nixos-config/modules/nixos/services/homeserver/caddy.nix

{ config, pkgs, ... }:

{
  sops.secrets = {
    "caddy/secrets.env" = {};

    "caddy/wo2wz.fyi.crt" = {
      owner = "caddy";
      group = "caddy";
      restartUnits = [ "caddy.service" ];
    };
    "caddy/wo2wz.fyi.key" = {
      owner = "caddy";
      group = "caddy";
      restartUnits = [ "caddy.service" ];
    };
  };

  services = {
    caddy = {
      enable = true;
      package = pkgs.caddy.withPlugins {
        plugins = [ "github.com/tailscale/caddy-tailscale@v0.0.0-20260106222316-bb080c4414ac" ];
        hash = "sha256-1BAY6oZ1qJCKlh0Y2KKqw87A45EUPVtwS2Su+LfXtCc=";
      };
      environmentFile = config.sops.secrets."caddy/secrets.env".path;

      # caddy-tailscale breaks reloading
      enableReload = false;

      extraConfig = ''
        (cloudflare-tls) {
            tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
        }

        (default-settings) {
            encode

            header {
                Strict-Transport-Security "max-age=15552000;"
                X-Frame-Options "SAMEORIGIN"
                X-Content-Type-Options "nosniff"
                X-Robots-Tag "noindex, nofollow"
                -Server
                -X-Powered-By
            }
        }
      '';
      # have to specify node tags here because if there are two tailscale blocks it just dont work
      globalConfig = ''
        grace_period 30s

        metrics {
            per_host
        }

        servers {
            client_ip_headers CF-Connecting-Ip X-Forwarded-For
            trusted_proxies static 127.0.0.1 ::1
        }

        tailscale {
            auth_key {env.CADDY_TAILSCALE_AUTH_KEY}
            state_dir ${config.services.caddy.dataDir}/caddy-tailscale

            ephemeral true

            tags tag:drone

            grafana {
                tags tag:drone tag:grafana
            }
            jellyfin {
                tags tag:drone tag:jellyfin
            }
            ntfy {
                tags tag:drone tag:ntfy
            }
            prometheus {
                tags tag:drone tag:prometheus
            }
            restic {
                tags tag:drone tag:restic
            }
            technitium {
                tags tag:drone tag:technitium
            }
            vaultwarden {
                tags tag:drone tag:vaultwarden
            }
        }
      '';

      virtualHosts."wo2wz.fyi".extraConfig = ''
        import default-settings
        import cloudflare-tls

        handle /.well-known/matrix/* {
            reverse_proxy unix/${config.services.matrix-continuwuity.settings.global.unix_socket_path}
        }

        respond "{client_ip}"
      '';
    };
  };
}