
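{ pkgs, config, lib, ... }:
let
  # Bring in only the lib functions this module actually uses rather than
  # `with lib;`: every identifier then resolves visibly, and nothing from lib
  # can silently shadow a local binding or an argument.
  inherit (lib) mkEnableOption mkPackageOption mkIf;
  # Short-hand for this module's own option set.
  cfg = config.eboskma.caddy-proxy;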
# Public virtual host: terminate TLS here and forward every request to
# `upstream`. The certificate is obtained with the ACME DNS-01 challenge via
# Cloudflare, so the host needs no inbound reachability from the CA; the API
# token is read from the environment (see the EnvironmentFile wiring below).
# NOTE(review): reverse_proxy to a bare host:port speaks plain HTTP to the
# upstream; that is only acceptable because the upstreams are *.ts.net
# (tailnet) addresses whose transport is already encrypted — confirm.
mkProxyHost = upstream:
  let
    tlsBlock = ''
      tls {
      dns cloudflare {env.CF_API_TOKEN}
      }
    '';
  in
  {
    extraConfig = ''
      reverse_proxy ${upstream}
    '' + tlsBlock;
  };
# Restricted virtual host: same TLS setup as mkProxyHost, but only clients
# whose *direct* peer address falls in the allowed ranges reach `upstream`;
# everyone else gets a bare error response and never touches the backend.
# Caddy's remote_ip matcher ignores X-Forwarded-For unless trusted_proxies is
# configured, so a client cannot spoof its way onto the allow-list — but the
# check only holds while Caddy is the first hop (no CDN or other proxy in
# front of it; with one in front, nothing would match and access fails closed).
# NOTE(review): 401 conventionally means "authenticate and retry" and is
# paired with a WWW-Authenticate header; 403 would describe an address-based
# deny more accurately. Kept as-is to preserve behaviour.
mkLocalProxyHost = upstream:
  let
    # 10.0.0.0/24 presumably the local LAN (named "local" in the matcher);
    # 100.64.0.0/10 is the CGNAT range Tailscale assigns to tailnet peers.
    allowedSources = "10.0.0.0/24 100.64.0.0/10";
    gate = ''
      @local_or_ts {
      remote_ip ${allowedSources}
      }
      handle @local_or_ts {
      reverse_proxy ${upstream}
      }
      handle {
      error "Nope." 401
      }
    '';
    tlsBlock = ''
      tls {
      dns cloudflare {env.CF_API_TOKEN}
      }
    '';
  in
  {
    extraConfig = gate + tlsBlock;
  };
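in
{
  options.eboskma.caddy-proxy = {
    enable = lib.mkEnableOption "Caddy proxy";
    # The vhosts use `dns cloudflare`, so this must be a Caddy build that
    # includes the Cloudflare DNS provider module; the stock pkgs.caddy does
    # not ship it, so deployments are expected to override this option
    # (e.g. with a withPlugins build) — confirm against the package in use.
    package = lib.mkPackageOption pkgs "caddy" { };
    # ACME account contact. Previously hard-coded; the default keeps the
    # existing value so current deployments are unaffected.
    email = lib.mkOption {
      type = lib.types.str;
      default = "erwin@datarift.nl";
      description = "Contact e-mail registered with the ACME CA.";
    };
  };

  config = lib.mkIf cfg.enable {
    services.caddy = {
      enable = true;
      inherit (cfg) package email;
      # Point at the staging CA while testing to stay clear of production
      # issuance rate limits.
      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
      virtualHosts = {
        # Publicly reachable services.
        "home.datarift.nl" = mkProxyHost "homeassistant.barn-beaver.ts.net:8123";
        "drone.datarift.nl" = mkProxyHost "drone.barn-beaver.ts.net:8100";
        "git.datarift.nl" = mkProxyHost "gitea.barn-beaver.ts.net:3000";
        "minio.datarift.nl" = mkProxyHost "minio.barn-beaver.ts.net:9000";
        # Management surfaces: LAN and tailnet peers only.
        "frigate.datarift.nl" = mkLocalProxyHost "frigate.barn-beaver.ts.net:5000";
        "minio-admin.datarift.nl" = mkLocalProxyHost "minio.barn-beaver.ts.net:9001";
      };
    };
    # CF_API_TOKEN is supplied through a sops-managed environment file so the
    # token never lands in the world-readable Nix store. The sops secret
    # `caddy-env` must be declared elsewhere; evaluation fails if it is not.
    # That token only needs DNS-edit rights on the zone(s) above — keep it
    # scoped that narrowly.
    systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
    # 443 for TLS; 80 is only needed for Caddy's default HTTP->HTTPS redirect,
    # since certificates are obtained via DNS-01 rather than HTTP-01.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}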