move

nix/modules/caddy/base.Caddyfile

@@ -0,0 +1,59 @@
+{
+	email noratrieb@proton.me
+	auto_https disable_redirects
+
+	storage s3 {
+		host "localhost:3900"
+		bucket "caddy-store"
+		# access_id ENV S3_ACCESS_ID
+		# secret_key ENV S3_SECRET_KEY
+
+		insecure true
+	}
+
+	servers {
+		metrics
+	}
+
+	log default {
+		output stdout
+		format json
+	}
+}
+
+# https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3
+(cors) {
+	@cors_preflight{args[0]} method OPTIONS
+	@cors{args[0]} header Origin {args[0]}
+
+	handle @cors_preflight{args[0]} {
+		header {
+			Access-Control-Allow-Origin "{args[0]}"
+			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+			Access-Control-Allow-Credentials "false"
+			Access-Control-Allow-Headers "${args[1]}"
+			Access-Control-Max-Age "86400"
+			defer
+		}
+		respond "" 204
+	}
+
+	handle @cors{args[0]} {
+		header {
+			Access-Control-Allow-Origin "{args[0]}"
+			Access-Control-Expose-Headers *
+			defer
+		}
+	}
+}
+
+http:// {
+	log
+	respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
+}
+
+# HTTP
+:9010 {
+	log
+	metrics /metrics
+}

nix/modules/caddy/caddy-build.nix

@@ -0,0 +1,116 @@
+# Copied from https://github.com/NixOS/nixpkgs/pull/259275 and updated.
+
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, gnused
+, nixosTests
+, caddy
+, stdenv
+, testers
+, installShellFiles
+, externalPlugins ? [ ]
+, vendorHash ? "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM="
+}:
+
+let
+  attrsToModules = attrs:
+    builtins.map ({ name, repo, version }: "${repo}") attrs;
+  attrsToSources = attrs:
+    builtins.map ({ name, repo, version }: "${repo}@${version}") attrs;
+in
+buildGoModule rec {
+  pname = "caddy";
+  version = "2.8.4";
+
+  dist = fetchFromGitHub {
+    owner = "caddyserver";
+    repo = "dist";
+    rev = "v${version}";
+    hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0=";
+  };
+
+  src = fetchFromGitHub {
+    owner = "caddyserver";
+    repo = "caddy";
+    rev = "v${version}";
+    hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ=";
+  };
+
+  inherit vendorHash;
+
+  subPackages = [ "cmd/caddy" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}"
+  ];
+
+  # matches upstream since v2.8.0
+  tags = [ "nobadger" ];
+
+  nativeBuildInputs = [ gnused installShellFiles ];
+
+  modBuildPhase = ''
+    for module in ${builtins.toString (attrsToModules externalPlugins)}; do
+      sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go
+    done
+    for plugin in ${builtins.toString (attrsToSources externalPlugins)}; do
+      go get $plugin
+    done
+
+    go generate
+    go mod vendor
+  '';
+
+  modInstallPhase = ''
+    mv -t vendor go.mod go.sum
+    cp -r --reflink=auto vendor "$out"
+  '';
+
+  preBuild = ''
+    chmod -R u+w vendor
+    [ -f vendor/go.mod ] && mv -t . vendor/go.{mod,sum}
+    go generate
+
+    for module in ${builtins.toString (attrsToModules externalPlugins)}; do
+      sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go
+    done
+  '';
+
+  postInstall = ''
+    install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
+
+    substituteInPlace $out/lib/systemd/system/caddy.service \
+      --replace-fail "/usr/bin/caddy" "$out/bin/caddy"
+    substituteInPlace $out/lib/systemd/system/caddy-api.service \
+      --replace-fail "/usr/bin/caddy" "$out/bin/caddy"
+  '' + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
+    # Generating man pages and completions fail on cross-compilation
+    # https://github.com/NixOS/nixpkgs/issues/308283
+
+    $out/bin/caddy manpage --directory manpages
+    installManPage manpages/*
+
+    installShellCompletion --cmd caddy \
+      --bash <($out/bin/caddy completion bash) \
+      --fish <($out/bin/caddy completion fish) \
+      --zsh <($out/bin/caddy completion zsh)
+  '';
+  passthru.tests = {
+    inherit (nixosTests) caddy;
+    version = testers.testVersion {
+      command = "${caddy}/bin/caddy version";
+      package = caddy;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://caddyserver.com";
+    description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS";
+    license = licenses.asl20;
+    mainProgram = "caddy";
+    maintainers = with maintainers; [ Br1ght0ne emilylange techknowlogick ];
+  };
+}

