From 5d81391bd879b9f31344c7a38c2101b661d4b543 Mon Sep 17 00:00:00 2001
From: cnst
Date: Wed, 16 Jul 2025 06:40:12 +0200
Subject: [PATCH] homelab tinkering 2
---
 modules/server/caddy/default.nix | 12 ++++++------
 modules/server/vaultwarden/default.nix | 17 +++++++++--------
 secrets/cloudflare-env.age | Bin 604 -> 583 bytes
 secrets/vaultwarden-env.age | Bin 607 -> 583 bytes
 4 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/modules/server/caddy/default.nix b/modules/server/caddy/default.nix
index c7a914bc..bbe0aa63 100644
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
@@ -12,11 +12,11 @@ in {
 server.caddy.enable = mkEnableOption "Enables caddy";
 };
 config = mkIf cfg.enable {
- age.secrets.cloudflare-env = {
- file = "${self}/secrets/cloudflare-env.age";
- owner = "caddy";
- mode = "400";
- };
+ # age.secrets.cloudflare-env = {
+ # file = "${self}/secrets/cloudflare-env.age";
+ # owner = "caddy";
+ # mode = "400";
+ # };
 networking.firewall = let
 ports = [80 443];
 in {
@@ -26,7 +26,7 @@ in {
 services.caddy = {
 enable = true;
- environmentFile = config.age.secrets.cloudflare-env.path;
+ # environmentFile = config.age.secrets.cloudflare-env.path;
 # package = self.packages.${pkgs.system}.caddy-with-plugins;
 };
 };
diff --git a/modules/server/vaultwarden/default.nix b/modules/server/vaultwarden/default.nix
index 1c359449..b9e79758 100644
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
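Review bot: The first caddy hunk (`@@ -12,11 +12,11 @@`) stops declaring `age.secrets.cloudflare-env` and the second (`@@ -26,7 +26,7 @@`) drops `environmentFile`, yet this commit still re-encrypts `secrets/cloudflare-env.age`, so the Cloudflare credential stays in the repository with no consumer visible in this diff. If nothing elsewhere still reads it, remove the secret file and its age rule and revoke the token instead of keeping an unused credential; if it is still needed, say so next to the disabled lines. Commenting the blocks out rather than deleting them (here and in the vaultwarden vhost hunk) leaves dead configuration that git history already preserves; a single line such as `# cloudflare-env disabled: <reason>` would be enough. Both hunks sit inside `config = mkIf cfg.enable { … }`, whose body continues outside the hunks.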
@@ -29,14 +29,14 @@ in {
 Group = "root";
 };
- services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
- encode zstd gzip
- reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
- header_up X-Real-IP {remote_host}
- # Use this instead, if using Cloudflare's proxy
- # header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
- }
- '';
+ # services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
+ # encode zstd gzip
+ # reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
+ # # header_up X-Real-IP {remote_host}
+ # # Use this instead, if using Cloudflare's proxy
+ # header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
+ # }
+ # '';
 services.vaultwarden = {
 enable = true;
@@ -51,6 +51,7 @@ in {
 ROCKET_PORT = 8222;
 EXTENDED_LOGGING = true;
 LOG_LEVEL = "warn";
+ IP_HEADER = "CF-Connecting-IP";
 };
 };
 };
diff --git a/secrets/cloudflare-env.age b/secrets/cloudflare-env.age
index 0aa737fafa70bf5f882fa31b17e38e1b62461e59..1f4c6bd9a2040b7174bdebf1d9b1109320262029 100644
GIT binary patch delta 511 zcmcb^a-3y?PJKY3aZze|zH6wZk9MlIWreX@p_6G=Qc!6@rcZIQSyFzAi=$IuPN@B!UOU{Qi>}RtBkcP zDnddEeEpMrwKFXuf|5KkQrwEdOVZ2p(tYx|baizVj6M7d^308ceKISJ{EM`G!<-G% zOH)0H9K-YTy`54koXW$4d<>2J{X#49x!kR9I$n9QZ_@g070&B(->!b_cC)!NWr=WO z#HtlWi+R>BKb-iZ)7aP5j@NzZz4d3G+?%zqASQ=n@~UTZJmpdi{_nUv+uHKze&dM% D`8T!Y delta 532 zcmX@ka))JtPJNWNvzb?BKtWn~qIZ-_ltHn3NJOTYPfn1RdxmFFW>C4WQMo}*T5@@a z0heiryRWfPQHpD>M|h%3n!lw_a!R42dq7B)cX3v6X{uLAU{*$DenEjpGMBEMLUD11 zZfc5=si~o*f_G@7ubZPnenF~9NQy~eu(5uMM`FG~id$lGRK81OYI1?TTbaIrlXps` zV`+XtiH|`xmy=Opn!7=zc2=Q#Mu>J%SW#MdQBHVbUX(>{c4$VbOJJCfe{zI#uv?Dn z#E;_PWgaC)C5aZM=^1Ge?m3QGA%>peDWRqXQIVGBt|{fF9_Artj@~InF2==NRmmYi zjv2m59^u}`!Il}B$wiq4$v&AmX8NI_F1em1Ri+goZf1$4z7ffj;~B;4Q_HI?BLh8L zN-~X0E20ca)3e--{S2HfigUv YXLK!RaJ;#-xF}zRr{Z#Y?+2bZ0JxdE!vFvP
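Review bot: `IP_HEADER = "CF-Connecting-IP";` in the `@@ -51,6 +51,7 @@` hunk makes Vaultwarden take the client address from a request header, which is trustworthy only if every request reaches the listener through Cloudflare. `ROCKET_ADDRESS` is set outside the hunk, so confirm it binds to loopback or that port 8222 is reachable solely from the proxy or tunnel; otherwise the addresses Vaultwarden logs, and anything keyed on client IP, follow whatever value the sender supplies. The commented-out Caddy block in the `@@ -29,14 +29,14 @@` hunk has the same dependency: re-enabled as written, `{http.request.header.Cf-Connecting-Ip}` is forwarded unchecked unless Caddy accepts connections only from Cloudflare. I would record the assumption beside the setting, e.g. `# trusted only while the listener is reachable solely via Cloudflare`.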
diff --git a/secrets/vaultwarden-env.age b/secrets/vaultwarden-env.age index 9e1e5ec6c013518395c84c32480cfbf70c716434..99293ee3b83f9d0d6a282bff9e5b3fe3f205bc18 100644 GIT binary patch delta 511 zcmcc5a-3y?PQ9UHRH2EhySt&ewn12krMr=#PhO&BiDRINMTnPArCC^*UwL?lb6#GE zD_4$oaek#mQkX$;n7N5rl4*EFL1kG{Xogd+pP_}Ld1`=fxTjI5rA0wYQ6b(Ifd=k@X(rCO#%YNWl}RbSMY+k^fdL`eMMnA_?(Sy6VXo<1nI$DA zkp}+hS>|a@Cce%gWx2_Denuu49!|!|j+rK2h915l!KUG1QThgx;~B;44MGe89V5!T zwF6T^{Cy&|Gb|DV{fdGO&0IEQ1ZWbaizV5{=AKvQ3k`iYvpDj9eX!6LZXS z%$M(v-B&oxel(lH}T#fk436Blk}gyTbrKbWb|?Ry`!yl z+kPb+6%tdLvuGWMT7Y@I-;F5g`^qWLmExVAhyH#a|D(8)gW;3?qer!AT9Q#_mpTCW Cbgmo# delta 535 zcmX@ka-U^_PQ7oGi(yc>wuhNXaG6=9i+id^aE4E!qk(6nU#L%oLAhB-l#{l8R8_EX zHdkV9a6px7en>@BL{3mhRA7{kU$LpFkxN;wN2s=IXmVz9ez|tCi++%wBbTn7LUD11 zZfc5=si~o*f_G@7ubZQSiJ_%;rJH|9NOEARhg+U&np<*ZfsS7Eq8p;2k6aZZt6c2!kmZdp)hR;FuNl4-iJWpHFvYI=BpvujYIOJ$np z#E;_P6$Qa5+7X7iAr&QlzNy--h2EZN`Ic$kiD|AC8GiX5{>~xAX5fzmt zB`IZPX=eIa5#E70$pv94Vfs;p5zcbkmU8?fZgDbL~Egelt&732-LP{%~at!k#A_EHiQ@mWY zJ>5zR@{K|xGYVZCGmQ%i!yLOV