diff --git a/services/caddy.nix b/services/caddy.nix
new file mode 100644
index 0000000..2f80550
--- /dev/null
+++ b/services/caddy.nix
@@ -0,0 +1,15 @@
+{ config, ... }: {
+ services.caddy = {
+ enable = true;
+ logFormat = "level INFO";
+ };
+
+ services.crowdsec = {
+ localConfig.acquisitions = [{
+ filenames = [ "${config.services.caddy.logDir}/*.log" ];
+ labels.type = "caddy";
+ }];
+
+ hub.parsers = [ "crowdsecurity/caddy-logs" ];
+ };
+}
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 51949ba..22562a0 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -36,7 +36,28 @@ in {
 };
 services.caddy.virtualHosts."vault.millironx.com".extraConfig = ''
- reverse_proxy http://127.0.0.1:${port}
+ # See
+ encode zstd gzip
+ header / {
+ Strict-Transport-Security "max-age=31536000;"
+ X-XSS-Protection "0"
+ X-Frame-Options "DENY"
+ X-Robots-Tag "noindex, nofollow"
+ X-Content-Type-Options "nosniff"
+ -Server
+ -X-Powered-By
+ -Last-Modified
+ }
+
+ @admin {
+ path /admin*
+ not remote_ip private_ranges 100.64.0.0/10
+ }
+ respond @admin "Access denied to remote clients. Use localhost or VPN." 403
+
+ reverse_proxy http://127.0.0.1:${port} {
+ header_up X-Real-IP {remote_host}
+ }
 '';
 users.users."${user}" = {
diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix
index cf01a65..95cb563 100644
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@@ -5,6 +5,7 @@
 ./hardware-configuration/mcentire.nix
 ./../../modules/podman-secrets.nix
 ./../../services/borgmatic.nix
+ ./../../services/caddy.nix
 ./../../services/crowdsec.nix
 ./../../services/authentik.nix
 ./../../services/audiobookshelf.nix
@@ -67,7 +68,6 @@
 services = {
 openssh.enable = true;
 tailscale.enable = true;
- caddy.enable = true;
 # Do not "enable" database services, but include the package configuration
 # so that borgmatic does not freak out about unset variables
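Review bot: The acquisition feeds Caddy's logs into CrowdSec, but the hunk installs only the `crowdsecurity/caddy-logs` parser; a parser by itself normalizes lines into events and raises nothing unless HTTP scenarios are installed as well, so unless `services/crowdsec.nix` already pulls them in, consider the collection that bundles the parser with them, e.g. `hub.collections = [ "crowdsecurity/caddy" ];`, if the module exposes `hub.collections` alongside `hub.parsers`. Detection also becomes enforcement only through a bouncer, which this file does not configure; if none is set up elsewhere, CrowdSec's decisions never reach Caddy or the firewall. `logFormat = "level INFO"` changes the global logger and, as far as I can tell from the nixpkgs module, is not what produces the per-host access logs the glob matches, so a one-line comment such as `# INFO so the global log carries more than errors; access logs are per-host` would stop a reader from assuming the acquisition depends on it.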
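Review bot: `header / {` applies the security headers only to requests for the exact path `/`: a Caddyfile path matcher is an exact match unless it ends with `*`, so `/admin`, `/api/...` and every other path on this host is served without HSTS, `X-Frame-Options`, `nosniff` or the `-Server`/`-X-Powered-By` removals. Change the line to `header {` (or `header /* {`) so the block covers the whole site. The `# See` comment above it is unfinished — either complete the reference it was meant to carry or drop it. The `@admin` matcher with `remote_ip` is sound here because Caddy terminates the connection itself and proxies to loopback, but a comment such as `# remote_ip is the TCP peer; only correct while Caddy is the edge (no proxy in front)` keeps that assumption visible if a load balancer is ever added. The enclosing attribute set starts outside the hunk.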