diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index d66236b..3b020d8 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -58,18 +58,22 @@ in {
 TARGET = " ";
 # Configure redirect domains - ALL domains that should be able to redirect back after challenge
- REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org";
+ REDIRECT_DOMAINS = "prg-radio.org,anubis.prg-radio.org,git.prg-radio.org,lgbtq.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org";
 # Public URL for Anubis
 PUBLIC_URL = "https://anubis.prg-radio.org";
- # Cookie domain for proper scoping (leading dot for all subdomains)
- COOKIE_DOMAIN = ".prg-radio.org";
+ # Cookie domain for proper scoping
+ COOKIE_DOMAIN = ".prg-radio.org,prg-radio.org";
 # Difficulty level
 DIFFICULTY = 7;
 #ALGOTIHM = "slow";
+ # This prevents Anubis from looping
+ # See: https://github.com/TecharoHQ/anubis/issues/970
+ JWT_RESTRICTION_HEADER = "CF-Connecting-IP";
+ # Optional: serve robots.txt
 SERVE_ROBOTS_TXT = true;
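Review bot: `JWT_RESTRICTION_HEADER = "CF-Connecting-IP"` only strengthens the challenge token if that header is written by a hop the client cannot influence; nothing in this hunk shows Cloudflare in front of Traefik, and the `certresolver = "acme"` added elsewhere in this commit suggests Traefik terminates TLS itself, in which case a client can supply any `CF-Connecting-IP` value and the token is merely bound to an attacker-chosen string. If Cloudflare is in front, confirm it overwrites that header and that Traefik only accepts traffic from Cloudflare's ranges; if it is not, the binding adds nothing and should use a value Traefik itself derives from the socket address (with the entrypoint's trusted-IP settings) rather than a client-settable header. The new `COOKIE_DOMAIN = ".prg-radio.org,prg-radio.org"` also looks wrong: `Set-Cookie` carries a single `Domain` attribute, and per RFC 6265 browsers ignore the leading dot and match all subdomains anyway, so unless Anubis documents a list form this should be `COOKIE_DOMAIN = "prg-radio.org";`. I would replace the "prevents looping" comment with the actual contract, e.g. `# Bind the challenge JWT to the client IP as reported by the edge; MUST be a header the client cannot set`. The enclosing settings attribute set starts before this hunk and continues past it.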
@@ -79,52 +83,11 @@ in {
 # Metrics on separate port
 METRICS_BIND_NETWORK = "tcp";
 METRICS_BIND = "127.0.0.1:8091";
- };
- };
- # Per-service Anubis instances (reverse-proxy mode) ---------------------------
- forgejo = {
- enable = true;
- settings = {
- BIND_NETWORK = "tcp";
- BIND = "127.0.0.1:8092";
- TARGET = "http://10.1.1.4:3000"; # Forgejo backend
- DIFFICULTY = 20;
- SERVE_ROBOTS_TXT = true;
- WEBMASTER_EMAIL = "dtu.prg@gmail.com";
- METRICS_BIND_NETWORK = "tcp";
- METRICS_BIND = "127.0.0.1:8095";
- };
- };
+ SLOG_LEVEL = "DEBUG";
- /*
- wavelog = {
- enable = true;
- settings = {
- BIND_NETWORK = "tcp";
- BIND = "127.0.0.1:8093";
- TARGET = "http://10.1.1.249:8086"; # Wavelog backend
- DIFFICULTY = 20;
- SERVE_ROBOTS_TXT = true;
- WEBMASTER_EMAIL = "dtu.prg@gmail.com";
- METRICS_BIND_NETWORK = "tcp";
- METRICS_BIND = "127.0.0.1:8096";
- };
- };
- */
- 
- # This part needs investigating
- partdb = {
- enable = true;
- settings = {
- BIND_NETWORK = "tcp";
- BIND = "127.0.0.1:8094";
- TARGET = "http://10.1.1.249:8087"; # PartDB backend
- DIFFICULTY = 20;
- SERVE_ROBOTS_TXT = true;
- WEBMASTER_EMAIL = "dtu.prg@gmail.com";
- METRICS_BIND_NETWORK = "tcp";
- METRICS_BIND = "127.0.0.1:8097";
+ COOKIE_SECURE = true;
+ COOKIE_SAME_SITE = "None"; # Only if Secure=true and you need cross-site
 };
 };
 };
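Review bot: `COOKIE_SAME_SITE = "None"` is broader than this deployment needs: anubis.prg-radio.org and the protected git/partdb hosts share the registrable domain prg-radio.org, so they are same-site and `Lax` already lets the challenge cookie accompany the redirect back, whereas `None` additionally attaches it to every cross-site request from any origin. Unless a genuinely cross-site flow exists, set `COOKIE_SAME_SITE = "Lax";` and drop the trailing "only if you need cross-site" comment, which currently reads as if that condition were met. `SLOG_LEVEL = "DEBUG"` is also being committed to the single public-facing instance; depending on what Anubis emits at that level, request headers and cookie/JWT material may end up in the journal, so either revert to the default once the loop is diagnosed or mark it as temporary with `# Temporarily DEBUG while diagnosing redirect loops (issue 970); revert afterwards`. The enclosing settings attribute set starts before this hunk.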
@@ -190,29 +153,39 @@ in {
 }
 ];
- http.routers = {
- #anubis-api = {
- # rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)";
- # service = "anubis";
- # entryPoints = ["websecure"];
- # priority = 200;
- # tls = {};
- # };
+ # Traefik middlewares: Anubis forwardAuth
+ http.middlewares = {
+ anubisForwardAuth = {
+ forwardAuth = {
+ # point at the Anubis check endpoint (the subrequest/UI instance)
+ address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
+ };
+ };
+ redirect-to-https = {
+ redirectScheme = {
+ scheme = "https";
+ };
+ };
+ };
+ http.routers = {
 # Anubis router (for challenge page)
 anubis = {
 rule = "Host(`anubis.prg-radio.org`)";
 service = "anubis";
 entryPoints = ["websecure"];
- tls = {};
+ tls = {
+ certresolver = "acme";
+ };
 };
- # Protected service example: Forgejo
+ # Protected service example: Forgejo (attach Anubis forwardAuth middleware)
 forgejo = {
 rule = "Host(`git.prg-radio.org`)";
 service = "forgejo";
 entryPoints = ["websecure"];
 tls = {};
+ middlewares = ["anubisForwardAuth"];
 };
 # Matrix HTTP router for client requests (Element etc.)
@@ -237,6 +210,7 @@ in {
 service = "partdb";
 entryPoints = ["websecure"];
 tls = {};
+ middlewares = ["anubisForwardAuth"];
 };
 };
@@ -246,12 +220,11 @@ in {
 servers = [
 {url = "http://127.0.0.1:8090";}
 ];
- #passHostHeader = true;
 };
 forgejo.loadBalancer = {
 servers = [
- {url = "http://127.0.0.1:8092";}
+ {url = "http://10.1.1.4:3000";}
 ];
 };
 matrix.loadBalancer = {
@@ -267,7 +240,7 @@ in {
 partdb.loadBalancer = {
 servers = [
- {url = "http://127.0.0.1:8094";}
+ {url = "http://10.1.1.249:8087";}
 ];
 };
 };
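Review bot: The `anubis` router gains `tls = { certresolver = "acme"; }` while the `forgejo` router in the same hunk (and `partdb` in the next) keeps `tls = {}`; unless the websecure entrypoint sets a default certResolver outside this diff, those hosts are served with Traefik's built-in default certificate while only the challenge page gets a trusted one, and the browser will refuse the redirect back from anubis.prg-radio.org. Either give every TLS router the same `tls = { certresolver = "acme"; };` or set the resolver once on the entrypoint and remove it from the individual routers. The `redirect-to-https` middleware is declared but referenced by no router in this hunk; if nothing attaches it elsewhere it is dead configuration and should be removed or wired to an HTTP entrypoint. Since the forwardAuth subrequest is now the only path by which the client's headers reach Anubis, the `JWT_RESTRICTION_HEADER` binding depends on Traefik passing that header through, which the default (no `authRequestHeaders` filter) appears to do but is worth recording next to `address`, e.g. `# No authRequestHeaders filter: all client headers, including the JWT restriction header, are forwarded to Anubis`.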