{ pkgs, ... }: { imports = [ ./networkSetup.nix ]; services.caddy.virtualHosts."immich.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:2283 ''; }; services.caddy.virtualHosts."ha.deprived.dev" = { extraConfig = '' reverse_proxy 127.0.0.1:8123 ''; }; # services.caddy.virtualHosts."argocd.deprived.dev" = { # extraConfig = '' # reverse_proxy https://127.0.0.1:4325 { # header_up Host {host} # transport http { # tls_insecure_skip_verify # } # } # ''; # }; services.caddy.virtualHosts."webui.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:3000 ''; }; services.caddy.virtualHosts."yaaumma.com" = { extraConfig = '' redir https://www.yaaumma.com{uri} permanent ''; }; services.caddy.virtualHosts."jelly.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:8096 ''; }; services.caddy.virtualHosts."seer.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:5055 ''; }; services.caddy.virtualHosts."penpot.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:5544 ''; }; services.caddy.virtualHosts."api.deprived.dev" = { extraConfig = '' @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ @hasOrigin header Origin * @preflight method OPTIONS @badOrigin { not { header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ } header Origin * } @preflightAllowed { method OPTIONS header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ } # Allowed preflight handle @preflightAllowed { header { Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE" Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}" Access-Control-Max-Age "3600" Access-Control-Allow-Credentials "true" Access-Control-Allow-Origin "{http.request.header.Origin}" Vary "Origin" } respond "" 204 } # Preflight but missing/bad origin handle @preflight { respond "CORS origin not allowed" 403 } # Block actual requests with bad origin handle @badOrigin { respond "CORS origin not allowed" 403 } # Allowed origins → proxy + always add CORS (even if upstream returns 204) handle @allowedOrigin { reverse_proxy 127.0.0.1:6333 { header_down -Access-Control-* header_down -Vary } header { Access-Control-Allow-Origin "{http.request.header.Origin}" Access-Control-Allow-Credentials "true" Access-Control-Expose-Headers "Authorization" Vary "Origin" } } # No Origin: just proxy handle { reverse_proxy 127.0.0.1:6333 } ''; }; services.caddy.virtualHosts."pocket.deprived.dev" = { extraConfig = '' @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ @hasOrigin header Origin * @preflight method OPTIONS @badOrigin { not { header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ } header Origin * } @preflightAllowed { method OPTIONS header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ } # Allowed preflight handle @preflightAllowed { header { Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE" Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}" Access-Control-Max-Age "3600" Access-Control-Allow-Credentials "true" Access-Control-Allow-Origin "{http.request.header.Origin}" Vary "Origin" } respond "" 204 } # Preflight but missing/bad origin handle @preflight { respond "CORS origin not allowed" 403 } # Block actual requests with bad origin handle @badOrigin { respond "CORS origin not allowed" 403 } # Allowed origins → proxy + always add CORS (even if upstream returns 204) handle @allowedOrigin { reverse_proxy 127.0.0.1:3433 { header_down -Access-Control-* header_down -Vary } header { Access-Control-Allow-Origin "{http.request.header.Origin}" Access-Control-Allow-Credentials "true" Access-Control-Expose-Headers "Authorization" Vary "Origin" } } # No Origin: just proxy handle { reverse_proxy 127.0.0.1:3433 } ''; }; services.caddy.virtualHosts."spotify.playing.deprived.dev" = { extraConfig = '' encode zstd gzip @preflight method OPTIONS handle @preflight { header { Access-Control-Allow-Origin "{http.request.header.Origin}" Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}" Access-Control-Allow-Credentials "true" Access-Control-Max-Age "600" Vary "Origin" } respond 204 } @protected not method OPTIONS basicauth @protected { alex $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG } reverse_proxy 127.0.0.1:8800 header { Access-Control-Allow-Origin "{http.request.header.Origin}" Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}" Access-Control-Allow-Credentials "true" Vary "Origin" } ''; }; services.caddy.virtualHosts."spotify.api.deprived.dev" = { extraConfig = '' encode zstd gzip # 1. CORS Headers # We switched "*" to "{header.Origin}" and added "Credentials: true" # This allows the browser to send the Authorization header safely. header { Access-Control-Allow-Origin "{header.Origin}" Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" Access-Control-Allow-Credentials "true" Vary "Origin" } # 2. Handle Preflight (OPTIONS) # Must be defined before Basic Auth @options { method OPTIONS } respond @options 204 # 3. Protect everything EXCEPT Options # (Fix: Ensure this is on a new line) @protected { not method OPTIONS } basicauth @protected { alex $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG } # 4. Proxy reverse_proxy 127.0.0.1:4142 { header_down -Access-Control-Allow-Origin } ''; }; services.caddy.virtualHosts."lyrics.deprived.dev" = { extraConfig = '' header { Access-Control-Allow-Origin "*" Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" } @options { method OPTIONS } respond @options 204 reverse_proxy * 127.0.0.1:7444 ''; }; # Github MaintainerCD hook services.caddy.virtualHosts."lyrics.hook.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:7576 ''; }; services.caddy.virtualHosts."docker.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:5000 ''; }; services.caddy.virtualHosts."docker.ui.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:6842 ''; }; services.caddy.virtualHosts."zhenss.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:8388 ''; }; services.caddy.virtualHosts."zcol.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:7577 ''; }; services.caddy.virtualHosts."zcollection.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:7577 ''; }; services.caddy.virtualHosts."zcollection.mcd.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:7578 ''; }; services.caddy.virtualHosts."direct.stream.deprived.dev" = { extraConfig = '' @allowKey { query key=0c156f3d-dc1d-489f-866e-69e306249e92 } route { handle @allowKey { reverse_proxy http://127.0.0.1:3344 } respond "Forbidden" 403 } ''; }; services.caddy.virtualHosts."development.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:5173 ''; }; services.caddy.virtualHosts."dev.hook.deprived.dev" = { extraConfig = '' reverse_proxy * 127.0.0.1:3322 ''; }; services.caddy.virtualHosts."internal.deprived.dev" = { extraConfig = '' # Only allow GET + POST @not_allowed { not method GET POST } respond @not_allowed 405 # Auth (same as before): require auth for non-POST (i.e., GET) @protected { not method POST } basicauth @protected { git $2a$14$VlDba5ipUmRYKPYmjPql8.pa8vO7cYsmUf26cXzTk.MbHoRA/ZKJy } # /backup → 127.0.0.1:3435 @backup path /backup* reverse_proxy @backup 127.0.0.1:3435 # everything else → 127.0.0.1:3322 reverse_proxy * 127.0.0.1:3322 ''; }; }