nix/modules/caddy/caddy-static-prepare/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, lib, name, src ? null, ... }: pkgs.stdenv.mkDerivation {
+  inherit name src;
+
+  buildInputs = with pkgs; [ python311 python311Packages.zstandard python311Packages.brotli ];
+
+  buildPhase = ''
+    mkdir -p $out
+    cp -r $src/* $out/
+    chmod -R +w $out
+    ${lib.getExe pkgs.python311} ${./prepare.py} $out
+    chmod -R -w $out
+  '';
+}

nix/modules/caddy/caddy-static-prepare/prepare.py

@@ -0,0 +1,60 @@
+import os
+import sys
+import gzip
+import brotli
+import zstandard
+import hashlib
+
+
+def usage():
+    print("usage: prepare.py [SRC]")
+
+
+def write_etag(path, content):
+    shasum = hashlib.sha256(content)
+    etag_path = path+".sha256"
+    with open(etag_path, "w") as f:
+        print(f"Writing ETag {etag_path}")
+        f.write(f'"{shasum.hexdigest()}"')
+
+
+def main():
+    if len(sys.argv) < 2:
+        usage()
+        exit(1)
+
+    src_dir = sys.argv[1]
+
+    for root, dirs, files in os.walk(src_dir):
+        for file in files:
+            path = os.path.join(root, file)
+
+            # Ignore etags
+            if path.endswith(".sha256") or path.endswith(".b3sum"):
+                continue
+
+            # Ignore already compressed files        
+            if path.endswith(".gz") or path.endswith(".zst") or path.endswith(".br"):
+                continue
+
+            with open(path, "rb") as f:
+                content = f.read()
+
+            compressions = [
+                (".gz", gzip),
+                (".zst", zstandard),
+                (".br", brotli),
+            ]
+
+            for ext, alg in compressions:
+                new_path = path+ext
+                with open(new_path, "wb") as out:
+                    print(f"Writing {new_path}")
+                    compressed = alg.compress(content)
+                    out.write(compressed)
+                    write_etag(new_path, compressed)
+
+            write_etag(path, content)
+
+if __name__ == "__main__":
+    main()

nix/modules/caddy/debugging-page/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>nora's server</title>
+</head>
+<body>
+    <h1>congrats, you landed on my server (100% NixOS) directly!?</h1>
+    <p>sorry, but there isn't anything cool here. this is <b>my</b> infra, you are not allowed here.</p>
+    <p>if you do want to be allowed here, then uh.. still no.</p>
+    <p>:3</p>
+</body>
+</html>

