Anubis middleware added and working this time.

Root User 2026-02-14 12:12:50 +01:00
parent 0ebf6007b7
commit 9b7d1ca52d
Signed by: root
GPG key ID: 087F0A95E5766D72


@ -58,18 +58,22 @@ in {
TARGET = " "; TARGET = " ";
# Configure redirect domains - ALL domains that should be able to redirect back after challenge # Configure redirect domains - ALL domains that should be able to redirect back after challenge
REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org"; REDIRECT_DOMAINS = "prg-radio.org,anubis.prg-radio.org,git.prg-radio.org,lgbtq.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org";
# Public URL for Anubis # Public URL for Anubis
PUBLIC_URL = "https://anubis.prg-radio.org"; PUBLIC_URL = "https://anubis.prg-radio.org";
# Cookie domain for proper scoping (leading dot for all subdomains) # Cookie domain for proper scoping
COOKIE_DOMAIN = ".prg-radio.org"; COOKIE_DOMAIN = ".prg-radio.org,prg-radio.org";
# Difficulty level # Difficulty level
DIFFICULTY = 7; DIFFICULTY = 7;
#ALGOTIHM = "slow"; #ALGOTIHM = "slow";
# This prevents Anubis from looping
# See: https://github.com/TecharoHQ/anubis/issues/970
JWT_RESTRICTION_HEADER = "CF-Connecting-IP";
# Optional: serve robots.txt # Optional: serve robots.txt
SERVE_ROBOTS_TXT = true; SERVE_ROBOTS_TXT = true;
@ -79,52 +83,11 @@ in {
# Metrics on separate port # Metrics on separate port
METRICS_BIND_NETWORK = "tcp"; METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8091"; METRICS_BIND = "127.0.0.1:8091";
};
};
# Per-service Anubis instances (reverse-proxy mode) --------------------------- SLOG_LEVEL = "DEBUG";
forgejo = {
enable = true;
settings = {
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8092";
TARGET = "http://10.1.1.4:3000"; # Forgejo backend
DIFFICULTY = 20;
SERVE_ROBOTS_TXT = true;
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8095";
};
};
/* COOKIE_SECURE = true;
wavelog = { COOKIE_SAME_SITE = "None"; # Only if Secure=true and you need cross-site
enable = true;
settings = {
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8093";
TARGET = "http://10.1.1.249:8086"; # Wavelog backend
DIFFICULTY = 20;
SERVE_ROBOTS_TXT = true;
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8096";
};
};
*/
# This part needs investigating
partdb = {
enable = true;
settings = {
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8094";
TARGET = "http://10.1.1.249:8087"; # PartDB backend
DIFFICULTY = 20;
SERVE_ROBOTS_TXT = true;
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8097";
}; };
}; };
}; };
@ -190,29 +153,39 @@ in {
} }
]; ];
http.routers = { # Traefik middlewares: Anubis forwardAuth
#anubis-api = { http.middlewares = {
# rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)"; anubisForwardAuth = {
# service = "anubis"; forwardAuth = {
# entryPoints = ["websecure"]; # point at the Anubis check endpoint (the subrequest/UI instance)
# priority = 200; address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
# tls = {}; };
# }; };
redirect-to-https = {
redirectScheme = {
scheme = "https";
};
};
};
http.routers = {
# Anubis router (for challenge page) # Anubis router (for challenge page)
anubis = { anubis = {
rule = "Host(`anubis.prg-radio.org`)"; rule = "Host(`anubis.prg-radio.org`)";
service = "anubis"; service = "anubis";
entryPoints = ["websecure"]; entryPoints = ["websecure"];
tls = {}; tls = {
certresolver = "acme";
};
}; };
# Protected service example: Forgejo # Protected service example: Forgejo (attach Anubis forwardAuth middleware)
forgejo = { forgejo = {
rule = "Host(`git.prg-radio.org`)"; rule = "Host(`git.prg-radio.org`)";
service = "forgejo"; service = "forgejo";
entryPoints = ["websecure"]; entryPoints = ["websecure"];
tls = {}; tls = {};
middlewares = ["anubisForwardAuth"];
}; };
# Matrix HTTP router for client requests (Element etc.) # Matrix HTTP router for client requests (Element etc.)
@ -237,6 +210,7 @@ in {
service = "partdb"; service = "partdb";
entryPoints = ["websecure"]; entryPoints = ["websecure"];
tls = {}; tls = {};
middlewares = ["anubisForwardAuth"];
}; };
}; };
@ -246,12 +220,11 @@ in {
servers = [ servers = [
{url = "http://127.0.0.1:8090";} {url = "http://127.0.0.1:8090";}
]; ];
#passHostHeader = true;
}; };
forgejo.loadBalancer = { forgejo.loadBalancer = {
servers = [ servers = [
{url = "http://127.0.0.1:8092";} {url = "http://10.1.1.4:3000";}
]; ];
}; };
matrix.loadBalancer = { matrix.loadBalancer = {
@ -267,7 +240,7 @@ in {
partdb.loadBalancer = { partdb.loadBalancer = {
servers = [ servers = [
{url = "http://127.0.0.1:8094";} {url = "http://10.1.1.249:8087";}
]; ];
}; };
}; };
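Review bot: `JWT_RESTRICTION_HEADER = "CF-Connecting-IP"` in the first hunk binds the challenge token to a request header that is only trustworthy when every request reaches Traefik through Cloudflare; if the `websecure` entry point can be reached directly, the client supplies the value itself and the binding adds no protection. Nothing visible in this diff restricts the entry point to Cloudflare or strips the header from other sources, so I would confirm that and record it beside the setting, e.g. `# Trusted only because websecure accepts traffic from Cloudflare exclusively`. In the same hunk `COOKIE_DOMAIN = ".prg-radio.org,prg-radio.org"` reads like a list, but a cookie Domain attribute holds a single domain and `.prg-radio.org` already matches the apex, so the previous value looks like the correct one. The second hunk also leaves `SLOG_LEVEL = "DEBUG"` and `COOKIE_SAME_SITE = "None"` enabled; both look like troubleshooting settings and should be reverted or justified in a comment once the redirect loop is resolved.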