run caddy on racksrv asw

2025-06-06 07:01:38 +02:00 · 2025-06-06 07:01:38 +02:00 · 47820c5563
commit 47820c5563
parent 5f1ed3c492
6 changed files with 72 additions and 7 deletions
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@ -23,8 +23,7 @@ in {
    globalConfig = "metrics";
    virtualHosts = let
      mkPublicEntry = name: destination: {
-        useACMEHost = domain;
-        hostName = "${name}.${domain}";
+        hostName = "${name}.${domain}:80";
        extraConfig = ''
          reverse_proxy {
            to ${destination}
@ -33,6 +32,7 @@ in {
      };
      mkPrivateEntry = name: destination: {
        hostName = "${name}.hopper.priv.${domain}";
+        useACMEHost = domain;
        extraConfig = ''
          @blocked not remote_ip ${bridge}
          respond @blocked "limited to intranet" 403
@ -53,8 +53,7 @@ in {
      glances = mkPrivateEntry "glances" "${bridge}:${toString config.services.glances.port}";

      base = {
-        useACMEHost = domain;
-        hostName = "${domain}";
+        hostName = "${domain}:80";
        extraConfig = ''
          root * ${inputs.own-website.packages.${pkgs.system}.default}
          file_server
@ -62,8 +61,7 @@ in {
      };

      other = {
-        useACMEHost = domain;
-        hostName = "*.${domain}";
+        hostName = "*.${domain}:80";
        extraConfig = ''
          respond 404 {
            body "uhh that doesnt exist, i hope this isnt my fault.."
--- a/sys/machines/rackserv/caddy.nix
+++ b/sys/machines/rackserv/caddy.nix
@ -0,0 +1,43 @@
+{
+  vars,
+  config,
+  ...
+}: let
+  inherit (vars) domain;
+  hopper = "10.0.0.2";
+in {
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "xunuwu@gmail.com";
+    certs = {
+      "${domain}" = {
+        domain = "${domain}";
+        extraDomainNames = ["*.${domain}"];
+        dnsProvider = "cloudflare";
+        reloadServices = ["caddy.service"];
+        credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
+      };
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      misc = {
+        hostName = "${domain}";
+        serverAliases = ["*.${domain}"];
+        useACMEHost = domain;
+        extraConfig = ''
+          reverse_proxy ${hopper}
+        '';
+      };
+      other = {
+        extraConfig = ''
+          respond 404
+        '';
+      };
+    };
+  };
+}
--- a/sys/machines/rackserv/default.nix
+++ b/sys/machines/rackserv/default.nix
@ -12,6 +12,7 @@
      ./fail2ban.nix
      ./wireguard-server.nix
      ./backups.nix
+      ./caddy.nix
    ]
    ++ (map (x: systemProfiles + x) [
      /secrets/default.nix
--- a/sys/machines/rackserv/wireguard-server.nix
+++ b/sys/machines/rackserv/wireguard-server.nix
@ -7,7 +7,7 @@
  networking.firewall = let
    forwardPorts = {
      "10.0.0.2" =
-        [24001 24002 24003 443 80]
+        [24001 24002 24003]
        |> map (n: {
          protocols = ["tcp"];
          port = n;