gitea: Add caddy proxy

machines/gitea/caddy.nix

@@ -0,0 +1,48 @@
+# { caddy-with-plugins, ... }:
+{
+  pkgs,
+  config,
+  inputs,
+  ...
+}:
+{
+  services.caddy = {
+    enable = true;
+    package = inputs.caddy-with-plugins.lib.caddyWithPackages {
+      inherit (pkgs) caddy buildGoModule;
+      plugins = [ "github.com/caddy-dns/cloudflare@2fa0c8ac916ab13ee14c836e59fec9d85857e429" ];
+      vendorHash = "sha256-9ogaUKtczQ3U/BFdum+tD9kWJ9CH3amR4z2ozE324bY=";
+    };
+
+    email = "erwin@datarift.nl";
+
+    virtualHosts = {
+      "git.datarift.nl" = {
+        extraConfig = ''
+          @local {
+            remote_ip 10.0.0.0/24
+          }
+
+          handle @local {
+            reverse_proxy 127.0.0.1:3000
+          }
+
+          handle {
+            error "Nope." 403
+          }
+
+          tls {
+            dns cloudflare {env.CF_API_TOKEN}
+          }
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
+}

machines/gitea/configuration.nix

@@ -7,8 +7,8 @@
     ../../users/root
     ../../users/erwin
     ./backup.nix
-
     ./forgejo
+    ./caddy.nix
   ];
 
   eboskma = {
@@ -83,6 +83,7 @@
     };
     gitea_backup_ssh_key = { };
     gitea_backup_pass = { };
+    caddy-env = { };
   };
 
   system.stateVersion = "22.05";

machines/gitea/secrets.yaml

@@ -1,6 +1,7 @@
 gitea_db_password: ENC[AES256_GCM,data:DhTDb2LuzEnkdSztIsSoICIz1qIpqNQYp2Z69NDNqPib3u/fzjnt6EyI5k9+0c2s0+AZBKPzItCm61WKquoIV80MsDgROANP2LP63j+id4KHMtIvvT7TBZelN8vaZnM422MutUzOFYB0+SA2LcSDtTHL9WKtqTnF4AjK3UpKjYk=,iv:zK65d01tXoSPYIu2JxRy2O8wURD73AqM7r+80H2nzAs=,tag:qc63u9c9/NaMT/OI5IsuLQ==,type:str]
 gitea_backup_ssh_key: ENC[AES256_GCM,data:t+Pu22ziCtpOt5cSdQB9ubfeLRYn6k++dCrMpcuF69AX3yCeZGDAabGx7FHeTFQ0xiUrXo9LxwxJrFAnguOtis67SOT0AO0f6HhrrWTo7XxvuSRRNB3Tk0i8hEXj6KPQMHcqenHLX0T1wJ1ZL/DQCaTgtXBFE5/UlLiF9vWS/OKHNZcRZlpPHWjvBsSfyI6fblmbRUlfekVZKkojA7NQLKSOv5O9oo9v82jQJKk4l+/QBrhmuSpk+AsMob3tRX3EAz/E8ZXo/Zoh1qxUPPWn+jn2PT+dfKUp4DzuJlnJAShjG5H94BcW+7p6g469my5VohpPmZTSCkp6AxDQgSGuWczpksdKRM5aDuIEYdd0DdvbdnZWORZMZamCwsfwRec/hvBbT+h8zjnWqNhsHVdtjLePUQdzXxAksUM2DKGKRyZHhCkKmsx8WqrHzxnJYJVa+e/E3xY4JQ7+zhTrp/FtuiWQitr9kohZupmmBLdBeVQpde2XXdFc7FPAHeCdT2mtE+Z2BfbHjrv4pEEnicXt,iv:iWi4uKEVlAGSNvJj11rnBcCZtp9EJlAjUwxuosOZctQ=,tag:DRPAD/ojMS6BkPtfPWKTag==,type:str]
 gitea_backup_pass: ENC[AES256_GCM,data:6UgfUOgLpCZrRNEcsrG7JKFp4isTSGcuedRnE2tDTe7sHe+8Ky+07VsEW+kUdIx8GnluajpatSeWLCeVT72pJazfz6aECblDLQPJLK9odpwmoqZKHz9wSntnofPWT0CAVYSRG1/NPoyzeIY4+Qu4u4ZmuWmRo/Wy2Sz1jhPapR8=,iv:q0+fbP8pE1uRVuEgN/nl0qV4ymNfhmKdHlZN0MU7QUw=,tag:aCD75vFgcgTkfdBHvbtetw==,type:str]
+caddy-env: ENC[AES256_GCM,data:AZ3k2mVTvfz5ZNVViKu/sN1TsnzJcZmOx4TX4RTdVppHwE0OVuD4cs762VCiePVdFwAaY8cV,iv:B9rNP7Oa8uzz/h3qFEZtbd7RnYE9mpdkbNWIYtd6Upo=,tag:5K01g8VdSQswT1OBLCspJQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -34,8 +35,8 @@ sops:
             bjRhdWRWN1l0WkpiQkx6OGdYanZWYzAKygot2Ef5HWuetcXNP16ZfNx7ZsIXX0Ap
             mMSyckoJWMTnuxBLGq8WZMeoHTANPL+gpVoPU1IULCqpIff5rn7z4g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-26T18:26:01Z"
+    lastmodified: "2024-03-12T15:08:35Z"
-    mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str]
+    mac: ENC[AES256_GCM,data:gnJSCpg6du0HQ17LeM76t7DylclKBVTNCH/vupFGzBn1WCYA8rOCoWsnSkmm8cEjw76ucLBpLSbJl+KQrHIGWrZ3cf4fdRMb5HeGRdjSPoXpbVlzX9tH+4db4EeDvICtzhGRrypeCrGK1jgDY8/cXiJiASjvLwU+jpgE7foNyoU=,iv:QHGkNQStKjkE7PNrqqgEr/5rlPJ0AGExfmtPcVU2tT8=,tag:vmEoLq0ta7tG1aQ3X8o7pQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1