dotfiles/modules/nixos/services/caddy/caddy0/default.nix

{ flake, config, ... }:
let
  inherit (flake.config.services) instances;
  inherit (flake.config.machines.devices) eris;
  opencloud = instances.opencloud0;
  dns = instances.web.dns.provider0;
  opencloudHost = opencloud.domains.url0;
  dnsPath = "dns/${dns}";
  service = instances.caddy;
in
{
  services.caddy = {
    enable = true;
    virtualHosts = {
      "${opencloud.domains.url0}" = {
        extraConfig = ''
          reverse_proxy ${eris.ip.address0}:${builtins.toString service.ports.port0}
          tls ${opencloud.ssl.cert} ${opencloud.ssl.key} 
        '';
      };
    };
  };
  security.acme.certs."${opencloudHost}" = {
    dnsProvider = dns;
    environmentFile = config.sops.secrets.${dnsPath}.path;
    group = "caddy";
  };
  networking = {
    firewall = {
      allowedTCPPorts = [
        service.ports.port0 # 80
        service.ports.port1 # 443
      ];
    };
  };
}