dotfiles/modules/nixos/services/caddy.nix

{ config, pkgs, lib, ... }: {

  options = {
    caddy = {
      tlsPolicies = lib.mkOption {
        type = lib.types.listOf lib.types.attrs;
        description = "Caddy JSON TLS policies";
        default = [ ];
      };
      routes = lib.mkOption {
        type = lib.types.listOf lib.types.attrs;
        description = "Caddy JSON routes for http servers";
        default = [ ];
      };
      blocks = lib.mkOption {
        type = lib.types.listOf lib.types.attrs;
        description = "Caddy JSON error blocks for http servers";
        default = [ ];
      };
      cidrAllowlist = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        description = "CIDR blocks to allow for requests";
        default = [ ];
      };
    };
  };

  config = lib.mkIf config.services.caddy.enable {

    # Force Caddy to 403 if not coming from allowlisted source
    caddy.cidrAllowlist = [ "127.0.0.1/32" ];
    caddy.routes = [{
      match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
      handle = [{
        handler = "static_response";
        status_code = "403";
      }];
    }];

    services.caddy = {
      adapter = "''"; # Required to enable JSON
      configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
        apps.http.servers.main = {
          listen = [ ":443" ];
          routes = config.caddy.routes;
          errors.routes = config.caddy.blocks;
          logs = { }; # Uncomment to collect access logs
        };
        apps.http.servers.metrics = { }; # Enables Prometheus metrics
        apps.tls.automation.policies = config.caddy.tlsPolicies;
        logging.logs.main = {
          encoder = { format = "console"; };
          writer = {
            output = "file";
            filename = "${config.services.caddy.logDir}/caddy.log";
            roll = true;
            roll_size_mb = 1;
          };
          level = "INFO";
        };
      });

    };

    networking.firewall.allowedTCPPorts = [ 80 443 ];
    networking.firewall.allowedUDPPorts = [ 443 ];

    prometheus.scrapeTargets = [ "127.0.0.1:2019" ];

  };

}
lockdown caddy and ssh connections 2022-10-13 23:40:30 +00:00			`{ config, pkgs, lib, ... }: {`
move caddy config into separate file 2022-10-02 15:24:25 +00:00
			`options = {`
use bind for local dns 2023-07-18 03:52:37 +00:00			`caddy = {`
			`tlsPolicies = lib.mkOption {`
			`type = lib.types.listOf lib.types.attrs;`
			`description = "Caddy JSON TLS policies";`
			`default = [ ];`
			`};`
			`routes = lib.mkOption {`
			`type = lib.types.listOf lib.types.attrs;`
			`description = "Caddy JSON routes for http servers";`
			`default = [ ];`
			`};`
			`blocks = lib.mkOption {`
			`type = lib.types.listOf lib.types.attrs;`
			`description = "Caddy JSON error blocks for http servers";`
			`default = [ ];`
			`};`
			`cidrAllowlist = lib.mkOption {`
			`type = lib.types.listOf lib.types.str;`
			`description = "CIDR blocks to allow for requests";`
fix: localhost as default not in caddy allowlist 2023-07-20 00:18:28 +00:00			`default = [ ];`
use bind for local dns 2023-07-18 03:52:37 +00:00			`};`
move cloudflare to separate file 2022-10-15 19:00:37 +00:00			`};`
move caddy config into separate file 2022-10-02 15:24:25 +00:00			`};`

use bind for local dns 2023-07-18 03:52:37 +00:00			`config = lib.mkIf config.services.caddy.enable {`

			`# Force Caddy to 403 if not coming from allowlisted source`
fix: localhost as default not in caddy allowlist 2023-07-20 00:18:28 +00:00			`caddy.cidrAllowlist = [ "127.0.0.1/32" ];`
use bind for local dns 2023-07-18 03:52:37 +00:00			`caddy.routes = [{`
			`match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];`
			`handle = [{`
			`handler = "static_response";`
			`status_code = "403";`
			`}];`
			`}];`

			`services.caddy = {`
			`adapter = "''"; # Required to enable JSON`
			`configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {`
			`apps.http.servers.main = {`
			`listen = [ ":443" ];`
			`routes = config.caddy.routes;`
			`errors.routes = config.caddy.blocks;`
fix warnings in nextcloud 2023-08-04 05:13:43 +00:00			`logs = { }; # Uncomment to collect access logs`
use bind for local dns 2023-07-18 03:52:37 +00:00			`};`
			`apps.http.servers.metrics = { }; # Enables Prometheus metrics`
			`apps.tls.automation.policies = config.caddy.tlsPolicies;`
			`logging.logs.main = {`
			`encoder = { format = "console"; };`
			`writer = {`
			`output = "file";`
			`filename = "${config.services.caddy.logDir}/caddy.log";`
			`roll = true;`
fix warnings in nextcloud 2023-08-04 05:13:43 +00:00			`roll_size_mb = 1;`
remote prometheus and reconfig server modules 2023-07-04 22:20:43 +00:00			`};`
use bind for local dns 2023-07-18 03:52:37 +00:00			`level = "INFO";`
			`};`
			`});`
move caddy config into separate file 2022-10-02 15:24:25 +00:00
use bind for local dns 2023-07-18 03:52:37 +00:00			`};`
move caddy config into separate file 2022-10-02 15:24:25 +00:00
use bind for local dns 2023-07-18 03:52:37 +00:00			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`networking.firewall.allowedUDPPorts = [ 443 ];`
fix firewall issues with oracle 2022-10-03 12:19:29 +00:00
use bind for local dns 2023-07-18 03:52:37 +00:00			`prometheus.scrapeTargets = [ "127.0.0.1:2019" ];`
enable caddy prometheus metrics 2023-07-16 20:13:41 +00:00
use bind for local dns 2023-07-18 03:52:37 +00:00			`};`
move caddy config into separate file 2022-10-02 15:24:25 +00:00
			`}`