diff --git a/modules/networking/caddy.nix b/modules/networking/caddy.nix
new file mode 100644
index 0000000..d0dd592
--- /dev/null
+++ b/modules/networking/caddy.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.my.networking.caddy;
+in
+{
+ options.my.networking.caddy = {
+ enable = lib.mkEnableOption "Enable caddy as reverse proxy";
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ age.secrets = {
+ cloudflare-tegola-apiKey = {
+ file = ../../secrets/cloudflare-tegola-apiKey.age;
+ owner = config.services.caddy.user;
+ group = config.services.caddy.group;
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ package = pkgs.caddy-custom;
+ # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
+ extraConfig = ''
+ (cloudflare) {
+ tls {
+ dns cloudflare {env.CLOUDFLARE_KEY}
+ resolvers 1.1.1.1 100.100.100.100
+ }
+ }
+ '';
+ };
+
+ systemd.services.caddy.serviceConfig = {
+ EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 80
+ 443
+ ];
+ };
+
+}
diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index ec009b6..746cb98 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./avahi.nix
+ ./caddy.nix
 ./tailscale.nix
 ];
 }
diff --git a/overlay/caddy-custom.nix b/overlay/caddy-custom.nix
index 8bfbd11..910d8bb 100644
--- a/overlay/caddy-custom.nix
+++ b/overlay/caddy-custom.nix
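Review bot: `networking.firewall.allowedUDPPorts` opens UDP 80 as well as 443, but nothing in this module listens on UDP 80 — Caddy's HTTP/3 listener is QUIC on UDP 443 — so the exposed surface should be `networking.firewall.allowedUDPPorts = [ 443 ];`. `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so the option description renders as "Whether to enable Enable caddy as reverse proxy."; use `enable = lib.mkEnableOption "caddy as reverse proxy";`. The secret is named `cloudflare-tegola-apiKey`, which suggests a global API key; the caddy-dns/cloudflare plugin takes a Cloudflare API token, and a token scoped to DNS edit on the single zone limits the damage if the EnvironmentFile is ever exposed — confirm what the `.age` file holds, and that it defines `CLOUDFLARE_KEY=…` since that is the variable `{env.CLOUDFLARE_KEY}` reads. As far as I recall the NixOS caddy module already sets `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` on the unit; if so, the definition in `systemd.services.caddy.serviceConfig` is redundant and can be dropped once verified.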
@@ -3,46 +3,53 @@ with pkgs; caddy.override { - buildGoModule = args: buildGoModule (args // { - src = stdenv.mkDerivation rec { - pname = "caddy-using-xcaddy-${xcaddy.version}"; - inherit (caddy) version; + buildGoModule = + args: + buildGoModule ( + args + // { + src = stdenv.mkDerivation rec { + pname = "caddy-using-xcaddy-${xcaddy.version}"; + inherit (caddy) version; - dontUnpack = true; - dontFixup = true; + dontUnpack = true; + dontFixup = true; - nativeBuildInputs = [ - cacert - go - ]; + nativeBuildInputs = [ + cacert + go + ]; - plugins = [ - # https://github.com/caddy-dns/cloudflare - "github.com/caddy-dns/cloudflare@89f16b99c18ef49c8bb470a82f895bce01cbaece" - ]; + plugins = [ "github.com/caddy-dns/cloudflare@89f16b99c18ef49c8bb470a82f895bce01cbaece" ]; - configurePhase = '' - export GOCACHE=$TMPDIR/go-cache - export GOPATH="$TMPDIR/go" - export XCADDY_SKIP_BUILD=1 - ''; + configurePhase = '' + export GOCACHE=$TMPDIR/go-cache + export GOPATH="$TMPDIR/go" + export XCADDY_SKIP_BUILD=1 + ''; - buildPhase = '' - ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins} - cd buildenv* - go mod vendor - ''; + buildPhase = '' + ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${ + lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins + } + cd buildenv* + go mod vendor + ''; - installPhase = '' - cp -r --reflink=auto . $out - ''; + installPhase = '' + cp -r --reflink=auto . $out + ''; - outputHash = "sha256-lyhEIOgGkR31bt9YV+W854TBZw419G8uuTtBSsFcgCA="; - outputHashMode = "recursive"; - }; + outputHash = "sha256-lyhEIOgGkR31bt9YV+W854TBZw419G8uuTtBSsFcgCA="; + outputHashMode = "recursive"; + }; - subPackages = [ "." ]; - ldflags = [ "-s" "-w" ]; ## don't include version info twice - vendorHash = null; - }); + subPackages = [ "." ]; + ldflags = [ + "-s" + "-w" + ]; # # don't include version info twice + vendorHash = null; + } + ); }
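Review bot: the trailing comment on the `ldflags` list came out of the reformat as `# # don't include version info twice`, a formatter artifact of the old `##`; write it as `]; # don't include version info twice`. The reformat also drops the `# https://github.com/caddy-dns/cloudflare` comment above the pinned plugin, leaving a bare commit hash with no pointer to the upstream; a one-line comment such as `# github.com/caddy-dns/cloudflare pinned to a commit; bump outputHash when changing it` keeps the pin reviewable by whoever updates it next.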