root/the_prg_server_configuration_old
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add Anubis service configuration and middleware for protection.

Browse source
This commit is contained in:
Root User 2026-02-13 19:54:05 +01:00
parent 4d361588fa
commit a1ed41e31a
Signed by: root
GPG key ID: 087F0A95E5766D72
2 changed files with 86 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

72
nix-system-configs/modules/system/traefik.nix
View file

@ -44,6 +44,43 @@ in {
local.userDescription = "NixOS PRG Traefik Service"; local.userDescription = "NixOS PRG Traefik Service";
local.address = "10.1.1.250"; local.address = "10.1.1.250";
# Configure Anubis service
services.anubis = {
instances."" = {
enable = true;
settings = {
# Bind to TCP instead of Unix socket for Docker-style integration
BIND_NETWORK = "tcp";
BIND = "127.0.0.1:8090";
# Empty TARGET for redirect mode
TARGET = " ";
# Configure redirect domains
REDIRECT_DOMAINS = "prg-radio.org";
# Public URL for Anubis
PUBLIC_URL = "https://anubis.prg-radio.org";
# Cookie domain for proper scoping
COOKIE_DOMAIN = "prg-radio.org";
# Difficulty level
DIFFICULTY = 8;
# Optional: serve robots.txt
SERVE_ROBOTS_TXT = true;
# Optional: webmaster email for error pages
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
# Metrics on separate port
METRICS_BIND_NETWORK = "tcp";
METRICS_BIND = "127.0.0.1:8091";
};
};
};
services.traefik = { services.traefik = {
enable = true; enable = true;
group = "acme"; group = "acme";
@ -103,13 +140,35 @@ in {
keyFile = "/var/lib/acme/prg-radio.org/key.pem"; keyFile = "/var/lib/acme/prg-radio.org/key.pem";
} }
]; ];
# Define Anubis middleware
http.middlewares = {
anubis = {
forwardAuth = {
address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
trustForwardHeader = true;
};
};
};
http.routers = { http.routers = {
# Anubis router (for challenge page)
anubis = {
rule = "Host(`anubis.prg-radio.org`)";
service = "anubis";
entryPoints = ["websecure"];
tls = {};
};
# Protected service example: Forgejo
forgejo = { forgejo = {
rule = "Host(`git.prg-radio.org`)"; rule = "Host(`git.prg-radio.org`)";
service = "forgejo"; service = "forgejo";
entryPoints = ["websecure"]; entryPoints = ["websecure"];
middlewares = ["anubis"]; # Add Anubis protection
tls = {}; tls = {};
}; };
# Matrix HTTP router for client requests (Element etc.) # Matrix HTTP router for client requests (Element etc.)
matrix = { matrix = {
rule = "Host(`lgbtq.prg-radio.org`)"; rule = "Host(`lgbtq.prg-radio.org`)";
@ -117,21 +176,34 @@ in {
entryPoints = ["websecure"]; entryPoints = ["websecure"];
tls = {}; tls = {};
}; };
# Protected service: Wavelog
wavelog = { wavelog = {
rule = "Host(`wavelog.prg-radio.org`)"; rule = "Host(`wavelog.prg-radio.org`)";
service = "wavelog"; service = "wavelog";
entryPoints = ["websecure"]; entryPoints = ["websecure"];
middlewares = ["anubis"]; # Add Anubis protection
tls = {}; tls = {};
}; };
# Protected service: PartDB (remove middleware)
partdb = { partdb = {
rule = "Host(`partdb.prg-radio.org`)"; rule = "Host(`partdb.prg-radio.org`)";
service = "partdb"; service = "partdb";
middlewares = ["anubis"]; # Add Anubis protection
entryPoints = ["websecure"]; entryPoints = ["websecure"];
tls = {}; tls = {};
}; };
}; };
http.services = { http.services = {
# Anubis service
anubis.loadBalancer = {
servers = [
{url = "http://127.0.0.1:8090";}
];
};
forgejo.loadBalancer = { forgejo.loadBalancer = {
servers = [ servers = [
{url = "http://10.1.1.4:3000";} {url = "http://10.1.1.4:3000";}