website: caddy cloudflare package

2024-12-02 18:55:35 +11:00 · 2024-12-02 18:55:35 +11:00 · a9ef09a8a4
commit a9ef09a8a4
parent c096dc295a
5 changed files with 95 additions and 25 deletions
--- a/modules/nixos/server/options.nix
+++ b/modules/nixos/server/options.nix
@ -24,7 +24,10 @@ in {
    };

    webserver = {
-      caddy.enable = mkEnableOption "";
+      caddy = {
+        enable = mkEnableOption "";
+        cloudflare.enable = mkEnableOption "";
+      };
    };
    database = {
      postgresql.enable = mkEnableOption "";
--- a/modules/nixos/server/services/website/default.nix
+++ b/modules/nixos/server/services/website/default.nix
@ -15,7 +15,10 @@
  };
 in {
  config = mkIf (elem "website" services) {
-    ooknet.server.webserver.caddy.enable = true;
+    ooknet.server.webserver.caddy = {
+      enable = true;
+      cloudflare.enable = true;
+    };
    systemd.tmpfiles.settings.websiteDirs = {
      "/var/www"."d" = websitePermissions;
      "/var/www/ooknet.org"."d" = websitePermissions;
@ -45,29 +48,31 @@ in {
    };

    # using caddy because it makes my life easy
-    services.caddy.virtualHosts = {
-      "ooknet.org".extraConfig =
-        # sh
-        ''
-          encode zstd gzip
+    services.caddy = {
+      virtualHosts = {
+        "ooknet.org".extraConfig =
+          # sh
+          ''
+            encode zstd gzip

-          header {
-            Strict-Transport-Security "max-age=31536000;"
-            X-XSS-Protection "1; mode=block"
-            X-Frame-Options "DENY"
-            X-Content-Type-Options "nosniff"
-            -Server
+            header {
+              Strict-Transport-Security "max-age=31536000;"
+              X-XSS-Protection "1; mode=block"
+              X-Frame-Options "DENY"
+              X-Content-Type-Options "nosniff"
+              -Server


-            Referrer-Policy: no-referrer
-          }
+              Referrer-Policy "no-referrer"
+            }

-          root * /var/www/ooknet.org/
-          file_server
+            root * /var/www/ooknet.org/
+            file_server
+          '';
+        "www.ooknet.org".extraConfig = ''
+          redir https://ooknet.org{uri} permanent
        '';
-      "www.ooknet.org".extraConfig = ''
-        redir https://ooknet.org{uri}
-      '';
+      };
    };
  };
 }
--- a/modules/nixos/server/webserver/caddy.nix
+++ b/modules/nixos/server/webserver/caddy.nix
@ -1,16 +1,31 @@
 {
  config,
  lib,
+  self',
  ...
 }: let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf mkMerge;
  inherit (config.ooknet.server.webserver) caddy;
 in {
  config = mkIf caddy.enable {
    users.groups.www = {};
-    services.caddy = {
-      enable = true;
-      group = "www";
-    };
+    services.caddy = mkMerge [
+      {
+        enable = true;
+        group = "www";
+      }
+
+      (mkIf caddy.cloudflare.enable {
+        package = self'.packages.caddy-with-cloudflare;
+        globalConfig = ''
+          servers {
+            trusted_proxies cloudflare {
+            interval 12h
+            timeout 15s
+            }
+          }
+        '';
+      })
+    ];
  };
 }
--- a/outputs/pkgs/caddy-with-cloudflare/default.nix
+++ b/outputs/pkgs/caddy-with-cloudflare/default.nix
@ -0,0 +1,46 @@
+{
+  buildGoModule,
+  cacert,
+  go,
+  lib,
+  stdenv,
+  xcaddy,
+  caddy,
+}:
+caddy.override {
+  buildGoModule = args:
+    buildGoModule (args
+      // {
+        src = stdenv.mkDerivation rec {
+          pname = "caddy-using-xcaddy-${xcaddy.version}";
+          inherit (caddy) version;
+          dontUnpack = true;
+          dontFixup = true;
+          nativeBuildInputs = [cacert go];
+          plugins = [
+            "github.com/WeidiDeng/caddy-cloudflare-ip"
+          ];
+          configurePhase = ''
+            export GOCACHE=$TMPDIR/go-cache
+            export GOPATH="$TMPDIR/go"
+            export XCADDY_SKIP_BUILD=1
+          '';
+          buildPhase = ''
+            ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${
+              lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins
+            }
+            cd buildenv*
+            go mod vendor
+          '';
+          installPhase = ''
+            cp -r --reflink=auto . $out
+          '';
+          outputHash = "sha256-O3QWqgQtLOifsibyB0/UKricEGAx/3NhSjGbgu8+qgY=";
+          outputHashMode = "recursive";
+        };
+        subPackages = ["."];
+        ldflags = ["-s" "-w"];
+        vendorHash = null;
+      });
+}
+
--- a/outputs/pkgs/default.nix
+++ b/outputs/pkgs/default.nix
@ -8,6 +8,7 @@
      repopack = callPackage ./repopack {};
      live-buds-cli = callPackage ./live-buds-cli {};
      website = callPackage ./website {};
+      caddy-with-cloudflare = callPackage ./caddy-with-cloudflare {};

      ook-vim = mkNeovim pkgs [ook-vim-config];
    };