
# Caddy front-end for the service on this machine (Gitea, going by the
# machine name) listening on 127.0.0.1:3000.
#
# Security posture as configured here:
#   * git.datarift.nl is only proxied for clients whose connection comes from
#     10.0.0.0/24; every other client gets a 403 ("Nope.") and is never
#     proxied to :3000.  `remote_ip` matches on the TCP peer address, not on a
#     forwarded header, in current Caddy releases -- confirm for the pinned
#     caddy version.  If this host is ever placed behind a NAT or a forwarding
#     proxy (including Cloudflare's proxy, which the DNS plugin below does
#     not imply), this allowlist has to be re-evaluated: every client would
#     then appear to come from the proxy's address.
#   * TLS is obtained with the ACME DNS-01 challenge through the
#     caddy-dns/cloudflare plugin, so port 80 is not required for issuance;
#     it is left open only for Caddy's plain-HTTP listener (presumably the
#     default HTTP -> HTTPS redirect).
#   * The Cloudflare API token is read from CF_API_TOKEN, which the systemd
#     unit loads at start from the sops-managed `caddy-env` file (that file is
#     expected to define the variable; it is not visible here).  The token is
#     therefore never written into the world-readable Nix store.
#   * The DNS plugin is pinned to an exact commit and the Go vendor tree to a
#     fixed hash, so a rebuild cannot silently pull different plugin sources.
{
  pkgs,
  config,
  inputs,
  ...
}:
let
  # Exact revision of github.com/caddy-dns/cloudflare compiled into Caddy.
  cloudflarePlugin = "github.com/caddy-dns/cloudflare@2fa0c8ac916ab13ee14c836e59fec9d85857e429";

  # Hash of the vendored Go modules for that plugin set; must be updated
  # together with the revision above.
  pluginVendorHash = "sha256-9ogaUKtczQ3U/BFdum+tD9kWJ9CH3amR4z2ozE324bY=";

  # Caddy rebuilt with the Cloudflare DNS module linked in.
  caddyWithCloudflare = inputs.caddy-with-plugins.lib.caddyWithPackages {
    inherit (pkgs) caddy buildGoModule;
    plugins = [ cloudflarePlugin ];
    vendorHash = pluginVendorHash;
  };

  # Caddyfile body for the vhost: LAN clients are proxied, everyone else is
  # refused, and the certificate is issued via the DNS-01 challenge.
  giteaSite = ''
    @local {
      remote_ip 10.0.0.0/24
    }
    handle @local {
      reverse_proxy 127.0.0.1:3000
    }
    handle {
      error "Nope." 403
    }
    tls {
      dns cloudflare {env.CF_API_TOKEN}
    }
  '';
in
{
  services.caddy.enable = true;
  services.caddy.package = caddyWithCloudflare;
  # Contact address registered with the ACME CA (expiry notices etc.).
  services.caddy.email = "erwin@datarift.nl";
  services.caddy.virtualHosts."git.datarift.nl".extraConfig = giteaSite;

  # 80: plain-HTTP listener; 443: the HTTPS vhost above.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Hand CF_API_TOKEN (and whatever else the secret holds) to the caddy unit
  # at runtime rather than embedding it in the generated configuration.
  systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
}