From 7d2ce03dc36639a28539eb16e9cc01a4e78bcde4 Mon Sep 17 00:00:00 2001
From: pazpi
Date: Mon, 7 Oct 2024 22:03:39 +0200
Subject: [PATCH] Build Caddy with cloudflare as overlay
---
 flake.lock | 19 +++++++++++-
 flake.nix | 2 ++
 hosts/caddy/default.nix | 11 ++++++-
 hosts/default.nix | 9 +++++-
 modules/networking/caddy.nix | 57 ++++++++++++++++++++++++++++++++++++
 5 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index d0801c1..251d85f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -241,6 +241,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1726463316,
+ "narHash": "sha256-gI9kkaH0ZjakJOKrdjaI/VbaMEo9qBbSUl93DnU7f4c=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "99dc8785f6a0adac95f5e2ab05cc2e1bf666d172",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "agenix": "agenix",
@@ -248,7 +264,8 @@
 "home-manager": "home-manager_2",
 "lix-module": "lix-module",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable"
 }
 },
 "stable": {
diff --git a/flake.nix b/flake.nix
index 08257b9..0e0ee92 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,6 +11,7 @@
 # NixOS related inputs
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -40,6 +41,7 @@
 {
 self,
 nixpkgs,
+ nixpkgs-unstable,
 nixos-hardware,
 lix-module,
 agenix,
diff --git a/hosts/caddy/default.nix b/hosts/caddy/default.nix
index 5d3fb1c..a6fdd59 100644
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -31,6 +31,12 @@ in
 host = "metrics.internal";
 };
 };
+ grafana = {
+ proxy = {
+ domain = "tegola.pro";
+ host = "metrics.internal";
+ };
+ };
 };
 networking = {
@@ -64,7 +70,10 @@ in
 };
 };
- networking.nameservers = [ "192.168.1.2" ];
+ networking = {
+ firewall.allowedTCPPorts = [ 9100 ];
+ nameservers = [ "192.168.1.2" ];
+ };
 system.stateVersion = "24.05";
 }
diff --git a/hosts/default.nix b/hosts/default.nix
index 13b1e86..2cd3d60 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -1,5 +1,6 @@
 {
 nixpkgs,
+ nixpkgs-unstable,
 nixos-hardware,
 agenix,
 home-manager,
@@ -9,7 +10,13 @@ let
 agenixOverlay = final: prev: {
 agenix = agenix.packages.${prev.system}.default;
 };
- customOverlays = import ../overlay;
+ # customOverlays = import ../overlay;
+ customOverlays = (
+ final: prev: {
+ caddy-custom = prev.callPackage ../overlay/caddy-custom.nix { };
+ jellyseerr = nixpkgs-unstable.legacyPackages."x86_64-linux".jellyseerr;
+ }
+ );
 pkgs = system:
diff --git a/modules/networking/caddy.nix b/modules/networking/caddy.nix
index d0dd592..ee158eb 100644
--- a/modules/networking/caddy.nix
+++ b/modules/networking/caddy.nix
@@ -29,6 +35,12 @@ in
 enable = true;
 package = pkgs.caddy-custom;
 # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
+ globalConfig = ''
+ admin :2024
+ servers {
+ metrics
+ }
+ '';
 extraConfig = ''
 (cloudflare) {
 tls {
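Review bot: `firewall.allowedTCPPorts = [ 9100 ];` opens the port on every interface of the host, while the only consumer visible in this diff is `metrics.internal`. Nothing in the hunk shows what listens on 9100 (presumably a metrics exporter, which is normally plaintext and unauthenticated), so consider scoping the rule to the interface the scraper reaches, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 9100 ];`, or an `extraCommands` rule limited to the scraper's address. A one-line comment naming the service behind the port would also help the next reader, e.g. `# 9100: exporter scraped by metrics.internal`. The module's enclosing attribute set begins before this hunk.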
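Review bot: `nixpkgs-unstable.legacyPackages."x86_64-linux".jellyseerr` hard-codes the system, whereas `agenixOverlay` three lines above derives it from `prev.system`; on any other architecture this overlay would silently inject an x86_64 package. Use the same form, `jellyseerr = nixpkgs-unstable.legacyPackages.${prev.system}.jellyseerr;`. The commented-out `# customOverlays = import ../overlay;` line should be deleted (git history keeps the old value) or replaced by a comment saying why the directory import was dropped, and since jellyseerr now tracks a different nixpkgs revision than the rest of the system a short why-comment on that line would be worth adding — presumably the 24.05 package is too old, but the diff does not say. The enclosing `let` block begins before this hunk.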
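Review bot: `admin :2024` binds Caddy's admin API to all interfaces instead of the default `localhost:2019`, and the later hunk in this same file adds `2024` to `networking.firewall.allowedTCPPorts`, so an endpoint that accepts unauthenticated `POST /load` and `POST /stop` becomes reachable from the network. If the only goal is to let `metrics.internal` scrape `/metrics`, keep the admin socket local and serve the metrics handler from an ordinary site block restricted by a `remote_ip` matcher, as sketched below; the admin `origins` option is not a substitute because it only checks request headers. A comment on `servers { metrics }` noting that it merely enables per-server metrics collection and does not itself expose them would also help. The `services.caddy` attribute set starts before this hunk.
```nix
globalConfig = ''
  admin localhost:2019
  servers {
    metrics
  }
'';
extraConfig = ''
  # … unchanged: (cloudflare) snippet …
  http://:2024 {
    @scraper remote_ip <address of metrics.internal>
    metrics @scraper
    respond 403
  }
'';
```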
@@ -44,9 +50,60 @@ in
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
 };
+ # By default, the module create a custom user but it lacks permission to read caddy files
+ systemd.services.promtail.serviceConfig = {
+ Group = lib.mkForce config.services.caddy.group;
+ User = lib.mkForce config.services.caddy.user;
+ };
+
+ services.promtail = {
+ enable = true;
+ configuration = {
+ server.http_listen_port = 9080;
+ server.grpc_listen_port = 0;
+ clients = [ { url = "http://metrics.internal:3100/loki/api/v1/push"; } ];
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ };
+ };
+ relabel_configs = [
+ {
+ source_labels = [ "__journal__systemd_unit" ];
+ regex = "(.*)\\.service";
+ target_label = "service";
+ }
+ {
+ source_labels = [ "__journal__hostname" ];
+ target_label = "hostname";
+ }
+ ];
+ }
+ {
+ job_name = "caddy";
+ static_configs = [
+ {
+ targets = [ "localhost" ];
+ labels = {
+ job = "caddylogs";
+ __path__ = "${config.services.caddy.logDir}/*.log";
+ };
+ }
+ ];
+ }
+ ];
+ };
+ };
+
 networking.firewall.allowedTCPPorts = [
 80
 443
+ 2024
 ];
 networking.firewall.allowedUDPPorts = [