Try middle ware again

This commit is contained in:
Root User 2026-02-14 00:37:51 +01:00
parent 40f02be01c
commit 4d65b091ac
Signed by: root
GPG key ID: 087F0A95E5766D72


@ -46,25 +46,26 @@ in {
# Configure Anubis service
services.anubis = {
# Use a single shared Anubis instance (redirect mode) so cookie + challenge
# state is consistent across all protected services.
instances = {
"" = {
shared = {
enable = true;
settings = {
# Bind to TCP instead of Unix socket for Docker-style integration
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8090";
# Empty TARGET for redirect mode
# Redirect mode (Anubis will issue challenges & redirects)
TARGET = " ";
# Configure redirect domains - ALL domains that should be able to redirect back after challenge
# Which domains are allowed to be redirected back to
REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org";
# Public URL for Anubis
# Public URL for this Anubis instance
PUBLIC_URL = "https://anubis.prg-radio.org";
# Cookie domain for proper scoping (leading dot for all subdomains)
COOKIE_DOMAIN = ".prg-radio.org";
# Use bare domain for cookie scoping (modern browsers prefer no leading dot)
COOKIE_DOMAIN = "prg-radio.org";
# Difficulty level
DIFFICULTY = 7;
@ -81,52 +82,6 @@ in {
METRICS_BIND = "127.0.0.1:8091";
};
};
# Per-service Anubis instances (reverse-proxy mode) ---------------------------
forgejo = {
enable = true;
settings = {
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8092";
TARGET = "http://10.1.1.4:3000"; # Forgejo backend
DIFFICULTY = 20;
SERVE_ROBOTS_TXT = true;
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8095";
};
};
/*
wavelog = {
enable = true;
settings = {
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8093";
TARGET = "http://10.1.1.249:8086"; # Wavelog backend
DIFFICULTY = 20;
SERVE_ROBOTS_TXT = true;
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8096";
};
};
*/
# This part needs investigating
partdb = {
enable = true;
settings = {
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8094";
TARGET = "http://10.1.1.249:8087"; # PartDB backend
DIFFICULTY = 20;
SERVE_ROBOTS_TXT = true;
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8097";
};
};
};
};
@ -190,6 +145,20 @@ in {
}
];
# ForwardAuth middleware so a single Anubis instance can protect many services
http.middlewares = lib.mkForce (lib.mkMerge [ (lib.optionalAttrs true {
anubis = {
forwardAuth = {
address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
trustForwardHeader = true;
# Ensure Traefik forwards Set-Cookie from Anubis back to the client
authResponseHeaders = [ "Set-Cookie" ];
# Forward original host and proto so Anubis computes redirects correctly
authRequestHeaders = [ "X-Forwarded-Host" "X-Forwarded-Proto" ];
};
};
}) ]);
http.routers = {
#anubis-api = {
# rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)";
@ -212,6 +181,8 @@ in {
rule = "Host(`git.prg-radio.org`)";
service = "forgejo";
entryPoints = ["websecure"];
# Protect via shared Anubis using forwardAuth
middlewares = ["anubis"];
tls = {};
};
@ -236,6 +207,8 @@ in {
rule = "Host(`partdb.prg-radio.org`)";
service = "partdb";
entryPoints = ["websecure"];
# Protect via shared Anubis using forwardAuth
middlewares = ["anubis"];
tls = {};
};
};
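Review bot: In the middlewares hunk, `trustForwardHeader = true` together with `authRequestHeaders = [ "X-Forwarded-Host" "X-Forwarded-Proto" ]` means the host and scheme Anubis uses to compute its post-challenge redirect are whatever X-Forwarded-* values reach the middleware, so the protection rests on the `websecure` entryPoint dropping client-supplied X-Forwarded-* headers (Traefik's `forwardedHeaders.trustedIPs` / `insecure` setting, which is outside this diff) plus the `REDIRECT_DOMAINS` allow-list in the first hunk; please confirm the entryPoint setting and record the dependency above `trustForwardHeader` with `# Relies on the websecure entryPoint stripping untrusted X-Forwarded-* headers; REDIRECT_DOMAINS is the second guard`. Separately, `TARGET = " ";` in the shared instance is a single space, not the empty value the comment above it promises — unless Anubis is known to trim it, `TARGET = "";` (or a comment stating why the space is required) avoids the instance being handed a bogus upstream instead of redirect mode. The `lib.mkForce (lib.mkMerge [ (lib.optionalAttrs true { … }) ])` wrapper around the `anubis` middleware reduces to a forced plain attrset; unless `mkForce` is deliberately discarding middlewares defined in other modules, `http.middlewares = { anubis = { … }; };` says the same thing without the no-op combinators, and if the override is intended it deserves a one-line comment. The enclosing Traefik dynamic-config attrset starts before the middlewares hunk, and the router hunks that attach `middlewares = ["anubis"]` are shown only partially here.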