{ config, pkgs, ... }:

let
  # Caddy plugins, each pinned to an exact module version: the Bunny DNS
  # provider (ACME DNS-01) and the Bunny edge-IP trusted-proxy source.
  caddyPlugins = [
    "github.com/caddy-dns/bunny@v1.2.0"
    "github.com/digilolnet/caddy-bunny-ip@v0.0.0-20250118080727-ef607b8e1644"
  ];
  # Fixed-output hash of the plugin build; must be refreshed whenever
  # caddyPlugins changes, otherwise the build fails on a hash mismatch.
  caddyPluginsHash = "sha256-j82fgKbh8AcM9jbKUoRKQsAvF/xaUj3pZLdAr9QtST0=";
in
{
  # agenix-managed environment file for Caddy (holds BUNNY_API_KEY, referenced
  # from extraConfig below). Decrypted at activation; mode 600 restricts it to
  # the owning user.
  age.secrets.caddy.file = ../../secrets/caddy.age;
  age.secrets.caddy.mode = "600";

  services.caddy.enable = true;

  services.caddy.package = pkgs.caddy.withPlugins {
    plugins = caddyPlugins;
    hash = caddyPluginsHash;
  };

  # Sourced at service start, so the API key is read from the decrypted secret
  # at runtime rather than being written into this file.
  services.caddy.environmentFile = config.age.secrets.caddy.path;

  # Global options: ACME contact address and the trusted-proxy list. Only
  # peers in the set provided by the `bunny` source (presumably the Bunny
  # edge ranges fetched by caddy-bunny-ip) are trusted to supply forwarded
  # client headers; the list is refreshed every 6h with a 25s fetch timeout.
  services.caddy.globalConfig = ''
    email chloe@sapphic.moe
    servers {
      trusted_proxies bunny {
        interval 6h
        timeout 25s
      }
    }
  '';

  # Reusable Caddyfile snippets imported by individual site definitions:
  #  - tls_bunny: DNS-01 challenge via the Bunny API with explicit resolvers.
  #  - common: response compression.
  #  - deny_non_bunny: aborts requests whose client IP is not loopback.
  # NOTE(review): Caddy's `client_ip` matcher evaluates the forwarded client
  # address once the peer is a trusted proxy (see trusted_proxies above), so
  # as written deny_non_bunny admits only requests resolving to 127.0.0.1/::1
  # — confirm that matches what the snippet name is meant to express.
  services.caddy.extraConfig = ''
    (tls_bunny) {
      tls {
        dns bunny {env.BUNNY_API_KEY}
        resolvers 9.9.9.9 149.112.112.112
      }
    }

    (common) {
      encode zstd gzip
    }

    (deny_non_bunny) {
      @not_bunny not client_ip 127.0.0.1 ::1
      handle @not_bunny {
        abort
      }
    }
  '';

  # Structured JSON access/error logs at info level.
  services.caddy.logFormat = ''
    level info
    format json
  '';

  # Firewall openings via this configuration's own `settings.firewall`
  # option (not networking.firewall): HTTP/HTTPS over TCP, and UDP 443
  # presumably for HTTP/3 (QUIC).
  settings.firewall = {
    allowedTCPPorts = [
      80
      443
    ];
    allowedUDPPorts = [ 443 ];
  };
}