From 027ac0682d2a1b865d6524a3ec33daaecef94adb Mon Sep 17 00:00:00 2001
From: vkcku
Date: Tue, 2 Jun 2026 07:59:34 +0530
Subject: infra: add caddy module

monorepo-revid: 8c7683c06b78606a897644ebf6f504215c373459
---
 infra/modules/base/secrets.yaml | 7 ++-
 infra/modules/caddy.nix | 99 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 infra/modules/caddy.nix

diff --git a/infra/modules/base/secrets.yaml b/infra/modules/base/secrets.yaml
index 352dac2..26c05df 100644
--- a/infra/modules/base/secrets.yaml
+++ b/infra/modules/base/secrets.yaml
@@ -1,4 +1,7 @@
 services:
+ cloudflare:
+ account_id: ENC[AES256_GCM,data:rTXER17XjAg0AioY0vIJBN2w4idhOky3nE2mVevVG6I=,iv:CZhgQseXuZBRYQ2/kkqH3/VX7+C9sNI94ehhij5v67s=,tag:hxA9KGplzJUPXdbBdOImLQ==,type:str]
+ dns_api_key: ENC[AES256_GCM,data:IlSYDs8sOhZodM02B2u2bczd5CHrNrZD9xqUP/oaCs1h89NrnnGqRaNWFVhKaR4EGKYai64=,iv:vopk0tXCYoF9kuE9HaZ5j/tmaiC4YMIKLKQJKJMCj/U=,tag:4jJJWecNoGGoZOYVOhkmZQ==,type:str]
 tailscale:
 auth_key: ENC[AES256_GCM,data:QF/BuwVIxmvq2fpu0j8AvmkRUs7LdzetP/iRJO59b+/pcIVcpAbE9RPU4Jr2mPI0KmrluR2lUSnha46sIg==,iv:zIrrqshSKl+c6xKJm+60+nhFW5ZIVckZ6Uv8Meq42KY=,tag:b8DuWv6OPIt57vF1JVP35g==,type:str]
 nixos_vm_auth_key: ENC[AES256_GCM,data:xXnpn4rAl4AMMxs9B9eMRoMtqCc6eudwh0Kb5WvQNUQ+DCWGzA4OpP4IhGDI94ldFkyiiFnW2vgV9qRRE+0=,iv:LppvzOqpIXJl1BHHF7BMKb0rcJC2c4JFPMjOFO5I7aM=,tag:RrMePFIN40oD8M250541Tg==,type:str]
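Review bot: The new `cloudflare.account_id` secret is not consumed by anything in this commit (caddy.nix only references `services/cloudflare/dns_api_key`), so it is either reserved for a later change or dead material; sops keeps YAML comments in plaintext, so a one-line comment above it naming the intended consumer would spare the next reader the search. For `dns_api_key`, the only use on this page is the DNS-01 challenge in caddy.nix, so the token behind it should be scoped to DNS edit on the relevant zone rather than being an account-wide key; the page cannot show the token's scope, so this is worth confirming before the key is relied on.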
@@ -38,7 +41,7 @@ sops:
 zSPgipY3pAVzRYgXReNVD0Y2+RJHZqsNl5IVblTwortze1kf3xCTsw==
 -----END AGE ENCRYPTED FILE-----
 recipient: age16eld3w6r2dkdh0x358fr0ntkvan7cw62nqjpq7t7flvqd0uayvhqnxe2kk
- lastmodified: "2026-06-01T12:49:14Z"
- mac: ENC[AES256_GCM,data:jaJeP38dymysPHRNAyKuqIUs694DseieQ/tfrR/xMhg+XAqG0HcKpfUecX+xDfMDtqPYHnHiTON0Bio8DKkWagrKJJPUg7NLGT+lC/Jdb5bnFwjGym7GYoTwU+Uws8egBeB6f5khmmKjdOKLIeLUFZ/6zJWzH9nUg7jXGXdxq0Y=,iv:JQqRPEwP7jVnXMx4xfePLO+Qq5NrJN4dsyzlqRYDNFY=,tag:QBfEnXGnTKQ2WHn40sqvOg==,type:str]
+ lastmodified: "2026-06-02T02:31:56Z"
+ mac: ENC[AES256_GCM,data:gXPUt8NCyinxWMYrPb90eSmSnFcvpyNZLfzp4am8+Mj00scfzFLMf83qzSAp8qXYufRXBP1bjsM3S6f41UWgZ/4cSHSKPD0P3P/VqcpynOiUFnAGp3koPoloLjywnci3XHHtTaopH4nPqWiBuc9Kgd25NF87kfXSbADvAyJ4ECU=,iv:y0GsniUSigyhw9TU/BWVV/xCuDsNyMW/KmF6IaXLVjE=,tag:57aErwdupcCRwlnV939BdQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.13.1

diff --git a/infra/modules/caddy.nix b/infra/modules/caddy.nix
new file mode 100644
index 0000000..69edb9b
--- /dev/null
+++ b/infra/modules/caddy.nix
@@ -0,0 +1,99 @@
+{ inputs, self, ... }:
+{
+ flake.modules.nixos.caddy =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ let
+ trustedProxies = lib.strings.concatStringsSep " " [ ];
+ in
+ {
+ infra.persist.directories = [
+ config.services.caddy.logDir
+ config.services.caddy.dataDir
+ ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ sops = {
+ secrets."services/cloudflare/dns_api_key" = {
+ owner = config.services.caddy.user;
+ };
+
+ templates."caddy.env" = {
+ content = ''
+ INFRA_CF_DNS_API_KEY="${config.sops.placeholder."services/cloudflare/dns_api_key"}"
+ '';
+ owner = config.services.caddy.user;
+ };
+ };
+
+ systemd.services.caddy.serviceConfig.EnvironmentFile = config.sops.templates."caddy.env".path;
+
+ services.caddy = {
+ enable = true;
+ package = pkgs.caddy.withPlugins {
+ plugins = [
+ "github.com/caddy-dns/cloudflare@v0.2.4" # for DNS-01 challenge
+ ];
+ hash = "sha256-bzMqxWTqrJ1skZmRTXyEMCKStXpljbqe5r0Ve2cnBfM=";
+ };
+
+ logFormat = ''
+ level INFO
+ output file ${config.services.caddy.logDir}/caddy.log
+ format append {
+ fields {
+ "caddy.version" "${config.services.caddy.package.version}"
+ "infra.version" "${self.rev or self.dirtyRev}"
+ "infra.nixpkgs_version" "${inputs.nixpkgs.rev}"
+ "os.name" "${config.system.nixos.codeName}"
+ "os.version" "${config.system.nixos.version}"
+ "host.id" "${config.networking.hostId}"
+ "host.name" "${config.networking.hostName}"
+ service caddy
+ }
+ }
+ '';
+
+ globalConfig = ''
+ admin :2019
+
+ grace_period 30s
+
+ skip_install_trust
+
+ email acme@mail.vkcku.com
+ acme_dns cloudflare {env.INFRA_CF_DNS_API_KEY}
+
+ servers {
+ timeouts {
+ read_body 45s
+ read_header 10s
+ write 45s
+ idle 10m
+ }
+
+ trusted_proxies static [private_ranges] ${trustedProxies}
+ client_ip_headers CF-Connecting-IP X-Forwarded-For
+ }
+
+ servers :443 {
+ name https
+ }
+
+ servers :80 {
+ name http
+ }
+ '';
+
+ virtualHosts."http://" = { };
+ };
+ };
+}
-- 
cgit v1.3.1
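Review bot: `admin :2019` in globalConfig binds Caddy's unauthenticated admin API to every interface instead of the default `localhost:2019`; the firewall here only opens 80 and 443, but any interface the host treats as trusted (a Tailscale interface, for instance — the secrets file in this same commit carries Tailscale keys) would reach an endpoint that accepts full config replacement, so prefer `admin localhost:2019` (not `admin off`, since the NixOS service's reload path presumably talks to that socket). In `trusted_proxies static [private_ranges] ${trustedProxies}` the square brackets look copied from the documentation's syntax notation; the Caddyfile lexer passes `[private_ranges]` through as a literal token and the static module would presumably reject it as an IP range at load time, whereas the bare keyword `private_ranges` is what expands to the RFC1918/loopback ranges — worth confirming with `caddy validate`. Separately, `client_ip_headers CF-Connecting-IP X-Forwarded-For` combined with a private-ranges trust anchor means any private-network peer can set the client IP Caddy logs and matches on, which is only sound if Cloudflare-originated traffic enters via a local tunnel rather than from Cloudflare's public edge ranges; with `trustedProxies` still an empty list, a comment on that line stating the intended ingress path would make the trust decision explicit. Lastly, `owner = config.services.caddy.user` on the raw `services/cloudflare/dns_api_key` secret appears unnecessary, since only systemd (as root) reads the rendered EnvironmentFile, so the secret itself could stay root-owned to keep the key off the caddy user's reachable files.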