xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos-config/sys/machines/hopper/lab/caddy.nix
xunuwu 1e6a17c6a7 improve caddy config
2025-05-04 09:32:58 +02:00

71 lines
2.4 KiB
Nix
Raw Blame History

{
config,
vars,
inputs,
...
}: let
inherit (vars.common) domain;
caddyPort = 8336;
bridge = config.vpnNamespaces."wg".bridgeAddress;
in {
systemd.services.caddy.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
systemd.services.caddy = {
environment.CADDY_ADMIN = "0.0.0.0:2019";
serviceConfig.RuntimeDirectory = "caddy";
};
services.caddy = {
enable = true;
globalConfig = "metrics";
virtualHosts = let
mkPublicEntry = name: destination: {
useACMEHost = domain;
hostName = "${name}.${domain}:${toString caddyPort}";
extraConfig = ''
@blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
respond @blocked "Access only allowed through cloudflare" 403
reverse_proxy {
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
to ${destination}
}
'';
};
mkPrivateEntry = name: destination: {
hostName = "${name}.hopper.xun.host:80";
extraConfig = "reverse_proxy ${destination}";
};
in {
jellyfin = mkPublicEntry "jellyfin" "${bridge}:8096";
navidrome = mkPublicEntry "navidrome" "unix//var/lib/navidrome/navidrome.sock";
vaultwarden = mkPublicEntry "vw" "${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
slskd = mkPrivateEntry "slskd" "localhost:${toString config.services.slskd.settings.web.port}";
prometheus = mkPrivateEntry "prometheus" "${bridge}:${toString config.services.prometheus.port}";
adguard = mkPrivateEntry "adguard" "${bridge}:${toString config.services.adguardhome.port}";
transmission = mkPrivateEntry "transmission" "localhost:${toString config.services.transmission.settings.rpc-port}";
dash = mkPrivateEntry "dash" "${bridge}:${toString config.services.homepage-dashboard.listenPort}";
other = {
useACMEHost = domain;
hostName = ":${toString caddyPort}";
extraConfig = ''
respond 404 {
body "uhh that doesnt exist, i hope this isnt my fault.."
}
'';
};
otherPriv = {
hostName = ":80";
extraConfig = ''
respond 404 {
body "uhh that doesnt exist, i hope this isnt my fault.."
}
'';
};
};
};
}
Reference in a new issue View git blame Copy permalink