Anubis middleware added and working this time.

2026-02-14 12:12:50 +01:00 · 2026-02-14 12:12:50 +01:00 · 9b7d1ca52d
commit 9b7d1ca52d
parent 0ebf6007b7
1 changed files with 33 additions and 60 deletions
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -58,18 +58,22 @@ in {
            TARGET = " ";

            # Configure redirect domains - ALL domains that should be able to redirect back after challenge
-            REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org";
+            REDIRECT_DOMAINS = "prg-radio.org,anubis.prg-radio.org,git.prg-radio.org,lgbtq.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org";

            # Public URL for Anubis
            PUBLIC_URL = "https://anubis.prg-radio.org";

-            # Cookie domain for proper scoping (leading dot for all subdomains)
-            COOKIE_DOMAIN = ".prg-radio.org";
+            # Cookie domain for proper scoping
+            COOKIE_DOMAIN = ".prg-radio.org,prg-radio.org";

            # Difficulty level
            DIFFICULTY = 7;
            #ALGOTIHM = "slow";

+            # This prevents Anubis from looping
+            # See: https://github.com/TecharoHQ/anubis/issues/970
+            JWT_RESTRICTION_HEADER = "CF-Connecting-IP";
+
            # Optional: serve robots.txt
            SERVE_ROBOTS_TXT = true;

@ -79,52 +83,11 @@ in {
            # Metrics on separate port
            METRICS_BIND_NETWORK = "tcp";
            METRICS_BIND = "127.0.0.1:8091";
-          };
-        };

-        # Per-service Anubis instances (reverse-proxy mode) ---------------------------
-        forgejo = {
-          enable = true;
-          settings = {
-            BIND_NETWORK = "tcp";
-            BIND = "127.0.0.1:8092";
-            TARGET = "http://10.1.1.4:3000"; # Forgejo backend
-            DIFFICULTY = 20;
-            SERVE_ROBOTS_TXT = true;
-            WEBMASTER_EMAIL = "dtu.prg@gmail.com";
-            METRICS_BIND_NETWORK = "tcp";
-            METRICS_BIND = "127.0.0.1:8095";
-          };
-        };
+            SLOG_LEVEL = "DEBUG";

-        /*
-        wavelog = {
-          enable = true;
-          settings = {
-            BIND_NETWORK = "tcp";
-            BIND = "127.0.0.1:8093";
-            TARGET = "http://10.1.1.249:8086"; # Wavelog backend
-            DIFFICULTY = 20;
-            SERVE_ROBOTS_TXT = true;
-            WEBMASTER_EMAIL = "dtu.prg@gmail.com";
-            METRICS_BIND_NETWORK = "tcp";
-            METRICS_BIND = "127.0.0.1:8096";
-          };
-        };
-        */
-
-        # This part needs investigating
-        partdb = {
-          enable = true;
-          settings = {
-            BIND_NETWORK = "tcp";
-            BIND = "127.0.0.1:8094";
-            TARGET = "http://10.1.1.249:8087"; # PartDB backend
-            DIFFICULTY = 20;
-            SERVE_ROBOTS_TXT = true;
-            WEBMASTER_EMAIL = "dtu.prg@gmail.com";
-            METRICS_BIND_NETWORK = "tcp";
-            METRICS_BIND = "127.0.0.1:8097";
+            COOKIE_SECURE = true;
+            COOKIE_SAME_SITE = "None"; # Only if Secure=true and you need cross-site
          };
        };
      };
@ -190,29 +153,39 @@ in {
          }
        ];

-        http.routers = {
-          #anubis-api = {
-          #  rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)";
-          #  service = "anubis";
-          #   entryPoints = ["websecure"];
-          #  priority = 200;
-          #   tls = {};
-          # };
+        # Traefik middlewares: Anubis forwardAuth
+        http.middlewares = {
+          anubisForwardAuth = {
+            forwardAuth = {
+              # point at the Anubis check endpoint (the subrequest/UI instance)
+              address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
+            };
+          };
+          redirect-to-https = {
+            redirectScheme = {
+              scheme = "https";
+            };
+          };
+        };

+        http.routers = {
          # Anubis router (for challenge page)
          anubis = {
            rule = "Host(`anubis.prg-radio.org`)";
            service = "anubis";
            entryPoints = ["websecure"];
-            tls = {};
+            tls = {
+              certresolver = "acme";
+            };
          };

-          # Protected service example: Forgejo
+          # Protected service example: Forgejo (attach Anubis forwardAuth middleware)
          forgejo = {
            rule = "Host(`git.prg-radio.org`)";
            service = "forgejo";
            entryPoints = ["websecure"];
            tls = {};
+            middlewares = ["anubisForwardAuth"];
          };

          # Matrix HTTP router for client requests (Element etc.)
@ -237,6 +210,7 @@ in {
            service = "partdb";
            entryPoints = ["websecure"];
            tls = {};
+            middlewares = ["anubisForwardAuth"];
          };
        };

@ -246,12 +220,11 @@ in {
            servers = [
              {url = "http://127.0.0.1:8090";}
            ];
-            #passHostHeader = true;
          };

          forgejo.loadBalancer = {
            servers = [
-              {url = "http://127.0.0.1:8092";}
+              {url = "http://10.1.1.4:3000";}
            ];
          };
          matrix.loadBalancer = {
@ -267,7 +240,7 @@ in {

          partdb.loadBalancer = {
            servers = [
-              {url = "http://127.0.0.1:8094";}
+              {url = "http://10.1.1.249:8087";}
            ];
          };
        };