From 050741393b359721d742201949604300e41e19a4 Mon Sep 17 00:00:00 2001
From: Martin Berg Alstad
Date: Tue, 13 May 2025 21:31:29 +0200
Subject: [PATCH] :sparkles: [pi4] Added initial caddy config based on homelab

---
 hosts/pi4/caddy.nix | 80 +++++++++++++++++++++++++++++++++
 hosts/pi4/security/firewall.nix | 4 ++
 2 files changed, 84 insertions(+)
 create mode 100644 hosts/pi4/caddy.nix

diff --git a/hosts/pi4/caddy.nix b/hosts/pi4/caddy.nix
new file mode 100644
index 0000000..b8710cc
--- /dev/null
+++ b/hosts/pi4/caddy.nix
@@ -0,0 +1,80 @@
+let
+ domain = "martials.no";
+in
+{
+ services.caddy = {
+ enable = true;
+ email = "cert@${domain}";
+ virtualHosts =
+ let
+ reverseProxy = port: "reverse_proxy localhost:${builtins.toString port}";
+ in
+ {
+ "beta.${domain}".extraConfig = ''
+ redir https://${domain}{uri}
+ '';
+ "git.${domain}".extraConfig = ''
+ redir https://code.${domain}{uri}
+ '';
+ # Gitea
+ "code.${domain}".extraConfig = ''
+ ${reverseProxy 3000}
+ '';
+ # Nextcloud
+ "nextcloud.${domain}".extraConfig = ''
+ redir /.well-known/carddav /remote.php/dav 301
+ redir /.well-known/caldav /remote.php/dav 301
+ ${reverseProxy 11000}
+ '';
+ # Kitchenowl
+ "kitchenowl.${domain}".extraConfig = ''
+ ${reverseProxy 800}
+ '';
+ # Actual Budget
+ "budget.${domain}".extraConfig = ''
+ ${reverseProxy 5006}
+ '';
+ # Uptime Kuma
+ "status.${domain}".extraConfig = ''
+ ${reverseProxy 3001}
+ '';
+ # Headscale
+ "vpn.${domain}".extraConfig = ''
+ reverse_proxy /web* localhost:8084
+ reverse_proxy * localhost:8082
+ '';
+ # Headscale SmartDNS
+ "dns.${domain}".extraConfig = ''
+ ${reverseProxy 8082}
+ '';
+ # FreshRSS
+ "rss.${domain}".extraConfig = ''
+ ${reverseProxy 8085}
+ '';
+ # Ente backend
+ "api.ente.${domain}".extraConfig = ''
+ ${reverseProxy 8083}
+ '';
+ # Ente Photos frontend
+ "ente.${domain}".extraConfig = ''
+ ${reverseProxy 3003}
+ '';
+ # Ente Auth frontend
+ "mfa.${domain}".extraConfig = ''
+ ${reverseProxy 3004}
+ '';
+ # Homepage / portfolio
+ "${domain}".extraconfig = ''
+ ${reverseProxy 4321}
+ '';
+ # Yamtrack
+ "track.${domain}".extraConfig = ''
+ ${reverseProxy 8090}
+ '';
+ # Postal
+ "mail.${domain}".extraConfig = ''
+ ${reverseProxy 5000}
+ '';
+ };
+ };
+}
diff --git a/hosts/pi4/security/firewall.nix b/hosts/pi4/security/firewall.nix
index b5e2a2f..28e5773
--- a/hosts/pi4/security/firewall.nix
+++ b/hosts/pi4/security/firewall.nix
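Review bot: `"${domain}".extraconfig` (lowercase c) near the end of the hunk is not a declared option of the `services.caddy.virtualHosts` submodule, so the configuration should fail to evaluate with an undefined-option error instead of serving the portfolio vhost; it should read `"${domain}".extraConfig = ''`. Separately, every vhost here is published on 443 with no authentication or source restriction in Caddy, including what look like operator-facing surfaces — Postal at `mail.`, Uptime Kuma at `status.` and the `/web*` path on `vpn.` (presumably a Headscale UI) — even though the firewall trusts `tailscale0`; if any of those are meant to be tailnet-only, gate them per vhost with `@outside not remote_ip 100.64.0.0/10` followed by `abort @outside`, since a port-level firewall cannot distinguish hostnames. Caddy also does not emit HSTS by default, so a shared snippet with `header Strict-Transport-Security "max-age=31536000; includeSubDomains"` imported by each vhost would be worth adding. Note that `dns.` and the catch-all on `vpn.` both proxy to 8082, which may be intended but deserves a comment saying so.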
@@ -2,6 +2,10 @@
 networking = {
 firewall = {
 enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
 trustedInterfaces = [ "tailscale0" ];
 extraInputRules =
 let