nixos-config/modules/nixos/services/homeserver/caddy.nix


{ config, pkgs, ... }:
let
  secrets = config.sops.secrets;

  # The TLS certificate and key are owned by the caddy user so the daemon can
  # read them, and caddy.service is reloaded whenever sops rewrites either file.
  caddyOwnedSecret = {
    owner = "caddy";
    group = "caddy";
    reloadUnits = [ "caddy.service" ];
  };

  # Per-service caddy-tailscale nodes. Every node carries the shared tag:drone
  # plus one tag named after the service it fronts.
  tailscaleNodes = [ "grafana" "jellyfin" "ntfy" "prometheus" "restic" "vaultwarden" ];
  renderTailscaleNode = name: ''
    ${name} {
      tags tag:drone tag:${name}
    }
  '';
in
{
  sops.secrets = {
    # Environment file handed to the caddy unit via environmentFile below.
    # Left at the sops defaults (no owner/group override), so it is read by
    # systemd when the unit starts rather than by the caddy user itself.
    # NOTE(review): presumably this is where CADDY_TAILSCALE_AUTH_KEY comes
    # from (it is referenced in globalConfig) — confirm against the sops store.
    "caddy/secrets.env" = { };
    "caddy/wo2wz.fyi.crt" = caddyOwnedSecret;
    "caddy/wo2wz.fyi.key" = caddyOwnedSecret;
  };

  services.caddy = {
    enable = true;

    # use unstable for caddy-tailscale
    # Both plugins are pinned to exact pseudo-versions and the vendor hash is
    # fixed, so the build fails closed if either upstream changes.
    package = pkgs.caddy.withPlugins {
      plugins = [
        "github.com/WeidiDeng/caddy-cloudflare-ip@v0.0.0-20231130002422-f53b62aa13cb"
        "github.com/tailscale/caddy-tailscale@v0.0.0-20260106222316-bb080c4414ac"
      ];
      hash = "sha256-ST0MYExPlBbZt2xyFfyMdQRq5n06dgwOZkEeGO8dDeA=";
    };

    environmentFile = secrets."caddy/secrets.env".path;

    # caddy-tailscale breaks reloading
    enableReload = false;

    # Reusable Caddyfile snippets:
    #  - cloudflare-tls serves the wo2wz.fyi cert/key that sops places on disk.
    #  - default-settings enables compression and sets the baseline hardening
    #    headers; -Server and -X-Powered-By strip the server fingerprint.
    extraConfig = ''
      (cloudflare-tls) {
        tls ${secrets."caddy/wo2wz.fyi.crt".path} ${secrets."caddy/wo2wz.fyi.key".path}
      }
      (default-settings) {
        encode
        header {
          Strict-Transport-Security "max-age=15552000;"
          X-Frame-Options "SAMEORIGIN"
          X-Content-Type-Options "nosniff"
          X-Robots-Tag "noindex, nofollow"
          -Server
          -X-Powered-By
        }
      }
    '';

    # Node tags have to live in this one tailscale block: a second tailscale
    # block does not work.
    #
    # The servers block only honours CF-Connecting-Ip / X-Forwarded-For for
    # connections arriving from the Cloudflare ranges (refreshed every 7d), and
    # trusted_proxies_strict makes Caddy stop at the first untrusted hop in the
    # header chain instead of trusting the leftmost value — so a spoofed header
    # from a direct client does not become the logged/rate-limited client IP.
    #
    # The auth key is read from the environment (see environmentFile), never
    # written into the Caddyfile. state_dir is under the caddy data dir, which
    # presumably holds the tsnet node identity — confirm its permissions.
    globalConfig = ''
      grace_period 30s
      metrics {
        per_host
      }
      servers {
        client_ip_headers CF-Connecting-Ip X-Forwarded-For
        trusted_proxies cloudflare {
          interval 7d
          timeout 15s
        }
        trusted_proxies_strict
      }
      tailscale {
        auth_key {env.CADDY_TAILSCALE_AUTH_KEY}
        state_dir ${config.services.caddy.dataDir}/caddy-tailscale
        ephemeral true
        tags tag:drone
        ${builtins.concatStringsSep "" (map renderTailscaleNode tailscaleNodes)}
      }
    '';

    # Apex host: hardened headers + Cloudflare-facing TLS, static reply only.
    virtualHosts."wo2wz.fyi".extraConfig = ''
      import default-settings
      import cloudflare-tls
      respond "not much to see here"
    '';
  };
}