caddy nonsense

flake.nix

@@ -188,7 +188,10 @@
             # Workloads server
             hostname = "shadowfax";
             system = "x86_64-linux";
-            disabledModules = [ "services/web-servers/minio.nix" ];
+            disabledModules = [
+              "services/web-servers/minio.nix"
+              "services/web-servers/caddy/default.nix"
+            ];
             hardwareModules = [
               lix-module.nixosModules.default
               ./nixos/profiles/hw-threadripperpro.nix
@@ -196,6 +199,7 @@
             profileModules = [
               vscode-server.nixosModules.default
               "${nixpkgs-unstable}/nixos/modules/services/web-servers/minio.nix"
+              "${nixpkgs-unstable}/nixos/modules/services/web-servers/caddy/default.nix"
               ./nixos/profiles/role-dev.nix
               ./nixos/profiles/role-server.nix
               { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }

nixos/hosts/shadowfax/config/Caddyfile

@@ -0,0 +1,14 @@
+redeye.hsn.dev {
+	log {
+		output file /var/log/caddy/redeye.hsn.dev.log
+	}
+	tls {
+		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+	}
+	reverse_proxy {
+		transport http {
+			tls_insecure_skip_verify
+		}
+		to http://127.0.0.1:11080
+	}
+}

nixos/hosts/shadowfax/default.nix

@@ -93,15 +93,30 @@ in
     };
   };
 
-  # Open minio ports for firewall
+  # Open ports in the firewall.
   networking.firewall = {
     allowedTCPPorts = [
+      # Caddy
+      80 # http
+      443 # https
+      2019 # caddy admin api
+      # Minio
       9000 # console web interface
       9001 # api interface
+
     ];
   };
 
   services = {
+    # Caddy
+    # caddy = {
+    #   enable = true;
+    #   package = pkgs.unstable.caddy;
+    #   extraConfig = builtins.readFile ./config/Caddyfile;
+    #   logFormat = lib.mkForce "level INFO";
+    #   environmentFile = config.sops.secrets."caddy/env".path;
+    # };
+
     # Minio
     minio = {
       enable = true;
@@ -168,6 +183,12 @@ in
       mode = "400";
       restartUnits = [ "syncthing.service" ];
     };
+    # "caddy/env" = {
+    #   sopsFile = ./secrets.sops.yaml;
+    #   owner = "caddy";
+    #   mode = "400";
+    #   restartUnits = [ "caddy.service" ];
+    # };
   };
 
   # System settings and services.

nixos/hosts/shadowfax/secrets.sops.yaml

@@ -84,8 +84,8 @@ sops:
             aVlOSHhFb2I5UnYwVytyQzlWTXBDYUUKdQKilmfJ1F7UYKtQV9zV95FcRIK17p4M
             vGvu/pGJ32tH8xI7cNs9I5Hmg9c5wOam21W1FDk+VlJ/ClXqQzS0MA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-27T09:27:41Z"
+    lastmodified: "2025-01-23T00:36:34Z"
-    mac: ENC[AES256_GCM,data:x2em1h5iUJVXtHq25TpoaZ+JfFwc7g9n7Nkz9gZDMYZJhWXJAL/W31C7Hf8FvHkN38onMTaFKELC/w6hAAXT1SQRQyoCBzPilkYHkuovIHS53saIfq0bCFiphJ2JagjvWT/blpsw4mw/3hXHe2ebt/jS57nGYeQH3vG50EeonDc=,iv:fW0KbIbtkimTpOADTVs5fDskFupXwr+RimYiwHQirPk=,tag:BZHNcp10fsNTEt020NPq0g==,type:str]
+    mac: ENC[AES256_GCM,data:2H1NCCVjvR/pSTI6njNkE7RuWWlCSPIvKLBqkJbEKNvc2aaPIUmGLlLpvNRQ1rQJbQa2okVnL4wITeYT+uuBhus4ubTAD7RH3HIjXMcK2HFCA/ey/kJ9GZI6I+0pwyjavUlWitIqUjUpTOK1hGSTzRSm6G38uSLhfQGMG3clUjw=,iv:1qZ6eKIaE/6QF3r4adGw2dvKlrZvjCktmgJ2L3n3kEs=,tag:kZ7wAbXebk0VF1kAbjxRSA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

nixos/hosts/telperion/config/Caddyfile

@@ -6,8 +6,16 @@ telperion.meerkat-dab.ts.net {
 		transport http {
 			tls_insecure_skip_verify
 		}
+		fail_duration 10s
+		health_interval 5s
+		health_timeout 2s
+		health_uri /
 		lb_policy client_ip_hash
-		to https://10.1.1.66:8006
+		lb_try_duration 5s
-		to https://10.1.1.67:8006
+		lb_try_interval 250ms
+		max_fails 1
+		unhealthy_status 5xx
+		to https://legion.meerkat-dab.ts.net:8006
+		to https://rosie.meerkat-dab.ts.net:8006
 	}
 }