Bring back the current solution again.
parent
4d65b091ac
commit
e3bf73e96e
1 changed files with 53 additions and 26 deletions
|
|
@ -46,26 +46,25 @@ in {
|
||||||
|
|
||||||
# Configure Anubis service
|
# Configure Anubis service
|
||||||
services.anubis = {
|
services.anubis = {
|
||||||
# Use a single shared Anubis instance (redirect mode) so cookie + challenge
|
|
||||||
# state is consistent across all protected services.
|
|
||||||
instances = {
|
instances = {
|
||||||
shared = {
|
"" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
# Bind to TCP instead of Unix socket for Docker-style integration
|
||||||
BIND_NETWORK = "tcp";
|
BIND_NETWORK = "tcp";
|
||||||
BIND = "127.0.0.1:8090";
|
BIND = "127.0.0.1:8090";
|
||||||
|
|
||||||
# Redirect mode (Anubis will issue challenges & redirects)
|
# Empty TARGET for redirect mode
|
||||||
TARGET = " ";
|
TARGET = " ";
|
||||||
|
|
||||||
# Which domains are allowed to be redirected back to
|
# Configure redirect domains - ALL domains that should be able to redirect back after challenge
|
||||||
REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org";
|
REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org";
|
||||||
|
|
||||||
# Public URL for this Anubis instance
|
# Public URL for Anubis
|
||||||
PUBLIC_URL = "https://anubis.prg-radio.org";
|
PUBLIC_URL = "https://anubis.prg-radio.org";
|
||||||
|
|
||||||
# Use bare domain for cookie scoping (modern browsers prefer no leading dot)
|
# Cookie domain for proper scoping (leading dot for all subdomains)
|
||||||
COOKIE_DOMAIN = "prg-radio.org";
|
COOKIE_DOMAIN = ".prg-radio.org";
|
||||||
|
|
||||||
# Difficulty level
|
# Difficulty level
|
||||||
DIFFICULTY = 7;
|
DIFFICULTY = 7;
|
||||||
|
|
@ -82,6 +81,52 @@ in {
|
||||||
METRICS_BIND = "127.0.0.1:8091";
|
METRICS_BIND = "127.0.0.1:8091";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Per-service Anubis instances (reverse-proxy mode) ---------------------------
|
||||||
|
forgejo = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
BIND_NETWORK = "tcp";
|
||||||
|
BIND = "127.0.0.1:8092";
|
||||||
|
TARGET = "http://10.1.1.4:3000"; # Forgejo backend
|
||||||
|
DIFFICULTY = 20;
|
||||||
|
SERVE_ROBOTS_TXT = true;
|
||||||
|
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
|
||||||
|
METRICS_BIND_NETWORK = "tcp";
|
||||||
|
METRICS_BIND = "127.0.0.1:8095";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
wavelog = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
BIND_NETWORK = "tcp";
|
||||||
|
BIND = "127.0.0.1:8093";
|
||||||
|
TARGET = "http://10.1.1.249:8086"; # Wavelog backend
|
||||||
|
DIFFICULTY = 20;
|
||||||
|
SERVE_ROBOTS_TXT = true;
|
||||||
|
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
|
||||||
|
METRICS_BIND_NETWORK = "tcp";
|
||||||
|
METRICS_BIND = "127.0.0.1:8096";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
*/
|
||||||
|
|
||||||
|
# This part needs investigating
|
||||||
|
partdb = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
BIND_NETWORK = "tcp";
|
||||||
|
BIND = "127.0.0.1:8094";
|
||||||
|
TARGET = "http://10.1.1.249:8087"; # PartDB backend
|
||||||
|
DIFFICULTY = 20;
|
||||||
|
SERVE_ROBOTS_TXT = true;
|
||||||
|
WEBMASTER_EMAIL = "dtu.prg@gmail.com";
|
||||||
|
METRICS_BIND_NETWORK = "tcp";
|
||||||
|
METRICS_BIND = "127.0.0.1:8097";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -145,20 +190,6 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
# ForwardAuth middleware so a single Anubis instance can protect many services
|
|
||||||
http.middlewares = lib.mkForce (lib.mkMerge [ (lib.optionalAttrs true {
|
|
||||||
anubis = {
|
|
||||||
forwardAuth = {
|
|
||||||
address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
|
|
||||||
trustForwardHeader = true;
|
|
||||||
# Ensure Traefik forwards Set-Cookie from Anubis back to the client
|
|
||||||
authResponseHeaders = [ "Set-Cookie" ];
|
|
||||||
# Forward original host and proto so Anubis computes redirects correctly
|
|
||||||
authRequestHeaders = [ "X-Forwarded-Host" "X-Forwarded-Proto" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}) ]);
|
|
||||||
|
|
||||||
http.routers = {
|
http.routers = {
|
||||||
#anubis-api = {
|
#anubis-api = {
|
||||||
# rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)";
|
# rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)";
|
||||||
|
|
@ -181,8 +212,6 @@ in {
|
||||||
rule = "Host(`git.prg-radio.org`)";
|
rule = "Host(`git.prg-radio.org`)";
|
||||||
service = "forgejo";
|
service = "forgejo";
|
||||||
entryPoints = ["websecure"];
|
entryPoints = ["websecure"];
|
||||||
# Protect via shared Anubis using forwardAuth
|
|
||||||
middlewares = ["anubis"];
|
|
||||||
tls = {};
|
tls = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -207,8 +236,6 @@ in {
|
||||||
rule = "Host(`partdb.prg-radio.org`)";
|
rule = "Host(`partdb.prg-radio.org`)";
|
||||||
service = "partdb";
|
service = "partdb";
|
||||||
entryPoints = ["websecure"];
|
entryPoints = ["websecure"];
|
||||||
# Protect via shared Anubis using forwardAuth
|
|
||||||
middlewares = ["anubis"];
|
|
||||||
tls = {};
|
tls = {};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
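Review bot: The `git.prg-radio.org` and `partdb.prg-radio.org` routers lose `middlewares = ["anubis"]` but still name `service = "forgejo"` and `service = "partdb"`, so the challenge is now enforced only if those Traefik services point at the new per-service Anubis listeners rather than at the backends. The service definitions are outside the visible hunks; please confirm they read along the lines of `servers = [{ url = "http://127.0.0.1:8092"; }];` for forgejo and port `8094` for partdb, and that `10.1.1.4:3000` and `10.1.1.249:8087` are not reachable except through Anubis. `DIFFICULTY = 20` on the new instances is far above the `7` of the shared instance; Anubis treats this value as the number of leading zeroes a solution must have, so 20 probably makes the challenge impractical for real browsers and a value close to the shared one looks intended. The `""` instance keeps `REDIRECT_DOMAINS` and the wider `COOKIE_DOMAIN = ".prg-radio.org"` although the forwardAuth middleware that called it is removed; if no other router uses it, it should be dropped. The comment `# This part needs investigating` should also say what is unresolved.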