reverse proxy stuff

2025-09-09 20:41:37 -05:00
parent 6567bb1348
commit f58006cf8a
14 changed files with 433 additions and 27 deletions
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -10,6 +10,9 @@
    # Import system utilities
    system = import ./system { inherit inputs; };
    # Import reverse proxy utilities
    reverseproxy = import ./reverseproxy { inherit inputs; };
    # Import examples
    examples = import ./examples { inherit inputs; };
  };
--- a/lib/examples/reverseproxy.nix
+++ b/lib/examples/reverseproxy.nix
@@ -0,0 +1,113 @@
 # Example usage of the reverse proxy utilities
 { inputs, lib, ... }:
 let
  inherit (lib.mjallen-lib.reverseproxy)
    mkReverseProxy
    mkReverseProxies
    templates
    middlewares
    urls
    ;
 in
 {
  # Example 1: Simple reverse proxy for a local service
  simpleProxy = mkReverseProxy {
    name = "myapp";
    subdomain = "myapp";
    url = "http://127.0.0.1:3000";
  };
  # Example 2: Authenticated service with custom middlewares
  authProxy = mkReverseProxy {
    name = "admin-panel";
    subdomain = "admin";
    url = "http://127.0.0.1:8080";
    middlewares = middlewares.authBasic;
  };
  # Example 3: Container-based service
  containerProxy = mkReverseProxy {
    name = "nextcloud";
    subdomain = "cloud";
    url = urls.container "nextcloud" 80;
    middlewares = middlewares.basic;
  };
  # Example 4: Multiple proxies at once
  multipleProxies = mkReverseProxies [
    {
      name = "grafana";
      subdomain = "grafana";
      url = urls.localhost 3000;
      middlewares = middlewares.authBasic;
    }
    {
      name = "prometheus";
      subdomain = "prometheus";
      url = urls.localhost 9090;
      middlewares = middlewares.internal;
    }
    {
      name = "alertmanager";
      subdomain = "alerts";
      url = urls.localhost 9093;
      middlewares = middlewares.authBasic;
    }
  ];
  # Example 5: Using templates for common patterns
  webappExample = templates.webapp {
    name = "webapp";
    subdomain = "app";
    port = 8080;
  };
  authWebappExample = templates.authWebapp {
    name = "secure-app";
    subdomain = "secure";
    port = 9000;
  };
  containerExample = templates.containerService {
    name = "gitea";
    subdomain = "git";
    containerName = "gitea";
    port = 3000;
  };
  internalExample = templates.internalService {
    name = "internal-api";
    subdomain = "api-internal";
    port = 8000;
  };
  # Example 6: Custom domain and advanced configuration
  customProxy = mkReverseProxy {
    name = "custom-service";
    subdomain = "custom";
    url = "http://10.0.1.100:8080";
    domain = "example.com";
    priority = 20;
    rule = "Host(`custom.example.com`) && PathPrefix(`/api`)";
    middlewares = [ "crowdsec" "whitelist-geoblock" "rate-limit" ];
  };
  # Example usage in a Traefik configuration:
  # 
  # mjallen.services.traefik = {
  #   enable = true;
  #   extraServices = multipleProxies.extraServices;
  #   extraRouters = multipleProxies.extraRouters;
  # };
  #
  # Or for individual proxies:
  #
  # mjallen.services.traefik = {
  #   enable = true;
  #   extraServices = [ simpleProxy.service ];
  #   extraRouters = [{
  #     inherit (simpleProxy.router) subdomain entryPoints middlewares;
  #     service = simpleProxy.router.service;
  #   }];
  # };
 }
--- a/lib/module/default.nix
+++ b/lib/module/default.nix
@@ -90,6 +90,14 @@ rec {
  mkBoolOpt' = mkOpt' types.bool;
  mkReverseProxyOpt = {
    enable = mkBoolOpt false "Enable reverse proxy support";
    subdomain = mkOpt types.str "" "subdomain of the service";
    middlewares = mkOpt (types.listOf types.str) [ ] "List of middlewares to use";
  };
  # Standard enable/disable patterns
  enabled = {
    enable = true;
--- a/lib/reverseproxy/default.nix
+++ b/lib/reverseproxy/default.nix
@@ -0,0 +1,153 @@
 { inputs }:
 let
  inherit (inputs.nixpkgs.lib)
    mkOption
    types
    listToAttrs
    nameValuePair
    ;
 in
 rec {
  # Create a service configuration for Traefik
  mkService = {
    name,
    url,
    loadBalancer ? { },
  }: {
    inherit name url;
    config = {
      loadBalancer = {
        servers = [{ inherit url; }];
      } // loadBalancer;
    };
  };
  # Create a router configuration for Traefik
  mkRouter = {
    subdomain,
    domain ? "mjallen.dev",
    service,
    entryPoints ? [ "websecure" ],
    middlewares ? [ "crowdsec" "whitelist-geoblock" ],
