diff --git a/source/_posts/caddy-nixos-part-1.md b/source/_posts/caddy-nixos-part-1.md index 9aaef81..e8147a5 100644 --- a/source/_posts/caddy-nixos-part-1.md +++ b/source/_posts/caddy-nixos-part-1.md @@ -4,10 +4,10 @@ excerpt: "Part 1: Installing NixOS" date: 2020-02-23 updated: 2021-02-22 tags: -- server -- linux -- caddy -- nixos + - server + - linux + - caddy + - nixos series: first --- @@ -58,13 +58,13 @@ NixOS has a detailed installation [guide](https://nixos.org/nixos/manual/index.h 1. The LiveCD automatically login as "nixos". Simply switch to the root shell. You could setup SSH before installation. Personally I can accept the KVM console latency and I didn't want to open another port, so I never bother. -``` sh +```sh sudo -s ``` 2. Create the necessary partitions. I went with the classic MBR since my VPS provider still supports it and I don't need 2 TB partition. I set up a "swap" partition due to having a tiny RAM; if you have less than 2 GB RAM, it's better to have it, otherwise the `nixos-install` step would fail. -``` sh +```sh # Most KVM-powered VPS use "/dev/vda" naming scheme (instead of "/dev/sda") # Check the output of `ls /dev/` to make sure parted /dev/vda -- mklabel msdos @@ -79,7 +79,7 @@ parted /dev/vda -- mkpart primary linux-swap -1GiB 100% 3. Format the partitions. -``` sh +```sh mkfs.btrfs -L nixos /dev/vda1 # Or "mkfs.ext4" if preferred 
@@ -88,35 +88,35 @@ mkswap -L swap /dev/vda2 4. Mount the partitions. -``` sh +```sh mount /dev/disk/by-label/nixos /mnt swapon /dev/vda2 ``` 5. Generate the configs. This generates "configuration.nix" and "hardware-configuration.nix". -``` sh +```sh nixos-generate-config --root /mnt ``` 6. I replaced the generated "configuration.nix" with my own "configuration.nix". Before uploading the config to the server, I did the following change, - 1. Replace "/dev/sda" with "/dev/vda" in `boot.loader.grub.device` - 2. Replace "eth0" to "ens3" in firewall config (check output of `ifconfig`) - 3. Encrypt the file using 7zip before upload. + 1. Replace "/dev/sda" with "/dev/vda" in `boot.loader.grub.device` + 2. Replace "eth0" to "ens3" in firewall config (check output of `ifconfig`) + 3. Encrypt the file using 7zip before upload. - ``` sh - # This is much less memory-intensive than `nix-env -i package` - # wormhole-william is Go-implementation of magic-wormhole - # Available in 20.09+ - nix-env -f '' -iA google-authenticator p7zip usbguard wormhole-william + ```sh + # This is much less memory-intensive than `nix-env -i package` + # wormhole-william is Go-implementation of magic-wormhole + # Available in 20.09+ + nix-shell -p google-authenticator p7zip usbguard wormhole-william - cd /tmp - wormhole-william receive configuration.7z - 7z x configuration.7z + cd /tmp + wormhole-william receive configuration.7z + 7z x configuration.7z - cp configuration.nix /mnt/etc/nixos/ - ``` + cp configuration.nix /mnt/etc/nixos/ + ``` 7. Install it without setting root password (so that root remains disabled) @@ -128,7 +128,7 @@ nixos-install --no-root-passwd 9. Once the installation is done, before shutting down, secure delete the downloaded files. -``` sh +```sh shred -uz configuration.7z configuration.nix ``` 
@@ -136,7 +136,7 @@ shred -uz configuration.7z configuration.nix Following is my "configuration.nix". I'll show you how to secure NixOS using hashed password, firewall, DNS-over-TLS and USBGuard in my next post. After that, I'll show you how to setup Caddy and Tor (they are disabled for now). -``` nix /etc/nixos/configuration.nix +```nix /etc/nixos/configuration.nix { config, pkgs, ... }: { diff --git a/source/_posts/caddy-nixos-part-2.md b/source/_posts/caddy-nixos-part-2.md index 8539020..654b760 100644 --- a/source/_posts/caddy-nixos-part-2.md +++ b/source/_posts/caddy-nixos-part-2.md @@ -29,10 +29,10 @@ Following diagram shows the architecture behind this website. ## Prerequisites -Before proceeding to the rest of this guide, there are some system packages that you need to install. +Before proceeding to the rest of this guide, there are some packages that you need to install. ``` -$ nix-env -f '' -iA google-authenticator p7zip usbguard wormhole-william +$ nix-shell -p google-authenticator p7zip usbguard wormhole-william ``` ## Disable mutableUsers diff --git a/source/_posts/caddy-nixos-part-3.md b/source/_posts/caddy-nixos-part-3.md index e79049a..7c23735 100644 --- a/source/_posts/caddy-nixos-part-3.md +++ b/source/_posts/caddy-nixos-part-3.md @@ -4,11 +4,11 @@ excerpt: "Part 3: Configure Caddy" date: 2020-03-14 updated: 2022-07-08 tags: -- server -- linux -- caddy -- nixos -- cloudflare + - server + - linux + - caddy + - nixos + - cloudflare series: true --- @@ -30,7 +30,7 @@ This post is Part 2 of a series of articles that show you how I set up Caddy and In NixOS, Caddy can be easily configured through "configuration.nix", without even touching a Caddyfile, if you have a rather simple setup. For example, to serve static files from "/var/www/" folder, -``` nix configuration.nix +```nix configuration.nix services.caddy = { enable = true; email = example@example.com; 
@@ -53,7 +53,7 @@ A package is installed in `/nix/store//` folder and that hash is what make 1. Locate the binary in "/nix/store" by checking `$ systemctl status caddy`. This is only available when caddy service is enabled in "configuration.nix". Disabling the service will remove the package. 2. Install it as a system package using `environment.systemPackages`. -3. Install it as a user package using `$ nix-env -f '' -iA caddy`. +3. Install it as a user package using Home Manager (recommended), [ad-hoc shell](https://nix.dev/tutorials/first-steps/ad-hoc-shell-environments.html) or `$ nix-env -iA nixpkgs.caddy` ([discouraged](https://stop-using-nix-env.privatevoid.net/)). caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use case because I'm not binding caddy to port < 1024. @@ -61,7 +61,7 @@ caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use I created another nix file which is similar to "caddy.nix", but without `CAP_NET_BIND_SERVICE` capability. I also removed Let's Encrypt-related options since I'm using Cloudflare origin certificate. I renamed the `options.services.caddy` to `options.services.caddyProxy` to avoid clash with "caddy.nix". Save the file to "/etc/caddy/caddyProxy.nix" with root as owner. We'll revisit this file in "[configuration.nix](#configurationnix)" section later in this guide. -``` nix /etc/caddy/caddyProxy.nix +```nix /etc/caddy/caddyProxy.nix { config, lib, pkgs, ... }: with lib; @@ -186,9 +186,9 @@ If you followed my {% post_link caddy-nixos-part-2 'Part 2' %} guide, you should ### Initial setup -Set up Caddy to listen on apex domain and www.* on port 4430 +Set up Caddy to listen on apex domain and www.\* on port 4430 -``` plain Caddyfile +```plain Caddyfile mdleom.com:4430 www.mdleom.com:4430 { } 
@@ -234,7 +234,7 @@ If you prefer to redirect apex to www, Aside from reverse proxy to curben.netlify.app, I also configured my Netlify website to use Statically CDN for on-the-fly image processing. My current [config](https://gitlab.com/curben/blog) is: -``` plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects +```plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects /img/* https://cdn.statically.io/img/:splat 200 /screenshot/* https://cdn.statically.io/screenshot/curben.netlify.app/:splat 200 /files/* https://gitlab.com/curben/blog/-/raw/site/:splat 200 @@ -242,7 +242,7 @@ Aside from reverse proxy to curben.netlify.app, I also configured my Netlify web In Caddyfile, the config can be expressed as: -``` plain +```plain handle /img/* { reverse_proxy https://cdn.statically.io } 
@@ -270,38 +270,39 @@ In Caddyfile, the config can be expressed as: To make sure Caddy sends the correct `Host:` header to the upstream/backend locations, I use `header_up` option, {% codeblock mark:5,13,18 %} - handle /img/* { - reverse_proxy https://cdn.statically.io { - header_up Host cdn.statically.io - } - } +handle /img/\* { +reverse_proxy https://cdn.statically.io { +header_up Host cdn.statically.io +} +} - handle_path /screenshot/* { - rewrite * /screenshot/mdleom.com{path} +handle*path /screenshot/* { +rewrite \_ /screenshot/mdleom.com{path} reverse_proxy https://cdn.statically.io { header_up Host cdn.statically.io } - } - reverse_proxy https://curben.netlify.app { - header_up Host curben.netlify.app - } +} + +reverse_proxy https://curben.netlify.app { +header_up Host curben.netlify.app +} {% endcodeblock %} If there are multiple backends for the reverse_proxy, it's better to use a placeholder instead of hardcording the `Host` header. {% codeblock mark:2 %} - reverse_proxy https://curben.pages.dev https://curben.netlify.app { - header_up Host {http.reverse_proxy.upstream.host} - } +reverse_proxy https://curben.pages.dev https://curben.netlify.app { +header_up Host {http.reverse_proxy.upstream.host} +} {% endcodeblock %} ### Add or remove headers To prevent any unnecessary request headers from being sent to the upstreams, I use `header_up`. I use it to remove cookie, referer and [other headers](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) added by Cloudflare. Since there are many headers to remove, I group them as a global variable. I apply it to all `reverse_proxy` directives. -``` Caddyfile +```Caddyfile (removeHeaders) { header_up -cdn-loop header_up -cf-cache-status 
@@ -417,7 +418,7 @@ I also add the `Cache-Control` and `Referrer-Policy` to the response header. Use Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor Onion' %} and {% post_link i2p-eepsite-nixos 'I2P Eepsite' %}, I refactor most of the configuration into "common.conf" and import it into "caddyProxy.conf". -``` plain common.conf +```plain common.conf { ## disable admin endpoint # admin off @@ -587,7 +588,7 @@ Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor O } ``` -``` plain caddyProxy.conf +```plain caddyProxy.conf import common.conf ## mdleom.com @@ -619,7 +620,7 @@ mdleom.com:4430 www.mdleom.com:4430 { One last thing to do is to import "[caddyProxy.nix](#caddyproxynix)" and enable `services.caddyProxy`. -``` nix /etc/nixos/configuration.nix +```nix /etc/nixos/configuration.nix require = [ /etc/caddy/caddyProxy.nix ]; services.caddyProxy = { enable = true;
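Review bot: the `{% codeblock mark:5,13,18 %}` hunk in caddy-nixos-part-3.md has been mangled by a markdown formatter and the Caddyfile it now shows is invalid. `handle /img/*` became `handle /img/\*`, `handle_path /screenshot/*` became `handle*path /screenshot/*`, and `rewrite * /screenshot/mdleom.com{path}` became `rewrite \_ /screenshot/mdleom.com{path}`; Caddy reads the block literally, so a reader copying it gets a parse error or a wrong matcher. Restore those three lines as they appear on the `-` side, and since the hunk also inserts a blank line before `reverse_proxy https://curben.netlify.app {`, re-check that the `mark:` line numbers in the codeblock tag still point at the intended `header_up` lines. The same backslash-escaping shows up in the `header_up Host {http.reverse_proxy.upstream.host}` block and in `www.\*`; because `{% codeblock %}` content is not a fenced block, the formatter treats it as prose, so either exclude these tags from formatting or move them to real fences.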
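Review bot: in the step-6 hunk of caddy-nixos-part-1.md the comment `# This is much less memory-intensive than \`nix-env -i package\`` is kept above the new `nix-shell -p google-authenticator p7zip usbguard wormhole-william`, but it describes the `nix-env -f ... -iA` invocation that the hunk removes; update or drop it. A sentence noting that `nix-shell -p` opens a new shell, and that the `wormhole-william receive configuration.7z` and `7z x configuration.7z` lines must be run inside it, would save readers who run the commands one at a time.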
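Review bot: the prerequisites hunk in caddy-nixos-part-2.md replaces a persistent user install with `$ nix-shell -p google-authenticator p7zip usbguard wormhole-william`, which only provides the packages for the lifetime of that shell, so "packages that you need to install" no longer matches what the command does. State that the `google-authenticator` and `usbguard` commands used later in the guide must be run from inside that shell, or point readers who want them permanently to `environment.systemPackages`, which caddy-nixos-part-3.md already mentions.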
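Review bot: in the installation-options hunk of caddy-nixos-part-3.md, `$ nix-env -iA nixpkgs.caddy` only resolves when the user has a channel named `nixpkgs`; on a NixOS host the default system channel is named `nixos`, so for root the attribute path is `nixos.caddy` and a non-root user has to add a channel first. Either state that assumption next to the "discouraged" link or keep the `-f` form from the `-` side, which resolves against NIX_PATH regardless of channel name.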