feat: server overhaul

2026-03-18 22:55:04 +02:00 · 2026-03-18 22:55:04 +02:00 · 0cd31bca40
commit 0cd31bca40
parent b82b3e64f1
6 changed files with 24 additions and 39 deletions
--- a/modules/server/caddy.nix
+++ b/modules/server/caddy.nix
@ -0,0 +1,7 @@
+{config, ...}: {
+  flake.modules.nixos.server = {...}: {
+    services.caddy.enable = config.flake.meta.web.domain.has;
+    networking.firewall.allowedTCPPorts = [80 443];
+    networking.firewall.allowedUDPPorts = [80 443];
+  };
+}
--- a/modules/server/cloudflared.nix
+++ b/modules/server/cloudflared.nix
@ -1,7 +0,0 @@
-{config, ...}: {
-  flake.modules.nixos.server = {pkgs, ...}: {
-    environment.systemPackages = [pkgs.cloudflared];
-
-    services.cloudflared.enable = config.flake.meta.web.domain.has;
-  };
-}
--- a/modules/server/copyparty.nix
+++ b/modules/server/copyparty.nix
@ -19,15 +19,11 @@ in {
    };
    sops.secrets."cloudflare/copyparty" = {};

-    services.cloudflared.tunnels = lib.mkIf config.services.cloudflared.enable {
-      "files" = {
-        credentialsFile = "/run/secrets/cloudflare/copyparty";
-        default = "http_status:404";
-        ingress = {
-          "files.${flk.meta.web.domain.domain}" = {
-            service = "http://localhost:3293";
-          };
-        };
+    services.caddy.virtualHosts = {
+      "files.${flk.meta.web.domain.domain}" = {
+        extraConfig = ''
+          reverse_proxy :3293
+        '';
      };
    };

@ -43,14 +39,7 @@ in {
        e2t = true;
        shr = "/shr";

-        xff-hdr =
-          if config.services.cloudflared.enable
-          then "cf-connecting-ip"
-          else null;
-        rproxy =
-          if config.services.cloudflared.enable
-          then 1
-          else null;
+        rproxy = 1;
      };
      accounts = {
        ilay.passwordFile = config.sops.secrets."copyparty/passwords/ilay".path;
--- a/modules/server/forgejo/forgejo.nix
+++ b/modules/server/forgejo/forgejo.nix
@ -8,15 +8,11 @@ in {
  }: {
    sops.secrets."cloudflare/git" = {};

-    services.cloudflared.tunnels = lib.mkIf config.services.cloudflared.enable {
-      "git" = {
-        credentialsFile = "/run/secrets/cloudflare/git";
-        default = "http_status:404";
-        ingress = {
-          "git.${flk.meta.web.domain.domain}" = {
-            service = "http://localhost:5675";
-          };
-        };
+    services.caddy.virtualHosts = {
+      "git.${flk.meta.web.domain.domain}" = {
+        extraConfig = ''
+          reverse_proxy :5675
+        '';
      };
    };

--- a/modules/server/ssh.nix
+++ b/modules/server/ssh.nix
@ -8,6 +8,9 @@
      };
    };