    priority ? null,
    rule ? null,
    tls ? { certResolver = "letsencrypt"; },
  }: {
    inherit subdomain service entryPoints middlewares;
    config = {
      inherit entryPoints service middlewares tls;
      rule = if rule != null then rule else "Host(`${subdomain}.${domain}`)";
    } // (if priority != null then { inherit priority; } else { });
  };
  # Create both service and router for a simple reverse proxy setup
  mkReverseProxy = {
    name,
    subdomain,
    url,
    domain ? "mjallen.dev",
    entryPoints ? [ "websecure" ],
    middlewares ? [ "crowdsec" "whitelist-geoblock" ],
    priority ? null,
    rule ? null,
    tls ? { certResolver = "letsencrypt"; },
    loadBalancer ? { },
  }: {
    service = mkService {
      inherit name url loadBalancer;
    };
    router = mkRouter {
      inherit subdomain domain entryPoints middlewares priority rule tls;
      service = name;
    };
  };
  # Convert a list of services to the format expected by Traefik module
  servicesToConfig = services:
    listToAttrs (map (service: nameValuePair service.name service.config) services);
  # Convert a list of routers to the format expected by Traefik module
  routersToConfig = routers:
    listToAttrs (map (router: nameValuePair router.subdomain router.config) routers);
  # Helper to create multiple reverse proxies at once
  mkReverseProxies = proxies:
    let
      results = map mkReverseProxy proxies;
      services = map (result: result.service) results;
      routers = map (result: result.router) results;
    in
    {
      services = servicesToConfig services;
      routers = routersToConfig routers;
      extraServices = services;
      extraRouters = map (router: {
        inherit (router) subdomain entryPoints middlewares;
        service = router.service;
      }) routers;
    };
  # Common middleware configurations
  middlewares = {
    # Authentication middleware
    auth = [ "authentik" ];
    # Basic security (default)
    basic = [ "crowdsec" "whitelist-geoblock" ];
    # Internal only access
    internal = [ "crowdsec" "whitelist-geoblock" "internal-ipallowlist" ];
    # WebSocket support
    websocket = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
    # Authenticated with basic security
    authBasic = [ "crowdsec" "whitelist-geoblock" "authentik" ];
  };
  # Common service URL builders
  urls = {
    # Local container service
    container = containerName: port: "http://\${config.containers.${containerName}.localAddress}:${toString port}";
    # Local host service
    localhost = port: "http://127.0.0.1:${toString port}";
    # Network service
    network = ip: port: "http://${ip}:${toString port}";
    # Server IP service (using your server IP pattern)
    server = port: "http://\${serverIp}:${toString port}";
  };
  # Pre-configured reverse proxy templates
  templates = {
    # Standard web application
    webapp = { name, subdomain, port, ... }@args:
      mkReverseProxy ({
        url = urls.localhost port;
        middlewares = middlewares.basic;
      } // args);
    # Authenticated web application  
    authWebapp = { name, subdomain, port, ... }@args:
      mkReverseProxy ({
        url = urls.localhost port;
        middlewares = middlewares.authBasic;
      } // args);
    # Container-based service
    containerService = { name, subdomain, containerName, port, ... }@args:
      mkReverseProxy ({
        url = urls.container containerName port;
        middlewares = middlewares.basic;
      } // args);
    # Internal-only service
    internalService = { name, subdomain, port, ... }@args:
      mkReverseProxy ({
        url = urls.localhost port;
        middlewares = middlewares.internal;
      } // args);
  };
 }
--- a/modules/home/programs/hyprland/default.nix
+++ b/modules/home/programs/hyprland/default.nix
@@ -48,7 +48,6 @@ in
      meson
      nautilus
      networkmanagerapplet
      nm-tray
      nomacs
      nwg-look
      overskride
--- a/modules/nixos/services/actual/default.nix
+++ b/modules/nixos/services/actual/default.nix
@@ -12,6 +12,14 @@ let
  hostAddress = "10.0.1.3";
  actualUserId = config.users.users.nix-apps.uid;
  actualGroupId = config.users.groups.jallen-nas.gid;
  # Create reverse proxy configuration using mkReverseProxy
  reverseProxyConfig = lib.${namespace}.mkReverseProxy {
    name = "actual";
    subdomain = cfg.reverseProxy.subdomain;
