nixos/options/custom/services/caddy.nix

{
  config,
  inputs,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.custom.services.caddy;
in {
  options.custom.services.caddy.enable = mkOption {default = false;};

  config = mkIf cfg.enable {
    age.secrets = let
      secret = filename: {
        file = "${inputs.self}/secrets/${filename}";
        owner = "caddy";
        group = "caddy";
      };
    in {
      "${config.custom.profile}/caddy/Caddyfile" = secret "${config.custom.profile}/caddy/Caddyfile";
    };

    # https://caddyserver.com/
    # https://github.com/caddyserver/caddy
    services = {
      caddy = {
        enable = true;

        # BUG: DNS-over-TLS not currently functional, reattempt when fixed or PROXY protocol supported
        # https://github.com/mholt/caddy-l4/issues/276
        # https://github.com/AdguardTeam/AdGuardHome/issues/2798
        # TODO: Use stable package when available with plugins
        # https://github.com/NixOS/nixpkgs/pull/358586
        # package = pkgs.unstable.caddy.withPlugins {
        #   #?? Copy from failed build
        #   hash = "sha256-rB2exWVfKS82QpAuEM6+PlUNNmd8sqxvqNHRxCVIE/c=";

        #   #?? REPO@TAG
        #   plugins = [
        #     # https://github.com/mholt/caddy-l4
        #     "github.com/mholt/caddy-l4@v0.0.0-20250124234235-87e3e5e2c7f9"

        #     # https://github.com/tailscale/caddy-tailscale
        #     "github.com/tailscale/caddy-tailscale@v0.0.0-20250207004440-fd3f49d73216"
        #   ];
        # };

        # TODO: Convert services to Tailscale subdomains when supported or use plugin when supported by nix
        # https://github.com/tailscale/tailscale/issues/7081
        # https://github.com/tailscale/caddy-tailscale
        # https://github.com/NixOS/nixpkgs/pull/317881
        configFile = config.age.secrets."${config.custom.profile}/caddy/Caddyfile".path;
      };
    };

    # Serve static files
    systemd.tmpfiles.settings."10-caddy" = {
      "/srv/static" = {
        d = {
          user = "caddy";
          group = "caddy";
        };

        #!! Recursive
        Z = {
          user = "caddy";
          group = "caddy";
        };
      };
    };

    networking.firewall = {
      allowedTCPPorts = [
        80 # HTTP
        443 # HTTPS
      ];
    };
  };
}
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00			`{`
			`config,`
			`inputs,`
			`lib,`
caddy: add disabled plugins Signed-off-by: Myned <dev@bjork.tech> 2025-02-06 20:43:53 -06:00			`pkgs,`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00			`...`
			`}:`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-12 20:50:53 -05:00			`with lib; let`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00			`cfg = config.custom.services.caddy;`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-12 20:50:53 -05:00			`in {`
			`options.custom.services.caddy.enable = mkOption {default = false;};`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00
			`config = mkIf cfg.enable {`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-12 20:50:53 -05:00			`age.secrets = let`
			`secret = filename: {`
			`file = "${inputs.self}/secrets/${filename}";`
			`owner = "caddy";`
			`group = "caddy";`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00			`};`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-12 20:50:53 -05:00			`in {`
			`"${config.custom.profile}/caddy/Caddyfile" = secret "${config.custom.profile}/caddy/Caddyfile";`
			`};`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00
			`# https://caddyserver.com/`
			`# https://github.com/caddyserver/caddy`
			`services = {`
			`caddy = {`
			`enable = true;`

caddy: add disabled plugins Signed-off-by: Myned <dev@bjork.tech> 2025-02-06 20:43:53 -06:00			`# BUG: DNS-over-TLS not currently functional, reattempt when fixed or PROXY protocol supported`
			`# https://github.com/mholt/caddy-l4/issues/276`
			`# https://github.com/AdguardTeam/AdGuardHome/issues/2798`
			`# TODO: Use stable package when available with plugins`
			`# https://github.com/NixOS/nixpkgs/pull/358586`
			`# package = pkgs.unstable.caddy.withPlugins {`
			`# #?? Copy from failed build`
			`# hash = "sha256-rB2exWVfKS82QpAuEM6+PlUNNmd8sqxvqNHRxCVIE/c=";`

			`# #?? REPO@TAG`
			`# plugins = [`
			`# # https://github.com/mholt/caddy-l4`
			`# "github.com/mholt/caddy-l4@v0.0.0-20250124234235-87e3e5e2c7f9"`

			`# # https://github.com/tailscale/caddy-tailscale`
			`# "github.com/tailscale/caddy-tailscale@v0.0.0-20250207004440-fd3f49d73216"`
			`# ];`
			`# };`

git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00			`# TODO: Convert services to Tailscale subdomains when supported or use plugin when supported by nix`
			`# https://github.com/tailscale/tailscale/issues/7081`
			`# https://github.com/tailscale/caddy-tailscale`
			`# https://github.com/NixOS/nixpkgs/pull/317881`
			`configFile = config.age.secrets."${config.custom.profile}/caddy/Caddyfile".path;`
			`};`
			`};`

			`# Serve static files`
nix: use tmpfiles.settings instead of rules Signed-off-by: Myned <dev@bjork.tech> 2024-12-06 19:48:23 -06:00			`systemd.tmpfiles.settings."10-caddy" = {`
			`"/srv/static" = {`
			`d = {`
			`user = "caddy";`
			`group = "caddy";`
			`};`

			`#!! Recursive`
			`Z = {`
			`user = "caddy";`
			`group = "caddy";`
			`};`
			`};`
			`};`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-08 19:22:14 -05:00
			`networking.firewall = {`
			`allowedTCPPorts = [`
			`80 # HTTP`
			`443 # HTTPS`
			`];`
			`};`
			`};`
			`}`