nixos-config/modules/caddy-proxy/default.nix

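{
  pkgs,
  config,
  lib,
  ...
}:
with lib;
let
  cfg = config.eboskma.caddy-proxy;

  # TLS settings shared by every virtual host.  Certificates are obtained via
  # the ACME DNS-01 challenge against Cloudflare, so nothing has to be
  # reachable on port 80 for validation.  CF_API_TOKEN is supplied by the
  # EnvironmentFile wired up in `config` below; keep that token scoped to DNS
  # edit on just the zone(s) these names live in, because whoever holds it can
  # pass DNS-01 and effectively mint certificates for them.
  # `propagation_timeout -1` presumably disables the plugin's local
  # propagation wait before handing off to the CA (per the caddy-dns/cloudflare
  # docs) -- the CA still performs its own validation.
  tlsConfig = ''
    tls {
      dns cloudflare {env.CF_API_TOKEN}
      propagation_timeout -1
    }
  '';

  # Virtual host reachable from anywhere.  There is no access control at this
  # layer, so only services that enforce their own authentication belong
  # behind it.  `target` carries no scheme, so Caddy speaks plain HTTP to the
  # upstream; that is only acceptable because the hop is over the tailnet
  # (*.ts.net names) -- NOTE(review): confirm this per backend.
  mkProxyHost = target: {
    extraConfig = ''
      reverse_proxy ${target}
      ${tlsConfig}
    '';
  };

  # Virtual host that only serves clients whose connection source address is
  # in cfg.localNetworks; everyone else gets a bare 403.  `remote_ip` looks at
  # the TCP peer address, not X-Forwarded-For, so this is only a real
  # restriction while Caddy is the first hop -- NOTE(review): confirm the
  # Cloudflare records for these names are unproxied and nothing else sits in
  # front of this host.
  mkLocalProxyHost = target: {
    extraConfig = ''
      @local_or_ts {
        remote_ip ${concatStringsSep " " cfg.localNetworks}
      }
      handle @local_or_ts {
        reverse_proxy ${target}
      }
      handle {
        error "Nope." 403
      }
      ${tlsConfig}
    '';
  };
in
{
  options.eboskma.caddy-proxy = {
    enable = mkEnableOption "Caddy proxy";
    package = mkPackageOption pkgs "caddy" { };

    # Previously hard-coded inside mkLocalProxyHost; the default is unchanged.
    localNetworks = mkOption {
      type = types.listOf types.str;
      default = [
        "10.0.0.0/24"
        "100.64.0.0/10"
      ];
      description = ''
        CIDR ranges (as accepted by Caddy's `remote_ip` matcher) that may reach
        the local-only virtual hosts.  Defaults to the LAN (10.0.0.0/24) and the
        CGNAT range Tailscale assigns (100.64.0.0/10).
      '';
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        # An empty `remote_ip` matcher is not a valid Caddyfile; fail at eval
        # time instead of at service start.
        assertion = cfg.localNetworks != [ ];
        message = "eboskma.caddy-proxy.localNetworks must list at least one CIDR range.";
      }
    ];

    services.caddy = {
      enable = true;
      package = cfg.package;
      email = "erwin@datarift.nl";
      acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
      virtualHosts = {
        # Public: these rely entirely on the application's own login.
        "home.datarift.nl" = mkProxyHost "homeassistant.barn-beaver.ts.net:8123";
        "ci.datarift.nl" = mkProxyHost "ci.barn-beaver.ts.net:8100";
        # Local-only: camera UI.
        "frigate.datarift.nl" = mkLocalProxyHost "frigate.barn-beaver.ts.net:5000";
        "git.datarift.nl" = mkProxyHost "gitea.barn-beaver.ts.net:3000";
        # Public on 9000 (presumably the S3 API), while the admin console on
        # 9001 is restricted to local networks only.
        "minio.datarift.nl" = mkProxyHost "minio.barn-beaver.ts.net:9000";
        "minio-admin.datarift.nl" = mkLocalProxyHost "minio.barn-beaver.ts.net:9001";
        "saga.datarift.nl" = mkLocalProxyHost "saga.barn-beaver.ts.net:3000";
        # NOTE(review): 8443 is conventionally the UniFi controller's HTTPS
        # port.  If it serves TLS there, the plain-HTTP upstream default will
        # not work and the target needs an explicit `https://` scheme (and a
        # way to trust its certificate) -- confirm against the controller.
        "unifi.datarift.nl" = mkLocalProxyHost "unifi.barn-beaver.ts.net:8443";
      };
    };

    # Supplies CF_API_TOKEN for the DNS-01 challenge.  The file is managed by
    # sops; `sops.secrets.caddy-env` must be declared elsewhere in the config.
    systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];

    # Only the HTTP/HTTPS listeners are exposed; the backends themselves stay
    # on the tailnet.  80 is presumably kept for Caddy's automatic
    # HTTP -> HTTPS redirect.
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}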