    url = "http://${cfg.localAddress}:${toString cfg.port}";
    middlewares = cfg.reverseProxy.middlewares;
  };
 in
 {
  imports = [ ./options.nix ];
@@ -98,19 +106,23 @@ in
        };
    };
-    services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
+    # services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
-      services.actual.loadBalancer.servers = [
+    #   services.actual.loadBalancer.servers = [
-        {
+    #     {
-          url = "http://${cfg.localAddress}:${toString cfg.port}";
+    #       url = "http://${cfg.localAddress}:${toString cfg.port}";
-        }
+    #     }
-      ];
+    #   ];
-      routers.actual = {
+    #   routers.actual = {
-        entryPoints = [ "websecure" ];
+    #     entryPoints = [ "websecure" ];
-        rule = "Host(`${cfg.reverseProxy.host}`)";
+    #     rule = "Host(`${cfg.reverseProxy.host}`)";
-        service = "actual";
+    #     service = "actual";
-        middlewares = cfg.reverseProxy.middlewares;
+    #     middlewares = cfg.reverseProxy.middlewares;
-        tls.certResolver = "letsencrypt";
+    #     tls.certResolver = "letsencrypt";
-      };
+    #   };
    # };
    ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
      reverseProxies = [ reverseProxyConfig ];
    };
    networking = {
--- a/modules/nixos/services/actual/options.nix
+++ b/modules/nixos/services/actual/options.nix
@@ -1,6 +1,6 @@
 { lib, namespace, ... }:
 let
-  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+  inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
 in
 with lib;
 {
@@ -13,13 +13,6 @@ with lib;
    dataDir = mkOpt types.str "" "Path to the data dir";
-    reverseProxy = {
+    reverseProxy = mkReverseProxyOpt;
      enable = mkBoolOpt false "Enable reverse proxy support";
      host = mkOpt types.str "" "Address of the proxy";
      middlewares = with types; mkOpt (listOf str) [ ] "List of middlewares to use";
    };
  };
 }
--- a/modules/nixos/services/nextcloud/default.nix
+++ b/modules/nixos/services/nextcloud/default.nix
@@ -1,6 +1,7 @@
 {
  config,
  lib,
  pkgs,
  namespace,
  ...
 }:
@@ -18,6 +19,10 @@ let
  nextcloudPortExtHttp = 9988;
  nextcloudPortExtHttps = 9943;
  onlyofficePortExt = 9943;
  nextcloudPhotos = pkgs.${namespace}.photos;
  nextcloudPdfViewer = pkgs.${namespace}.pdfviewer;
  nextcloudAssist = pkgs.${namespace}.assistant;
 in
 {
  imports = [ ./options.nix ];
@@ -83,13 +88,34 @@ in
              # datadir = "/data";
              database.createLocally = true;
              hostName = "cloud.mjallen.dev";
-              appstoreEnable = true;
+              appstoreEnable = false;
              caching.redis = true;
              configureRedis = true;
              enableImagemagick = true;
              https = true;
              secretFile = secretsFile;
              extraApps = {
                inherit (pkgs.nextcloud31Packages.apps) app_api
                                                        bookmarks
                                                        mail 
                                                        calendar 
                                                        contacts
                                                        integration_openai
                                                        integration_paperless
                                                        maps
                                                        oidc_login
                                                        onlyoffice
                                                        previewgenerator
                                                        recognize
                                                        richdocuments
                                                        user_oidc;
                inherit nextcloudPhotos
                        nextcloudPdfViewer
                        nextcloudAssist;
              };
              config = {
                adminuser = "mjallen";
                adminpassFile = adminpass;
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -8,6 +8,48 @@ with lib;
 let
  cfg = config.${namespace}.services.traefik;
  # Process extraServices into service configurations
  extraServiceConfigs = 
    let
      makeService = service: nameValuePair service.name {
        loadBalancer.servers = [
          {
            url = service.url;
          }
