✨ [pi4] Added initial caddy config based on homelab

2025-05-13 21:31:29 +02:00
parent 08cd2cbebc
commit 050741393b
2 changed files with 84 additions and 0 deletions
--- a/hosts/pi4/caddy.nix
+++ b/hosts/pi4/caddy.nix
@ -0,0 +1,80 @@
+let
+  domain = "martials.no";
+in
+{
+  services.caddy = {
+    enable = true;
+    email = "cert@${domain}";
+    virtualHosts =
+      let
+        reverseProxy = port: "reverse_proxy localhost:${builtins.toString port}";
+      in
+      {
+        "beta.${domain}".extraConfig = ''
+          redir https://${domain}{uri}
+        '';
+        "git.${domain}".extraConfig = ''
+          redir https://code.${domain}{uri}
+        '';
+        # Gitea
+        "code.${domain}".extraConfig = ''
+          ${reverseProxy 3000}
+        '';
+        # Nextcloud
+        "nextcloud.${domain}".extraConfig = ''
+          redir /.well-known/carddav /remote.php/dav 301
+          redir /.well-known/caldav /remote.php/dav 301
+          ${reverseProxy 11000}
+        '';
+        # Kitchenowl
+        "kitchenowl.${domain}".extraConfig = ''
+          ${reverseProxy 800}
+        '';
+        # Actual Budget
+        "budget.${domain}".extraConfig = ''
+          ${reverseProxy 5006}
+        '';
+        # Uptime Kuma
+        "status.${domain}".extraConfig = ''
+          ${reverseProxy 3001}
+        '';
+        # Headscale
+        "vpn.${domain}".extraConfig = ''
+          reverse_proxy /web* localhost:8084
+          reverse_proxy * localhost:8082
+        '';
+        # Headscale SmartDNS
+        "dns.${domain}".extraConfig = ''
+          ${reverseProxy 8082}
+        '';
+        # FreshRSS
+        "rss.${domain}".extraConfig = ''
+          ${reverseProxy 8085}
+        '';
+        # Ente backend
+        "api.ente.${domain}".extraConfig = ''
+          ${reverseProxy 8083}
+        '';
+        # Ente Photos frontend
+        "ente.${domain}".extraConfig = ''
+          ${reverseProxy 3003}
+        '';
+        # Ente Auth frontend
+        "mfa.${domain}".extraConfig = ''
+          ${reverseProxy 3004}
+        '';
+        # Homepage / portfolio
+        "${domain}".extraconfig = ''
+          ${reverseProxy 4321}
+        '';
+        # Yamtrack
+        "track.${domain}".extraConfig = ''
+          ${reverseProxy 8090}
+        '';
+        # Postal
+        "mail.${domain}".extraConfig = ''
+          ${reverseProxy 5000}
+        '';
+      };
+  };
+}
--- a/hosts/pi4/security/firewall.nix
+++ b/hosts/pi4/security/firewall.nix
@ -2,6 +2,10 @@
  networking = {
    firewall = {
      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+      ];
      trustedInterfaces = [ "tailscale0" ];
      extraInputRules =
        let