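{
  config,
  pkgs,
  lib,
  ...
}:
# NixOS module: runs Caddy as a reverse proxy with TLS certificates obtained
# through the ACME DNS-01 challenge against Cloudflare. The Cloudflare API
# token is kept out of the Nix store by decrypting it with agenix at runtime.
let
  cfg = config.my.networking.caddy;
in
{
  options.my.networking.caddy = {
    # mkEnableOption already prefixes the text with "Whether to enable ", so the
    # description must not itself start with "Enable".
    enable = lib.mkEnableOption "caddy as reverse proxy";
  };

  config = lib.mkIf cfg.enable {
    # Encrypted Cloudflare API token; decrypted at activation and owned by the
    # caddy service user/group so only the service can read it.
    age.secrets = {
      cloudflare-tegola-apiKey = {
        file = ../../secrets/cloudflare-tegola-apiKey.age;
        owner = config.services.caddy.user;
        group = config.services.caddy.group;
      };
    };

    services.caddy = {
      enable = true;
      # Custom build; presumably carries the Cloudflare DNS plugin that the
      # `dns cloudflare` directive below requires — confirm against the package.
      package = pkgs.caddy-custom;
      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
      # Reusable Caddyfile snippet; individual sites pick it up with `import cloudflare`.
      # The token is read from the environment at runtime, never written into the Caddyfile.
      extraConfig = ''
        (cloudflare) {
          tls {
            dns cloudflare {env.CLOUDFLARE_KEY}
            resolvers 1.1.1.1 100.100.100.100
          }
        }
      '';
    };

    systemd.services.caddy.serviceConfig = {
      # Decrypted secret loaded as KEY=VALUE lines; it is expected to define
      # CLOUDFLARE_KEY to match the {env.CLOUDFLARE_KEY} reference above — confirm
      # against the secret's contents.
      EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
      # Allows the unprivileged caddy user to bind the privileged ports 80/443.
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    };

    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
    # HTTP/3 (QUIC) is served on UDP 443 only; Caddy does not listen on UDP 80,
    # so that port is no longer opened (it was previously allowed here).
    networking.firewall.allowedUDPPorts = [
      443
    ];
  };
}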