        ];
      };
    in
    listToAttrs (map makeService cfg.extraServices);
  # Process extraRouters into router configurations
  extraRouterConfigs = 
    let
      makeRouter = router: nameValuePair router.subdomain {
        entryPoints = router.entryPoints;
        rule = "Host(`${router.subdomain}.${domain}`)";
        service = router.service;
        middlewares = router.middlewares ++ [
          "crowdsec"
          "whitelist-geoblock"
        ];
        tls.certResolver = "letsencrypt";
      };
    in
    listToAttrs (map makeRouter cfg.extraRouters);
  # Process reverseProxies into service and router configurations
  reverseProxyServiceConfigs = 
    let
      makeService = reverseProxy: nameValuePair reverseProxy.service.name reverseProxy.service.config;
    in
    listToAttrs (map makeService cfg.reverseProxies);
  reverseProxyRouterConfigs = 
    let
      makeRouter = reverseProxy: nameValuePair reverseProxy.router.subdomain reverseProxy.router.config;
    in
    listToAttrs (map makeRouter cfg.reverseProxies);
  domain = "mjallen.dev";
  serverIp = "10.0.1.3";
@@ -318,7 +360,7 @@ in
                url = paperlessUrl;
              }
            ];
-          };
+          } // extraServiceConfigs // reverseProxyServiceConfigs;
          routers = {
            auth = {
@@ -447,7 +489,7 @@ in
              ];
              tls.certResolver = "letsencrypt";
            };
-          };
+          } // extraRouterConfigs // reverseProxyRouterConfigs;
        };
      };
    };
--- a/modules/nixos/services/traefik/options.nix
+++ b/modules/nixos/services/traefik/options.nix
@@ -1,7 +1,34 @@
 { lib, namespace, ... }:
 with lib;
 let
  inherit (lib.${namespace}) mkOpt mkBoolOpt;
 in
 {
  options.${namespace}.services.traefik = {
    enable = mkEnableOption "enable traefik";
    extraServices = mkOpt (types.listOf (types.submodule {
          options = {
            name = mkOpt types.str "" "Name of the service";
            url = mkOpt types.str "http://localhost:8080" "Url of the service";
          };
        })) [ ] "List of extra services to forward";
    extraRouters = mkOpt (types.listOf (types.submodule {
          options = {
            entryPoints = mkOpt (types.listOf types.str) [ "websecure" ] "Entrypoint";
            subdomain = mkOpt types.str "" "subdomain of the service";
            service = mkOpt types.str "" "name of the service";
            middlewares = mkOpt (types.listOf (types.enum [
                              "authentik"
                              "onlyoffice-websocket"
                              "crowdsec"
                              "whitelist-geoblock"
                              "internal-ipallowlist"
                            ])) [ ] "List of middlewares to enable";
          };
        })) [ ] "List of extra services to forward";
    reverseProxies = mkOpt (types.listOf types.attrs) [ ] "List of reverse proxy configurations from mkReverseProxy";
  };
 }
--- a/packages/nextcloud/assistant/default.nix
+++ b/packages/nextcloud/assistant/default.nix
@@ -0,0 +1,10 @@
 {
  fetchNextcloudApp,
  ...
 }:
 fetchNextcloudApp {
  name = "assistant";
  sha256 = "sha256-kW2rbgfhCg4RHp/RW+L1vuoyVXOp5r4Mc1VdI0g5cXA=";
  url = "https://github.com/nextcloud/assistant/archive/refs/tags/v2.8.0.tar.gz";
  license = "agpl3Only";
 }
--- a/packages/nextcloud/pdfviewer/default.nix
+++ b/packages/nextcloud/pdfviewer/default.nix
@@ -0,0 +1,10 @@
 {
  fetchNextcloudApp,
  ...
 }:
 fetchNextcloudApp {
  name = "files_pdfviewer";
  sha256 = "sha256-TeNOzRczeXK15DURrZ5al0cvXhRj7+y1VA4axPROvD4=";
  url = "https://github.com/nextcloud/files_pdfviewer/archive/refs/tags/v31.0.8.tar.gz";
  license = "agpl3Only";
 }
--- a/packages/nextcloud/photos/default.nix
+++ b/packages/nextcloud/photos/default.nix
@@ -0,0 +1,10 @@
 {
  fetchNextcloudApp,
  ...
 }:
 fetchNextcloudApp {
  name = "photos";
  sha256 = "sha256-F2hh/0RlLG2zcEatfd4fejRV0i2hMkwONM4P7nhdh18=";
  url = "https://github.com/nextcloud/photos/archive/refs/tags/v31.0.8.tar.gz";
  license = "agpl3Only";
 }
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -21,7 +21,7 @@
        dataDir = "/media/nas/main/nix-app-data/actual";
        reverseProxy = {
          enable = true;
-          host = "actual.mjallen.dev";
+          subdomain = "actual";
          middlewares = [
            "crowdsec"
            "whitelist-geoblock"