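{ inputs, self, ... }:
{
  # NixOS module (exported via flake-parts) that runs Caddy as the public
  # HTTP/HTTPS edge with ACME via the Cloudflare DNS-01 challenge.
  flake.modules.nixos.caddy =
    { config, lib, pkgs, ... }:
    let
      # Additional upstream proxy IPs/CIDRs appended to `trusted_proxies` in
      # the global config below. Currently empty, so only Caddy's built-in
      # `private_ranges` are trusted. Any peer in the trusted set may set
      # CF-Connecting-IP / X-Forwarded-For and Caddy will report that value
      # as the client IP (access logs, IP-based matchers), so only list hops
      # you control.
      trustedProxies = lib.strings.concatStringsSep " " [ ];
    in
    {
      # Keep access logs and ACME/TLS state (certificates, account keys)
      # across rebuilds of an ephemeral root.
      infra.persist.directories = [
        config.services.caddy.logDir
        config.services.caddy.dataDir
      ];

      # Only HTTP and HTTPS are opened; the admin API port (2019, see
      # `admin` below) is deliberately not in this list.
      networking.firewall.allowedTCPPorts = [ 80 443 ];

      sops = {
        # Cloudflare API token used for the DNS-01 challenge; owned by the
        # caddy user so the service can read it.
        secrets."services/cloudflare/dns_api_key" = {
          owner = config.services.caddy.user;
        };
        # Rendered into an EnvironmentFile at activation time so the token is
        # referenced from the Caddyfile via {env.…} and never written into the
        # Caddyfile itself (which ends up in the world-readable Nix store).
        templates."caddy.env" = {
          content = ''
            INFRA_CF_DNS_API_KEY="${config.sops.placeholder."services/cloudflare/dns_api_key"}"
          '';
          owner = config.services.caddy.user;
        };
      };

      systemd.services.caddy.serviceConfig.EnvironmentFile =
        config.sops.templates."caddy.env".path;

      services.caddy = {
        enable = true;
        package = pkgs.caddy.withPlugins {
          plugins = [
            "github.com/caddy-dns/cloudflare@v0.2.4" # for DNS-01 challenge
          ];
          hash = "sha256-bzMqxWTqrJ1skZmRTXyEMCKStXpljbqe5r0Ve2cnBfM=";
        };

        # Structured log to a file with build/host provenance fields appended
        # to every entry so a log line can be tied to an exact deployment.
        # `self.rev` is only set for a clean git checkout and `self.dirtyRev`
        # only for a dirty one; fall back to a marker instead of failing
        # evaluation when the flake is not a git checkout at all.
        logFormat = ''
          level INFO
          output file ${config.services.caddy.logDir}/caddy.log
          format append {
            fields {
              "caddy.version" "${config.services.caddy.package.version}"
              "infra.version" "${self.rev or self.dirtyRev or "unknown"}"
              "infra.nixpkgs_version" "${inputs.nixpkgs.rev}"
              "os.name" "${config.system.nixos.codeName}"
              "os.version" "${config.system.nixos.version}"
              "host.id" "${config.networking.hostId}"
              "host.name" "${config.networking.hostName}"
              service caddy
            }
          }
        '';

        # Global Caddyfile options.
        #
        # NOTE(review): `admin :2019` has no host part, so the admin API
        # listens on all interfaces rather than Caddy's default of
        # localhost:2019. The admin API is unauthenticated and can replace the
        # running config; the NixOS firewall above keeps it off the network,
        # but anything else on this host (other users, containers sharing the
        # host network namespace) can still reach it. Confirm non-loopback
        # access is intended, otherwise use `admin localhost:2019`.
        #
        # `trusted_proxies static private_ranges` trusts RFC1918/loopback
        # peers to supply the real client IP through CF-Connecting-IP or
        # X-Forwarded-For. The keyword is `private_ranges` (the brackets in the
        # Caddy docs mark it as optional and are not part of the syntax;
        # `[private_ranges]` is parsed as an IP range and fails to load).
        # Cloudflare's public edge ranges are not trusted here, so a
        # CF-Connecting-IP header on a direct connection from Cloudflare is
        # ignored unless those ranges are added to `trustedProxies` —
        # presumably traffic arrives via a private hop (e.g. a tunnel); verify
        # against the actual ingress path.
        globalConfig = ''
          admin :2019
          grace_period 30s
          skip_install_trust
          email acme@mail.vkcku.com
          acme_dns cloudflare {env.INFRA_CF_DNS_API_KEY}
          servers {
            timeouts {
              read_body 45s
              read_header 10s
              write 45s
              idle 10m
            }
            trusted_proxies static private_ranges ${trustedProxies}
            client_ip_headers CF-Connecting-IP X-Forwarded-For
          }
          servers :443 {
            name https
          }
          servers :80 {
            name http
          }
        '';

        # Empty plain-HTTP site so port 80 is served (ACME redirects/HTTP
        # handling); no hosts are defined in this module.
        virtualHosts."http://" = { };
      };
    };
}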