✨ [pi4] Added initial caddy config based on homelab

2025-05-13 21:31:29 +02:00
parent 08cd2cbebc
commit 050741393b
2 changed files with 84 additions and 0 deletions
--- a/hosts/pi4/caddy.nix
+++ b/hosts/pi4/caddy.nix
@ -0,0 +1,80 @@
 let
  domain = "martials.no";
 in
 {
  services.caddy = {
    enable = true;
    email = "cert@${domain}";
    virtualHosts =
      let
        reverseProxy = port: "reverse_proxy localhost:${builtins.toString port}";
      in
      {
        "beta.${domain}".extraConfig = ''
          redir https://${domain}{uri}
        '';
        "git.${domain}".extraConfig = ''
          redir https://code.${domain}{uri}
        '';
        # Gitea
        "code.${domain}".extraConfig = ''
          ${reverseProxy 3000}
        '';
        # Nextcloud
        "nextcloud.${domain}".extraConfig = ''
          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301
          ${reverseProxy 11000}
        '';
        # Kitchenowl
        "kitchenowl.${domain}".extraConfig = ''
          ${reverseProxy 800}
        '';
        # Actual Budget
        "budget.${domain}".extraConfig = ''
          ${reverseProxy 5006}
        '';
        # Uptime Kuma
        "status.${domain}".extraConfig = ''
          ${reverseProxy 3001}
        '';
        # Headscale
        "vpn.${domain}".extraConfig = ''
          reverse_proxy /web* localhost:8084
          reverse_proxy * localhost:8082
        '';
        # Headscale SmartDNS
        "dns.${domain}".extraConfig = ''
          ${reverseProxy 8082}
        '';
        # FreshRSS
        "rss.${domain}".extraConfig = ''
          ${reverseProxy 8085}
        '';
        # Ente backend
        "api.ente.${domain}".extraConfig = ''
          ${reverseProxy 8083}
        '';
        # Ente Photos frontend
        "ente.${domain}".extraConfig = ''
          ${reverseProxy 3003}
        '';
        # Ente Auth frontend
        "mfa.${domain}".extraConfig = ''
          ${reverseProxy 3004}
        '';
        # Homepage / portfolio
        "${domain}".extraconfig = ''
          ${reverseProxy 4321}
        '';
        # Yamtrack
        "track.${domain}".extraConfig = ''
          ${reverseProxy 8090}
        '';
        # Postal
        "mail.${domain}".extraConfig = ''
          ${reverseProxy 5000}
        '';
      };
  };
 }
--- a/hosts/pi4/security/firewall.nix
+++ b/hosts/pi4/security/firewall.nix
@ -2,6 +2,10 @@
  networking = {
    firewall = {
      enable = true;
      allowedTCPPorts = [
        80
        443
      ];
      trustedInterfaces = [ "tailscale0" ];
      extraInputRules =
        let