feat(caddy): move to new package

2024-12-29 01:28:33 -05:00 · 2024-12-29 01:28:33 -05:00 · 98833bdc6f
commit 98833bdc6f
parent 83fe089c5e
14 changed files with 367 additions and 46 deletions
--- a/configurations/cluster/modules/caddy/default.nix
+++ b/configurations/cluster/modules/caddy/default.nix
@ -0,0 +1,175 @@
+{
+  config,
+  lib,
+  mainUser,
+  pkgs,
+  self,
+  ...
+}: let
+  inherit (lib) attrValues;
+
+  inherit (config.sops) secrets;
+  inherit (config.networking) hostName;
+in {
+  imports = [self.nixosModules.caddy-plus];
+
+  users.users.${mainUser}.extraGroups = ["caddy"];
+
+  boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;
+
+  systemd.services.caddy.serviceConfig = {
+    EnvironmentFile = secrets.caddy-cloudflare.path;
+  };
+
+  services.caddy = {
+    enable = true;
+    enableReload = false;
+
+    package = let
+      pluginsInfo = import ./plugins.nix;
+    in
+      pkgs.caddy.withPlugins {
+        plugins = map (x: "${x.url}@${x.version}") (attrValues pluginsInfo.plugins);
+        inherit (pluginsInfo) hash;
+      };
+
+    virtualHosts = let
+      clusterIP = config.services.pcsd.virtualIps.caddy-vip.ip;
+      nosIP = "10.0.0.121";
+      serviviIP = "10.0.0.249";
+      homieIP = "100.64.0.10";
+
+      tlsConf = ''
+        tls {
+          dns cloudflare {$CLOUDFLARE_API_TOKEN}
+          resolvers 1.0.0.1
+        }
+      '';
+
+      mkPublicReverseProxy = subdomain: ip: extraConf:
+        {
+          hostName = "${subdomain}.nelim.org";
+          reverseProxy = ip;
+          listenAddresses = [clusterIP];
+          extraConfig = tlsConf + (extraConf.extraConfig or "");
+        }
+        // (builtins.removeAttrs extraConf ["extraConfig"]);
+    in {
+      # Public
+      "Home-Assistant" = mkPublicReverseProxy "homie" "${homieIP}:8123" {};
+      "Vaultwarden" = mkPublicReverseProxy "vault" "${nosIP}:8781" {};
+      "Hauk" = mkPublicReverseProxy "hauk" "${nosIP}:3003" {};
+      "Headscale" = mkPublicReverseProxy "headscale" "${clusterIP}:8085" {};
+
+      "Jellyfin" = mkPublicReverseProxy "jelly" "${nosIP}:8096" {
+        subDirectories.jfa-go = {
+          subDirName = "accounts";
+          reverseProxy = "${nosIP}:8056";
+        };
+      };
+
+      "Jellyseer" = mkPublicReverseProxy "seerr" "${nosIP}:5055" {};
+
+      "Gameyfin" = mkPublicReverseProxy "games" "${nosIP}:8074" {};
+
+      "Forgejo" = mkPublicReverseProxy "git" "${nosIP}:3000" {};
+
+      "Nextcloud" = mkPublicReverseProxy "cloud" "${nosIP}:8042" {
+        extraConfig = ''
+          redir /.well-known/carddav /remote.php/dav 301
+          redir /.well-known/caldav /remote.php/dav 301
+          redir /.well-known/webfinger /index.php/.well-known/webfinger 301
+          redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
+        '';
+      };
+      "OnlyOffice" = mkPublicReverseProxy "office" "http://${nosIP}:8055" {};
+
+      "Immich" = mkPublicReverseProxy "photos" "${nosIP}:2283" {};
+
+      "Binary Cache" = mkPublicReverseProxy "cache" "${serviviIP}:5000" {};
+      "Apt Binary Cache" = mkPublicReverseProxy "cache-apt" "${homieIP}:5000" {};
+
+      # Private
+      "nelim.org" = {
+        serverAliases = ["*.nelim.org"];
+        extraConfig = tlsConf;
+        listenAddresses = [
+          (
+            if hostName == "thingone"
+            then "100.64.0.8"
+            else "100.64.0.9"
+          )
+        ];
+
+        subDomains = {
+          esphome.reverseProxy = "${homieIP}:6052";
+          pr-tracker.reverseProxy = "${serviviIP}:3000";
+
+          pcsd = {
+            extraConfig = ''
+              reverse_proxy https://${clusterIP}:2224 {
+                  transport http {
+                      tls_insecure_skip_verify
+                  }
+              }
+            '';
+          };
+
+          # Resume builder
+          resume.reverseProxy = "${nosIP}:3060";
+          resauth.reverseProxy = "${nosIP}:3100";
+
+          # FreshRSS & Co
+          bridge.reverseProxy = "${nosIP}:3006";
+          drss.reverseProxy = "${nosIP}:3007";
+          freshrss = {
+            subDomainName = "rss";
+            reverseProxy = "${nosIP}:2800";
+          };
+
+          wgui.reverseProxy = "${nosIP}:51821";
+
+          lan = {
+            reverseProxy = "${nosIP}:3020";
+            extraConfig = ''
+              redir /index.html /
+            '';
+
+            subDirectories = {
+              bazarr.reverseProxy = "${nosIP}:6767";
+              prowlarr.reverseProxy = "${nosIP}:9696";
+              radarr.reverseProxy = "${nosIP}:7878";
+              sabnzbd.reverseProxy = "${nosIP}:8382";
+              sonarr.reverseProxy = "${nosIP}:8989";
+
+              qbittorent = {
+                subDirName = "qbt";
+                experimental = true;
+                reverseProxy = "${nosIP}:8080";
+              };
+
+              vaultwarden = {
+                subDirName = "vault";
+                experimental = true;
+                reverseProxy = "${nosIP}:8780";
+              };
+            };
+          };
+
+          # Top secret Business
+          joal.extraConfig = ''
+            route {
+              rewrite * /joal/ui{uri}
+              reverse_proxy * ${nosIP}:5656
+            }
+          '';
+          joalws.extraConfig = ''
+            route {
+              reverse_proxy ${nosIP}:5656
+            }
+          '';
+        };
+      };
+    };
+  };
+}
--- a/configurations/cluster/modules/caddy/plugins.nix
+++ b/configurations/cluster/modules/caddy/plugins.nix
@ -0,0 +1,11 @@
+# This file was autogenerated. DO NOT EDIT!
+{
+  plugins = {
+    cloudflare = {
+      url = "github.com/caddy-dns/cloudflare";
+      version = "v0.0.0-20240703190432-89f16b99c18e";
+    };
+  };
+
+  hash = "sha256-WGV/Ve7hbVry5ugSmTYWDihoC9i+D3Ct15UKgdpYc9U=";
+}