Add cloudflare ssl cert adding to most domains

caddy/default.nix

@@ -60,6 +60,11 @@ in
         serverAliases = [ "*.bsky.ee" ];
       };
       "fedi.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         handle_path /system/* {
           file_server * {
             root /var/lib/mastodon/public-system
@@ -94,7 +99,6 @@ in
         header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
         header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
       '';
-
       ${config.services.coturn.realm} = {
         extraConfig = ''
           root /.well-known/acme-challenge/* ${settings.turnAcmeDir}
@@ -104,11 +108,30 @@ in
         useACMEHost = config.services.coturn.realm;
       };
       "lastfm.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy :${toString config.services.lastfm-status.port}
       '';
       "forge.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
       '';
+      "waka.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
+        reverse_proxy :${toString config.services.wakapi.settings.server.port}
+      '';
+
       "http://syncthing.internal".extraConfig = ''
         @local remote_ip private_ranges 100.64.0.0/10
         reverse_proxy @local http://${config.services.syncthing.guiAddress}
@@ -137,9 +160,6 @@ in
         @local remote_ip private_ranges 100.64.0.0/10
         reverse_proxy @local :${toString settings.ports.radarr}
       '';
-      "waka.catnip.ee".extraConfig = ''
-        reverse_proxy :${toString config.services.wakapi.settings.server.port}
-      '';
       "http://sonarr.internal".extraConfig = ''
         @local remote_ip private_ranges 100.64.0.0/10
         reverse_proxy @local :${toString settings.ports.sonarr}
@@ -161,6 +181,11 @@ in
       '';
 
       "files.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         basic_auth {
          mrow {env.FILES_PASSWORD_HASH}
         }
@@ -172,14 +197,29 @@ in
       '';
 
       "chat.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         root * ${elementClient}
         file_server
       '';
       "synapse-admin.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         root * ${synapse-admin}
         file_server
       '';
       "matrix.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy :${toString settings.ports.synapse}
 
         redir /telegram /telegram/
@@ -202,10 +242,20 @@ in
 
       # mautrix-discord media proxy https://docs.mau.fi/bridges/go/discord/direct-media.html
       "discord-media.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy :29334
       '';
 
       "ntfy.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
 
         # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
@@ -219,8 +269,13 @@ in
       '';
 
       "cloud.catnip.ee".extraConfig = ''
-         redir /.well-known/carddav /remote.php/dav 301
+        tls {
-         redir /.well-known/caldav /remote.php/dav 301
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
+        redir /.well-known/carddav /remote.php/dav 301
+        redir /.well-known/caldav /remote.php/dav 301
 
         header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains"
@@ -235,6 +290,11 @@ in
       '';
 
       "catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         root * ${inputs.catnip-website}
         file_server browse {
           hide .git
@@ -252,16 +312,36 @@ in
         }
       '';
       "www.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         redir https://catnip.ee{uri} permanent
       '';
 
       "vue.jellyfin.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy :${toString settings.ports.jellyfin_vue}
       '';
       "jellyfin.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy :${toString settings.ports.jellyfin}
       '';
       "confess.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
         reverse_proxy :${toString config.services.confess-web.port}
       '';