This commit is contained in:
Casper V. Kristensen 2024-04-16 01:26:43 +02:00
parent 90982b423c
commit 83d77adb77
5 changed files with 59 additions and 0 deletions


@ -2,11 +2,13 @@
security.acme.certs."caspervk.net" = {
domain = "*.caspervk.net";
reloadServices = [
"caddy.service"
"kresd@1.service"
"kresd@2.service"
];
};
users.groups.acme.members = [
"caddy"
"knot-resolver"
];
}

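--- a/hosts/delta/caddy.nix
+++ b/hosts/delta/caddy.nix
@@ -0,0 +1,25 @@
+{...}: {
+# See modules/server/caddy.nix
+services.caddy = {
+# Wildcard certificates are used whenever possible to avoid leaking domains
+# to the certificate transparency logs.
+virtualHosts = let
+# https://caddy.community/t/caddy-server-that-returns-only-ip-address-as-text/6928
+ipConfig = ''
+templates
+header Content-Type text/plain
+respond "{{.RemoteIP}}"
+'';
+in {
+# Explicit http:// and https:// disables automatic HTTPS redirect to
+# allow for easier curl'ing.
+"http://ip.caspervk.net" = {
+extraConfig = ipConfig;
+};
+"https://ip.caspervk.net" = {
+useACMEHost = "caspervk.net";
+extraConfig = ipConfig;
+};
+};
+};
+}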
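Review bot: The `ipConfig` snippet documents where the idea comes from but not what `{{.RemoteIP}}` actually reports, which matters for an endpoint whose whole purpose is to echo the caller's address: it is the address of the TCP peer Caddy accepted, so if a reverse proxy or tunnel is ever placed in front of this host the response would presumably show that proxy's address rather than the client's (verify against the Caddy version in use). A one-line comment next to the `respond` directive would make that assumption explicit, e.g. `# {{.RemoteIP}} is the TCP peer address; this vhost must stay directly exposed (no proxy in front) to be meaningful.` The `templates` directive is also doing real work here and deserves a word, since a reader may otherwise wonder why a static response needs it: `# templates: evaluates the {{.RemoteIP}} placeholder in the response body.`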


@ -4,6 +4,7 @@
../../modules/base
../../modules/server
./acme.nix
./caddy.nix
./hardware.nix
./knot-resolver.nix
./network.nix

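--- a/modules/server/caddy.nix
+++ b/modules/server/caddy.nix
@@ -0,0 +1,30 @@
+{
+config,
+lib,
+...
+}:
+# Virtual hosts are configured in each server's caddy.nix. This module
+# configures shared auxiliary settings if any are configured.
+lib.mkIf (config.services.caddy.virtualHosts != {}) {
+# Caddy is a powerful, enterprise-ready, open source web server with
+# automatic HTTPS written in Go.
+# https://nixos.wiki/wiki/Caddy
+services.caddy = {
+enable = true;
+};
+networking.firewall = {
+allowedTCPPorts = [80 443];
+};
+environment.persistence."/nix/persist" = {
+directories = [
+{
+directory = "/var/lib/caddy";
+user = "caddy";
+group = "caddy";
+mode = "0755";
+}
+];
+};
+}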
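Review bot: The persisted `/var/lib/caddy` directory is created with `mode = "0755"`, which lets every local account traverse and list Caddy's state directory; the files inside keep their own permissions, so the exposure is limited to names and layout, but this is the directory where Caddy stores any certificates and keys it manages itself, so the least-privilege choice is `mode = "0700";` unless another service on the host genuinely needs to traverse it (the ACME module's certificates live elsewhere and are shared via the acme group, judging by the acme.nix hunk, so that does not seem to require it). Whichever mode is kept, a short comment stating why would save the next reader from guessing, e.g. `# Caddy's storage dir (certs, keys, ACME state); keep it private to the caddy user.` The `allowedTCPPorts = [80 443]` line is sensible as written; a brief note that both ports open whenever any virtual host is declared, because of the surrounding `mkIf`, would make that coupling visible to someone adding a host that is meant to stay internal.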


@ -1,6 +1,7 @@
{...}: {
imports = [
./acme.nix
./caddy.nix
./system.nix
];
}