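# Caddy: TLS termination, reverse proxying and static hosting for every site
# on this server. Public hosts get automatic HTTPS (ACME account = `email`);
# the `http://<name>` hosts are LAN-only dashboards served over plain HTTP and
# gated solely by the `remote_ip` matcher defined in `localMatcher` below.
{ config
, pkgs
, inputs
, settings
, ...
}:
let
  # Element web client, preconfigured for the catnip.ee homeserver with
  # Element Call as the only call backend.
  elementClient = pkgs.element-web.override {
    conf = {
      default_server_config.default_server_name = "catnip.ee";
      element_call.use_exclusively = true;
      features = {
        feature_video_rooms = true;
        feature_element_call_video_rooms = true;
      };
    };
  };

  # Synapse admin UI, pinned to the homeserver URL.
  synapse-admin = pkgs.synapse-admin.override {
    baseUrl = "https://matrix.catnip.ee";
  };

  # Matrix discovery documents (client and server well-known). They are served
  # from both the apex domain and the homeserver host, so they live in one
  # binding and the two copies cannot drift apart. The wildcard CORS header is
  # what lets browser-based clients fetch the document cross-origin; the body
  # contains nothing secret.
  matrixWellKnown = ''
    handle /.well-known/matrix/client {
      header Content-Type application/json
      header Access-Control-Allow-Origin *
      respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"},"org.matrix.msc3575.proxy":{"url":"https://sliding-sync.catnip.ee"}}`
    }
    handle /.well-known/matrix/server {
      header Content-Type application/json
      header Access-Control-Allow-Origin *
      respond `{"m.server": "matrix.catnip.ee:443"}`
    }
  '';

  # Request matcher for clients on the RFC 1918 ranges plus the CGNAT range
  # 100.64.0.0/10. The hosts that use it speak plain HTTP and carry no other
  # authentication, so this matcher is their only access control; `remote_ip`
  # is evaluated against the TCP peer address, not a forwarded header.
  localMatcher = "@local remote_ip private_ranges 100.64.0.0/10";

  # Plain-HTTP virtual host that proxies requests from @local clients to a
  # local port. Requests from anywhere else match no handler and receive
  # Caddy's default empty response.
  localProxy = port: {
    extraConfig = ''
      ${localMatcher}
      reverse_proxy @local :${toString port}
    '';
  };
in
{
  services.caddy = {
    enable = true;
    email = "ssl@catnip.ee";
    virtualHosts = {
      # Mastodon: static assets straight from the package, streaming API and
      # web app over their unix sockets, long-lived caching for fingerprinted
      # assets and uploaded media.
      "fedi.catnip.ee".extraConfig = ''
        handle_path /system/* {
          file_server * {
            root /var/lib/mastodon/public-system
          }
        }
        handle /api/v1/streaming/* {
          reverse_proxy unix//run/mastodon-streaming/streaming.socket
        }
        route * {
          file_server * {
            root ${pkgs.mastodon}/public
            pass_thru
          }
          reverse_proxy * unix//run/mastodon-web/web.socket
        }
        handle_errors {
          root * ${pkgs.mastodon}/public
          rewrite 500.html
          file_server
        }
        encode gzip
        header /* {
          Strict-Transport-Security "max-age=31536000;"
        }
        header /emoji/* Cache-Control "public, max-age=31536000, immutable"
        header /packs/* Cache-Control "public, max-age=31536000, immutable"
        header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
        header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
      '';

      # TURN realm: Caddy only answers the ACME HTTP-01 challenge from the
      # directory coturn's certificate is provisioned into; `useACMEHost`
      # makes Caddy serve the certificate issued by the NixOS ACME module for
      # this host instead of obtaining its own.
      ${config.services.coturn.realm} = {
        extraConfig = ''
          root /.well-known/acme-challenge/* ${settings.turnAcmeDir}
          file_server
        '';
        useACMEHost = config.services.coturn.realm;
      };

      "drasl.snailcore.net".extraConfig = ''
        reverse_proxy :${toString settings.ports.drasl}
      '';
      "lastfm.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.lastfm}
      '';
      "forge.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.forgejo}
      '';

      # LAN-only dashboards (plain HTTP, bare hostnames). See `localProxy`.
      "http://epic" = localProxy settings.ports.epicgames-freegames-node;
      "http://bazarr" = localProxy settings.ports.bazarr;
      "http://archive" = localProxy settings.ports.archivebox;
      "http://scrutiny" = localProxy settings.ports.scrutiny;
      "http://prowlarr" = localProxy settings.ports.prowlarr;
      "http://radarr" = localProxy settings.ports.radarr;
      "http://sonarr" = localProxy settings.ports.sonarr;
      "http://lidarr" = localProxy settings.ports.lidarr;
      "http://qbittorrent" = localProxy settings.ports.qbittorrent;

      # Media share, LAN-only directory listing over plain HTTP.
      "http://files".extraConfig = ''
        ${localMatcher}
        root * /mnt/media
        file_server @local browse {
          hide .Trash-1000
        }
      '';

      # The same share on its public name, behind HTTP basic auth. The
      # password hash is read from the environment (FILES_PASSWORD_HASH) so
      # it never lands in the Nix store.
      "files.catnip.ee".extraConfig = ''
        basicauth * {
          mrow {env.FILES_PASSWORD_HASH}
        }
        root * /mnt/media
        file_server browse {
          hide .Trash-1000
        }
      '';

      "chat.catnip.ee".extraConfig = ''
        root * ${elementClient}
        file_server
      '';
      "sliding-sync.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.matrix-sliding-sync}
      '';
      "synapse-admin.catnip.ee".extraConfig = ''
        root * ${synapse-admin}
        file_server
      '';

      # Homeserver: Synapse behind the proxy, the Telegram bridge under
      # /telegram/, and the Matrix discovery documents.
      "matrix.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.synapse}
        redir /telegram /telegram/
        ${matrixWellKnown}
        handle /telegram/* {
          reverse_proxy :${toString settings.ports.mautrix-telegram}
        }
      '';

      "ntfy.catnip.ee".extraConfig = ''
        reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
        # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
        # it to work with curl without the annoying https:// prefix.
        @httpget {
          protocol http
          method GET
          path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
        }
        redir @httpget https://{host}{uri}
      '';

      "waka.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.wakapi}
      '';

      # Nextcloud: CalDAV/CardDAV discovery redirects plus HSTS and a strict
      # referrer policy on every response.
      "cloud.catnip.ee".extraConfig = ''
        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301
        header {
          Strict-Transport-Security "max-age=31536000; includeSubDomains"
          # A bare `Field value` line in Caddy's header directive sets
          # (replaces) the field, so listing several Referrer-Policy values
          # here left only the last one (no-referrer-when-downgrade) in
          # effect. Keep the single strictest value instead.
          Referrer-Policy no-referrer
        }
        reverse_proxy 127.0.0.1:${toString settings.ports.nextcloud}
      '';

      # Apex domain: the static website plus the Matrix discovery documents.
      "catnip.ee".extraConfig = ''
        root * ${inputs.catnip-website}
        file_server browse {
          hide .git
        }
        ${matrixWellKnown}
      '';
      "www.catnip.ee".extraConfig = ''
        redir https://catnip.ee{uri} permanent
      '';

      "vue.jellyfin.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.jellyfin_vue}
      '';
      "jellyfin.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.jellyfin}
      '';
      "plex.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.plex}
      '';

      # Catch-all for plain-HTTP requests that match none of the hosts above.
      ":80".extraConfig = ''
        respond awawaw
      '';
    };
  };
}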