Add cloudflare ssl cert adding to most domains

2024-11-12 23:50:21 +02:00 · 2024-11-12 23:50:21 +02:00 · f88e9e7d71
commit f88e9e7d71
parent cc316744dc
1 changed files with 86 additions and 6 deletions
--- a/caddy/default.nix
+++ b/caddy/default.nix
@ -60,6 +60,11 @@ in
        serverAliases = [ "*.bsky.ee" ];
      };
      "fedi.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        handle_path /system/* {
          file_server * {
            root /var/lib/mastodon/public-system
@ -94,7 +99,6 @@ in
        header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
        header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
      '';
-
      ${config.services.coturn.realm} = {
        extraConfig = ''
          root /.well-known/acme-challenge/* ${settings.turnAcmeDir}
@ -104,11 +108,30 @@ in
        useACMEHost = config.services.coturn.realm;
      };
      "lastfm.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy :${toString config.services.lastfm-status.port}
      '';
      "forge.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
      '';
+      "waka.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
+        reverse_proxy :${toString config.services.wakapi.settings.server.port}
+      '';
+
      "http://syncthing.internal".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local http://${config.services.syncthing.guiAddress}
@ -137,9 +160,6 @@ in
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.radarr}
      '';
-      "waka.catnip.ee".extraConfig = ''
-        reverse_proxy :${toString config.services.wakapi.settings.server.port}
-      '';
      "http://sonarr.internal".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.sonarr}
@ -161,6 +181,11 @@ in
      '';

      "files.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        basic_auth {
         mrow {env.FILES_PASSWORD_HASH}
        }
@ -172,14 +197,29 @@ in
      '';

      "chat.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        root * ${elementClient}
        file_server
      '';
      "synapse-admin.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        root * ${synapse-admin}
        file_server
      '';
      "matrix.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy :${toString settings.ports.synapse}

        redir /telegram /telegram/
@ -202,10 +242,20 @@ in

      # mautrix-discord media proxy https://docs.mau.fi/bridges/go/discord/direct-media.html
      "discord-media.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy :29334
      '';

      "ntfy.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy ${config.services.ntfy-sh.settings.listen-http}

        # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
@ -219,6 +269,11 @@ in
      '';

      "cloud.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

@ -235,6 +290,11 @@ in
      '';

      "catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        root * ${inputs.catnip-website}
        file_server browse {
          hide .git
@ -252,16 +312,36 @@ in
        }
      '';
      "www.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        redir https://catnip.ee{uri} permanent
      '';

      "vue.jellyfin.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy :${toString settings.ports.jellyfin_vue}
      '';
      "jellyfin.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy :${toString settings.ports.jellyfin}
      '';
      "confess.catnip.ee".extraConfig = ''
+        tls {
+          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+          resolvers 1.1.1.1
+        }
+
        reverse_proxy :${toString config.services.confess-web.port}
      '';