nixos/options/custom/services/caddy.nix
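# NixOS module: reverse proxy via Caddy, configured from an age-encrypted
# Caddyfile, plus the firewall rules this host needs for the services it
# fronts.
{
  config,
  inputs,
  lib,
  ...
}:
let
  # Explicit imports instead of `with lib;` so it is visible which lib
  # helpers the module depends on and nothing else leaks into scope.
  inherit (lib) mkIf mkOption types;

  cfg = config.custom.services.caddy;

  # Name of the age secret that holds the Caddyfile for the active profile;
  # used both to declare the secret and to look up its decrypted path below.
  caddyfileSecret = "${config.custom.profile}/caddy/Caddyfile";

  # Build an age secret entry for `filename`, stored under secrets/ in this
  # flake. The decrypted file is owned by the caddy user/group so the
  # service can read it without running as root.
  secret = filename: {
    file = "${inputs.self}/secrets/${filename}";
    owner = "caddy";
    group = "caddy";
  };
in
{
  options.custom.services.caddy.enable = mkOption {
    type = types.bool;
    default = false;
    description = "Enable the Caddy reverse proxy and its firewall rules.";
  };

  config = mkIf cfg.enable {
    age.secrets.${caddyfileSecret} = secret caddyfileSecret;

    # https://caddyserver.com/
    # https://github.com/caddyserver/caddy
    services.caddy = {
      enable = true;
      # TODO: Convert services to Tailscale subdomains when supported or use plugin when supported by nix
      # https://github.com/tailscale/tailscale/issues/7081
      # https://github.com/tailscale/caddy-tailscale
      # https://github.com/NixOS/nixpkgs/pull/317881
      # Point Caddy at the decrypted secret rather than a world-readable
      # file in the Nix store.
      configFile = config.age.secrets.${caddyfileSecret}.path;
    };

    # Serve static files from /srv/static.
    # `d` creates the directory (default mode, caddy:caddy) if missing;
    # `Z` recursively re-applies caddy:caddy ownership on every boot.
    systemd.tmpfiles.rules = [
      "d /srv/static - caddy caddy"
      "Z /srv/static - caddy caddy"
    ];

    # https://wiki.nixos.org/wiki/Firewall
    # https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
    # https://element-hq.github.io/synapse/latest/turn-howto.html
    # NOTE(review): only 80/443 are Caddy's own listeners; the RTMP and TURN
    # ports are opened here for other services presumably co-located on this
    # host (see the coturn/synapse links) — confirm they are still needed.
    networking.firewall = {
      enable = true;
      allowedTCPPorts = [
        80 # HTTP
        443 # HTTPS
        1935 # RTMP
        3478 # TURN
        5349 # TURN
      ];
      allowedUDPPorts = [
        3478 # TURN
        5349 # TURN
      ];
      # TURN relay port range, as recommended by the coturn README above.
      allowedUDPPortRanges = [
        {
          # TURN
          from = 49152;
          to = 65535;
        }
      ];
    };
  };
}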