SocketUser = config.services.nginx.user;
- SocketGroup = config.services.nginx.group;
+ SocketUser = config.services.caddy.user;
+ SocketGroup = config.services.caddy.group;
 SocketMode = "0700";
 };
 };
diff --git a/ops/nixos/lib/secretsmgr-acme.nix b/ops/nixos/lib/secretsmgr-acme.nix
index b5e6cc1598..2029751af0 100644
--- a/ops/nixos/lib/secretsmgr-acme.nix
+++ b/ops/nixos/lib/secretsmgr-acme.nix
@@ -43,6 +43,11 @@ in
 default = [];
 description = "List of nginx virtual hosts to apply SSL to.";
 };
+ caddyVirtualHosts = mkOption {
+ type = listOf str;
+ default = [];
+ description = "List of caddy virtual hosts to apply SSL to.";
+ };
 group = mkOption {
 type = str;
 default = if isNginx then "nginx" else "acme";
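Review bot: The new `services.caddy` block never enables the service: the removed nginx block carried `enable = lib.mkDefault true;`, but the Caddy side only defines `virtualHosts."p.lukegb.com"`, so unless the importing host enables Caddy elsewhere (nothing in this diff does; rexxar's hunks only add the import and set `my.fup.listen`), the socket units in the second hunk are created for a proxy that is not running. I'd keep the previous pattern: `services.caddy = { enable = lib.mkDefault true; virtualHosts."p.lukegb.com" = { … }; };`. Separately, `forceSSL = true`, `client_max_body_size 0` and `proxy_buffering off` have no stated Caddy counterpart; as far as I know Caddy's automatic HTTPS redirect and its unlimited request body are the defaults that replace them, but a one-line comment in `extraConfig` recording that this upload path relies on those defaults would spare the next reader the check. The enclosing module body continues outside the hunk.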
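Review bot: `caddyVirtualHosts` is added, but the `group` default on the following context lines (`default = if isNginx then "nginx" else "acme";`) still only distinguishes nginx from the fallback, so on a host that serves these certificates through Caddy alone the key files would presumably end up group-owned by `acme`, which the caddy user cannot read unless that membership is arranged elsewhere; the `tls` directive injected by the second hunk of this file would then fail when Caddy starts. `isNginx` is defined outside the hunk, so I cannot tell from here whether it already accounts for Caddy. If it does not, mirror it: `default = if isNginx then "nginx" else if isCaddy then "caddy" else "acme";` with `isCaddy = config.services.caddy.enable;` (constructed name) declared next to `isNginx`. The enclosing options set continues outside the hunk.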
@@ -71,15 +76,20 @@ in
 config = mkIf config.my.vault.secretsmgr.acmeCertificates.enable {
 services.nginx = optionalAttrs config.my.vault.enable {
- virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let
- fullchain = fullchainPath certData;
- chain = chainPath certData;
- key = keyPath certData;
- in map (hostName: lib.nameValuePair hostName {
- sslCertificate = mkDefault (fullchainPath certData);
- sslCertificateKey = mkDefault (keyPath certData);
- sslTrustedCertificate = mkDefault (chainPath certData);
- }) certData.nginxVirtualHosts) acmeCertificates);
+ virtualHosts = builtins.listToAttrs (builtins.concatMap (certData:
+ map (hostName: lib.nameValuePair hostName {
+ sslCertificate = mkDefault (fullchainPath certData);
+ sslCertificateKey = mkDefault (keyPath certData);
+ sslTrustedCertificate = mkDefault (chainPath certData);
+ }) certData.nginxVirtualHosts) acmeCertificates);
+ };
+ services.caddy = optionalAttrs config.my.vault.enable {
+ virtualHosts = builtins.listToAttrs (builtins.concatMap (certData:
+ map (hostName: lib.nameValuePair hostName {
+ extraConfig = lib.mkBefore ''
+ tls ${fullchainPath certData} ${keyPath certData}
+ '';
+ }) certData.caddyVirtualHosts) acmeCertificates);
 };
 my.vault.secretsmgr.groups = mkAfter allGroups;
diff --git a/ops/nixos/rexxar/default.nix b/ops/nixos/rexxar/default.nix
index 3fae753527..0ae95341db 100644
--- a/ops/nixos/rexxar/default.nix
+++ b/ops/nixos/rexxar/default.nix
@@ -13,6 +13,7 @@
 ../lib/hackyplayer.nix
 ../lib/emfminiserv.nix
 ../lib/seaweedfs.nix
+ ../lib/fup.nix
 ];
 # Otherwise _this_ machine won't enumerate things properly.
@@ -502,5 +503,7 @@
 ReadOnlyPaths = lib.mkAfter [ "/var/lib/acme" ];
 };
+ my.fup.listen = [];
+
 system.stateVersion = "24.05";
 }
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index c2ceda99b6..dcb0b987a2 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
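Review bot: `my.fup.listen = [];` deserves a comment, because in fup.nix an empty list suppresses the `bind` line entirely, so Caddy serves this vhost on its default wildcard listener rather than on no address at all; a reader seeing an empty listen list may assume the opposite. If exposing the vhost on every interface of rexxar is intended, say so: `my.fup.listen = []; # empty list: no bind directive is emitted, Caddy listens on all interfaces`; if the option exists to restrict exposure, list the addresses instead. The option's type is declared outside this diff, so whether `[]` is the intended sentinel cannot be confirmed here.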
@@ -89,7 +89,6 @@
 my.servers.bvm-prosody.apps = [ "turn" ];
 my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
 my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
- my.servers.blade-tuvok.apps = [ "fup" ];
 my.servers.bvm-netbox.apps = [ "netbox" ];
- my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
+ my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" ];
 }
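Review bot: Moving `"fup"` from blade-tuvok to rexxar appears to change which host the vault configuration grants the fup secrets to, but the diff does not show blade-tuvok dropping `../lib/fup.nix` from its imports; if that host still imports the module, it keeps a vhost and socket units for a service whose secrets it can no longer fetch. Worth confirming that the blade-tuvok side was cleaned up (or is tracked separately) and recording that in the commit message, since the two halves of the move are otherwise easy to lose track of.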