feat: add customizable caddy package (with plugin support)

2025-10-11 07:10:39 +02:00 · 2023-06-05 01:14:46 +02:00 · 2023-06-05 01:14:46 +02:00 · 6f84594c87
commit 6f84594c87
parent c5a863ce51
9 changed files with 90 additions and 26 deletions
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@ -0,0 +1,21 @@
+{config, ...}: let
+  inherit (config.repo.secrets.local) acme;
+in {
+  rekey.secrets.acme-credentials = {
+    file = ./secrets/acme-credentials.age;
+    mode = "440";
+    group = "acme";
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      inherit (acme) email;
+      credentialsFile = config.rekey.secrets.acme-credentials.path;
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = ["nginx"];
+    };
+  };
+  extra.acme.wildcardDomains = acme.domains;
+}
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -2,30 +2,12 @@
  config,
  lib,
  nodes,
+  pkgs,
  ...
 }: let
  inherit (config.repo.secrets.local) acme personalDomain;
 in {
-  networking.domain = personalDomain;
-
-  rekey.secrets.acme-credentials = {
-    file = ./secrets/acme-credentials.age;
-    mode = "440";
-    group = "acme";
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      inherit (acme) email;
-      credentialsFile = config.rekey.secrets.acme-credentials.path;
-      dnsProvider = "cloudflare";
-      dnsPropagationCheck = true;
-      reloadServices = ["nginx"];
-    };
-  };
-  extra.acme.wildcardDomains = acme.domains;
-  users.groups.acme.members = ["nginx"];
+  users.groups.acme.members = ["caddy"];

  rekey.secrets."dhparams.pem" = {
    file = ./secrets/dhparams.pem.age;
@ -41,5 +23,15 @@ in {
    lokiDomain = "loki.${personalDomain}";
    lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
  in {
+    enable = true;
+    package = pkgs.caddy.withPackages {
+      plugins = [
+        {
+          name = "github.com/greenpau/caddy-security";
+          version = "v1.1.18";
+        }
+      ];
+      vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
+    };
  };
 }
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -12,7 +12,8 @@

    ./fs.nix
    ./net.nix
-    #./nginx.nix
+    ./acme.nix
    ./caddy.nix
+    #./nginx.nix
  ];
 }
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -5,6 +5,7 @@
  ...
 }: {
  networking.hostId = config.repo.secrets.local.networking.hostId;
+  networking.domain = config.repo.secrets.local.personalDomain;

  boot.initrd.systemd.network = {
    enable = true;
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@ -6,8 +6,6 @@
 }: let
  inherit (config.repo.secrets.local) acme personalDomain;
 in {
-  networking.domain = personalDomain;
-
  rekey.secrets.acme-credentials = {
    file = ./secrets/acme-credentials.age;
    mode = "440";