Add Anubis service configuration and middleware for protection.

2026-02-13 19:54:05 +01:00 · 2026-02-13 19:54:05 +01:00 · a1ed41e31a
commit a1ed41e31a
parent 4d361588fa
2 changed files with 86 additions and 14 deletions
--- a/nix-system-configs/modules/system/forgejo.nix
+++ b/nix-system-configs/modules/system/forgejo.nix
@ -28,7 +28,7 @@

  # Package local Jost OTF files from the repository into the Nix store so
  # they can be installed into the Forgejo custom assets directory.
-  jostFonts = pkgs.runCommand "jost-fonts" { src = ../styling/forgejo/Jost/OpenType; } ''
+  jostFonts = pkgs.runCommand "jost-fonts" {src = ../styling/forgejo/Jost/OpenType;} ''
    mkdir -p $out/fonts
    cp -a $src/*.otf $out/fonts/
  '';
@ -175,12 +175,12 @@ in {
    # Fallback: one-shot systemd service to copy custom assets on activation (works even if tmpfiles isn't applied or for live testing)
    systemd.services."forgejo-custom-files" = {
      description = "Install Forgejo custom templates and assets into customDir";
-      after = [ "network.target" ];
+      after = ["network.target"];
      serviceConfig = {
        Type = "oneshot";
        # Use bash -c to run a compact copy/install script that ensures dirs exist and files are owned by forgejo
        #           cp -a ${toString ../styling/forgejo/home.tmpl} ${config.services.forgejo.customDir}/templates/home.tmpl; \
-        ExecStart = ''${pkgs.bash}/bin/bash -c "set -eu; \
+        ExecStart = ''          ${pkgs.bash}/bin/bash -c "set -eu; \
                    install -d -m0755 -o forgejo -g forgejo ${config.services.forgejo.customDir}/public/assets/fonts; \
                    install -d -m0755 -o forgejo -g forgejo ${config.services.forgejo.customDir}/public/assets/css; \
                    install -d -m0755 -o forgejo -g forgejo ${config.services.forgejo.customDir}/templates/custom; \
@ -192,7 +192,7 @@ in {
                    cp -a ${toString ../styling/PRG_logo.png} ${config.services.forgejo.customDir}/public/assets/img/logo.png || true; \
                    chown -R forgejo:forgejo ${config.services.forgejo.customDir}"'';
      };
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = ["multi-user.target"];
    };

    # Open ports in the firewall.
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -44,6 +44,43 @@ in {
    local.userDescription = "NixOS PRG Traefik Service";
    local.address = "10.1.1.250";

+    # Configure Anubis service
+    services.anubis = {
+      instances."" = {
+        enable = true;
+        settings = {
+          # Bind to TCP instead of Unix socket for Docker-style integration
+          BIND_NETWORK = "tcp";
+          BIND = "127.0.0.1:8090";
+
+          # Empty TARGET for redirect mode
+          TARGET = " ";
+
+          # Configure redirect domains
+          REDIRECT_DOMAINS = "prg-radio.org";
+
+          # Public URL for Anubis
+          PUBLIC_URL = "https://anubis.prg-radio.org";
+
+          # Cookie domain for proper scoping
+          COOKIE_DOMAIN = "prg-radio.org";
+
+          # Difficulty level
+          DIFFICULTY = 8;
+
+          # Optional: serve robots.txt
+          SERVE_ROBOTS_TXT = true;
+
+          # Optional: webmaster email for error pages
+          WEBMASTER_EMAIL = "dtu.prg@gmail.com";
+
+          # Metrics on separate port
+          METRICS_BIND_NETWORK = "tcp";
+          METRICS_BIND = "127.0.0.1:8091";
+        };
+      };
+    };
+
    services.traefik = {
      enable = true;
      group = "acme";
@ -103,13 +140,35 @@ in {
            keyFile = "/var/lib/acme/prg-radio.org/key.pem";
          }
        ];
+
+        # Define Anubis middleware
+        http.middlewares = {
+          anubis = {
+            forwardAuth = {
+              address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
+              trustForwardHeader = true;
+            };
+          };
+        };
+
        http.routers = {
+          # Anubis router (for challenge page)
+          anubis = {
+            rule = "Host(`anubis.prg-radio.org`)";
+            service = "anubis";
+            entryPoints = ["websecure"];
+            tls = {};
+          };
+
+          # Protected service example: Forgejo
          forgejo = {
            rule = "Host(`git.prg-radio.org`)";
            service = "forgejo";
            entryPoints = ["websecure"];
+            middlewares = ["anubis"]; # Add Anubis protection
            tls = {};
          };
+
          # Matrix HTTP router for client requests (Element etc.)
          matrix = {
            rule = "Host(`lgbtq.prg-radio.org`)";
@ -117,21 +176,34 @@ in {
            entryPoints = ["websecure"];
            tls = {};
          };
+
+          # Protected service: Wavelog
          wavelog = {
            rule = "Host(`wavelog.prg-radio.org`)";
            service = "wavelog";
            entryPoints = ["websecure"];
+            middlewares = ["anubis"]; # Add Anubis protection
            tls = {};
          };

+          # Protected service: PartDB (remove middleware)
          partdb = {
            rule = "Host(`partdb.prg-radio.org`)";
            service = "partdb";
+            middlewares = ["anubis"]; # Add Anubis protection
            entryPoints = ["websecure"];
            tls = {};
          };
        };
+
        http.services = {
+          # Anubis service
+          anubis.loadBalancer = {
+            servers = [
+              {url = "http://127.0.0.1:8090";}
+            ];
+          };
+
          forgejo.loadBalancer = {
            servers = [
              {url = "http://10.1.1.4:3000";}