feat(oksys): prepare caddy

2023-11-29 22:15:31 -05:00 · 2023-11-29 22:15:31 -05:00 · 07ff404017
parent f87c73d3d2
commit 07ff404017
3 changed files with 175 additions and 0 deletions
--- a/devices/oksys/modules/caddy.nix
+++ b/devices/oksys/modules/caddy.nix
@ -0,0 +1,150 @@
+{
+  caddy-plugins,
+  pkgs,
+  config,
+  ...
+}: let
+  user = config.services.device-vars.username;
+
+  caddy = caddy-plugins.packages.${pkgs.system}.default;
+
+  # TODO: use agenix?
+  verySecretToken = "TODO";
+in {
+  imports = [caddy-plugins.nixosModules.default];
+  environment.systemPackages = [caddy];
+  users.users.${user}.extraGroups = ["caddy"];
+
+  services.caddy = {
+    enable = true;
+    enableReload = false;
+    package = caddy;
+
+    virtualHosts = {
+      "http://pi.hole".reverseProxy = "localhost:8000";
+
+      "nelim.org" = let
+        mainIP = "10.0.0.122";
+        jellyIP = "10.0.0.123";
+      in {
+        serverAliases = ["*.nelim.org"];
+        extraConfig = ''
+           tls {
+             dns cloudflare ${verySecretToken}
+             resolvers 1.0.0.1
+          }
+        '';
+
+        subDomains = {
+          # Misc one-liners
+          vault.reverseProxy = "${mainIP}:8781";
+          hauk.reverseProxy = "${mainIP}:3003";
+          headscale.reverseProxy = "localhost:8085";
+          jelly.reverseProxy = "${jellyIP}:80";
+
+          # Resume builder
+          resume.reverseProxy = "${mainIP}:3060";
+          resauth.reverseProxy = "${mainIP}:3100";
+
+          # Nextcloud & Co
+          bakail.reverseProxy = "${mainIP}:8077";
+          office.reverseProxy = "http://${mainIP}:8055";
+          nextcloud = {
+            subDomainName = "cloud";
+            extraConfig = ''
+              redir /.well-known/carddav /remote.php/dav 301
+              redir /.well-known/caldav /remote.php/dav 301
+              redir /.well-known/webfinger /index.php/.well-known/webfinger 301
+              redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
+            '';
+            reverseProxy = "${mainIP}:8042";
+          };
+
+          forgejo = {
+            subDomainName = "git";
+            reverseProxy = "${mainIP}:3000";
+          };
+
+          calibre = {
+            subDomainName = "books";
+            reverseProxy = "${mainIP}:8083";
+          };
+
+          immich = {
+            subDomainName = "photos";
+            reverseProxy = "${mainIP}:2283";
+          };
+
+          # FreshRSS & Co
+          drss.reverseProxy = "${mainIP}:3007";
+          freshrss = {
+            subDomainName = "rss";
+            reverseProxy = "${mainIP}:2800";
+          };
+
+          jellyseer = {
+            subDomainName = "seerr";
+            reverseProxy = "${mainIP}:5055";
+          };
+
+          games.reverseProxy = "${mainIP}:8074";
+
+          # FIXME: what's the IP?
+          #wgui.extraConfig = ''
+          #  reverse_proxy ???:51821
+          #'';
+
+          lan = {
+            reverseProxy = "10.0.0.122:3020";
+            extraConfig = ''
+              redir /index.html /
+            '';
+
+            subDirectories = {
+              bazarr.reverseProxy = "10.0.0.122:6767";
+              bazarr-french = {
+                subDirName = "bafrr";
+                reverseProxy = "10.0.0.122:6766";
+              };
+
+              prowlarr.reverseProxy = "10.0.0.122:9696";
+              radarr.reverseProxy = "10.0.0.122:7878";
+              sabnzbd.reverseProxy = "10.0.0.122:8382";
+              sonarr.reverseProxy = "10.0.0.122:8989";
+
+              calibre = {
+                experimental = true;
+                reverseProxy = "10.0.0.122:8580";
+              };
+
+              qbittorent = {
+                subDirName = "qbt";
+                experimental = true;
+                reverseProxy = "10.0.0.128:8080";
+              };
+
+              vaultwarden = {
+                subDirName = "vault";
+                experimental = true;
+                reverseProxy = "10.0.0.122:8780";
+              };
+            };
+          };
+
+          # Top secret Business
+          joal.extraConfig = ''
+            route {
+              rewrite * /joal/ui{uri}
+              reverse_proxy * ${mainIP}:5656
+            }
+          '';
+          joalws.extraConfig = ''
+            route {
+              reverse_proxy ${mainIP}:5656
+            }
+          '';
+        };
+      };
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -20,6 +20,26 @@
        "type": "github"
      }
    },
+    "caddy-plugins": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1701313498,
+        "narHash": "sha256-nENCM5LlV3a/1NN9O2kRoSqxzJKxew+CQB/eqtM6l6I=",
+        "owner": "matt1432",
+        "repo": "nixos-caddy-patched",
+        "rev": "024433df425afbb0cda263336cc159598775de3d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "matt1432",
+        "repo": "nixos-caddy-patched",
+        "type": "github"
+      }
+    },
    "coc-stylelintplus-flake": {
      "inputs": {
        "flake-utils": "flake-utils",
@ -816,6 +836,7 @@
    "root": {
      "inputs": {
        "ags": "ags",
+        "caddy-plugins": "caddy-plugins",
        "coc-stylelintplus-flake": "coc-stylelintplus-flake",
        "headscale": "headscale",
        "home-manager": "home-manager",
--- a/flake.nix
+++ b/flake.nix
@ -16,6 +16,10 @@
      url = "github:juanfont/headscale";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    caddy-plugins = {
+      url = "github:matt1432/nixos-caddy-patched";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

    hyprland = {
      url = "github:hyprwm/Hyprland";