Switch to caddy #80

Merged
wi11-holdsworth merged 1 commit from 55 into main 2026-01-15 00:34:28 +11:00
27 changed files with 214 additions and 158 deletions


@ -6,6 +6,7 @@
imports = util.toImports ../features [ imports = util.toImports ../features [
# keep-sorted start # keep-sorted start
"bazarr" "bazarr"
"caddy"
"copyparty" "copyparty"
"couchdb" "couchdb"
"firefly" "firefly"
@ -16,7 +17,6 @@
"kavita" "kavita"
"lidarr" "lidarr"
"miniflux" "miniflux"
"nginx"
"ntfy-sh" "ntfy-sh"
"nzbget" "nzbget"
"paperless" "paperless"


@ -1,5 +1,6 @@
let let
port = 5017; port = 5017;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -10,10 +11,11 @@ in
listenPort = port; listenPort = port;
}; };
nginx.virtualHosts."bazarr.fi33.buzz" = { caddy.virtualHosts."bazarr.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }
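Review bot: The literal `certloc = "/var/lib/acme/fi33.buzz"` and the `tls … { protocols tls1.3 }` block are copied into this file and into every other service file in this change, so a later change of certificate name, state directory or TLS policy has to be repeated in each copy, and a missed copy would silently keep the old policy. The caddy module added in this change leaves `extraConfig = ""`; defining a snippet there once, for example `(acme_tls) { … }`, and writing `import acme_tls` in each virtual host would keep the policy in one place. Modules that already receive `config` could take the path from `config.security.acme.certs."fi33.buzz".directory` instead of a literal.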


@ -0,0 +1,30 @@
{
config,
...
}:
{
services.caddy = {
enable = true;
dataDir = "/srv/caddy";
globalConfig = ''
auto_https disable_redirects
'';
extraConfig = "";
};
security.acme = {
acceptTerms = true;
defaults.email = "festive-steed-fit@duck.com";
certs."fi33.buzz" = {
group = config.services.caddy.group;
domain = "fi33.buzz";
extraDomainNames = [ "*.fi33.buzz" ];
dnsProvider = "porkbun";
dnsPropagationCheck = true;
credentialsFile = config.age.secrets."porkbun-api".path;
};
};
age.secrets."porkbun-api".file = ../../../secrets/porkbun-api.age;
}
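Review bot: Nothing in this section reloads Caddy when the `fi33.buzz` certificate is renewed. The virtual hosts load `cert.pem` and `key.pem` by path, so unless a reload is wired up elsewhere, Caddy keeps serving the certificate it read at start and the sites fail once that copy expires. Adding `reloadServices = [ "caddy.service" ];` to `certs."fi33.buzz"` closes the gap. Separately, `auto_https disable_redirects` means plain-HTTP requests are no longer redirected to HTTPS as `forceSSL = true` did under nginx; a one-line comment saying this is intended would help the next reader.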


@ -7,6 +7,7 @@
}: }:
let let
port = 5000; port = 5000;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
imports = [ inputs.copyparty.nixosModules.default ]; imports = [ inputs.copyparty.nixosModules.default ];
@ -33,11 +34,12 @@ in
}; };
}; };
nginx.virtualHosts."copyparty.fi33.buzz" = { caddy.virtualHosts."copyparty.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
# secrets # secrets


@ -1,5 +1,6 @@
let let
port = 5984; port = 5984;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -34,10 +35,11 @@ in
}; };
}; };
nginx.virtualHosts."couchdb.fi33.buzz" = { caddy.virtualHosts."couchdb.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }


@ -2,12 +2,15 @@
config, config,
... ...
}: }:
let
certloc = "/var/lib/acme/fi33.buzz";
in
{ {
services = { services = {
firefly-iii = { firefly-iii = {
enable = true; enable = true;
dataDir = "/srv/firefly"; dataDir = "/srv/firefly";
group = "nginx"; group = config.services.caddy.group;
settings = { settings = {
# keep-sorted start # keep-sorted start
ALLOW_WEBHOOKS = "true"; ALLOW_WEBHOOKS = "true";
@ -28,29 +31,18 @@
} }
]; ];
nginx.virtualHosts."firefly.fi33.buzz" = { caddy.virtualHosts."firefly.fi33.buzz".extraConfig = ''
forceSSL = true; root * ${config.services.firefly-iii.package}/public
useACMEHost = "fi33.buzz"; php_fastcgi unix//${config.services.phpfpm.pools.firefly-iii.socket}
root = "${config.services.firefly-iii.package}/public"; try_files {path} {path}/ /index.php?{query}
locations = { file_server {
"/" = { index index.php
tryFiles = "$uri $uri/ /index.php?$query_string"; }
index = "index.php"; tls ${certloc}/cert.pem ${certloc}/key.pem {
extraConfig = '' protocols tls1.3
sendfile off; }
''; '';
}; };
"~ \\.php$" = {
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params ;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:${config.services.phpfpm.pools.firefly-iii.socket};
'';
};
};
};
};
age.secrets = { age.secrets = {
firefly = { firefly = {
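Review bot: `group = config.services.caddy.group;` puts firefly-iii in the same group that the caddy module in this change assigns to the `fi33.buzz` ACME certificate. If the PHP-FPM pool runs with that group, as the option suggests, the application can read the private key of the `*.fi33.buzz` wildcard certificate, and a compromise of the PHP application would expose the key used by every other virtual host. Keeping firefly-iii in its own group and adding the Caddy user to it, `users.users.${config.services.caddy.user}.extraGroups = [ config.services.firefly-iii.group ];`, should still give Caddy access to the FastCGI socket without sharing the key. The `services` attribute set continues outside this hunk.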


@ -38,6 +38,7 @@ let
"sonarr" "sonarr"
# keep-sorted end # keep-sorted end
]; ];
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -376,11 +377,12 @@ in
]; ];
}; };
nginx.virtualHosts."homepage-dashboard.fi33.buzz" = { caddy.virtualHosts."homepage-dashboard.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
# secrets # secrets


@ -1,5 +1,6 @@
let let
port = 2283; port = 2283;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -18,16 +19,11 @@ in
} }
]; ];
nginx = { caddy.virtualHosts."immich.fi33.buzz".extraConfig = ''
clientMaxBodySize = "50000M"; reverse_proxy localhost:${toString port}
virtualHosts."immich.fi33.buzz" = { tls ${certloc}/cert.pem ${certloc}/key.pem {
forceSSL = true; protocols tls1.3
useACMEHost = "fi33.buzz"; }
locations."/" = { '';
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
};
};
}; };
} }
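Review bot: The new virtual host drops the upload cap that `clientMaxBodySize = "50000M"` set, and Caddy's `reverse_proxy` applies no request-body limit of its own, so request size at the proxy is now unbounded. If a ceiling is still wanted, a `request_body` block with `max_size` in this `extraConfig` restores it; otherwise a comment recording that the limit was dropped on purpose is enough.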


@ -1,5 +1,6 @@
let let
port = 8096; port = 8096;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -9,11 +10,12 @@ in
group = "srv"; group = "srv";
}; };
nginx.virtualHosts."jellyfin.fi33.buzz" = { caddy.virtualHosts."jellyfin.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
# use intel iGP # use intel iGP


@ -1,5 +1,6 @@
let let
port = 5014; port = 5014;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -11,10 +12,11 @@ in
}; };
}; };
nginx.virtualHosts."karakeep.fi33.buzz" = { caddy.virtualHosts."karakeep.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }


@ -4,6 +4,7 @@
}: }:
let let
port = 5015; port = 5015;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -14,11 +15,12 @@ in
tokenKeyFile = config.age.secrets.kavita.path; tokenKeyFile = config.age.secrets.kavita.path;
}; };
nginx.virtualHosts."kavita.fi33.buzz" = { caddy.virtualHosts."kavita.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
age.secrets.kavita.file = ../../../secrets/kavita.age; age.secrets.kavita.file = ../../../secrets/kavita.age;


@ -1,5 +1,6 @@
let let
port = 5012; port = 5012;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -12,10 +13,11 @@ in
group = "srv"; group = "srv";
}; };
nginx.virtualHosts."lidarr.fi33.buzz" = { caddy.virtualHosts."lidarr.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }


@ -4,6 +4,7 @@
}: }:
let let
port = 5010; port = 5010;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -25,11 +26,12 @@ in
} }
]; ];
nginx.virtualHosts."miniflux.fi33.buzz" = { caddy.virtualHosts."miniflux.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
age.secrets."miniflux-creds".file = ../../../secrets/miniflux-creds.age; age.secrets."miniflux-creds".file = ../../../secrets/miniflux-creds.age;


@ -1,5 +1,6 @@
let let
port = 5002; port = 5002;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -12,13 +13,11 @@ in
}; };
}; };
nginx.virtualHosts."ntfy-sh.fi33.buzz" = { caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/" = { protocols tls1.3
proxyPass = "http://localhost:${toString port}"; }
proxyWebsockets = true; '';
};
};
}; };
} }


@ -4,6 +4,7 @@
}: }:
let let
port = 5018; port = 5018;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -16,11 +17,12 @@ in
group = "srv"; group = "srv";
}; };
nginx.virtualHosts."nzbget.fi33.buzz" = { caddy.virtualHosts."nzbget.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
environment.systemPackages = with pkgs; [ unrar ]; environment.systemPackages = with pkgs; [ unrar ];


@ -4,6 +4,7 @@
}: }:
let let
port = 5013; port = 5013;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -29,11 +30,12 @@ in
]; ];
}; };
nginx.virtualHosts."paperless.fi33.buzz" = { caddy.virtualHosts."paperless.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
age.secrets."paperless" = { age.secrets."paperless" = {


@ -1,5 +1,6 @@
let let
port = 5009; port = 5009;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -11,12 +12,11 @@ in
}; };
}; };
nginx = { caddy.virtualHosts."prowlarr.fi33.buzz".extraConfig = ''
virtualHosts."prowlarr.fi33.buzz" = { reverse_proxy localhost:${toString port}
forceSSL = true; tls ${certloc}/cert.pem ${certloc}/key.pem {
useACMEHost = "fi33.buzz"; protocols tls1.3
locations."/".proxyPass = "http://localhost:${toString port}"; }
}; '';
};
}; };
} }


@ -1,5 +1,6 @@
let let
port = 5005; port = 5005;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -13,10 +14,11 @@ in
]; ];
}; };
nginx.virtualHosts."qbittorrent.fi33.buzz" = { caddy.virtualHosts."qbittorrent.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }


@ -7,6 +7,7 @@
}: }:
let let
port = 5019; port = 5019;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
environment.systemPackages = [ pkgs.qui ]; environment.systemPackages = [ pkgs.qui ];
@ -22,9 +23,10 @@ in
}; };
}; };
services.nginx.virtualHosts."qui.fi33.buzz" = { services.caddy.virtualHosts."qui.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
} }


@ -1,5 +1,6 @@
let let
port = 5007; port = 5007;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -12,10 +13,11 @@ in
group = "srv"; group = "srv";
}; };
nginx.virtualHosts."radarr.fi33.buzz" = { caddy.virtualHosts."radarr.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }


@ -4,6 +4,7 @@
}: }:
let let
port = 5003; port = 5003;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -27,11 +28,12 @@ in
}; };
}; };
nginx.virtualHosts."radicale.fi33.buzz" = { caddy.virtualHosts."radicale.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
# secrets # secrets


@ -1,5 +1,6 @@
let let
port = 5016; port = 5016;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -12,10 +13,11 @@ in
group = "srv"; group = "srv";
}; };
nginx.virtualHosts."readarr.fi33.buzz" = { caddy.virtualHosts."readarr.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }


@ -1,5 +1,6 @@
let let
port = 5006; port = 5006;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -12,10 +13,11 @@ in
group = "srv"; group = "srv";
}; };
nginx.virtualHosts."sonarr.fi33.buzz" = { caddy.virtualHosts."sonarr.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }


@ -40,6 +40,7 @@ let
} }
) (builtins.filter (deviceSet: deviceSet.device != hostName) devicesList) ) (builtins.filter (deviceSet: deviceSet.device != hostName) devicesList)
); );
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -66,10 +67,11 @@ in
else else
null; null;
nginx.virtualHosts."syncthing.fi33.buzz" = { caddy.virtualHosts."syncthing.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy http://localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }
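Review bot: Caddy forwards the client's `Host` header (`syncthing.fi33.buzz`) to the upstream unchanged, and Syncthing's GUI rejects requests whose Host is not a local name when it listens on localhost, so this virtual host is likely to answer with a host-check error. Rewriting the header in the proxy, `reverse_proxy http://localhost:${toString port} { header_up Host {upstream_hostport} }`, keeps Syncthing's check (its DNS-rebinding protection) enabled, which is preferable to turning the check off in the GUI settings. The GUI address and `port` are defined outside this hunk, so confirm against them.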


@ -5,6 +5,7 @@
}: }:
let let
port = 5021; port = 5021;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
virtualisation.oci-containers = { virtualisation.oci-containers = {
@ -48,11 +49,12 @@ in
}; };
}; };
services.nginx.virtualHosts."upbank2firefly.fi33.buzz" = { services.caddy.virtualHosts."upbank2firefly.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
age.secrets.upbank2firefly.file = ../../../secrets/upbank2firefly.age; age.secrets.upbank2firefly.file = ../../../secrets/upbank2firefly.age;
} }


@ -4,6 +4,7 @@
}: }:
let let
port = 5001; port = 5001;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -22,14 +23,12 @@ in
}; };
}; };
nginx.virtualHosts."vaultwarden.fi33.buzz" = { caddy.virtualHosts."vaultwarden.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/" = { protocols tls1.3
proxyPass = "http://localhost:${toString port}"; }
proxyWebsockets = true; '';
};
};
}; };
age.secrets."vaultwarden-admin" = { age.secrets."vaultwarden-admin" = {
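Review bot: `reverse_proxy localhost:${toString port}` sends `X-Forwarded-For` but not `X-Real-IP`, which is the header Vaultwarden reads for the client address by default. Unless `IP_HEADER` is changed in the settings outside this hunk, failed logins would be logged and rate-limited as coming from the proxy's loopback address. Adding `header_up X-Real-IP {remote_host}` in a `reverse_proxy` block, or setting `IP_HEADER` to `X-Forwarded-For`, keeps per-client logging and lockout working.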


@ -1,5 +1,6 @@
let let
port = 0000; port = 0000;
certloc = "/var/lib/acme/fi33.buzz";
in in
{ {
services = { services = {
@ -19,10 +20,11 @@ in
# ]; # ];
# }; # };
nginx.virtualHosts."feature.fi33.buzz" = { caddy.virtualHosts."feature.fi33.buzz".extraConfig = ''
forceSSL = true; reverse_proxy localhost:${toString port}
useACMEHost = "fi33.buzz"; tls ${certloc}/cert.pem ${certloc}/key.pem {
locations."/".proxyPass = "http://localhost:${toString port}"; protocols tls1.3
}; }
'';
}; };
} }