Build Caddy with cloudflare as overlay

2024-10-07 22:03:39 +02:00 · 2024-10-07 22:03:39 +02:00 · 7d2ce03dc3
commit 7d2ce03dc3
parent abfd06a50d
5 changed files with 95 additions and 3 deletions
--- a/flake.lock
+++ b/flake.lock
@ -241,6 +241,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1726463316,
+        "narHash": "sha256-gI9kkaH0ZjakJOKrdjaI/VbaMEo9qBbSUl93DnU7f4c=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "99dc8785f6a0adac95f5e2ab05cc2e1bf666d172",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "agenix": "agenix",
@ -248,7 +264,8 @@
        "home-manager": "home-manager_2",
        "lix-module": "lix-module",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable"
      }
    },
    "stable": {
--- a/flake.nix
+++ b/flake.nix
@ -11,6 +11,7 @@

    # NixOS related inputs
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";

    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

@ -40,6 +41,7 @@
    {
      self,
      nixpkgs,
+      nixpkgs-unstable,
      nixos-hardware,
      lix-module,
      agenix,
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@ -31,6 +31,12 @@ in
          host = "metrics.internal";
        };
      };
+      grafana = {
+        proxy = {
+          domain = "tegola.pro";
+          host = "metrics.internal";
+        };
+      };
    };

    networking = {
@ -64,7 +70,10 @@ in
    };
  };

-  networking.nameservers = [ "192.168.1.2" ];
+  networking = {
+    firewall.allowedTCPPorts = [ 9100 ];
+    nameservers = [ "192.168.1.2" ];
+  };

  system.stateVersion = "24.05";
 }
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,5 +1,6 @@
 {
  nixpkgs,
+  nixpkgs-unstable,
  nixos-hardware,
  agenix,
  home-manager,
@ -9,7 +10,13 @@
 let
  agenixOverlay = final: prev: { agenix = agenix.packages.${prev.system}.default; };

-  customOverlays = import ../overlay;
+  # customOverlays = import ../overlay;
+  customOverlays = (
+    final: prev: {
+      caddy-custom = prev.callPackage ../overlay/caddy-custom.nix { };
+      jellyseerr = nixpkgs-unstable.legacyPackages."x86_64-linux".jellyseerr;
+    }
+  );

  pkgs =
    system:
--- a/modules/networking/caddy.nix
+++ b/modules/networking/caddy.nix
@ -29,6 +29,12 @@ in
      enable = true;
      package = pkgs.caddy-custom;
      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
+      globalConfig = ''
+        admin :2024
+        servers {
+          metrics
+        }
+      '';
      extraConfig = ''
        (cloudflare) {
          tls {
@ -44,9 +50,60 @@ in
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    };

+    # By default, the module create a custom user but it lacks permission to read caddy files
+    systemd.services.promtail.serviceConfig = {
+      Group = lib.mkForce config.services.caddy.group;
+      User = lib.mkForce config.services.caddy.user;
+    };
+
+    services.promtail = {
+      enable = true;
+      configuration = {
+        server.http_listen_port = 9080;
+        server.grpc_listen_port = 0;
+        clients = [ { url = "http://metrics.internal:3100/loki/api/v1/push"; } ];
+
+        scrape_configs = [
+          {
+            job_name = "journal";
+            journal = {
+              max_age = "12h";
+              labels = {
+                job = "systemd-journal";
+              };
+            };
+            relabel_configs = [
+              {
+                source_labels = [ "__journal__systemd_unit" ];
+                regex = "(.*)\\.service";
+                target_label = "service";
+              }
+              {
+                source_labels = [ "__journal__hostname" ];
+                target_label = "hostname";
+              }
+            ];
+          }
+          {
+            job_name = "caddy";
+            static_configs = [
+              {
+                targets = [ "localhost" ];
+                labels = {
+                  job = "caddylogs";
+                  __path__ = "${config.services.caddy.logDir}/*.log";
+                };
+              }
+            ];
+          }
+        ];
+      };
+    };
+
    networking.firewall.allowedTCPPorts = [
      80
      443
+      2024
    ];

    networking.firewall.allowedUDPPorts = [