# NixOS module `eboskma.caddy-proxy`: a Caddy reverse proxy that terminates
# TLS (ACME DNS-01 via Cloudflare) for a set of *.datarift.nl names and
# forwards each to an upstream on the tailnet. Hosts are either public
# (mkProxyHost) or restricted to local/tailnet source addresses
# (mkLocalProxyHost).
{ pkgs, config, lib, ... }:
let
  cfg = config.eboskma.caddy-proxy;

  # Source ranges that may reach the restricted hosts: the LAN /24 and the
  # Tailscale CGNAT range. Caddy's `remote_ip` matcher compares the TCP peer
  # address (not X-Forwarded-For), so this only holds while clients connect
  # to Caddy directly rather than through another proxy.
  localNetworks = [ "10.0.0.0/24" "100.64.0.0/10" ];

  # TLS stanza shared by every host. The Cloudflare API token is read from the
  # process environment (populated from the sops-managed EnvironmentFile
  # below), so it never ends up in the Nix store. `propagation_timeout -1`
  # disables waiting for the DNS-01 record to propagate.
  cloudflareTls = ''
    tls {
      dns cloudflare {env.CF_API_TOKEN}
      propagation_timeout -1
    }'';

  # Publicly reachable host: every request is forwarded to `upstream`.
  mkProxyHost = upstream: {
    extraConfig = ''
      reverse_proxy ${upstream}
      ${cloudflareTls}
    '';
  };

  # Source-restricted host: only requests from `localNetworks` are proxied;
  # everything else gets an error page.
  # NOTE(review): 401 is emitted without a WWW-Authenticate challenge; 403
  # would describe "denied by source address" more precisely if changed later.
  mkLocalProxyHost = upstream: {
    extraConfig = ''
      @local_or_ts {
        remote_ip ${lib.concatStringsSep " " localNetworks}
      }
      handle @local_or_ts {
        reverse_proxy ${upstream}
      }
      handle {
        error "Nope." 401
      }
      ${cloudflareTls}
    '';
  };

  # Hostname -> upstream, exposed to any source address.
  publicHosts = lib.mapAttrs (_: mkProxyHost) {
    "home.datarift.nl" = "homeassistant.barn-beaver.ts.net:8123";
    "ci.datarift.nl" = "ci.barn-beaver.ts.net:8100";
    "git.datarift.nl" = "gitea.barn-beaver.ts.net:3000";
    "minio.datarift.nl" = "minio.barn-beaver.ts.net:9000";
  };

  # Hostname -> upstream, reachable only from `localNetworks` (admin-style
  # surfaces: NVR, object-store console, UniFi controller, etc.).
  localHosts = lib.mapAttrs (_: mkLocalProxyHost) {
    "frigate.datarift.nl" = "frigate.barn-beaver.ts.net:5000";
    "minio-admin.datarift.nl" = "minio.barn-beaver.ts.net:9001";
    "saga.datarift.nl" = "saga.barn-beaver.ts.net:3000";
    "unifi.datarift.nl" = "unifi.barn-beaver.ts.net:8443";
  };
in
{
  options.eboskma.caddy-proxy = {
    enable = lib.mkEnableOption "Caddy proxy";
    package = lib.mkPackageOption pkgs "caddy" { };
  };

  config = lib.mkIf cfg.enable {
    services.caddy = {
      enable = true;
      package = cfg.package;
      email = "erwin@datarift.nl";
      acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
      virtualHosts = publicHosts // localHosts;
    };

    # Provides CF_API_TOKEN to the caddy unit from a sops-decrypted file.
    systemd.services.caddy.serviceConfig.EnvironmentFile = [
      config.sops.secrets.caddy-env.path
    ];

    # Only HTTP (ACME/redirects) and HTTPS are opened on the host firewall.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}