Created module for caddy with plugins

2024-09-10 19:48:40 +02:00 · 2024-09-10 19:48:40 +02:00 · f4935560a4
commit f4935560a4
parent ecbf722032
3 changed files with 100 additions and 34 deletions
--- a/modules/networking/caddy.nix
+++ b/modules/networking/caddy.nix
@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.my.networking.caddy;
+in
+{
+  options.my.networking.caddy = {
+    enable = lib.mkEnableOption "Enable caddy as reverse proxy";
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    age.secrets = {
+      cloudflare-tegola-apiKey = {
+        file = ../../secrets/cloudflare-tegola-apiKey.age;
+        owner = config.services.caddy.user;
+        group = config.services.caddy.group;
+      };
+    };
+
+    services.caddy = {
+      enable = true;
+      package = pkgs.caddy-custom;
+      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
+      extraConfig = ''
+        (cloudflare) {
+          tls {
+            dns cloudflare {env.CLOUDFLARE_KEY}
+            resolvers 1.1.1.1 100.100.100.100
+          }
+        }
+      '';
+    };
+
+    systemd.services.caddy.serviceConfig = {
+      EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    networking.firewall.allowedUDPPorts = [
+      80
+      443
+    ];
+  };
+
+}
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@ -1,6 +1,7 @@
 {
  imports = [
    ./avahi.nix
+    ./caddy.nix
    ./tailscale.nix
  ];
 }