nixos-config/modules/caddy-proxy/default.nix

{
  pkgs,
  config,
  lib,
  ...
}:
with lib;
let
  cfg = config.eboskma.caddy-proxy;

  proxyHost = types.submodule {
    options = {
      externalHostname = mkOption {
        description = "Hostname where this service should be reached";
        type = types.str;
      };
      proxyAddress = mkOption {
        description = "Internal address where this service is reachable";
        type = types.str;
      };
      external = mkEnableOption "Make this host externally reachable.";
    };
  };

  mkProxyHost = target: {
    extraConfig = ''
      reverse_proxy ${target}

      import cloudflare-tls
    '';
  };

  mkLocalProxyHost = target: {
    extraConfig = ''
      @local_or_ts {
        remote_ip 10.0.0.0/24 100.64.0.0/10
      }
      handle @local_or_ts {
        reverse_proxy ${target}
      }
      handle {
        error "Nope." 403
      }

      import cloudflare-tls
    '';
  };
in
{
  options.eboskma.caddy-proxy = {
    enable = mkEnableOption "Caddy proxy";
    package = mkPackageOption pkgs "caddy" { };
    proxyHosts = mkOption {
      description = "Proxy hosts";
      type = types.listOf proxyHost;
    };
  };

  config = mkIf cfg.enable {
    services.caddy = {
      enable = true;
      package = cfg.package;

      email = "erwin@datarift.nl";

      acmeCA = "https://acme-v02.api.letsencrypt.org/directory";

      extraConfig = ''
        (cloudflare-tls) {
            tls {
                dns cloudflare {env.CF_API_TOKEN}
                propagation_timeout -1
            }
        }
      '';

      virtualHosts = builtins.listToAttrs (
        map (
          host:
          let
            mkProxy = if host ? external && host.external then mkProxyHost else mkLocalProxyHost;
          in
          {
            name = host.externalHostname;
            value = mkProxy host.proxyAddress;
          }
        ) cfg.proxyHosts
      );
    };

    systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];

    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}