nix/hosts/laptop-server/config/services/caddy/default.nix


{ pkgs, secrets, ... }:
let
  # Porkbun API credentials, looked up once so the environment block below
  # stays short.
  porkbun = secrets.programs.caddy;

  # Caddy with the Porkbun DNS provider module compiled in (presumably used by
  # the Caddyfile for the ACME DNS challenge; the Caddyfile itself is not
  # shown here). The output hash pins the exact build, so a changed upstream
  # plugin fails the build instead of being picked up silently.
  caddyWithPorkbun = pkgs.caddy.withPlugins {
    plugins = [ "github.com/caddy-dns/porkbun@v0.2.1" ];
    hash = "sha256-oizWuPXI0M9ngBCt/iEXWt+/33wpKlCs1yBPKnzFhRY=";
  };
in
{
  # TODO: Containerize once I setup a proper shared bridge network
  services.caddy.enable = true;
  services.caddy.package = caddyWithPorkbun;
  # A real Caddyfile next to this module rather than a multiline Nix string:
  # easier to read and it gets syntax highlighting.
  services.caddy.configFile = ./Caddyfile;

  # The DNS plugin reads its credentials from the service environment.
  # NOTE(review): anything set via `systemd.services.<name>.environment` is
  # rendered into the generated unit file in /nix/store, which is
  # world-readable, so these keys are visible to every local user of the host
  # (assuming `secrets` resolves to the literal key strings rather than a
  # path — confirm). `serviceConfig.EnvironmentFile` or `LoadCredential`
  # pointing at a root-only file outside the store keeps them out of it.
  systemd.services.caddy.environment.PORKBUN_API_KEY = porkbun.porkbun_api_key;
  systemd.services.caddy.environment.PORKBUN_API_SECRET_KEY = porkbun.porkbun_secret_key;

  # Open the ports Caddy listens on: TCP for HTTP/1.1 and HTTP/2, UDP for
  # HTTP/3 over QUIC.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 443 ];
}