···

       
1
       
 
       
{

     

       
2
       
 
       
  data.hosts = builtins.fromTOML (builtins.readFile ./hosts.toml);

     

       
3
       
 
       
  data.services = builtins.fromTOML (builtins.readFile ./services.toml);

     

       
0
       
 
       

     

       
4
       
 
       
}

     

···

       
1
       
 
       
{

     

       
2
       
 
       
  data.hosts = builtins.fromTOML (builtins.readFile ./hosts.toml);

     

       
3
       
 
       
  data.services = builtins.fromTOML (builtins.readFile ./services.toml);

     

       
4
       
+
       
  data.tsNet = "coelacanth-dragon.ts.net";

     

       
5
       
 
       
}

     

···

       
1
       
-
       
{ pkgs, lib, ... }: let

     

       
0
       
 
       

     

       
2
       
 
       
  pns = lib.py.data.services;

     

       
3
       
 
       
  marvin = lib.py.data.hosts.marvin.ts.ip4;

     

       
4
       
-
       
  reverseProxyToMarvin = port: {

     

       
5
       
-
       
  extraConfig = ''

     

       
6
       
-
       
    reverse_proxy http://${marvin}:${toString port}

     

       
7
       
-
       
  '';

     

       
0
       
 
       

     

       
0
       
 
       

     

       
8
       
 
       
  };

     

       
9
       
-
       
  # Hosts that are just a reverse proxy declaration and nothing else

     

       
10
       
-
       
  simpleHosts = [

     

       
11
       
-
       
    "nextcloud"

     

       
12
       
-
       
    "nextcloud-office"

     

       
13
       
-
       
    "git"

     

       
14
       
-
       
    "miniflux"

     

       
15
       
-
       
    "iceshrimp"

     

       
16
       
-
       
    "grafana"

     

       
17
       
-
       
    "deemix"

     

       
18
       
-
       
    "planka"

     

       
19
       
-
       
  ];

     

       
20
       
-
       


     

       
21
       
-
       
  simpleHostAttrs = lib.mapAttrs' (name: value: lib.nameValuePair "${pns.${name}.extUrl}" (reverseProxyToMarvin (toString pns.${value}.port)))

     

       
22
       
-
       
    (lib.genAttrs simpleHosts (name: name));

     

       
23
       
-
       
in {

     

       
24
       
 
       
  services.caddy = {

     

       
25
       
 
       
    enable = true;

     

       
26
       
 
       
    package = pkgs.caddy.withPlugins {

     

       
27
       
 
       
      plugins = [

     

       
28
       
 
       
        "github.com/caddy-dns/desec@v0.0.0-20240526070323-822a6a2014b2"

     

       
29
       
-
       
        "github.com/greenpau/caddy-security@v1.1.29"

     

       
0
       
 
       

     

       
30
       
 
       
      ];

     

       
31
       
-
       
      hash = "sha256-nfBjtwqn7UOGRr5Aqy0y1u9AYhWU9TLjbdhZ9uAwtHY=";

     

       
32
       
 
       
    };

     

       
33
       
 
       
    email = "pyrox@pyrox.dev";

     

       
34
       
 
       
    virtualHosts = {

     

       
35
       
 
       
      # Just get TLS certs for mailserver

     

       
36
       
-
       
      "mail.pyrox.dev" = {};

     

       
37
       
 
       
      # Redirect old domains -> pyrox.dev

     

       
38
       
 
       
      "blog.pyrox.dev" = {

     

       
39
       
-
       
        serverAliases = ["www.pyrox.dev" "thehedgehog.me"];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
40
       
 
       
        extraConfig = ''

     

       
41
       
 
       
          redir https://pyrox.dev{uri} permanent

     

       
42
       
 
       
        '';

     
···

       
74
       
 
       
      };

     

       
75
       
 
       


     

       
76
       
 
       
      # Authentik

     

       
77
       
-
       
      "${pns.authentik.extUrl}:443" = reverseProxyToMarvin pns.authentik.port;

     

       
78
       
-
       
      "${pns.authentik.extUrl}:80" = reverseProxyToMarvin pns.authentik.port;

     

       
79
       
-
       
      "http://${pns.authentik.extUrl}:389" = reverseProxyToMarvin 389;

     

