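# Caddy module (flake-parts `flake.modules.nixos.*` style).
#
# Sets up the edge web server shared by other modules: ACME certificates via
# the Cloudflare DNS-01 challenge, structured file logging tagged with build
# metadata, server-wide timeouts / proxy trust, and the sops wiring for the
# Cloudflare API token. The actual HTTPS sites are expected to be added through
# `services.caddy.virtualHosts` elsewhere; only a catch-all `http://` site is
# declared here.
{ inputs, self, ... }:
{
  flake.modules.nixos.caddy =
    {
      config,
      lib,
      pkgs,
      ...
    }:
    let
      caddyCfg = config.services.caddy;

      # Extra trusted-proxy CIDRs appended after `private_ranges` (none yet).
      # Kept as a list so upstream proxy ranges (e.g. the CDN's published
      # egress ranges) can be added without touching the Caddyfile string.
      trustedProxies = lib.strings.concatStringsSep " " [ ];

      # Build identifier recorded on every log line. Falls back to "unknown"
      # instead of failing evaluation when the flake exposes neither `rev` nor
      # `dirtyRev` (older Nix, or a non-git source).
      infraVersion = self.rev or self.dirtyRev or "unknown";
    in
    {
      # Keep ACME/certificate state and logs across reboots on an impermanent root.
      infra.persist.directories = [
        caddyCfg.logDir
        caddyCfg.dataDir
      ];

      # Only the public HTTP/HTTPS ports are opened. Note this list is bypassed
      # on any interface in `networking.firewall.trustedInterfaces`, which is
      # why the admin API below is bound to loopback rather than relying on it.
      networking.firewall.allowedTCPPorts = [
        80
        443
      ];

      sops = {
        # Cloudflare API token used for the DNS-01 challenge. Owned by the caddy
        # user so the service can read it; sops-nix keeps it out of the store.
        # NOTE(review): scope this token to DNS edit on the zone(s) Caddy manages
        # rather than an account-wide key — anything running as the caddy user
        # (including whoever reaches the admin API) can read the rendered file.
        secrets."services/cloudflare/dns_api_key" = {
          owner = caddyCfg.user;
        };
        templates."caddy.env" = {
          content = ''
            INFRA_CF_DNS_API_KEY="${config.sops.placeholder."services/cloudflare/dns_api_key"}"
          '';
          owner = caddyCfg.user;
        };
      };
      # Hand the rendered secret to Caddy via the environment; it is referenced
      # in the global config as {env.INFRA_CF_DNS_API_KEY}, so the key itself
      # never appears in the generated Caddyfile.
      systemd.services.caddy.serviceConfig.EnvironmentFile = config.sops.templates."caddy.env".path;

      services.caddy = {
        enable = true;
        package = pkgs.caddy.withPlugins {
          plugins = [
            # NOTE(review): this plugin reference appears mangled by the page
            # extraction (rendered like an e-mail address); upstream it is a
            # `module@version` pin. Confirm it matches the hash below.
            "github.com/caddy-dns/[email protected]" # for DNS-01 challenge
          ];
          # Fixed-output hash of the plugin build: pins exactly which plugin
          # source goes into the binary. Bump it together with the version.
          hash = "sha256-bzMqxWTqrJ1skZmRTXyEMCKStXpljbqe5r0Ve2cnBfM=";
        };

        # Access/runtime log as append-only file with build metadata on every
        # entry, so log lines can be tied back to the exact deployed revision.
        # Requires `networking.hostId` to be set; evaluation fails if it is null.
        logFormat = ''
          level INFO
          output file ${caddyCfg.logDir}/caddy.log
          format append {
            fields {
              "caddy.version" "${caddyCfg.package.version}"
              "infra.version" "${infraVersion}"
              "infra.nixpkgs_version" "${inputs.nixpkgs.rev}"
              "os.name" "${config.system.nixos.codeName}"
              "os.version" "${config.system.nixos.version}"
              "host.id" "${config.networking.hostId}"
              "host.name" "${config.networking.hostName}"
              service caddy
            }
          }
        '';

        # Global options. Security-relevant choices:
        #  - admin API on loopback only (it is unauthenticated and grants full
        #    control of the running config);
        #  - `skip_install_trust`: never try to install Caddy's local CA into
        #    the system trust store;
        #  - DNS-01 via Cloudflare, so no port-80 HTTP-01 dependency.
        globalConfig = ''
          # The admin endpoint has no authentication: anyone who can reach it can
          # replace the running config, e.g. with a file_server rooted anywhere the
          # caddy user can read (including the rendered env file). The previous
          # ":2019" bound it on every interface. Keep it on loopback; the NixOS
          # module's `caddy reload` reads the admin address from this config, so
          # reloads should keep working. If remote management or metrics scraping
          # is needed, expose it via a unix socket behind an authenticated proxy.
          admin localhost:2019
          grace_period 30s
          skip_install_trust
          email [email protected]
          acme_dns cloudflare {env.INFRA_CF_DNS_API_KEY}
          servers {
            timeouts {
              read_body 45s
              read_header 10s
              write 45s
              idle 10m
            }
            # client_ip is taken from the first present header below, but only
            # when the TCP peer is a trusted proxy. `private_ranges` trusts every
            # RFC1918/loopback peer, so any host on the LAN or a VPN can set an
            # arbitrary CF-Connecting-IP / X-Forwarded-For and have it logged as
            # the client. Do not use client_ip for access control or rate limiting
            # unless the proxy in front is known to strip these headers.
            trusted_proxies static [private_ranges] ${trustedProxies}
            client_ip_headers CF-Connecting-IP X-Forwarded-For
          }
          servers :443 {
            name https
          }
          servers :80 {
            name http
          }
        '';

        # Catch-all plain-HTTP site so the :80 server exists. NOTE(review): with
        # no handlers, requests for unmatched hosts presumably get an empty 200
        # rather than a redirect; confirm the automatic HTTP->HTTPS redirects for
        # the HTTPS hosts declared in other modules still behave as intended.
        virtualHosts."http://" = { };
      };
    };
}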