feat(caddy): install and replace nginx

This commit is contained in:
wi11-holdsworth 2026-01-14 23:45:35 +11:00
parent 500c704cf4
commit 33af7eaadf
27 changed files with 212 additions and 158 deletions


@ -6,6 +6,7 @@
imports = util.toImports ../features [
# keep-sorted start
"bazarr"
"caddy"
"copyparty"
"couchdb"
"firefly"
@ -16,7 +17,6 @@
"kavita"
"lidarr"
"miniflux"
"nginx"
"ntfy-sh"
"nzbget"
"paperless"


@ -1,5 +1,6 @@
let
port = 5017;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -10,10 +11,11 @@ in
listenPort = port;
};
nginx.virtualHosts."bazarr.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}
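Review bot: The `certloc` let-binding and the `tls ${certloc}/cert.pem ${certloc}/key.pem { protocols tls1.3 }` block are hand-copied into every Caddy vhost in this commit (copyparty, couchdb, firefly, homepage-dashboard, immich, jellyfin, karakeep, kavita, lidarr, miniflux, ntfy-sh, nzbget, paperless, prowlarr, qbittorrent, qui, radarr, radicale, readarr, sonarr, syncthing, upbank2firefly, vaultwarden), so changing the cert path or the protocol pin means touching twenty-odd files. The NixOS Caddy module has `services.caddy.virtualHosts.<name>.useACMEHost`, the counterpart of the nginx option being removed here; `caddy.virtualHosts."bazarr.fi33.buzz" = { useACMEHost = "fi33.buzz"; extraConfig = "reverse_proxy localhost:${toString port}"; };` makes `certloc` unnecessary. As far as I recall that option also registers `caddy.service` in the certificate's `reloadServices`, which the hand-written `tls` lines do not, so a renewal under `/var/lib/acme/fi33.buzz` would otherwise need a manual Caddy reload before the new certificate is served. If the TLS 1.3-only pin is wanted, confirm that the module's generated `tls` line composes with a separate `tls { protocols tls1.3 }` block before switching.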


@ -0,0 +1,28 @@
{
config,
...
}:
{
services.caddy = {
enable = true;
dataDir = "/srv/caddy";
globalConfig = ''
auto_https disable_redirects
'';
};
security.acme = {
acceptTerms = true;
defaults.email = "festive-steed-fit@duck.com";
certs."fi33.buzz" = {
group = config.services.caddy.group;
domain = "fi33.buzz";
extraDomainNames = [ "*.fi33.buzz" ];
dnsProvider = "porkbun";
dnsPropagationCheck = true;
credentialsFile = config.age.secrets."porkbun-api".path;
};
};
age.secrets."porkbun-api".file = ../../../secrets/porkbun-api.age;
}
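Review bot: `auto_https disable_redirects` in `globalConfig` switches off Caddy's HTTP-to-HTTPS redirect server, so the redirect that `forceSSL = true` provided on every removed nginx vhost is gone and plain `http://` requests to these hosts will most likely find no listener at all. If the redirect is still wanted, drop that line; the per-site `tls` directives already keep Caddy from issuing its own certificates, so `auto_https` needs no further restriction. Separately, the `certs."fi33.buzz"` block grants Caddy's group read access but sets no `reloadServices = [ "caddy.service" ];`, so nothing tells Caddy when the ACME timer renews the files it loaded at startup; add that line unless the vhosts are moved to `useACMEHost`, which should add it for you.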


@ -7,6 +7,7 @@
}:
let
port = 5000;
certloc = "/var/lib/acme/fi33.buzz";
in
{
imports = [ inputs.copyparty.nixosModules.default ];
@ -33,11 +34,12 @@ in
};
};
nginx.virtualHosts."copyparty.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
# secrets


@ -1,5 +1,6 @@
let
port = 5984;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -34,10 +35,11 @@ in
};
};
nginx.virtualHosts."couchdb.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -2,12 +2,15 @@
config,
...
}:
let
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
firefly-iii = {
enable = true;
dataDir = "/srv/firefly";
group = "nginx";
group = config.services.caddy.group;
settings = {
# keep-sorted start
ALLOW_WEBHOOKS = "true";
@ -28,28 +31,17 @@
}
];
nginx.virtualHosts."firefly.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
root = "${config.services.firefly-iii.package}/public";
locations = {
"/" = {
tryFiles = "$uri $uri/ /index.php?$query_string";
index = "index.php";
extraConfig = ''
sendfile off;
'';
};
"~ \\.php$" = {
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params ;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:${config.services.phpfpm.pools.firefly-iii.socket};
'';
};
};
};
caddy.virtualHosts."firefly.fi33.buzz".extraConfig = ''
root * ${config.services.firefly-iii.package}/public
php_fastcgi unix//${config.services.phpfpm.pools.firefly-iii.socket}
try_files {path} {path}/ /index.php?{query}
file_server {
index index.php
}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
age.secrets = {
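Review bot: The removed nginx location passed `fastcgi_param modHeadersAvailable true` (its own comment says this stops the security headers being sent twice), but the new `php_fastcgi` block passes nothing equivalent, so if Firefly III still consults that variable it may now emit its security headers a second time on every response. `php_fastcgi` takes an `env` subdirective; `php_fastcgi unix//${config.services.phpfpm.pools.firefly-iii.socket} { env modHeadersAvailable true }` preserves the old behaviour. The explicit `try_files {path} {path}/ /index.php?{query}` looks largely redundant with the rewrite `php_fastcgi` already performs, though it is harmless if kept.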


@ -38,6 +38,7 @@ let
"sonarr"
# keep-sorted end
];
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -376,11 +377,12 @@ in
];
};
nginx.virtualHosts."homepage-dashboard.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
# secrets


@ -1,5 +1,6 @@
let
port = 2283;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -18,16 +19,11 @@ in
}
];
nginx = {
clientMaxBodySize = "50000M";
virtualHosts."immich.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
};
};
caddy.virtualHosts."immich.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}
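Review bot: The dropped `clientMaxBodySize = "50000M"` has no counterpart in the new site block; that works because Caddy's `reverse_proxy` does not cap request bodies by default, but it also means uploads are now unbounded rather than limited to roughly 50 GB, so if a ceiling was the intent add something like `request_body { max_size 50GB }` to the site block. The upstream address also changed from `http://[::1]:${toString port}` to `localhost:${toString port}`; Go's dialer tries every address `localhost` resolves to, so this should still reach an IPv6-only immich, but it is worth a quick check after deploy.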


@ -1,5 +1,6 @@
let
port = 8096;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -9,11 +10,12 @@ in
group = "srv";
};
nginx.virtualHosts."jellyfin.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
# use intel iGP


@ -1,5 +1,6 @@
let
port = 5014;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -11,10 +12,11 @@ in
};
};
nginx.virtualHosts."karakeep.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -4,6 +4,7 @@
}:
let
port = 5015;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -14,11 +15,12 @@ in
tokenKeyFile = config.age.secrets.kavita.path;
};
nginx.virtualHosts."kavita.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."kavita.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
age.secrets.kavita.file = ../../../secrets/kavita.age;


@ -1,5 +1,6 @@
let
port = 5012;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -12,10 +13,11 @@ in
group = "srv";
};
nginx.virtualHosts."lidarr.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -4,6 +4,7 @@
}:
let
port = 5010;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -25,11 +26,12 @@ in
}
];
nginx.virtualHosts."miniflux.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
age.secrets."miniflux-creds".file = ../../../secrets/miniflux-creds.age;


@ -1,5 +1,6 @@
let
port = 5002;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -12,13 +13,11 @@ in
};
};
nginx.virtualHosts."ntfy-sh.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;
};
};
caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -4,6 +4,7 @@
}:
let
port = 5018;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -16,11 +17,12 @@ in
group = "srv";
};
nginx.virtualHosts."nzbget.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
environment.systemPackages = with pkgs; [ unrar ];


@ -4,6 +4,7 @@
}:
let
port = 5013;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -29,11 +30,12 @@ in
];
};
nginx.virtualHosts."paperless.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
age.secrets."paperless" = {


@ -1,5 +1,6 @@
let
port = 5009;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -11,12 +12,11 @@ in
};
};
nginx = {
virtualHosts."prowlarr.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
};
caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -1,5 +1,6 @@
let
port = 5005;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -13,10 +14,11 @@ in
];
};
nginx.virtualHosts."qbittorrent.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -7,6 +7,7 @@
}:
let
port = 5019;
certloc = "/var/lib/acme/fi33.buzz";
in
{
environment.systemPackages = [ pkgs.qui ];
@ -22,9 +23,10 @@ in
};
};
services.nginx.virtualHosts."qui.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
}


@ -1,5 +1,6 @@
let
port = 5007;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -12,10 +13,11 @@ in
group = "srv";
};
nginx.virtualHosts."radarr.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."radarr.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -4,6 +4,7 @@
}:
let
port = 5003;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -27,11 +28,12 @@ in
};
};
nginx.virtualHosts."radicale.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."radicale.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
# secrets


@ -1,5 +1,6 @@
let
port = 5016;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -12,10 +13,11 @@ in
group = "srv";
};
nginx.virtualHosts."readarr.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."readarr.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -1,5 +1,6 @@
let
port = 5006;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -12,10 +13,11 @@ in
group = "srv";
};
nginx.virtualHosts."sonarr.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}


@ -40,6 +40,7 @@ let
}
) (builtins.filter (deviceSet: deviceSet.device != hostName) devicesList)
);
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -66,10 +67,11 @@ in
else
null;
nginx.virtualHosts."syncthing.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = ''
reverse_proxy http://localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
}
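Review bot: `reverse_proxy http://localhost:${toString port}` carries an explicit scheme while every other vhost in this commit uses the bare `localhost:${toString port}` form; Caddy treats the two the same, but the inconsistency reads as if this upstream were special. Use one form throughout, e.g. `reverse_proxy localhost:${toString port}` here to match the rest.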


@ -5,6 +5,7 @@
}:
let
port = 5021;
certloc = "/var/lib/acme/fi33.buzz";
in
{
virtualisation.oci-containers = {
@ -48,11 +49,12 @@ in
};
};
services.nginx.virtualHosts."upbank2firefly.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/".proxyPass = "http://localhost:${toString port}";
};
services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
age.secrets.upbank2firefly.file = ../../../secrets/upbank2firefly.age;
}


@ -4,6 +4,7 @@
}:
let
port = 5001;
certloc = "/var/lib/acme/fi33.buzz";
in
{
services = {
@ -22,14 +23,12 @@ in
};
};
nginx.virtualHosts."vaultwarden.fi33.buzz" = {
forceSSL = true;
useACMEHost = "fi33.buzz";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;
};
};
caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = ''
reverse_proxy localhost:${toString port}
tls ${certloc}/cert.pem ${certloc}/key.pem {
protocols tls1.3
}
'';
};
age.secrets."vaultwarden-admin" = {