···
1
-
{ pkgs, lib, ... }: let
pns = lib.py.data.services;
marvin = lib.py.data.hosts.marvin.ts.ip4;
4
-
reverseProxyToMarvin = port: {
6
-
reverse_proxy http://${marvin}:${toString port}
5
+
tsNet = lib.py.data.tsNet;
6
+
reverseProxyToMarvin = port: ts: {
8
+
reverse_proxy http://${marvin}:${toString port}
9
+
${if ts then "tailscale_auth" else ""}
9
-
# Hosts that are just a reverse proxy declaration and nothing else
21
-
simpleHostAttrs = lib.mapAttrs' (name: value: lib.nameValuePair "${pns.${name}.extUrl}" (reverseProxyToMarvin (toString pns.${value}.port)))
22
-
(lib.genAttrs simpleHosts (name: name));
package = pkgs.caddy.withPlugins {
"github.com/caddy-dns/desec@v0.0.0-20240526070323-822a6a2014b2"
29
-
"github.com/greenpau/caddy-security@v1.1.29"
19
+
"github.com/greenpau/caddy-security@v1.1.31"
20
+
"github.com/tailscale/caddy-tailscale@v0.0.0-20250207163903-69a970c84556"
31
-
hash = "sha256-nfBjtwqn7UOGRr5Aqy0y1u9AYhWU9TLjbdhZ9uAwtHY=";
22
+
hash = "sha256-rvPZ/Lomx40tvlqqhUBIG9wCHJorN2FGus7gtO7ob/0=";
email = "pyrox@pyrox.dev";
# Just get TLS certs for mailserver
36
-
"mail.pyrox.dev" = {};
27
+
"mail.pyrox.dev" = { };
# Redirect old domains -> pyrox.dev
39
-
serverAliases = ["www.pyrox.dev" "thehedgehog.me"];
redir https://pyrox.dev{uri} permanent
···
77
-
"${pns.authentik.extUrl}:443" = reverseProxyToMarvin pns.authentik.port;
78
-
"${pns.authentik.extUrl}:80" = reverseProxyToMarvin pns.authentik.port;
79
-
"http://${pns.authentik.extUrl}:389" = reverseProxyToMarvin 389;
80
-
"${pns.authentik.extUrl}:636" = reverseProxyToMarvin 636;
71
+
"${pns.authentik.extUrl}:443" = reverseProxyToMarvin pns.authentik.port false;
72
+
"${pns.authentik.extUrl}:80" = reverseProxyToMarvin pns.authentik.port false;
73
+
"http://${pns.authentik.extUrl}:389" = reverseProxyToMarvin 389 false;
74
+
"${pns.authentik.extUrl}:636" = reverseProxyToMarvin 636 false;
${pns.vaultwarden.extUrl} = {
···
${pns.jellyfin.extUrl} = {
···
175
-
} // simpleHostAttrs;
171
+
${pns.git.extUrl} = {
173
+
reverse_proxy http://${marvin}:${toString pns.git.port}
178
+
${pns.grafana.extUrl} = {
180
+
reverse_proxy http://${marvin}:${toString pns.grafana.port}
185
+
${pns.miniflux.extUrl} = {
187
+
reverse_proxy http://${marvin}:${toString pns.miniflux.port}
192
+
${pns.nextcloud.extUrl} = {
194
+
reverse_proxy http://${marvin}:${toString pns.nextcloud.port}
198
+
# Nextcloud-Office(Collabora)
199
+
${pns.nextcloud-office.extUrl} = {
201
+
reverse_proxy http://${marvin}:${toString pns.nextcloud-office.port}
206
+
${pns.planka.extUrl} = {
208
+
reverse_proxy http://${marvin}:${toString pns.planka.port}
212
+
# Simple Tailscale Hosts
215
+
"${pns.deemix.tsHost}.${tsNet}" = {
217
+
bind tailscale/${pns.deemix.tsHost}
219
+
reverse_proxy http://${marvin}:${toString pns.deemix.port}
223
+
"${pns.pinchflat.tsHost}.${tsNet}" = {
225
+
bind tailscale/${pns.pinchflat.tsHost}
227
+
reverse_proxy http://${marvin}:${toString pns.pinchflat.port}
systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
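Review bot: The new `ts` flag on `reverseProxyToMarvin` is never exercised in this diff — all four authentik call sites pass `false`, so the `tailscale_auth` branch is dead code here and no site that turns it on is visible. If a `true` caller exists outside this view, keep in mind that `tailscale_auth` is a plugin directive, and as far as I know Caddy only adapts it when the global options block (not shown) orders it, e.g. `order tailscale_auth before reverse_proxy`, unless the plugin registers a default order; otherwise the Caddyfile fails to load rather than silently skipping the check. The helper also deserves a comment on what the flag buys, since a bare positional boolean at the call site says nothing: `# ts: emit tailscale_auth so only requests carrying a Tailscale identity reach the proxied port`. The enclosing `let` and the `services.caddy` attribute set both begin and continue outside the visible hunks.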