nixos-config/modules/caddy-proxy/default.nix

{
  pkgs,
  config,
  lib,
  ...
}:
with lib;
let
  cfg = config.eboskma.caddy-proxy;

  proxyHost = types.submodule {
    options = {
      externalHostname = mkOption {
        description = "Hostname where this service should be reached";
        type = types.str;
      };
      proxyAddress = mkOption {
        description = "Internal address where this service is reachable";
        type = types.str;
      };
      external = mkEnableOption "Make this host externally reachable.";
    };
  };

  mkProxyHost = target: {
    extraConfig = ''
      reverse_proxy ${target}

      import cloudflare-tls
    '';
  };

  mkLocalProxyHost = target: {
    extraConfig = ''
      @local_or_ts {
        remote_ip 10.0.0.0/24 100.64.0.0/10
      }
      handle @local_or_ts {
        reverse_proxy ${target}
      }
      handle {
        error "Nope." 403
      }

      import cloudflare-tls
    '';
  };
in
{
  options.eboskma.caddy-proxy = {
    enable = mkEnableOption "Caddy proxy";
    package = mkPackageOption pkgs "caddy" { };
    proxyHosts = mkOption {
      description = "Proxy hosts";
      type = types.listOf proxyHost;
    };
  };

  config = mkIf cfg.enable {
    services.caddy = {
      enable = true;
      package = cfg.package;

      email = "erwin@datarift.nl";

      acmeCA = "https://acme-v02.api.letsencrypt.org/directory";

      extraConfig = ''
        (cloudflare-tls) {
            tls {
                dns cloudflare {env.CF_API_TOKEN}
                propagation_timeout -1
            }
        }
      '';

      virtualHosts = builtins.listToAttrs (
        map (
          host:
          let
            mkProxy = if host ? external && host.external then mkProxyHost else mkLocalProxyHost;
          in
          {
            name = host.externalHostname;
            value = mkProxy host.proxyAddress;
          }
        ) cfg.proxyHosts
      );
    };

    systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];

    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}
Run nixfmt 2024-02-05 11:46:52 +01:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`with lib;`
			`let`
			`cfg = config.eboskma.caddy-proxy;`

caddy-proxy: Decouple configuration of virtualHosts from module 2024-04-10 22:19:33 +02:00			`proxyHost = types.submodule {`
			`options = {`
			`externalHostname = mkOption {`
			`description = "Hostname where this service should be reached";`
			`type = types.str;`
			`};`
			`proxyAddress = mkOption {`
			`description = "Internal address where this service is reachable";`
			`type = types.str;`
			`};`
			`external = mkEnableOption "Make this host externally reachable.";`
			`};`
			`};`

Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`mkProxyHost = target: {`
			`extraConfig = ''`
			`reverse_proxy ${target}`

caddy-proxy: Decouple configuration of virtualHosts from module 2024-04-10 22:19:33 +02:00			`import cloudflare-tls`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`'';`
			`};`

			`mkLocalProxyHost = target: {`
			`extraConfig = ''`
			`@local_or_ts {`
			`remote_ip 10.0.0.0/24 100.64.0.0/10`
			`}`
			`handle @local_or_ts {`
			`reverse_proxy ${target}`
			`}`
			`handle {`
caddy: Use correct HTTP status code 2024-03-14 10:06:53 +01:00			`error "Nope." 403`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`}`

caddy-proxy: Decouple configuration of virtualHosts from module 2024-04-10 22:19:33 +02:00			`import cloudflare-tls`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`'';`
			`};`
			`in`
			`{`
			`options.eboskma.caddy-proxy = {`
			`enable = mkEnableOption "Caddy proxy";`
			`package = mkPackageOption pkgs "caddy" { };`
caddy-proxy: Decouple configuration of virtualHosts from module 2024-04-10 22:19:33 +02:00			`proxyHosts = mkOption {`
			`description = "Proxy hosts";`
			`type = types.listOf proxyHost;`
			`};`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`};`

			`config = mkIf cfg.enable {`
			`services.caddy = {`
			`enable = true;`
			`package = cfg.package;`

			`email = "erwin@datarift.nl";`

saga: monitoring server 2024-02-28 22:49:27 +01:00			`acmeCA = "https://acme-v02.api.letsencrypt.org/directory";`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00
caddy-proxy: Decouple configuration of virtualHosts from module 2024-04-10 22:19:33 +02:00			`extraConfig = ''`
			`(cloudflare-tls) {`
			`tls {`
			`dns cloudflare {env.CF_API_TOKEN}`
			`propagation_timeout -1`
			`}`
			`}`
			`'';`

			`virtualHosts = builtins.listToAttrs (`
			`map (`
			`host:`
			`let`
			`mkProxy = if host ? external && host.external then mkProxyHost else mkLocalProxyHost;`
			`in`
			`{`
			`name = host.externalHostname;`
			`value = mkProxy host.proxyAddress;`
			`}`
			`) cfg.proxyHosts`
			`);`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`};`

			`systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];`

Run nixfmt 2024-02-05 11:46:52 +01:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
Use caddy as proxy in place of nginx-proxy-manager 2023-08-10 16:43:46 +02:00			`};`
			`}`