From 614c722f6ac19f75949beb81e667ddb451194b3a Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Thu, 19 Mar 2026 13:28:17 -0500
Subject: [PATCH 1/2] security (mcentire): Add Caddy access logs to Crowdsec

---
 services/caddy.nix | 15 +++++++++++++++
 systems/linux/mcentire.nix | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 services/caddy.nix

diff --git a/services/caddy.nix b/services/caddy.nix
new file mode 100644
index 0000000..2f80550
--- /dev/null
+++ b/services/caddy.nix
@@ -0,0 +1,15 @@
+{ config, ... }: {
+ services.caddy = {
+ enable = true;
+ logFormat = "level INFO";
+ };
+
+ services.crowdsec = {
+ localConfig.acquisitions = [{
+ filenames = [ "${config.services.caddy.logDir}/*.log" ];
+ labels.type = "caddy";
+ }];
+
+ hub.parsers = [ "crowdsecurity/caddy-logs" ];
+ };
+}
diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix
index cf01a65..95cb563 100644
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@@ -5,6 +5,7 @@
 ./hardware-configuration/mcentire.nix
 ./../../modules/podman-secrets.nix
 ./../../services/borgmatic.nix
+ ./../../services/caddy.nix
 ./../../services/crowdsec.nix
 ./../../services/authentik.nix
 ./../../services/audiobookshelf.nix
@@ -67,7 +68,6 @@
 services = {
 openssh.enable = true;
 tailscale.enable = true;
- caddy.enable = true;
 
 # Do not "enable" database services, but include the package configuration
 # so that borgmatic does not freak out about unset variables

From fd50d5d088bd1d5953c5dc1c0891c8706ece9aba Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Thu, 19 Mar 2026 13:59:49 -0500
Subject: [PATCH 2/2] security (vaultwarden): Add hardened reverse proxy config

---
 services/vaultwarden.nix | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 51949ba..22562a0 100644
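Review bot: `hub.parsers = [ "crowdsecurity/caddy-logs" ]` installs only the parser, which turns Caddy access-log lines into events but raises no alerts by itself, so unless services/crowdsec.nix already provides the HTTP scenarios this new feed will be parsed and then ignored. Pulling in the `crowdsecurity/caddy` collection, which bundles the parser with `crowdsecurity/base-http-scenarios`, would cover that: `hub.collections = [ "crowdsecurity/caddy" ];` alongside or instead of the parser line. Two things I would verify against the generated Caddyfile and the running units rather than assume: `logFormat = "level INFO"` appears to configure Caddy's global log directive (its runtime log), whereas the files matched by `${config.services.caddy.logDir}/*.log` are the per-virtualHost access logs the NixOS module writes by default, so the level change may be unrelated to what crowdsec reads; and the crowdsec service account needs read permission on that directory, which nothing in this hunk grants. A one-line comment on the acquisition naming which files it expects (`# per-vhost access-<host>.log files written by the caddy module`) would make the intent checkable.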
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -36,7 +36,28 @@ in {
 };
 
 services.caddy.virtualHosts."vault.millironx.com".extraConfig = ''
- reverse_proxy http://127.0.0.1:${port}
+ # See
+ encode zstd gzip
+ header / {
+ Strict-Transport-Security "max-age=31536000;"
+ X-XSS-Protection "0"
+ X-Frame-Options "DENY"
+ X-Robots-Tag "noindex, nofollow"
+ X-Content-Type-Options "nosniff"
+ -Server
+ -X-Powered-By
+ -Last-Modified
+ }
+
+ @admin {
+ path /admin*
+ not remote_ip private_ranges 100.64.0.0/10
+ }
+ respond @admin "Access denied to remote clients. Use localhost or VPN." 403
+
+ reverse_proxy http://127.0.0.1:${port} {
+ header_up X-Real-IP {remote_host}
+ }
 '';
 
 users.users."${user}" = {
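Review bot: `header / {` in the new extraConfig is a Caddy path matcher that matches only the exact path `/`, so the security headers (HSTS, X-Frame-Options, nosniff) and the `-Server`/`-X-Powered-By`/`-Last-Modified` removals are applied to the root document only, not to `/admin*`, the API routes or the static assets. To apply them to every response from this virtual host, drop the matcher: `header {` (or use the wildcard form `header /* {`). The `# See` comment on the first added line references nothing; either complete it with the source the hardening was taken from or delete it. `not remote_ip private_ranges 100.64.0.0/10` judges the direct TCP peer, which is the right check while Caddy is the edge proxy; if another proxy is ever placed in front of it the admin guard would be evaluating that proxy's address, so a comment stating the assumption (`# remote_ip is the real client only while Caddy is the edge proxy`) is worth adding next to the matcher.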