From 6e8309029bd5ccea5f83a020b682b3c1a82bef88 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Tue, 16 Apr 2024 01:26:43 +0200
Subject: [PATCH] caddy

---
 hosts/alpha/acme.nix | 2 ++
 hosts/alpha/caddy.nix | 25 +++++++++++++++++++++++++
 hosts/alpha/default.nix | 1 +
 modules/server/caddy.nix | 30 ++++++++++++++++++++++++++++++
 modules/server/default.nix | 1 +
 5 files changed, 59 insertions(+)
 create mode 100644 hosts/alpha/caddy.nix
 create mode 100644 modules/server/caddy.nix

diff --git a/hosts/alpha/acme.nix b/hosts/alpha/acme.nix
index edb35e7..ba4f9e1 100644
--- a/hosts/alpha/acme.nix
+++ b/hosts/alpha/acme.nix
@@ -2,10 +2,12 @@
 security.acme.certs."caspervk.net" = {
 domain = "*.caspervk.net";
 reloadServices = [
+ "caddy.service"
 "murmur.service"
 ];
 };
 users.groups.acme.members = [
+ "caddy"
 "murmur"
 ];
 }
diff --git a/hosts/alpha/caddy.nix b/hosts/alpha/caddy.nix
new file mode 100644
index 0000000..a300e51
--- /dev/null
+++ b/hosts/alpha/caddy.nix
@@ -0,0 +1,25 @@
+{...}: {
+ # See modules/server/caddy.nix
+ services.caddy = {
+ # Wildcard certificates are used whenever possible to avoid leaking domains
+ # to the certificate transparency logs.
+ virtualHosts = let
+ # https://caddy.community/t/caddy-server-that-returns-only-ip-address-as-text/6928
+ ipConfig = ''
+ templates
+ header Content-Type text/plain
+ respond "{{.RemoteIP}}"
+ '';
+ in {
+ # Explicit http:// and https:// disables automatic HTTPS redirect to
+ # allow for easier curl'ing.
+ "http://ip.caspervk.net" = {
+ extraConfig = ipConfig;
+ };
+ "https://ip.caspervk.net" = {
+ useACMEHost = "caspervk.net";
+ extraConfig = ipConfig;
+ };
+ };
+ };
+}
diff --git a/hosts/alpha/default.nix b/hosts/alpha/default.nix
index 07c3ec2..ff66f22 100644
--- a/hosts/alpha/default.nix
+++ b/hosts/alpha/default.nix
@@ -4,6 +4,7 @@
 ../../modules/base
 ../../modules/server
 ./acme.nix
+ ./caddy.nix
 ./hardware.nix
 ./knot-dns.nix
 ./mumble.nix
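Review bot: In hosts/alpha/caddy.nix the `respond "{{.RemoteIP}}"` line of ipConfig reports the address of the TCP peer Caddy accepted, so, as far as I know the templates module, it is only the visitor's own address while this host terminates connections directly; placed behind a CDN or reverse proxy it would echo the proxy instead, and nothing in the config records that assumption. Consider extending the comment above ipConfig with `# RemoteIP is the direct TCP peer, so this breaks behind a proxy/CDN.` The body handed to `templates` is the fixed respond text, so no request-controlled data reaches the template engine; that too is worth a line, since `templates` is usually what reviewers look at first. The wildcard-certificate comment describes only the https:// host, as the http:// host carries no useACMEHost.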
diff --git a/modules/server/caddy.nix b/modules/server/caddy.nix
new file mode 100644
index 0000000..02ba4ad
--- /dev/null
+++ b/modules/server/caddy.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ lib,
+ ...
+}:
+# Virtual hosts are configured in each server's caddy.nix. This module
+# configures shared auxiliary settings if any are configured.
+lib.mkIf (config.services.caddy.virtualHosts != {}) {
+ # Caddy is a powerful, enterprise-ready, open source web server with
+ # automatic HTTPS written in Go.
+ # https://nixos.wiki/wiki/Caddy
+ services.caddy = {
+ enable = true;
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ };
+
+ environment.persistence."/nix/persist" = {
+ directories = [
+ {
+ directory = "/var/lib/caddy";
+ user = "caddy";
+ group = "caddy";
+ mode = "0755";
+ }
+ ];
+ };
+}
diff --git a/modules/server/default.nix b/modules/server/default.nix
index 2f21acd..176f3b3 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,6 +1,7 @@
 {...}: {
 imports = [
 ./acme.nix
+ ./caddy.nix
 ./system.nix
 ];
 }
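Review bot: The persisted `/var/lib/caddy` directory is given `mode = "0755"`, which makes Caddy's state directory world-readable; if any future virtual host omits useACMEHost, Caddy obtains its own certificates and keeps the ACME account key and certificate private keys under this directory, so a tighter `mode = "0700";` (the service runs as the caddy user it is already owned by) is the safer default even though the files themselves may carry their own permissions. Whether Caddy's storage layer restricts file modes on its own is not visible here and should be confirmed before relying on it. The `lib.mkIf (config.services.caddy.virtualHosts != {})` guard opens 80 and 443 as soon as any host defines a vhost, which the module comment should state explicitly, e.g. `# Enabling any virtual host also opens 80/443 in the firewall.`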