nix/modules/caddy/default.nix

@@ -0,0 +1,95 @@
+{ pkgs, config, lib, name, website, slides, blog, ... }:
+
+let
+  caddy = pkgs.callPackage ./caddy-build.nix {
+    externalPlugins = [
+      {
+        name = "certmagic-s3";
+        repo = "github.com/noratrieb-mirrors/certmagic-s3";
+        version = "e48519f95173e982767cbb881d49335b6a00a599";
+      }
+    ];
+    vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI=";
+  };
+in
+{
+  environment.systemPackages = [ caddy ];
+
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9010 ]; # metrics
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      80 # HTTP
+      443 # HTTPS
+    ];
+    allowedUDPPorts = [
+      443 # HTTP/3 via QUIC
+    ];
+  };
+
+  age.secrets.caddy_s3_key_secret.file = ../../secrets/caddy_s3_key_secret.age;
+
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.caddy_s3_key_secret.path;
+  systemd.services.caddy.after = [ "garage.service" ]; # the cert store depends on garage
+  services.caddy = {
+    enable = true;
+    package = caddy;
+    configFile = pkgs.writeTextFile {
+      name = "Caddyfile";
+      text = (
+        builtins.readFile ./base.Caddyfile +
+        ''
+          ${config.networking.hostName}.infra.noratrieb.dev {
+              log
+              encode zstd gzip
+              header -Last-Modified
+              root * ${import ./caddy-static-prepare {
+                name = "debugging-page";
+                src = ./debugging-page;
+                inherit pkgs lib;
+              }}
+              file_server {
+                  etag_file_extensions .sha256
+                  precompressed zstd gzip br
+              }
+          }
+
+          ${
+            if name == "vps1" || name == "vps3" || name == "vps4" then ''
+            noratrieb.dev {
+                log
+                encode zstd gzip
+                header -Last-Modified
+                root * ${import ./caddy-static-prepare {
+                  name = "website";
+                  src = website { inherit pkgs slides blog; };
+                  inherit pkgs lib;
+                }}
+                file_server {
+                    etag_file_extensions .sha256
+                    precompressed zstd gzip br
+                }
+            }
+
+            files.noratrieb.dev {
+              log
+              encode zstd gzip
+
+              reverse_proxy * localhost:3902
+            }
+            '' else ""
+          }
+
+          ${
+            if name == "vps1" || name == "vps3" || name == "vps4" then
+            builtins.readFile ./${name}.Caddyfile else ""
+          }
+        ''
+      );
+      checkPhase = ''
+        ${lib.getExe caddy} --version
+        ${lib.getExe caddy} validate --adapter=caddyfile --config=$out
+      '';
+    };
+  };
+}

nix/modules/caddy/vps1.Caddyfile

@@ -0,0 +1,119 @@
+www.noratrieb.dev {
+	log
+	redir https://noratrieb.dev{uri} permanent
+}
+
+uptime.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5010
+}
+
+hugo-chat.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5002
+}
+
+api.hugo-chat.noratrieb.dev {
+	log
+	import cors https://hugo-chat.noratrieb.dev "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
+	encode zstd gzip
+	reverse_proxy * localhost:5001
+}
+
+bisect-rustc.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5005
+}
+
+docker.noratrieb.dev {
+	log
+	reverse_proxy * localhost:5000
+}
+
+git.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5015
+}
+
+olat.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5011
+}
+
+# unsure if necessary... something was misconfigured in the past here...
+olat.noratrieb.dev:8088 {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5011
+}
+
+upload.files.noratrieb.dev {
+	log
+	encode zstd gzip
+	# we need HTTP/2 here because the server doesn't work with HTTP/1.1
+	# because it will send early 401 responses during the upload without consuming the body
+	reverse_proxy * h2c://localhost:3050
+}
+
+################################################################
+# redirects
+
+blog.noratrieb.dev {
+	log
+	redir https://noratrieb.dev/blog{uri} permanent
+}
+
+nilstrieb.dev {
+	log
+	redir https://noratrieb.dev{uri} permanent
+}
+
+www.nilstrieb.dev {
+	log
+	redir https://noratrieb.dev{uri} permanent
+}
+
+blog.nilstrieb.dev {
+	log
+	redir https://noratrieb.dev/blog{uri} permanent
+}
+
+bisect-rustc.nilstrieb.dev {
+	log
+	redir https://bisect-rustc.dev/blog{uri} permanent
+}
+
+docker.nilstrieb.dev {
+	log
+	redir https://docker.noratrieb.dev{uri} permanent
+}
+
+hugo-chat.nilstrieb.dev {
+	log
+	redir https://hugo-chat.noratrieb.dev{uri} permanent
+}
+
+api.hugo-chat.nilstrieb.dev {
+	log
+	redir https://api.hugo-chat.noratrieb.dev{uri} permanent
+}
+
+uptime.nilstrieb.dev {
+	log
+	redir https://uptime.noratrieb.dev{uri} permanent
+}
+
+olat.nilstrieb.dev {
+	log
+	redir https://olat.noratrieb.dev{uri} permanent
+}
+
+olat.nilstrieb.dev:8088 {
+	log
+	redir https://olat.noratrieb.dev{uri} permanent
+}

nix/modules/caddy/vps3.Caddyfile

@@ -0,0 +1,5 @@
+grafana.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:3000
+}

nix/modules/caddy/vps4.Caddyfile

@@ -0,0 +1,5 @@
+does-it-build.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:3000
+}