{ config, pkgs, inputs, ... }:
let
  # TLS via the ACME DNS challenge against Cloudflare. The API token is read
  # from the unit's EnvironmentFile at runtime, so it is never part of the
  # generated Caddyfile in the (world-readable) Nix store.
  cloudflareTls = ''
    tls {
      dns cloudflare {env.CLOUDFLARE_API_TOKEN}
      resolvers 1.1.1.1
    }
  '';

  # Matcher used by the internal-only hosts: RFC 1918 private ranges plus the
  # CGNAT block 100.64.0.0/10. Requests from any other source address match no
  # handler below and only get Caddy's default (empty) response.
  localOnly = ''
    @local remote_ip private_ranges 100.64.0.0/10
  '';

  # Static site served from a flake input. `hide` drops the entry from
  # directory listings and makes direct requests for it answer 404.
  staticSite = site: ''
    root * ${site}
    file_server browse {
      hide .git
    }
  '';

  # Media share. The trash directory is hidden from listings and from direct
  # requests in the same way.
  mediaShare = matcher: ''
    root * /mnt/media
    file_server ${matcher} browse {
      hide .Trash-1000
    }
  '';
in
{
  systemd.services.caddy.serviceConfig = {
    # Binding ports 80/443 as an unprivileged unit needs this single
    # capability; the bounding set keeps it from gaining any other.
    AmbientCapabilities = "cap_net_bind_service";
    CapabilityBoundingSet = "cap_net_bind_service";
    # Holds CLOUDFLARE_API_TOKEN and FILES_PASSWORD_HASH, referenced as
    # {env.*} placeholders in the site blocks. Kept out of the Nix store.
    EnvironmentFile = "/etc/secrets/caddy.env";
    # Generous start timeout: the DNS challenge can take a while to propagate.
    TimeoutStartSec = "5m";
  };

  services.caddy = {
    enable = true;
    email = "ssl@catnip.ee";

    package = pkgs.caddy.withPlugins {
      # https://github.com/NixOS/nixpkgs/pull/358586#issuecomment-2564016652
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
      # Pins the plugin build output; a mismatch fails the build rather than
      # silently running a different binary.
      hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
    };

    virtualHosts = {
      # Public static site.
      "kaya.ee".extraConfig = cloudflareTls + staticSite inputs.kaya-website;

      # Plain-HTTP hosts for the internal network only (explicit http://
      # scheme opts them out of automatic HTTPS). The @local matcher gates
      # every handler in these blocks.
      "http://syncthing.internal".extraConfig = localOnly + ''
        reverse_proxy @local http://${config.services.syncthing.guiAddress}
      '';
      "http://files.internal".extraConfig = localOnly + mediaShare "@local";

      # Same media share exposed publicly, behind basic auth. The bcrypt hash
      # comes from the environment file, not from this module.
      "files.catnip.ee".extraConfig = cloudflareTls + ''
        basic_auth {
          mrow {env.FILES_PASSWORD_HASH}
        }
      '' + mediaShare "";

      # Public static site plus the Matrix well-known delegation endpoints.
      # The Matrix spec requires these to be readable cross-origin, hence the
      # wildcard CORS header on exactly these two paths.
      "catnip.ee".extraConfig = cloudflareTls + staticSite inputs.catnip-website + ''
        handle /.well-known/matrix/client {
          header Content-Type application/json
          header Access-Control-Allow-Origin *
          respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"}}`
        }
        handle /.well-known/matrix/server {
          header Content-Type application/json
          header Access-Control-Allow-Origin *
          respond `{"m.server": "matrix.catnip.ee:443"}`
        }
      '';

      # www alias: permanent redirect to the apex, path preserved.
      "www.catnip.ee".extraConfig = cloudflareTls + ''
        redir https://catnip.ee{uri} permanent
      '';

      # Port-80 catch-all for hostnames not listed above; answers a fixed body
      # instead of proxying or serving anything.
      ":80".extraConfig = ''
        respond awawaw
      '';
    };
  };
}