# NixOS module: opt-in Caddy web server built with the caddy-tailscale plugin.
# Everything under `config` applies only when myNixOS.services.caddy.enable is set.
{
  config,
  lib,
  pkgs,
  self,
  ...
}: let
  cfg = config.myNixOS.services.caddy;
in {
  options.myNixOS.services.caddy.enable = lib.mkEnableOption "Caddy web server.";

  config = lib.mkIf cfg.enable {
    # agenix-encrypted file taken from the `secrets` flake input.
    # It defines TS_AUTHKEY and CF_API_TOKEN.
    # NOTE(review): the only plugin built below is caddy-tailscale; confirm
    # CF_API_TOKEN is still consumed somewhere, otherwise drop it from the
    # secret so the service holds no credential it does not use.
    age.secrets.caddy.file = "${self.inputs.secrets}/caddy.age";

    # Opens HTTP and HTTPS in the host firewall. This option is not scoped to
    # an interface.
    # NOTE(review): if the sites are meant to be reachable over the tailnet
    # only, confirm these ports need to be open here at all.
    networking.firewall.allowedTCPPorts = [80 443];

    # Raises the kernel ceiling for socket receive/send buffers to 7500000 bytes.
    # NOTE(review): presumably for QUIC/UDP throughput; no UDP port is opened
    # by this module, so confirm where that traffic is expected to arrive.
    boot.kernel.sysctl."net.core.rmem_max" = 7500000;
    boot.kernel.sysctl."net.core.wmem_max" = 7500000;

    services.caddy = {
      enable = true;

      # Restart the unit on configuration changes instead of reloading it.
      enableReload = false;

      # The decrypted secret is handed to the service as an environment file,
      # so its variables are part of the Caddy process environment.
      environmentFile = config.age.secrets.caddy.path;

      # Nodes registered by the plugin are ephemeral, so the tailnet drops
      # them once they go offline instead of accumulating stale devices.
      globalConfig = ''
        tailscale {
          ephemeral true
        }
      '';

      # The plugin is pinned to an exact pseudo-version (commit 642f61fea3cc)
      # and the build output is fixed by `hash`; any version bump must come
      # with a new hash, which makes silent upstream changes fail the build.
      package = pkgs.caddy.withPlugins {
        plugins = ["github.com/tailscale/caddy-tailscale@v0.0.0-20250508175905-642f61fea3cc"];
        hash = "sha256-r9EDkhcgwK11dB46AV+Em8ZE6Aa7IDMwibDGkg3e/rc=";
      };
    };

    # Allows the `caddy` user to request this node's TLS certificates from
    # the local tailscaled.
    services.tailscale.permitCertUid = "caddy";

    # Grants only the capability needed to bind ports below 1024.
    systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
  };
}