75 lines
1.8 KiB
Nix
75 lines
1.8 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
with lib;
|
|
let
|
|
cfg = config.eboskma.caddy-proxy;
|
|
|
|
mkProxyHost = target: {
|
|
extraConfig = ''
|
|
reverse_proxy ${target}
|
|
|
|
tls {
|
|
dns cloudflare {env.CF_API_TOKEN}
|
|
propagation_timeout -1
|
|
}
|
|
'';
|
|
};
|
|
|
|
mkLocalProxyHost = target: {
|
|
extraConfig = ''
|
|
@local_or_ts {
|
|
remote_ip 10.0.0.0/24 100.64.0.0/10
|
|
}
|
|
handle @local_or_ts {
|
|
reverse_proxy ${target}
|
|
}
|
|
handle {
|
|
error "Nope." 403
|
|
}
|
|
|
|
tls {
|
|
dns cloudflare {env.CF_API_TOKEN}
|
|
propagation_timeout -1
|
|
}
|
|
'';
|
|
};
|
|
in
|
|
{
|
|
options.eboskma.caddy-proxy = {
|
|
enable = mkEnableOption "Caddy proxy";
|
|
package = mkPackageOption pkgs "caddy" { };
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
services.caddy = {
|
|
enable = true;
|
|
package = cfg.package;
|
|
|
|
email = "erwin@datarift.nl";
|
|
|
|
acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
|
|
|
|
virtualHosts = {
|
|
"home.datarift.nl" = mkProxyHost "homeassistant.barn-beaver.ts.net:8123";
|
|
"ci.datarift.nl" = mkProxyHost "ci.barn-beaver.ts.net:8100";
|
|
"frigate.datarift.nl" = mkLocalProxyHost "frigate.barn-beaver.ts.net:5000";
|
|
"git.datarift.nl" = mkProxyHost "gitea.barn-beaver.ts.net:3000";
|
|
"minio.datarift.nl" = mkProxyHost "minio.barn-beaver.ts.net:9000";
|
|
"minio-admin.datarift.nl" = mkLocalProxyHost "minio.barn-beaver.ts.net:9001";
|
|
"saga.datarift.nl" = mkLocalProxyHost "saga.barn-beaver.ts.net:3000";
|
|
"unifi.datarift.nl" = mkLocalProxyHost "unifi.barn-beaver.ts.net:8443";
|
|
};
|
|
};
|
|
|
|
systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
};
|
|
}
|