website: caddy cloudflare package

2024-12-02 18:55:35 +11:00 · 2024-12-02 18:55:35 +11:00 · a9ef09a8a4
commit a9ef09a8a4
parent c096dc295a
5 changed files with 95 additions and 25 deletions
--- a/modules/nixos/server/options.nix
+++ b/modules/nixos/server/options.nix
@ -24,7 +24,10 @@ in {
    };

    webserver = {
-      caddy.enable = mkEnableOption "";
+      caddy = {
+        enable = mkEnableOption "";
+        cloudflare.enable = mkEnableOption "";
+      };
    };
    database = {
      postgresql.enable = mkEnableOption "";
--- a/modules/nixos/server/services/website/default.nix
+++ b/modules/nixos/server/services/website/default.nix
@ -15,7 +15,10 @@
  };
 in {
  config = mkIf (elem "website" services) {
-    ooknet.server.webserver.caddy.enable = true;
+    ooknet.server.webserver.caddy = {
+      enable = true;
+      cloudflare.enable = true;
+    };
    systemd.tmpfiles.settings.websiteDirs = {
      "/var/www"."d" = websitePermissions;
      "/var/www/ooknet.org"."d" = websitePermissions;
@ -45,29 +48,31 @@ in {
    };

    # using caddy because it makes my life easy
-    services.caddy.virtualHosts = {
-      "ooknet.org".extraConfig =
-        # sh
-        ''
-          encode zstd gzip
+    services.caddy = {
+      virtualHosts = {
+        "ooknet.org".extraConfig =
+          # sh
+          ''
+            encode zstd gzip

-          header {
-            Strict-Transport-Security "max-age=31536000;"
-            X-XSS-Protection "1; mode=block"
-            X-Frame-Options "DENY"
-            X-Content-Type-Options "nosniff"
-            -Server
+            header {
+              Strict-Transport-Security "max-age=31536000;"
+              X-XSS-Protection "1; mode=block"
+              X-Frame-Options "DENY"
+              X-Content-Type-Options "nosniff"
+              -Server


-            Referrer-Policy: no-referrer
-          }
+              Referrer-Policy "no-referrer"
+            }

-          root * /var/www/ooknet.org/
-          file_server
+            root * /var/www/ooknet.org/
+            file_server
+          '';
+        "www.ooknet.org".extraConfig = ''
+          redir https://ooknet.org{uri} permanent
        '';
-      "www.ooknet.org".extraConfig = ''
-        redir https://ooknet.org{uri}
-      '';
+      };
    };
  };
 }
--- a/modules/nixos/server/webserver/caddy.nix
+++ b/modules/nixos/server/webserver/caddy.nix
@ -1,16 +1,31 @@
 {
  config,
  lib,
+  self',
  ...
 }: let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf mkMerge;
  inherit (config.ooknet.server.webserver) caddy;
 in {
  config = mkIf caddy.enable {
    users.groups.www = {};
-    services.caddy = {
-      enable = true;
-      group = "www";
-    };
+    services.caddy = mkMerge [
+      {
+        enable = true;
+        group = "www";
+      }
+
+      (mkIf caddy.cloudflare.enable {
+        package = self'.packages.caddy-with-cloudflare;
+        globalConfig = ''
+          servers {
+            trusted_proxies cloudflare {
+            interval 12h
+            timeout 15s
+            }
+          }
+        '';
+      })
+    ];
  };
 }