cloudflare caddy module for dns validation

2025-07-05 19:40:14 +00:00 · 2023-05-31 21:03:08 -04:00
parent 8cc158221d
commit df5fba19f8
3 changed files with 79 additions and 1 deletions
--- a/modules/nixos/services/caddy.nix
+++ b/modules/nixos/services/caddy.nix
@ -2,6 +2,11 @@

  options = {
    caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
+    caddy.tlsPolicies = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
+      description = "Caddy JSON TLS policies";
+      default = [ ];
+    };
    caddy.routes = lib.mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Caddy JSON routes for http servers";
@ -26,6 +31,7 @@
          errors.routes = config.caddy.blocks;
          # logs = { }; # Uncomment to collect access logs
        };
+        apps.tls.automation.policies = config.caddy.tlsPolicies;
        logging.logs.main = {
          encoder = { format = "console"; };
          writer = {
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@ -1,6 +1,6 @@
 # This module is necessary for hosts that are serving through Cloudflare.

-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:

 let

@ -34,6 +34,41 @@ let

  ];

+  # Build with Cloudflare plugin for DNS validation
+  # Otherwise, requires HTTPS to be disabled for issuance
+  caddy = pkgs.stdenv.mkDerivation rec {
+    pname = "caddy";
+    version = "latest";
+    dontUnpack = true;
+
+    nativeBuildInputs = with pkgs; [ git go xcaddy ];
+
+    plugins = [
+      "github.com/caddy-dns/cloudflare@a9d3ae2690a1d232bc9f8fc8b15bd4e0a6960eec"
+    ];
+
+    configurePhase = ''
+      export GOCACHE=$TMPDIR/go-cache
+      export GOPATH="$TMPDIR/go"
+    '';
+
+    buildPhase = let
+      pluginArgs =
+        lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins;
+    in ''
+      runHook preBuild
+      ${pkgs.xcaddy}/bin/xcaddy build "v${version}" ${pluginArgs}
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+      mkdir -p $out/bin
+      mv caddy $out/bin
+      runHook postInstall
+    '';
+  };
+
 in {

  options.cloudflare.enable = lib.mkEnableOption "Use Cloudflare.";
@ -49,6 +84,30 @@ in {
      }];
    }];

+    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
+    services.caddy.package = caddy;
+    caddy.tlsPolicies = [{
+      issuers = [{
+        module = "acme";
+        challenges = {
+          dns.provider = {
+            name = "cloudflare";
+            api_token = "{env.CF_API_TOKEN}";
+          };
+        };
+      }];
+    }];
+    systemd.services.caddy.serviceConfig.EnvironmentFile =
+      config.secrets.cloudflareApi.dest;
+
+    # API key must have access to modify Cloudflare DNS records
+    secrets.cloudflareApi = {
+      source = ../../../private/cloudflare-api.age;
+      dest = "${config.secretsDirectory}/cloudflare-api";
+      owner = "caddy";
+      group = "caddy";
+    };
+
    # Allows Nextcloud to trust Cloudflare IPs
    services.nextcloud.config.trustedProxies = cloudflareIpRanges;