From e3bf73e96e1d24547f45c7c09e917c173cba8614 Mon Sep 17 00:00:00 2001 From: Christine Elisabeth Koppel Date: Sat, 14 Feb 2026 00:40:14 +0100 Subject: [PATCH] Bring back the current solution again. --- nix-system-configs/modules/system/traefik.nix | 79 +++++++++++++------ 1 file changed, 53 insertions(+), 26 deletions(-) diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix index 3fd1070..d66236b 100644 --- a/nix-system-configs/modules/system/traefik.nix +++ b/nix-system-configs/modules/system/traefik.nix @@ -46,26 +46,25 @@ in { # Configure Anubis service services.anubis = { - # Use a single shared Anubis instance (redirect mode) so cookie + challenge - # state is consistent across all protected services. instances = { - shared = { + "" = { enable = true; settings = { + # Bind to TCP instead of Unix socket for Docker-style integration BIND_NETWORK = "tcp"; BIND = "127.0.0.1:8090"; - # Redirect mode (Anubis will issue challenges & redirects) + # Empty TARGET for redirect mode TARGET = " "; - # Which domains are allowed to be redirected back to + # Configure redirect domains - ALL domains that should be able to redirect back after challenge REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org"; - # Public URL for this Anubis instance + # Public URL for Anubis PUBLIC_URL = "https://anubis.prg-radio.org"; - # Use bare domain for cookie scoping (modern browsers prefer no leading dot) - COOKIE_DOMAIN = "prg-radio.org"; + # Cookie domain for proper scoping (leading dot for all subdomains) + COOKIE_DOMAIN = ".prg-radio.org"; # Difficulty level DIFFICULTY = 7; 
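Review bot: The new comment on `COOKIE_DOMAIN` misstates cookie scoping: per RFC 6265 §5.2.3 a conforming client strips a leading dot from the Domain attribute, so `".prg-radio.org"` and the removed `"prg-radio.org"` scope the cookie identically, to the apex and every subdomain, and the removed comment was the accurate one. The comment should state what the value actually does, e.g. `# Cookie shared by prg-radio.org and all its subdomains (a leading dot is ignored per RFC 6265)`. Every host under that apex can read the Anubis challenge cookie, so each entry in `REDIRECT_DOMAINS` sits inside the same trust boundary, which is worth saying next to that list. `wavelog.prg-radio.org` remains in `REDIRECT_DOMAINS` even though its instance is left commented out in the next hunk. The visible lines of this hunk end before the count given in its `@@` header, so its trailing context is not shown here.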
@@ -82,6 +81,52 @@ in { METRICS_BIND = "127.0.0.1:8091"; }; }; + + # Per-service Anubis instances (reverse-proxy mode) --------------------------- + forgejo = { + enable = true; + settings = { + BIND_NETWORK = "tcp"; + BIND = "127.0.0.1:8092"; + TARGET = "http://10.1.1.4:3000"; # Forgejo backend + DIFFICULTY = 20; + SERVE_ROBOTS_TXT = true; + WEBMASTER_EMAIL = "dtu.prg@gmail.com"; + METRICS_BIND_NETWORK = "tcp"; + METRICS_BIND = "127.0.0.1:8095"; + }; + }; + + /* + wavelog = { + enable = true; + settings = { + BIND_NETWORK = "tcp"; + BIND = "127.0.0.1:8093"; + TARGET = "http://10.1.1.249:8086"; # Wavelog backend + DIFFICULTY = 20; + SERVE_ROBOTS_TXT = true; + WEBMASTER_EMAIL = "dtu.prg@gmail.com"; + METRICS_BIND_NETWORK = "tcp"; + METRICS_BIND = "127.0.0.1:8096"; + }; + }; + */ + + # This part needs investigating + partdb = { + enable = true; + settings = { + BIND_NETWORK = "tcp"; + BIND = "127.0.0.1:8094"; + TARGET = "http://10.1.1.249:8087"; # PartDB backend + DIFFICULTY = 20; + SERVE_ROBOTS_TXT = true; + WEBMASTER_EMAIL = "dtu.prg@gmail.com"; + METRICS_BIND_NETWORK = "tcp"; + METRICS_BIND = "127.0.0.1:8097"; + }; + }; }; }; @@ -145,20 +190,6 @@ in { } ]; - # ForwardAuth middleware so a single Anubis instance can protect many services - http.middlewares = lib.mkForce (lib.mkMerge [ (lib.optionalAttrs true { - anubis = { - forwardAuth = { - address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check"; - trustForwardHeader = true; - # Ensure Traefik forwards Set-Cookie from Anubis back to the client - authResponseHeaders = [ "Set-Cookie" ]; - # Forward original host and proto so Anubis computes redirects correctly - authRequestHeaders = [ "X-Forwarded-Host" "X-Forwarded-Proto" ]; - }; - }; - }) ]); - http.routers = { #anubis-api = { # rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)"; 
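Review bot: `BIND_NETWORK`, `DIFFICULTY`, `SERVE_ROBOTS_TXT`, `WEBMASTER_EMAIL` and `METRICS_BIND_NETWORK` are repeated verbatim in the `forgejo`, `wavelog` and `partdb` instances, so a shared attrset merged with `//` would keep the three in step and leave only `BIND`, `TARGET` and `METRICS_BIND` per instance (the module may also offer a shared-defaults option; only the plain Nix form below is certain). The `/* wavelog … */` block and the `# This part needs investigating` marker commit dead and unfinished configuration; either drop the block or replace it with a one-line comment naming the blocker, e.g. `# wavelog instance disabled: <reason> — tracked in <issue>`. `DIFFICULTY = 20` here versus `7` on the redirect-mode instance is a large gap; if the unit is the same, confirm a browser can still solve it in acceptable time. The `TARGET` URLs are plain `http://` to 10.1.1.x hosts, so the Anubis-to-backend leg is unencrypted and relies on that network segment being trusted.
```nix
# in the module's top-level `let … in` (outside this hunk):
commonProxySettings = {
  BIND_NETWORK = "tcp";
  DIFFICULTY = 20;
  SERVE_ROBOTS_TXT = true;
  WEBMASTER_EMAIL = "dtu.prg@gmail.com";
  METRICS_BIND_NETWORK = "tcp";
};

# … unchanged: "" redirect-mode instance …
forgejo = {
  enable = true;
  settings = commonProxySettings // {
    BIND = "127.0.0.1:8092";
    TARGET = "http://10.1.1.4:3000"; # Forgejo backend
    METRICS_BIND = "127.0.0.1:8095";
  };
};
# … same pattern for partdb (BIND 8094, METRICS_BIND 8097) …
```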
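Review bot: Removing the `anubis` forwardAuth middleware here, together with the `middlewares = ["anubis"]` lines on the git and partdb routers in the two following hunks, leaves nothing in this commit that puts the new per-service instances on the request path: the diffstat's 53 additions are fully accounted for by the two preceding hunks, so the Traefik `http.services` definitions for `forgejo` and `partdb` are unchanged. If those services still point at the backends rather than at `127.0.0.1:8092` and `127.0.0.1:8094`, git.prg-radio.org and partdb.prg-radio.org are now served with no challenge at all, a silent loss of protection rather than a visible failure. Either repoint the two services' `loadBalancer.servers` URLs to the matching Anubis instance in this same commit, or keep the forwardAuth middleware until that is done; a quick check is that a fresh client fetching `https://git.prg-radio.org/` sees the Anubis challenge before Forgejo's login page. The attribute set holding `http.routers` starts and ends outside this hunk.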
@@ -181,8 +212,6 @@ in { rule = "Host(`git.prg-radio.org`)"; service = "forgejo"; entryPoints = ["websecure"]; - # Protect via shared Anubis using forwardAuth - middlewares = ["anubis"]; tls = {}; }; @@ -207,8 +236,6 @@ in { rule = "Host(`partdb.prg-radio.org`)"; service = "partdb"; entryPoints = ["websecure"]; - # Protect via shared Anubis using forwardAuth - middlewares = ["anubis"]; tls = {}; }; };