From 187e067118f334fb5d14805d22f60af83d3657ef Mon Sep 17 00:00:00 2001
From: Nick
Date: Thu, 3 Jul 2025 19:49:48 -0500
Subject: [PATCH] feat: added glance to caddy

---
 modules/nixos/services/acme/default.nix | 1 +
 modules/nixos/services/glance/default.nix | 39 +++++++++++++++++++----
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix
index 1cbec44..931dafb 100755
--- a/modules/nixos/services/acme/default.nix
+++ b/modules/nixos/services/acme/default.nix
@@ -40,6 +40,7 @@ in
 "searx"
 "vaultwarden"
 "audiobookshelf"
+ "glance"
 ]
 )
 ++ (map
diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix
index c600215..5bb77f3 100755
--- a/modules/nixos/services/glance/default.nix
+++ b/modules/nixos/services/glance/default.nix
@@ -1,6 +1,17 @@
 { config, flake, ... }:
 let
- inherit (flake.config.services.instances) glance jellyfin;
+ inherit (flake.config.services.instances)
+ glance
+ jellyfin
+ web
+ ;
+ inherit (flake.config.machines.devices) ceres mars deimos;
+ configHelpers = {
+ service = glance;
+ hostname = config.networking.hostName;
+ localhost = web.localhost.address0;
+ host = configHelpers.service.domains.url0;
+ };
 service = glance;
 configPath = ./config;
 configImports = {
@@ -17,6 +28,27 @@ in
 settings = configImports;
 };
 };
+ caddy = {
+ virtualHosts = {
+ "${configHelpers.host}" = {
+ extraConfig = ''
+ @allowed_ips {
+ remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}
+ }
+
+ handle @allowed_ips {
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+ reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
+ }
+ handle {
+ respond "Access Denied" 403
+ }
+ tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
+ '';
+ };
+ };
+ };
 sops =
 let
 sopsPath = secret: {
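Review bot: The two `redir /.well-known/carddav` and `redir /.well-known/caldav` lines inside `handle @allowed_ips` look like a copy-paste from a Nextcloud vhost; Glance is a dashboard and nothing in this module serves `/remote.php/dav/`, so they should be dropped and the block reduced to `reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}`. In the `let` hunk, `configHelpers.hostname` and `configHelpers.localhost` are not referenced by any visible line, and `host = configHelpers.service.domains.url0` is a self-reference that could simply be `glance.domains.url0`; if the rest of the file (outside these hunks) does not use them, the helper set is dead weight. The `remote_ip` allowlist with the catch-all `respond "Access Denied" 403` is the right shape, but note that `remote_ip` matches the TCP peer address, so the allowlist only holds if no proxy that Caddy trusts sits in front — presumably none does here, worth a one-line comment above `@allowed_ips` stating that assumption.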
@@ -41,11 +73,6 @@ in
 );
 };
- systemd.tmpfiles.rules = [
- # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
- # "Z ${service.sops.path0} 755 root root -"
- ];
-
 networking = {
 firewall = {
 allowedTCPPorts = [