Created module for caddy with plugins

modules/networking/caddy.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.my.networking.caddy;
+in
+{
+  options.my.networking.caddy = {
+    enable = lib.mkEnableOption "Enable caddy as reverse proxy";
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    age.secrets = {
+      cloudflare-tegola-apiKey = {
+        file = ../../secrets/cloudflare-tegola-apiKey.age;
+        owner = config.services.caddy.user;
+        group = config.services.caddy.group;
+      };
+    };
+
+    services.caddy = {
+      enable = true;
+      package = pkgs.caddy-custom;
+      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
+      extraConfig = ''
+        (cloudflare) {
+          tls {
+            dns cloudflare {env.CLOUDFLARE_KEY}
+            resolvers 1.1.1.1 100.100.100.100
+          }
+        }
+      '';
+    };
+
+    systemd.services.caddy.serviceConfig = {
+      EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    networking.firewall.allowedUDPPorts = [
+      80
+      443
+    ];
+  };
+
+}

modules/networking/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./avahi.nix
+    ./caddy.nix
     ./tailscale.nix
   ];
 }

overlay/caddy-custom.nix

@@ -3,46 +3,53 @@
 with pkgs;
 
 caddy.override {
-  buildGoModule = args: buildGoModule (args // {
-    src = stdenv.mkDerivation rec {
-      pname = "caddy-using-xcaddy-${xcaddy.version}";
-      inherit (caddy) version;
+  buildGoModule =
+    args:
+    buildGoModule (
+      args
+      // {
+        src = stdenv.mkDerivation rec {
+          pname = "caddy-using-xcaddy-${xcaddy.version}";
+          inherit (caddy) version;
 
-      dontUnpack = true;
-      dontFixup = true;
+          dontUnpack = true;
+          dontFixup = true;
 
-      nativeBuildInputs = [
-        cacert
-        go
-      ];
+          nativeBuildInputs = [
+            cacert
+            go
+          ];
 
-      plugins = [
-        # https://github.com/caddy-dns/cloudflare
-        "github.com/caddy-dns/cloudflare@89f16b99c18ef49c8bb470a82f895bce01cbaece"
-      ];
+          plugins = [ "github.com/caddy-dns/cloudflare@89f16b99c18ef49c8bb470a82f895bce01cbaece" ];
 
-      configurePhase = ''
-        export GOCACHE=$TMPDIR/go-cache
-        export GOPATH="$TMPDIR/go"
-        export XCADDY_SKIP_BUILD=1
-      '';
+          configurePhase = ''
+            export GOCACHE=$TMPDIR/go-cache
+            export GOPATH="$TMPDIR/go"
+            export XCADDY_SKIP_BUILD=1
+          '';
 
-      buildPhase = ''
-        ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins}
-        cd buildenv*
-        go mod vendor
-      '';
+          buildPhase = ''
+            ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${
+              lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins
+            }
+            cd buildenv*
+            go mod vendor
+          '';
 
-      installPhase = ''
-        cp -r --reflink=auto . $out
-      '';
+          installPhase = ''
+            cp -r --reflink=auto . $out
+          '';
 
-      outputHash = "sha256-lyhEIOgGkR31bt9YV+W854TBZw419G8uuTtBSsFcgCA=";
-      outputHashMode = "recursive";
-    };
+          outputHash = "sha256-lyhEIOgGkR31bt9YV+W854TBZw419G8uuTtBSsFcgCA=";
+          outputHashMode = "recursive";
+        };
 
-    subPackages = [ "." ];
-    ldflags = [ "-s" "-w" ]; ## don't include version info twice
-    vendorHash = null;
-  });
+        subPackages = [ "." ];
+        ldflags = [
+          "-s"
+          "-w"
+        ]; # # don't include version info twice
+        vendorHash = null;
+      }
+    );
 }