services/caddy/default.nix at becd1626b11d8233cb667c09f09eb63ac5d6adc5 · sapphic.moe/flake

sapphic.moe / flake

❄️ Dotfiles for our NixOS system configuration.

flake / services / caddy / default.nix

at becd1626b11d8233cb667c09f09eb63ac5d6adc5 833 B view raw

 1{ config, pkgs, ... }:
 2
 3{
 4  age.secrets.caddy = {
 5    file = ../../secrets/caddy.age;
 6    mode = "600";
 7  };
 8
 9  services.caddy = {
10    enable = true;
11    package = pkgs.caddy.withPlugins {
12      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
13      hash = "sha256-iRzpN9awuEFsc7hqKzOMNiCFFEv833xhd4LM+VFQedI=";
14    };
15    environmentFile = config.age.secrets.caddy.path;
16    globalConfig = ''
17      email chloe@sapphic.moe
18    '';
19    extraConfig = ''
20      (tls_cloudflare) {
21        tls {
22          dns cloudflare {env.CF_API_TOKEN}
23          resolvers 8.8.8.8 1.1.1.1
24        }
25      }
26      (common) {
27        encode zstd gzip
28      }
29    '';
30    logFormat = ''
31      level info
32      format json
33    '';
34  };
35
36  settings.firewall.allowedTCPPorts = [
37    80
38    443
39  ];
40
41  settings.firewall.allowedUDPPorts = [ 443 ];
42}