From 8596004bf9affd86897359f5cddb7cbf8c45904c Mon Sep 17 00:00:00 2001
From: Rich Schumacher
Date: Thu, 7 Nov 2024 00:17:10 -0500
Subject: [PATCH] feat: Improve Caddy config, use single cert

The previous config would end requesting a TLS certificate for each individual subdomain and not use the wildcard certificate. This change modifies the labels used on the containers to create host matchers and handlers to do the routing under a single wildcard Caddyfile site. This is a little trickier and more verbose while defining the labels but ends a much cleaner Caddyfile[1][2] and only requires a single certificate. Hopefully this will all be moot once the auto_https prefer_wildcard option is released in `2.9.x`.

1. https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates
2. https://caddy.community/t/docker-proxy-wildcard-subdomains/22170
3. https://github.com/caddyserver/caddy/pull/6146
---
 nix/services/audiobookshelf.nix | 8 +++++---
 nix/services/gotify.nix | 11 ++++++-----
 nix/services/grafana.nix | 8 +++++---
 nix/services/homer.nix | 7 ++++---
 nix/services/influxdb.nix | 8 +++++---
 nix/services/jellyfin.nix | 10 ++++++----
 nix/services/jellyseerr.nix | 1 +
 nix/services/prowlarr.nix | 9 +++++----
 nix/services/radarr.nix | 10 +++++-----
 nix/services/scrutiny.nix | 9 +++++----
 nix/services/smokeping.nix | 9 +++++----
 nix/services/sonarr.nix | 9 +++++----
 nix/services/tandoor.nix | 9 +++++----
 nix/services/transmission.nix | 9 +++++----
 nix/services/uptime-kuma.nix | 10 ++++++----
 15 files changed, 73 insertions(+), 54 deletions(-)
diff --git a/nix/services/audiobookshelf.nix b/nix/services/audiobookshelf.nix
index a758688..33f3a56 100644
--- a/nix/services/audiobookshelf.nix
+++ b/nix/services/audiobookshelf.nix
@@ -20,9 +20,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.audiobookshelf.ip}"
- "--label=caddy=books.fatsch.us"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@books=host books.fatsch.us"
+ "--label=caddy.handle=@books"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
 "--label=diun.include_tags=^\\d+\\.\\d+\\.\\d+$"
 ];
 };
diff --git a/nix/services/gotify.nix b/nix/services/gotify.nix
index cf420fc..5a79c7b 100644
--- a/nix/services/gotify.nix
+++ b/nix/services/gotify.nix
@@ -17,11 +17,12 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.gotify.ip}"
- "--label=caddy=gotify.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.reverse_proxy.header_up=-Origin"
- "--label=caddy.import=cors"
- "--label=caddy.tls=internal"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@gotify=host gotify.fatsch.us"
+ "--label=caddy.handle=@gotify"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.reverse_proxy.header_up=-Origin"
+ "--label=caddy.handle.import=cors"
 ];
 };
 };
diff --git a/nix/services/grafana.nix b/nix/services/grafana.nix
index dbdab69..7560312 100644
--- a/nix/services/grafana.nix
+++ b/nix/services/grafana.nix
@@ -17,9 +17,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.grafana.ip}"
- "--label=caddy=grafana.schu"
- "--label=caddy.reverse_proxy={{upstreams 3000}}"
- "--label=caddy.tls=internal"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@grafana=host grafana.fatsch.us"
+ "--label=caddy.handle=@grafana"
+ "--label=caddy.handle.reverse_proxy={{upstreams 3000}}"
+ "--label=caddy.handle.import=cors"
 ];
 };
diff --git a/nix/services/homer.nix b/nix/services/homer.nix
index 1b05e33..8c95a6b 100644
--- a/nix/services/homer.nix
+++ b/nix/services/homer.nix
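Review bot: Once every container hangs off the single `*.fatsch.us` site declared by `caddy=*.fatsch.us`, a request for any subdomain that matches none of the `@host` handles falls through, and Caddy's default for a request no handler terminates is an empty 200 served under the valid wildcard certificate rather than a refusal. Add a matcher-less fallback to the shared site — `handle { abort }` (or `respond 404`) — wherever the wildcard site's common directives live; Caddy should order a handle without any matcher after the matched ones, but verify that in the generated Caddyfile. The DNS-challenge `tls` configuration a wildcard certificate requires is not part of this patch, so the new label only works if that is already set up on the Caddy side. The `extraOptions` list belongs to a container definition whose start is outside the hunk.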
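Review bot: `caddy.handle.reverse_proxy.header_up=-Origin` removes the browser's `Origin` header before Gotify sees it, which bypasses the origin validation Gotify applies to WebSocket upgrades (its `server.stream.allowedorigins` setting, if I recall the key correctly) and its CORS handling. The line is carried over from the old config but now fronts `gotify.fatsch.us` instead of `gotify.schu`, so its reason is worth re-checking. If it exists only to get the WebSocket past that check, prefer allowing the new hostname on the Gotify side and drop the header strip; otherwise leave a comment such as `# Origin stripped because <reason>; note this disables Gotify's own origin check`. The surrounding container definition starts outside the hunk.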
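Review bot: `caddy.handle.import=cors` is new for grafana — the removed block had no `cors` import — and the `cors` snippet itself is defined outside this patch. Grafana's HTTP API is authenticated by session cookie, so if that snippet emits a permissive `Access-Control-Allow-Origin` (or reflects the request origin while allowing credentials), this line lets any site a logged-in user visits issue cross-origin requests to Grafana. Confirm the snippet restricts origins to the `*.fatsch.us` hosts that actually need it, or drop the import here unless a specific cross-origin client requires it.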
@@ -18,9 +18,10 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.homer.ip}"
- "--label=caddy=home.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@home=host home.fatsch.us"
+ "--label=caddy.handle=@home"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
 "--label=diun.include_tags=^v\\d+\\.\\d+\\.\\d+$"
 ];
 };
diff --git a/nix/services/influxdb.nix b/nix/services/influxdb.nix
index dd0472a..56c4f31 100644
--- a/nix/services/influxdb.nix
+++ b/nix/services/influxdb.nix
@@ -17,9 +17,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.influxdb.ip}"
- "--label=caddy=influx.schu"
- "--label=caddy.reverse_proxy={{upstreams 8086}}"
- "--label=caddy.tls=internal"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@influx=host influx.fatsch.us"
+ "--label=caddy.handle=@influx"
+ "--label=caddy.handle.reverse_proxy={{upstreams 8086}}"
+ "--label=caddy.handle.import=cors"
 ];
 };
 };
diff --git a/nix/services/jellyfin.nix b/nix/services/jellyfin.nix
index 3c1e297..57432ec 100644
--- a/nix/services/jellyfin.nix
+++ b/nix/services/jellyfin.nix
@@ -21,10 +21,12 @@ in
 "--device=/dev/dri:/dev/dri"
 "--network=services"
 "--ip=${vars.services.jellyfin.ip}"
- "--label=caddy=watch.schu jellyfin.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@jellyfin=host jellyfin.fatsch.us watch.fatsch.us"
+ "--label=caddy.handle=@jellyfin"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
+ "--label=diun.include_tags=^v\\d+\\.\\d+\\.\\d+-omnibus$"
 ];
 };
 };
diff --git a/nix/services/jellyseerr.nix b/nix/services/jellyseerr.nix
index 773e928..5cb4516 100644
--- a/nix/services/jellyseerr.nix
+++ b/nix/services/jellyseerr.nix
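Review bot: The `import=cors` on the new `@influx` handle is an addition rather than a carry-over (the removed three labels had none), and it is applied to the InfluxDB HTTP API on 8086, where auth tokens travel in request headers. Whether that is safe depends entirely on what the `cors` snippet allows, which this patch does not show; if it is the usual `Access-Control-Allow-Origin: *`, leave the import off unless a browser client on another origin must talk to InfluxDB directly. A one-line comment naming that client, e.g. `# cors: needed by <client> at <origin>`, would make the intent clear.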
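Review bot: The added `diun.include_tags=^v\\d+\\.\\d+\\.\\d+-omnibus$` is the pattern used for scrutiny, whose image is tagged with an `-omnibus` suffix; unless the jellyfin image publishes such tags too (its `image =` line is outside the hunk), nothing will ever match and diun silently stops reporting Jellyfin updates. The other services in this patch use `^\\d+\\.\\d+\\.\\d+$` or `^v\\d+\\.\\d+\\.\\d+$` for plain version tags, so check the registry and use the form that matches, e.g. `"--label=diun.include_tags=^\\d+\\.\\d+\\.\\d+$"`. A media server that never gets an update notice is a patching gap, not a cosmetic one.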
@@ -27,6 +27,7 @@ in
 };
 systemd.services.docker-jellyseerr = {
+ enable = false;
 unitConfig = {
 RequiresMountsFor = appPath;
 };
diff --git a/nix/services/prowlarr.nix b/nix/services/prowlarr.nix
index 96a2b27..d162eaf 100644
--- a/nix/services/prowlarr.nix
+++ b/nix/services/prowlarr.nix
@@ -18,10 +18,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.prowlarr.ip}"
- "--label=caddy=prowlarr.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@prowlarr=host prowlarr.fatsch.us"
+ "--label=caddy.handle=@prowlarr"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
 "--label=diun.include_tags=^\\d+\\.\\d+\\.\\d+$"
 ];
 };
diff --git a/nix/services/radarr.nix b/nix/services/radarr.nix
index b7feca2..40af7e1 100644
--- a/nix/services/radarr.nix
+++ b/nix/services/radarr.nix
@@ -19,11 +19,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.radarr.ip}"
- "--label=caddy=radarr.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
- #"--label=diun.include_tags=^\d+\.\d+\.\d+$"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@radarr=host radarr.fatsch.us"
+ "--label=caddy.handle=@radarr"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
 ];
 };
 };
diff --git a/nix/services/scrutiny.nix b/nix/services/scrutiny.nix
index eef9083..95b0bd3 100644
--- a/nix/services/scrutiny.nix
+++ b/nix/services/scrutiny.nix
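Review bot: `enable = false;` on `systemd.services.docker-jellyseerr` disables the unit with no reason recorded, and it is unrelated to the Caddy-label change the commit message describes, so it is easy to lose track of. Either split it into its own commit or annotate the line, e.g. `enable = false; # disabled <date>: <reason>; re-enable once <condition>`, so the next person touching the file knows whether it is safe to turn back on. The container definition in this file is presumably still evaluated but its unit never starts; the enclosing attribute set begins and ends outside the hunk.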
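Review bot: Prowlarr moves from `prowlarr.schu` with `tls internal` to a host under the `*.fatsch.us` wildcard, and radarr, sonarr and transmission in this patch follow the same pattern; these are admin interfaces whose authentication is configurable (and for Transmission's RPC, optional). Whether `*.fatsch.us` resolves outside the LAN is not visible here, but if it does, the hostname-only matcher is the only thing in front of them. If they are meant to stay internal, gate the matcher on the source network as well — in caddy-docker-proxy's nested-matcher form that should be `"--label=caddy.@prowlarr.host=prowlarr.fatsch.us"` plus `"--label=caddy.@prowlarr.remote_ip=private_ranges"` — or put a `forward_auth`/`basicauth` inside the handle.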
@@ -34,10 +34,11 @@ in
 "--device=/dev/sdo"
 "--network=services"
 "--ip=${vars.services.scrutiny.ip}"
- "--label=caddy=disks.schu"
- "--label=caddy.reverse_proxy={{upstreams 8080}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@disks=host disks.fatsch.us"
+ "--label=caddy.handle=@disks"
+ "--label=caddy.handle.reverse_proxy={{upstreams 8080}}"
+ "--label=caddy.handle.import=cors"
 "--label=diun.include_tags=^v\\d+\\.\\d+\\.\\d+-omnibus$"
 ];
 };
diff --git a/nix/services/smokeping.nix b/nix/services/smokeping.nix
index c878f3b..0ca692c 100644
--- a/nix/services/smokeping.nix
+++ b/nix/services/smokeping.nix
@@ -19,10 +19,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.smokeping.ip}"
- "--label=caddy=smokeping.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@smokeping=host smokeping.fatsch.us"
+ "--label=caddy.handle=@smokeping"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
 ];
 };
 };
diff --git a/nix/services/sonarr.nix b/nix/services/sonarr.nix
index 9ddf5e2..52de0a9 100644
--- a/nix/services/sonarr.nix
+++ b/nix/services/sonarr.nix
@@ -19,10 +19,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.sonarr.ip}"
- "--label=caddy=sonarr.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@sonarr=host sonarr.fatsch.us"
+ "--label=caddy.handle=@sonarr"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
 ];
 };
 };
diff --git a/nix/services/tandoor.nix b/nix/services/tandoor.nix
index 79710eb..b50b372 100644
--- a/nix/services/tandoor.nix
+++ b/nix/services/tandoor.nix
@@ -25,10 +25,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.tandoor.ip}"
- "--label=caddy=recipes.schu tandoor.schu"
- "--label=caddy.reverse_proxy={{upstreams 8080}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@recipes=host recipes.fatsch.us"
+ "--label=caddy.handle=@recipes"
+ "--label=caddy.handle.reverse_proxy={{upstreams 8080}}"
+ "--label=caddy.handle.import=cors"
 ];
 };
 };
diff --git a/nix/services/transmission.nix b/nix/services/transmission.nix
index 351e128..a32d6f9 100644
--- a/nix/services/transmission.nix
+++ b/nix/services/transmission.nix
@@ -21,10 +21,11 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.transmission.ip}"
- "--label=caddy=transmission.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@transmission=host transmission.fatsch.us"
+ "--label=caddy.handle=@transmission"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
 ];
 };
 };
diff --git a/nix/services/uptime-kuma.nix b/nix/services/uptime-kuma.nix
index de8f824..d5142ef 100644
--- a/nix/services/uptime-kuma.nix
+++ b/nix/services/uptime-kuma.nix
@@ -17,10 +17,12 @@ in
 extraOptions = [
 "--network=services"
 "--ip=${vars.services.uptime-kuma.ip}"
- "--label=caddy=status.schu"
- "--label=caddy.reverse_proxy={{upstreams}}"
- "--label=caddy.tls=internal"
- "--label=caddy.import=cors"
+ "--label=caddy=*.fatsch.us"
+ "--label=caddy.@status=host status.fatsch.us"
+ "--label=caddy.handle=@status"
+ "--label=caddy.handle.reverse_proxy={{upstreams}}"
+ "--label=caddy.handle.import=cors"
+ "--pull=newer"
 ];
 };
 };
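Review bot: The old site served both `recipes.schu` and `tandoor.schu`, but the new matcher is `host recipes.fatsch.us` only, whereas the jellyfin hunk kept both of its names (`jellyfin.fatsch.us watch.fatsch.us`). If dropping the `tandoor` alias is intentional, fine; if not, `"--label=caddy.@recipes=host recipes.fatsch.us tandoor.fatsch.us"` restores it. Worth a word in the commit message either way, since the diff otherwise reads as a pure rename.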
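Review bot: `--pull=newer` looks likely to break this container's start: the `systemd.services.docker-jellyseerr` unit name in the jellyseerr hunk indicates the Docker backend for oci-containers, and `docker run --pull` accepts only `always`, `missing` or `never` (`newer` is a Podman value). It is also unrelated to the Caddy-label change and absent from the commit message. If the intent is to track the tag on every restart, `"--pull=always"` is the Docker spelling, but that lets the image change underneath you without the diun notice several other services here rely on; the `image =` line is outside the hunk, so consider pinning a digest instead, and leave a comment with the reason, e.g. `"--pull=always" # track tag on restart: <reason>`.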