# NixOS module: Caddy as the TLS-terminating reverse proxy for nelim.org and
# its subdomains.
#
# The package and the per-host `subDomains` / `subDirectories` /
# `reverseProxy` / `experimental` options appear to come from the
# `caddy-plugins` argument (its NixOS module is imported below); their exact
# semantics are defined there, not in this file.
{
  caddy-plugins,
  pkgs,
  config,
  ...
}: let
  mainUser = config.vars.mainUser;
  sopsSecrets = config.sops.secrets;

  caddyPkg = caddy-plugins.packages.${pkgs.system}.default;

  # Upstream addresses used by the virtual host below.
  vipAddr = config.services.pcsd.virtualIps.caddy-vip.ip;
  nosAddr = "10.0.0.121";
  serviviAddr = "10.0.0.249";
in {
  imports = [caddy-plugins.nixosModules.default];

  # User stuff: put the Caddy binary on PATH and add the main user to the
  # `caddy` group.
  # NOTE(review): group membership gives that user whatever the group can
  # read or write among Caddy's files; what that covers depends on file modes
  # not shown here. Confirm this is intended.
  environment.systemPackages = [caddyPkg];
  users.users.${mainUser}.extraGroups = ["caddy"];

  systemd.services.caddy.serviceConfig = {
    # The unit's environment is read from a sops-managed secret file.
    # Presumably it defines CLOUDFLARE_API_TOKEN, which the `tls` block below
    # references. NOTE(review): the token is readable by the running service,
    # so it is worth scoping it to DNS edits on this one zone only.
    EnvironmentFile = sopsSecrets.caddy-cloudflare.path;

    # For some reason the service doesn't shutdown normally, so systemd is
    # told to use SIGKILL for both stop and restart.
    # NOTE(review): SIGKILL cannot be handled by the process, so Caddy gets no
    # graceful shutdown and in-flight requests are cut off.
    KillSignal = "SIGKILL";
    RestartKillSignal = "SIGKILL";
  };

  services.caddy = {
    enable = true;
    enableReload = false;
    package = caddyPkg;

    virtualHosts = {
      # One site for the apex with a wildcard alias. Certificates are obtained
      # through the DNS challenge with the Cloudflare provider.
      # `{$CLOUDFLARE_API_TOKEN}` is a Caddyfile environment placeholder, so
      # this Nix code carries only the placeholder and not the token.
      #
      # NOTE(review): nothing in this file restricts who may reach a given
      # subdomain. Access control, if any, is applied by the backends, by the
      # imported module, or by DNS/firewall rules not shown here; verify that
      # for the management-looking entries (pcsd, wgui, everything under lan).
      # NOTE(review): apart from pcsd, upstreams are given as host:port or
      # explicit http://, so the proxy-to-backend hop is presumably plaintext
      # HTTP on the 10.0.0.x network.
      "nelim.org" = {
        serverAliases = ["*.nelim.org"];

        extraConfig = ''
          tls {
            dns cloudflare {$CLOUDFLARE_API_TOKEN}
            resolvers 1.0.0.1
          }
        '';

        subDomains = {
          # Misc one-liners
          vault = {reverseProxy = "${nosAddr}:8781";};
          hauk = {reverseProxy = "${nosAddr}:3003";};
          headscale = {reverseProxy = "${vipAddr}:8085";};

          jellyfin = {
            subDomainName = "jelly";
            reverseProxy = "${nosAddr}:8096";

            subDirectories.jfa-go = {
              subDirName = "accounts";
              reverseProxy = "${nosAddr}:8056";
            };
          };

          # pcsd is proxied over HTTPS, but with upstream certificate
          # verification switched off.
          # NOTE(review): with `tls_insecure_skip_verify` the hop to the
          # cluster VIP is encrypted but not authenticated. If the pcsd
          # certificate or its CA can be exported, trusting it in the
          # transport (`tls_trust_pool`, or `tls_trusted_ca_certs` on older
          # Caddy releases) restores the check.
          pcsd.extraConfig = ''
            reverse_proxy https://${vipAddr}:2224 {
              transport http {
                tls_insecure_skip_verify
              }
            }
          '';

          # Resume builder
          resume = {reverseProxy = "${nosAddr}:3060";};
          resauth = {reverseProxy = "${nosAddr}:3100";};

          # Nextcloud & Co
          office = {reverseProxy = "http://${nosAddr}:8055";};

          nextcloud = {
            subDomainName = "cloud";
            reverseProxy = "${nosAddr}:8042";

            # Service-discovery redirects onto Nextcloud's own endpoints.
            extraConfig = ''
              redir /.well-known/carddav /remote.php/dav 301
              redir /.well-known/caldav /remote.php/dav 301
              redir /.well-known/webfinger /index.php/.well-known/webfinger 301
              redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
            '';
          };

          forgejo = {
            subDomainName = "git";
            reverseProxy = "${nosAddr}:3000";
          };

          nix-binary-cache = {
            subDomainName = "cache";
            reverseProxy = "${serviviAddr}:5000";
          };

          calibre = {
            subDomainName = "books";
            reverseProxy = "${nosAddr}:8083";
          };

          immich = {
            subDomainName = "photos";
            reverseProxy = "${nosAddr}:2283";
          };

          # FreshRSS & Co
          bridge = {reverseProxy = "${nosAddr}:3006";};
          drss = {reverseProxy = "${nosAddr}:3007";};

          freshrss = {
            subDomainName = "rss";
            reverseProxy = "${nosAddr}:2800";
          };

          jellyseer = {
            subDomainName = "seerr";
            reverseProxy = "${nosAddr}:5055";
          };

          gameyfin = {
            subDomainName = "games";
            reverseProxy = "${nosAddr}:8074";
          };

          wgui = {reverseProxy = "${nosAddr}:51821";};

          # `lan` serves a landing page at the root and mounts further
          # services as sub-directories.
          lan = {
            reverseProxy = "${nosAddr}:3020";

            extraConfig = ''
              redir /index.html /
            '';

            subDirectories = {
              bazarr = {reverseProxy = "${nosAddr}:6767";};
              prowlarr = {reverseProxy = "${nosAddr}:9696";};
              radarr = {reverseProxy = "${nosAddr}:7878";};
              sabnzbd = {reverseProxy = "${nosAddr}:8382";};
              sonarr = {reverseProxy = "${nosAddr}:8989";};
              calibre = {reverseProxy = "${nosAddr}:8580";};

              # `experimental` is an option of the imported module; its effect
              # is defined there.
              qbittorent = {
                subDirName = "qbt";
                experimental = true;
                reverseProxy = "${nosAddr}:8080";
              };

              vaultwarden = {
                subDirName = "vault";
                experimental = true;
                reverseProxy = "${nosAddr}:8780";
              };
            };
          };

          # Top secret Business
          joal = {
            # Every request path is prefixed with /joal/ui before proxying.
            extraConfig = ''
              route {
                rewrite * /joal/ui{uri}
                reverse_proxy * ${nosAddr}:5656
              }
            '';
          };

          joalws = {
            extraConfig = ''
              route {
                reverse_proxy ${nosAddr}:5656
              }
            '';
          };
        };
      };
    };
  };
}