       
80
       
-
       
      "${pns.authentik.extUrl}:636" = reverseProxyToMarvin 636;

     

       
81
       
 
       


     

       
82
       
 
       
      # Vaultwarden

     

       
83
       
 
       
      ${pns.vaultwarden.extUrl} = {

     
···

       
112
       
 
       
          }

     

       
113
       
 
       
        '';

     

       
114
       
 
       
      };

     

       
115
       
-
       


     

       
116
       
 
       
      # Jellyfin

     

       
117
       
 
       
      ${pns.jellyfin.extUrl} = {

     

       
118
       
 
       
        extraConfig = ''

     
···

       
172
       
 
       
          metrics /metrics

     

       
173
       
 
       
        '';

     

       
174
       
 
       
      };

     

       
175
       
-
       
    } // simpleHostAttrs;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
176
       
 
       
  };

     

       
177
       
 
       
  systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       
178
       
 
       
  systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";

     

···

       
1
       
+
       
{ pkgs, lib, ... }:

     

       
2
       
+
       
let

     

       
3
       
 
       
  pns = lib.py.data.services;

     

       
4
       
 
       
  marvin = lib.py.data.hosts.marvin.ts.ip4;

     

       
5
       
+
       
  tsNet = lib.py.data.tsNet;

     

       
6
       
+
       
  reverseProxyToMarvin = port: ts: {

     

       
7
       
+
       
    extraConfig = ''

     

       
8
       
+
       
      reverse_proxy http://${marvin}:${toString port}

     

       
9
       
+
       
      ${if ts then "tailscale_auth" else ""}

     

       
10
       
+
       
    '';

     

       
11
       
 
       
  };

     

       
12
       
+
       
in

     

       
13
       
+
       
{

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
14
       
 
       
  services.caddy = {

     

       
15
       
 
       
    enable = true;

     

       
16
       
 
       
    package = pkgs.caddy.withPlugins {

     

       
17
       
 
       
      plugins = [

     

       
18
       
 
       
        "github.com/caddy-dns/desec@v0.0.0-20240526070323-822a6a2014b2"

     

       
19
       
+
       
        "github.com/greenpau/caddy-security@v1.1.31"

     

       
20
       
+
       
        "github.com/tailscale/caddy-tailscale@v0.0.0-20250207163903-69a970c84556"

     

       
21
       
 
       
      ];

     

       
22
       
+
       
      hash = "sha256-rvPZ/Lomx40tvlqqhUBIG9wCHJorN2FGus7gtO7ob/0=";

     

       
23
       
 
       
    };

     

       
24
       
 
       
    email = "pyrox@pyrox.dev";

     

       
25
       
 
       
    virtualHosts = {

     

       
26
       
 
       
      # Just get TLS certs for mailserver

     

       
27
       
+
       
      "mail.pyrox.dev" = { };

     

       
28
       
 
       
      # Redirect old domains -> pyrox.dev

     

       
29
       
 
       
      "blog.pyrox.dev" = {

     

       
30
       
+
       
        serverAliases = [

     

       
31
       
+
       
          "www.pyrox.dev"

     

       
32
       
+
       
          "thehedgehog.me"

     

       
33
       
+
       
        ];

     

       
34
       
 
       
        extraConfig = ''

     

       
35
       
 
       
          redir https://pyrox.dev{uri} permanent

     

       
36
       
 
       
        '';

     
···

       
68
       
 
       
      };

     

       
69
       
 
       


     

       
70
       
 
       
      # Authentik

     

       
71
       
+
       
      "${pns.authentik.extUrl}:443" = reverseProxyToMarvin pns.authentik.port false;

     

       
72
       
+
       
      "${pns.authentik.extUrl}:80" = reverseProxyToMarvin pns.authentik.port false;

     

       
73
       
+
       
      "http://${pns.authentik.extUrl}:389" = reverseProxyToMarvin 389 false;

     

       
74
       
+
       
      "${pns.authentik.extUrl}:636" = reverseProxyToMarvin 636 false;

     

       
75
       
 
       


     

       
76
       
 
       
      # Vaultwarden

     

       
77
       
 
       
      ${pns.vaultwarden.extUrl} = {

     
···

       
106
       
 
       
          }

     

       
107
       
 
       
