server.nix/caddy.nix

{ config
, pkgs
, inputs
, ...
}: {
  systemd.services.caddy = {
    serviceConfig = {
      # Required to use ports < 1024
      AmbientCapabilities = "cap_net_bind_service";
      CapabilityBoundingSet = "cap_net_bind_service";
      EnvironmentFile = "/etc/secrets/caddy.env";
      TimeoutStartSec = "5m";
    };
  };

  services.caddy = {
    enable = true;
    email = "ssl@catnip.ee";

    package = pkgs.caddy.withPlugins {
      # https://github.com/NixOS/nixpkgs/pull/358586#issuecomment-2564016652
      plugins = [ "github.com/caddy-dns/cloudflare@v0.1.0" ];
      hash = "sha256-1tpxaW6wueh4hVmTypLHSgXX/5t3Bf5TGOkbeI2H6nE=";
    };

    virtualHosts = {
      "kaya.ee".extraConfig = ''
        tls {
          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
          resolvers 1.1.1.1
        }

        respond owo
      '';
      "http://syncthing.internal".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local http://${config.services.syncthing.guiAddress}
      '';
      "http://files.internal".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        root * /mnt/media
        file_server @local browse {
          hide .Trash-1000
        }
      '';
      "files.catnip.ee".extraConfig = ''
        tls {
          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
          resolvers 1.1.1.1
        }

        basic_auth {
         mrow {env.FILES_PASSWORD_HASH}
        }

        root * /mnt/media
        file_server browse {
          hide .Trash-1000
        }
      '';
      "catnip.ee".extraConfig = ''
        tls {
          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
          resolvers 1.1.1.1
        }

        root * ${inputs.catnip-website}
        file_server browse {
          hide .git
        }

        handle /.well-known/matrix/client {
          header Content-Type application/json
          header Access-Control-Allow-Origin *
          respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"}}`
        }
        handle /.well-known/matrix/server {
          header Content-Type application/json
          header Access-Control-Allow-Origin *
          respond `{"m.server": "matrix.catnip.ee:443"}`
        }
      '';
      "www.catnip.ee".extraConfig = ''
        tls {
          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
          resolvers 1.1.1.1
        }

        redir https://catnip.ee{uri} permanent
      '';
      ":80".extraConfig = ''
        respond awawaw
      '';
    };
  };
}
Formatting 2024-05-02 14:09:52 +03:00			`{ config`
			`, pkgs`
			`, inputs`
			`, ...`
refactor: Clean up many things 2025-04-19 04:23:06 +03:00			`}: {`
Change caddy for cloudflare caddy plugin, needed for bsky wildcard 2024-11-01 20:50:46 +02:00			`systemd.services.caddy = {`
Move forgejo and gitea-runner into services/forgejo.nix 2024-11-16 00:31:06 +02:00			`serviceConfig = {`
			`# Required to use ports < 1024`
			`AmbientCapabilities = "cap_net_bind_service";`
			`CapabilityBoundingSet = "cap_net_bind_service";`
			`EnvironmentFile = "/etc/secrets/caddy.env";`
			`TimeoutStartSec = "5m";`
			`};`
Change caddy for cloudflare caddy plugin, needed for bsky wildcard 2024-11-01 20:50:46 +02:00			`};`

Initial commit 2024-02-23 01:56:51 +02:00			`services.caddy = {`
			`enable = true;`
Update ssl emails 2024-03-22 13:52:30 +02:00			`email = "ssl@catnip.ee";`
Change caddy for cloudflare caddy plugin, needed for bsky wildcard 2024-11-01 20:50:46 +02:00
Replace custom xcaddy with the new one in nixpkgs 2025-01-15 02:39:07 +02:00			`package = pkgs.caddy.withPlugins {`
			`# https://github.com/NixOS/nixpkgs/pull/358586#issuecomment-2564016652`
feat: Update to caddy cloudflare v0.1.0 2025-04-12 02:02:37 +03:00			`plugins = [ "github.com/caddy-dns/cloudflare@v0.1.0" ];`
fix: Update caddy hash 2025-04-21 23:44:45 +03:00			`hash = "sha256-1tpxaW6wueh4hVmTypLHSgXX/5t3Bf5TGOkbeI2H6nE=";`
Replace custom xcaddy with the new one in nixpkgs 2025-01-15 02:39:07 +02:00			`};`
Change caddy for cloudflare caddy plugin, needed for bsky wildcard 2024-11-01 20:50:46 +02:00
Initial commit 2024-02-23 01:56:51 +02:00			`virtualHosts = {`
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`"kaya.ee".extraConfig = ''`
			`tls {`
			`dns cloudflare {env.CLOUDFLARE_API_TOKEN}`
			`resolvers 1.1.1.1`
			`}`
Add üü.ee 2024-11-27 19:12:36 +02:00
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`respond owo`
			`'';`
Add syncthing #1 2024-10-25 20:12:49 +03:00			`"http://syncthing.internal".extraConfig = ''`
			`@local remote_ip private_ranges 100.64.0.0/10`
			`reverse_proxy @local http://${config.services.syncthing.guiAddress}`
			`'';`
Replace .local with .internal as ICANN suggests that 2024-10-21 20:17:48 +03:00			`"http://files.internal".extraConfig = ''`
Initial commit 2024-02-23 01:56:51 +02:00			`@local remote_ip private_ranges 100.64.0.0/10`
			`root * /mnt/media`
			`file_server @local browse {`
			`hide .Trash-1000`
			`}`
			`'';`
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`"files.catnip.ee".extraConfig = ''`
			`tls {`
			`dns cloudflare {env.CLOUDFLARE_API_TOKEN}`
			`resolvers 1.1.1.1`
			`}`
Add cloudflare ssl cert adding to most domains 2024-11-12 23:50:21 +02:00
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`basic_auth {`
			`mrow {env.FILES_PASSWORD_HASH}`
			`}`
Formatting 2024-03-05 21:21:27 +02:00
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`root * /mnt/media`
			`file_server browse {`
			`hide .Trash-1000`
			`}`
			`'';`
			`"catnip.ee".extraConfig = ''`
			`tls {`
			`dns cloudflare {env.CLOUDFLARE_API_TOKEN}`
			`resolvers 1.1.1.1`
			`}`
Add cloudflare ssl cert adding to most domains 2024-11-12 23:50:21 +02:00
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`root * ${inputs.catnip-website}`
			`file_server browse {`
			`hide .git`
			`}`
Redirect www.catnip.ee to catnip.ee 2024-03-27 15:26:19 +02:00
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`handle /.well-known/matrix/client {`
			`header Content-Type application/json`
			`header Access-Control-Allow-Origin *`
Clean up, remove epicgames-freegames-node, move scrutiny to its own file 2025-01-24 19:18:20 +02:00			respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"}}`
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`}`
			`handle /.well-known/matrix/server {`
			`header Content-Type application/json`
			`header Access-Control-Allow-Origin *`
			respond `{"m.server": "matrix.catnip.ee:443"}`
			`}`
			`'';`
			`"www.catnip.ee".extraConfig = ''`
			`tls {`
			`dns cloudflare {env.CLOUDFLARE_API_TOKEN}`
			`resolvers 1.1.1.1`
			`}`
Add cloudflare ssl cert adding to most domains 2024-11-12 23:50:21 +02:00
Fix caddy regression after update 2025-01-15 02:46:55 +02:00			`redir https://catnip.ee{uri} permanent`
			`'';`
Initial commit 2024-02-23 01:56:51 +02:00			`":80".extraConfig = ''`
			`respond awawaw`
			`'';`
			`};`
			`};`
			`}`