From f30f5e0ad5b830f8d060d6e8b42b1b690194227a Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Fri, 10 Jan 2025 21:32:09 -0600
Subject: [PATCH] tailscale --> caddy lb --> proxmox nodes add caddy to global environment packages caddy config and add Caddyfile to remove-tabs ignore update name proxymox
---
 .pre-commit-config.yaml | 2 +-
 nixos/hosts/telperion/config/Caddyfile | 13 +++++++++++++
 nixos/hosts/telperion/default.nix | 24 ++++++++++++++++++++----
 nixos/profiles/global.nix | 5 +++--
 4 files changed, 37 insertions(+), 7 deletions(-)
 create mode 100644 nixos/hosts/telperion/config/Caddyfile
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a4dcd6f..cde8192 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -25,7 +25,7 @@ repos:
 hooks:
 - id: remove-crlf
 - id: remove-tabs
- exclude: (Makefile)
+ exclude: (Makefile|Caddyfile)
 - repo: https://github.com/zricethezav/gitleaks
 rev: v8.22.0
 hooks:
diff --git a/nixos/hosts/telperion/config/Caddyfile b/nixos/hosts/telperion/config/Caddyfile
new file mode 100644
index 0000000..35116f8
--- /dev/null
+++ b/nixos/hosts/telperion/config/Caddyfile
@@ -0,0 +1,13 @@
+telperion.meerkat-dab.ts.net {
+ log {
+ output file /var/log/caddy/telperion.meerkat-dab.ts.net.log
+ }
+ reverse_proxy {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ lb_policy client_ip_hash
+ to https://10.1.1.66:8006
+ to https://10.1.1.67:8006
+ }
+}
diff --git a/nixos/hosts/telperion/default.nix b/nixos/hosts/telperion/default.nix
index 899e60d..1617920 100644
--- a/nixos/hosts/telperion/default.nix
+++ b/nixos/hosts/telperion/default.nix
@@ -5,6 +5,7 @@
 config,
 lib,
 modulesPath,
+ pkgs,
 ...
 }:
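Review bot: `tls_insecure_skip_verify` in the `transport http` block disables certificate verification for the upstream connections to 10.1.1.66:8006 and 10.1.1.67:8006, so the proxy will forward Proxmox logins, cookies and API tokens to whatever answers on those addresses, and anything on that LAN segment able to sit on the path could impersonate a node undetected. Presumably this works around Proxmox's self-signed certificates; the safer form is to trust them explicitly instead, e.g. `tls_trust_pool file /etc/caddy/pve-root-ca.pem` (or `tls_trusted_ca_certs` on older Caddy) plus `tls_server_name <node-fqdn>` if the certificates are not issued for the IP addresses — confirm the CA path against what the Proxmox nodes actually serve. If skip-verify is kept deliberately, record why next to the directive: `# proxmox nodes present self-signed certs; pin them via tls_trust_pool rather than skipping verification`. Note also that once published under the tailnet name, every tailnet peer can reach the Proxmox UI through this proxy, so access control rests entirely on the Tailscale ACLs, which this commit does not show.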
@@ -75,11 +76,26 @@
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ 2019
+ ];
+ services = {
+ # Caddy
+ caddy = {
+ enable = true;
+ package = pkgs.unstable.caddy;
+ extraConfig = builtins.readFile ./config/Caddyfile;
+ logFormat = lib.mkForce "level INFO";
+ };
- # Tailscale
- services.tailscale = {
- enable = true;
- openFirewall = true;
+ # Tailscale
+ tailscale = {
+ enable = true;
+ openFirewall = true;
+ permitCertUid = builtins.toString config.users.users.caddy.uid;
+ };
 };
 # System settings and services.
diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix
index 02a4b74..384a65a 100644
--- a/nixos/profiles/global.nix
+++ b/nixos/profiles/global.nix
@@ -32,12 +32,13 @@ with lib;
 environment.systemPackages = with pkgs; [
 curl
- wget
 dnsutils
 jq
- yq-go
 nvme-cli
 smartmontools
+ unstable.caddy
+ wget
+ yq-go
 ];
 networking.domain = config.mySystem.domain;
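Review bot: `networking.firewall.allowedTCPPorts` opens 2019, which is Caddy's admin API port; that endpoint is unauthenticated and lets a caller replace the running configuration, so it should never be reachable from the network. Caddy binds it to localhost:2019 by default and nothing in this commit changes that, so the entry is either a no-op today or a real exposure the day the admin listener is widened — drop it: `networking.firewall.allowedTCPPorts = [ 80 443 ];`. Since the stated intent is tailscale --> caddy, consider also limiting 80/443 to the tailnet interface, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 80 443 ];`, unless this host must serve HTTP on its LAN interface too. The attribute set these options live in starts before the hunk.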
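Review bot: `unstable.caddy` is added to `environment.systemPackages` in the global profile, which, assuming global.nix is imported by every host as its name suggests, installs the Caddy binary fleet-wide, while the only host that runs it (telperion) already gets the binary via `services.caddy.package` in this same commit. Keeping it out of the global list, or moving it into the telperion host module, avoids shipping an unused network daemon to every other host. The remaining lines of the hunk only re-sort `wget` and `yq-go` alphabetically.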