wo2w/nixos-config
1
0
Fork 0
Code Issues Pull requests Activity
nixos-config/modules/nixos/services/homeserver/caddy.nix

102 lines
2.5 KiB
Nix
Executable file
Raw Blame History

{ config, pkgs, ... }:
{
sops.secrets = {
"caddy/secrets.env" = {};
"caddy/wo2wz.fyi.crt" = {
owner = "caddy";
group = "caddy";
restartUnits = [ "caddy.service" ];
};
"caddy/wo2wz.fyi.key" = {
owner = "caddy";
group = "caddy";
restartUnits = [ "caddy.service" ];
};
};
services = {
caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
plugins = [ "github.com/tailscale/caddy-tailscale@v0.0.0-20260106222316-bb080c4414ac" ];
hash = "sha256-1BAY6oZ1qJCKlh0Y2KKqw87A45EUPVtwS2Su+LfXtCc=";
};
environmentFile = config.sops.secrets."caddy/secrets.env".path;
# caddy-tailscale breaks reloading
enableReload = false;
extraConfig = ''
(cloudflare-tls) {
tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
}
(default-settings) {
encode
header {
Strict-Transport-Security "max-age=15552000;"
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
X-Robots-Tag "noindex, nofollow"
-Server
-X-Powered-By
}
}
'';
# have to specify node tags here because if there are two tailscale blocks it just dont work
globalConfig = ''
grace_period 30s
metrics {
per_host
}
servers {
client_ip_headers CF-Connecting-Ip X-Forwarded-For
trusted_proxies static 127.0.0.1 ::1
}
tailscale {
auth_key {env.CADDY_TAILSCALE_AUTH_KEY}
state_dir ${config.services.caddy.dataDir}/caddy-tailscale
ephemeral true
tags tag:drone
grafana {
tags tag:drone tag:grafana
}
jellyfin {
tags tag:drone tag:jellyfin
}
ntfy {
tags tag:drone tag:ntfy
}
prometheus {
tags tag:drone tag:prometheus
}
restic {
tags tag:drone tag:restic
}
technitium {
tags tag:drone tag:technitium
}
vaultwarden {
tags tag:drone tag:vaultwarden
}
}
'';
virtualHosts."wo2wz.fyi".extraConfig = ''
import default-settings
import cloudflare-tls
respond "{client_ip}"
'';
};
};
}
Reference in a new issue View git blame Copy permalink