+    networking.firewall.allowedTCPPorts = [22];
+    networking.firewall.allowedUDPPorts = [22];
+
    users.users.${config.flake.meta.user.name} = {
      openssh.authorizedKeys.keys = [
        config.flake.meta.user.ssh_key
--- a/secrets.yaml
+++ b/secrets.yaml
@ -4,9 +4,6 @@ copyparty:
    passwords:
        ilay: ENC[AES256_GCM,data:BIh+FIdvKg8=,iv:q+aCn2f2/Y2TbQc5pR2buEO0DSAj7Bq3Zvyjv1cf30Y=,tag:zaSse7VCTdEd6jo5JEiZsA==,type:str]
        ron: ENC[AES256_GCM,data:8sw3Sf158A==,iv:9EyFYAxoFMGYijQ93lDOjSoaP/RHMtphlhto14ofXq0=,tag:T2MvVxUXnlx+yZyH0znZsA==,type:str]
-cloudflare:
-    copyparty: ENC[AES256_GCM,data:SK8qhyjIiOsKzZsnh8W8/BRJmbHoLA6rCGGUzKb9ucbTiiCUhfnaR7A/0SSKKecrMwTmuCos0WnEUe0ixGWJcHncEoLpMyAQMfmL81wbyfDhkxrEjc77aSRomAqM9X/jWg3ocp4oxKKUkEfnnKUqkv4vse+J/lBZjlOoTtwiPoJ1V/GL2JKru/f/LoERQqCEaAqMnQeXJyi/5pf4wPCKLbRQxZ1LCmxeyMMRU0FgOQ==,iv:HqAmQR1SMd4D3uf0eSCfKBCO61mM/Zdfiv/RBlaiJkc=,tag:7ESjgrqkG9RWDAmV/2wGdA==,type:str]
-    git: ENC[AES256_GCM,data:QxpLDjVsPiIxSKq6hWUOBS0wWxZ2ccLmSYQA64U3n+Y42Uuaf92pJHt3CQ2ZSaIXWbgpVotln/vBexRA1RH4ZpF5vwyYX1XUwCisv3qdkS/P4/kZIt8TtdvYV1pVwxZRqm58aA0L4ZuNk0q5a1tscrXtLVJ2+uvF9we6Oloz5uMA+XCBwzkqo6Ucbc/47gbUPTRSzMRpY1n8ma71NiensFn0lGtyWfB7TW26pLbSVg==,iv:mZmufTufxBuRkE0YNBwRNV4Shq1Uq2r+MzsNuzPkzQI=,tag:igtKa2VSLBjY9eKWONoKOg==,type:str]
 forgejo:
    token: ENC[AES256_GCM,data:3bsyRuBeK7+Blph3YUFB92b1pWgLcSUjy5j+2KfigaFubHs6c26zAEuH0bKBZg==,iv:lAJWyZlaV1hP6W6Y2ZkMfFFACcGjnHW/pNuXgPSOLlU=,tag:POmNl8JIidEoHhnjaqqz4A==,type:str]
 openclaw:
@ -41,7 +38,7 @@ sops:
            MFp0UW1HSW9MbmppcHlNM25CaFhqOWcKppF0dE4YNh+mN1tyZju4zxM6ZFBSKx9U
            cGYtUemtt4s9ko3hPt8ZM/ysKOeZgnYoeG7QQnwSoF3F+/gurvb0Bg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-27T21:30:21Z"
-    mac: ENC[AES256_GCM,data:42D8He2GuUGDh5AIOomKt9EV/qU5vTSQrDvvarMzAlPaW3RBcDCBTbwA41Vz7raQJf/EvtU/2D2rQ6U4Pjdlc9rzctSlAesZPgPdbjtfcbNUylxExh0CEgKaeVcCKOQ+Bi7ZzLGiQewRdnxeihEiOkxS0LHyzHyEcOxqN1A/uGw=,iv:UgwHroeJIWos20+SpnBCvcmwnyF5O7P1d7n07UAwzAA=,tag:wRegPCgl5RY8o+e7IGqELA==,type:str]
+    lastmodified: "2026-03-18T20:55:00Z"
+    mac: ENC[AES256_GCM,data:5tUwCWDZWMyqLQ2F1z+wEmlANN4j+sI8ijcfXn78fEKX2bl9dnNy5BHipRdduiToL3TeIwXYObfems2C2S+SjJtBwdBN23BHZsq89JswE5+0BssW9LvFJ7a0bnfHQ50Zh/L4Ae49m88ge0ma0fXbO2IiSIC1cpKm62pMgeqnEDY=,iv:OcXj3ls5pm7/lOUyhbbtbfuGT7NP23BL70uBRmGTVc0=,tag:o4WHDK8puizf99Uu/Gwt4Q==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.1