diff --git a/modules/nixos/services/cloudflare.nix b/modules/nixos/services/cloudflare.nix
index 3d7c8ab..800565c 100644
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@@ -34,41 +34,6 @@ let
   ];
 
-  # Build with Cloudflare plugin for DNS validation
-  # Otherwise, requires HTTPS to be disabled for issuance
-  caddy = pkgs.stdenv.mkDerivation rec {
-    pname = "caddy";
-    version = "latest";
-    dontUnpack = true;
-
-    nativeBuildInputs = with pkgs; [ git go xcaddy ];
-
-    plugins = [
-      "github.com/caddy-dns/cloudflare@a9d3ae2690a1d232bc9f8fc8b15bd4e0a6960eec"
-    ];
-
-    configurePhase = ''
-      export GOCACHE=$TMPDIR/go-cache
-      export GOPATH="$TMPDIR/go"
-    '';
-
-    buildPhase = let
-      pluginArgs =
-        lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins;
-    in ''
-      runHook preBuild
-      ${pkgs.xcaddy}/bin/xcaddy build "v${version}" ${pluginArgs}
-      runHook postBuild
-    '';
-
-    installPhase = ''
-      runHook preInstall
-      mkdir -p $out/bin
-      mv caddy $out/bin
-      runHook postInstall
-    '';
-  };
-
 in {
 
   options.cloudflare.enable = lib.mkEnableOption "Use Cloudflare.";
@@ -85,20 +50,29 @@ in {
     }];
 
     # Tell Caddy to use Cloudflare DNS for ACME challenge validation
-    services.caddy.package = caddy;
+    services.caddy.package =
+      (pkgs.callPackage ../../../overlays/custom-caddy.nix {
+        plugins = [ "github.com/caddy-dns/cloudflare" ];
+        # vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
+      });
 
     caddy.tlsPolicies = [{
       issuers = [{
         module = "acme";
         challenges = {
-          dns.provider = {
-            name = "cloudflare";
-            api_token = "{env.CF_API_TOKEN}";
+          dns = {
+            provider = {
+              name = "cloudflare";
+              api_token = "{env.CF_API_TOKEN}";
+            };
+            resolvers = [ "1.1.1.1" ];
           };
         };
       }];
     }];
 
     systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrets.cloudflareApi.dest;
+    systemd.services.caddy.serviceConfig.AmbientCapabilities =
+      "CAP_NET_BIND_SERVICE";
 
     # API key must have access to modify Cloudflare DNS records
     secrets.cloudflareApi = {
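Review bot: The call `plugins = [ "github.com/caddy-dns/cloudflare" ];` drops the revision the removed derivation pinned (`...cloudflare@a9d3ae2690a1d232bc9f8fc8b15bd4e0a6960eec`), so the plugin commit that ends up in the binary is now decided only by the vendor hash in custom-caddy.nix, and a hash mismatch after an upstream plugin release will read as a broken build rather than an intentional update. Carry the pin across in the same form, e.g. `plugins = [ "github.com/caddy-dns/cloudflare@<pinned-version>" ];`, once the overlay honours it. The commented-out `# vendorSha256 = ...` line is dead and should either go or say why it is kept. `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` may duplicate what the upstream caddy module already sets; if so a second definition only adds another line to the unit, which is harmless but deserves a one-line comment. This hunk sits inside a config block that starts and ends outside the hunk.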
diff --git a/overlays/custom-caddy.nix b/overlays/custom-caddy.nix
new file mode 100644
index 0000000..4f7cb7e
--- /dev/null
+++ b/overlays/custom-caddy.nix
@@ -0,0 +1,55 @@
+{ lib, buildGo118Module, fetchFromGitHub, plugins ? [ ] }:
+let
+  imports = lib.flip lib.concatMapStrings plugins (pkg: " _ \"${pkg}\"\n");
+  main = ''
+    package main
+    import (
+      caddycmd "github.com/caddyserver/caddy/v2/cmd"
+      _ "github.com/caddyserver/caddy/v2/modules/standard"
+      ${imports}
+    )
+    func main() {
+      caddycmd.Main()
+    }
+  '';
+in buildGo118Module rec {
+  pname = "caddy";
+  version = "2.6.4";
+  runVend = true;
+
+  subPackages = [ "cmd/caddy" ];
+
+  src = fetchFromGitHub {
+    owner = "caddyserver";
+    repo = "caddy";
+    rev = "v${version}";
+    sha256 = "sha256:3a3+nFHmGONvL/TyQRqgJtrSDIn0zdGy9YwhZP17mU0=";
+  };
+
+  vendorSha256 = "sha256:CrHqJcJ0knX+txQ5qvzW4JrU8vfi3FO3M/xtislIC1M=";
+
+  overrideModAttrs = (_: {
+    preBuild = ''
+      echo '${main}' > cmd/caddy/main.go
+      go get github.com/caddy-dns/cloudflare
+    '';
+    postInstall = "cp go.sum go.mod $out/ && ls $out/";
+  });
+
+  postPatch = ''
+    echo '${main}' > cmd/caddy/main.go
+    cat cmd/caddy/main.go
+  '';
+
+  postConfigure = ''
+    cp vendor/go.sum ./
+    cp vendor/go.mod ./
+  '';
+
+  meta = with lib; {
+    homepage = "https://caddyserver.com";
+    description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ Br1ght0ne techknowlogick ];
+  };
+}
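Review bot: `go get github.com/caddy-dns/cloudflare` in `overrideModAttrs.preBuild` ignores the `plugins` argument and names no version: any plugin other than cloudflare would be imported by the generated `main.go` but never added to go.mod, and the cloudflare revision is whatever `go get` resolves on the day `vendorSha256` is (re)computed, so the only pin is an opaque hash. Derive the `go get` lines from `plugins` and let each entry carry an optional `@version` suffix, so the revision is stated in the file and a vendor-hash change is a deliberate bump. `ls $out/` in postInstall and `cat cmd/caddy/main.go` in postPatch look like leftover debugging output and should be dropped. A header comment explaining the two-stage trick (rewriting main.go inside the vendor derivation and again in postPatch, then copying go.mod/go.sum back) would save the next reader a lot of guessing.
```nix
{ lib, buildGo118Module, fetchFromGitHub, plugins ? [ ] }:
let
  # Each entry is "module/path" or "module/path@version"; the import line takes
  # only the path, the `go get` keeps the version so the plugin is pinned here.
  modulePath = p: lib.head (lib.splitString "@" p);
  imports = lib.concatMapStrings (p: " _ \"${modulePath p}\"\n") plugins;
  goGets = lib.concatMapStrings (p: "go get ${p}\n") plugins;
  # … unchanged: main …
in buildGo118Module rec {
  # … unchanged: pname, version, runVend, subPackages, src, vendorSha256 …
  overrideModAttrs = (_: {
    preBuild = ''
      echo '${main}' > cmd/caddy/main.go
      ${goGets}
    '';
    # … unchanged: postInstall …
  });
  # … unchanged: postPatch, postConfigure, meta, closing brace …
```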