        '';

     

       
108
       
 
       
      };

     

       
0
       
 
       

     

       
109
       
 
       
      # Jellyfin

     

       
110
       
 
       
      ${pns.jellyfin.extUrl} = {

     

       
111
       
 
       
        extraConfig = ''

     
···

       
165
       
 
       
          metrics /metrics

     

       
166
       
 
       
        '';

     

       
167
       
 
       
      };

     

       
168
       
+
       
      # SIMPLE HOSTS

     

       
169
       
+
       


     

       
170
       
+
       
      # Forgejo

     

       
171
       
+
       
      ${pns.git.extUrl} = {

     

       
172
       
+
       
        extraConfig = ''

     

       
173
       
+
       
          reverse_proxy http://${marvin}:${toString pns.git.port}

     

       
174
       
+
       
        '';

     

       
175
       
+
       
      };

     

       
176
       
+
       


     

       
177
       
+
       
      # Grafana

     

       
178
       
+
       
      ${pns.grafana.extUrl} = {

     

       
179
       
+
       
        extraConfig = ''

     

       
180
       
+
       
          reverse_proxy http://${marvin}:${toString pns.grafana.port}

     

       
181
       
+
       
        '';

     

       
182
       
+
       
      };

     

       
183
       
+
       


     

       
184
       
+
       
      # Miniflux

     

       
185
       
+
       
      ${pns.miniflux.extUrl} = {

     

       
186
       
+
       
        extraConfig = ''

     

       
187
       
+
       
          reverse_proxy http://${marvin}:${toString pns.miniflux.port}

     

       
188
       
+
       
        '';

     

       
189
       
+
       
      };

     

       
190
       
+
       


     

       
191
       
+
       
      # Nextcloud

     

       
192
       
+
       
      ${pns.nextcloud.extUrl} = {

     

       
193
       
+
       
        extraConfig = ''

     

       
194
       
+
       
          reverse_proxy http://${marvin}:${toString pns.nextcloud.port}

     

       
195
       
+
       
        '';

     

       
196
       
+
       
      };

     

       
197
       
+
       


     

       
198
       
+
       
      # Nextcloud-Office(Collabora)

     

       
199
       
+
       
      ${pns.nextcloud-office.extUrl} = {

     

       
200
       
+
       
        extraConfig = ''

     

       
201
       
+
       
          reverse_proxy http://${marvin}:${toString pns.nextcloud-office.port}

     

       
202
       
+
       
        '';

     

       
203
       
+
       
      };

     

       
204
       
+
       


     

       
205
       
+
       
      # Planka

     

       
206
       
+
       
      ${pns.planka.extUrl} = {

     

       
207
       
+
       
        extraConfig = ''

     

       
208
       
+
       
          reverse_proxy http://${marvin}:${toString pns.planka.port}

     

       
209
       
+
       
        '';

     

       
210
       
+
       
      };

     

       
211
       
+
       


     

       
212
       
+
       
      # Simple Tailscale Hosts

     

       
213
       
+
       


     

       
214
       
+
       
      # Deemix

     

       
215
       
+
       
      "${pns.deemix.tsHost}.${tsNet}" = {

     

       
216
       
+
       
        extraConfig = ''

     

       
217
       
+
       
          bind tailscale/${pns.deemix.tsHost}

     

       
218
       
+
       
          tailscale_auth

     

       
219
       
+
       
          reverse_proxy http://${marvin}:${toString pns.deemix.port}

     

       
220
       
+
       
        '';

     

       
221
       
+
       
      };

     

       
222
       
+
       
      # Pinchflat

     

       
223
       
+
       
      "${pns.pinchflat.tsHost}.${tsNet}" = {

     

       
224
       
+
       
        extraConfig = ''

     

       
225
       
+
       
          bind tailscale/${pns.pinchflat.tsHost}

     

       
226
       
+
       
          tailscale_auth

     

       
227
       
+
       
          reverse_proxy http://${marvin}:${toString pns.pinchflat.port}

     

       
228
       
+
       
        '';

     

       
229
       
+
       
      };

     

       
230
       
+
       


     

       
231
       
+
       
    };

     

       
232
       
 
       
  };

     

       
233
       
 
       
  systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       
234
       
 
       
  systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";