server.nix/caddy.nix

{config, pkgs, lib, inputs, ...}: let
  settings = import ./settings.nix {};

  # pkgs.schildichat-web
  elementClient = pkgs.element-web.override {
    conf = {
      default_server_config = {
        m.homeserver = "matrix.catnip.ee:443";
      };
    };
  };

  wellKnownMatrix = ''
    handle /.well-known/matrix/client {
	    header Content-Type application/json
	    header Access-Control-Allow-Origin *
      respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"},"org.matrix.msc3575.proxy":{"url":"https://sliding-sync.catnip.ee"}}`
    }
    handle /.well-known/matrix/server {
	    header Content-Type application/json
	    header Access-Control-Allow-Origin *
	    respond `{"m.server": "matrix.catnip.ee:443"}`
    }
  '';
in {
  services.caddy = {
    enable = true;
    email = "anonymous_shiba@protonmail.com";
    virtualHosts = {
      "drasl.snailcore.net".extraConfig = ''
        reverse_proxy :${toString settings.ports.drasl}
      '';
      "lastfm.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.lastfm}
      '';
      "social.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.firefish}
      '';
      "forge.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.forgejo}
      '';
      "http://bazarr".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.bazarr}
      '';
      "http://archive".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.archivebox}
      '';
      "http://scrutiny".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.scrutiny}
      '';
      "http://prowlarr".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.prowlarr}
      '';
      "http://radarr".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.radarr}
      '';
      "http://sonarr".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.sonarr}
      '';
      "http://qbittorrent".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        reverse_proxy @local :${toString settings.ports.qbittorrent}
      '';
      "http://files".extraConfig = ''
        @local remote_ip private_ranges 100.64.0.0/10
        root * /mnt/media
        file_server @local browse {
          hide .Trash-1000
        }
      '';

      "files.catnip.ee" = {
        extraConfig = ''
        	basicauth * {
            mrow {env.FILES_PASSWORD_HASH}
        	}

          root * /mnt/media
          file_server browse {
            hide .Trash-1000
          }
        '';
      };
      "chat.catnip.ee".extraConfig = ''
        root * ${elementClient}
        file_server
      '';
      "sliding-sync.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.matrix-sliding-sync}
      '';
      "matrix.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.synapse}

        ${wellKnownMatrix}

        handle /telegram/* {
          reverse_proxy :${toString settings.ports.mautrix-telegram}
        }

        handle_path /synapse-admin* {
          root * ${pkgs.synapse-admin}
          file_server
        }
      '';

      "ntfy.catnip.ee".extraConfig = ''
          reverse_proxy ${config.services.ntfy-sh.settings.listen-http}

          # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
          # it to work with curl without the annoying https:// prefix.
          @httpget {
              protocol http
              method GET
              path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
          }
          redir @httpget https://{host}{uri}
      '';

      "waka.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.wakapi}
      '';
 
      # docker authentik
      "auth.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.authentik}
      '';

      "cloud.catnip.ee".extraConfig = ''
         redir /.well-known/carddav /remote.php/dav 301
         redir /.well-known/caldav /remote.php/dav 301

        header {
           Strict-Transport-Security "max-age=31536000; includeSubDomains"
           Referrer-Policy no-referrer
           Referrer-Policy same-origin
           Referrer-Policy strict-origin
           Referrer-Policy strict-origin-when-cross-origin
           Referrer-Policy no-referrer-when-downgrade
         }

         reverse_proxy 127.0.0.1:${toString settings.ports.nextcloud}
      '';

      "uptime.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.uptime_kuma}
      '';
      "catnip.ee" = {
        extraConfig = ''
          root * ${inputs.catnip-website}
          file_server browse {
            hide .git
          }

          ${wellKnownMatrix}
        '';
        serverAliases = [
          "www.catnip.ee"
        ];
      };
      "vue.jellyfin.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.jellyfin_vue}
      '';
      "jellyfin.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.jellyfin}
      '';
      "plex.catnip.ee".extraConfig = ''
        reverse_proxy :${toString settings.ports.plex}
      '';

      ":80".extraConfig = ''
        respond awawaw
      '';
    };
  };
}