feat: replace traefik with caddy as default reverse proxy

README.md

@@ -69,7 +69,7 @@ The following is a list of the key elements of my setup, with links to their con
 |  Shell   | [zsh], [starship], [nvim], [tmux], [fastfetch], [bat], [fzf]      |
 |    WM    | [hyprland], [waybar], [hyprlock], [mako], [gtk], [rofi], [swappy] |
 |   Apps   | [vscode], [zathura], [alacritty]                                  |
-| Services | [homepage-dashboard], [traefik], [home-assistant]                 |
+| Services | [homepage-dashboard], [home-assistant]                            |
 
 ## 🖼️ Screenshots
 
@@ -93,7 +93,6 @@ The following is a list of the key elements of my setup, with links to their con
 [starship]: ./home/common/shell/starship.nix
 [swappy]: ./home/common/desktop/swappy.nix
 [tmux]: ./home/common/shell/tmux.nix
-[traefik]: ./host/common/services/traefik/
 [vscode]: ./home/common/dev/desktop.nix
 [waybar]: ./home/common/desktop/waybar/default.nix
 [zathura]: ./home/common/desktop/zathura.nix

host/common/services/traefik/default.nix → host/common/services/reverse-proxy/default.nix

@@ -7,8 +7,8 @@
 {
   imports = lib.optional (builtins.pathExists (./. + "/${hostname}.nix")) ./${hostname}.nix;
 
-  services.traefik = {
+  services.caddy = {
     enable = true;
-    package = pkgs.unstable.traefik;
+    package = pkgs.unstable.custom-caddy;
   };
 }

host/common/services/reverse-proxy/thor.nix

@@ -0,0 +1,36 @@
+{ config, self, ... }:
+let
+  tailnet = "tailnet-d5da.ts.net";
+  domain = "jnsgr.uk";
+
+  mkVHost = backend: ''
+    tls {
+      dns digitalocean {$DO_AUTH_TOKEN}
+    }
+    reverse_proxy ${backend}
+  '';
+in
+{
+  age.secrets.digitalocean = {
+    file = "${self}/secrets/thor-digitalocean.age";
+    owner = "caddy";
+    group = "caddy";
+    mode = "600";
+  };
+
+  # Ensure DigitalOcean token is in Caddy's environment
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.digitalocean.path;
+
+  services = {
+    # Enable caddy to talk to the tailscale daemon for certs
+    tailscale.permitCertUid = "caddy";
+
+    caddy.virtualHosts = {
+      "dash.${domain}".extraConfig = mkVHost "http://localhost:8082";
+      "files.${domain}".extraConfig = mkVHost "http://localhost:8081";
+      "freyja.sync.${domain}".extraConfig = mkVHost "http://freyja.${tailnet}:8384";
+      "kara.sync.${domain}".extraConfig = mkVHost "http://kara.${tailnet}:8384";
+      "thor.sync.${domain}".extraConfig = mkVHost "http://thor.${tailnet}:8384";
+    };
+  };
+}

host/thor/extra.nix

@@ -6,8 +6,8 @@
     ../common/services/libations.nix
     ../common/services/homepage
     ../common/services/photo-backup
+    ../common/services/reverse-proxy
     ../common/services/servarr
-    ../common/services/traefik
   ];
 
   age.secrets = {

overlays/custom-caddy.nix

@@ -0,0 +1,63 @@
+{ pkgs, ... }:
+let
+  inherit (pkgs)
+    buildGoModule
+    cacert
+    caddy
+    go
+    lib
+    stdenv
+    xcaddy
+    ;
+in
+caddy.override {
+  buildGoModule =
+    args:
+    buildGoModule (
+      args
+      // {
+        src = stdenv.mkDerivation rec {
+          pname = "caddy-using-xcaddy-${xcaddy.version}";
+          inherit (caddy) version;
+
+          dontUnpack = true;
+          dontFixup = true;
+
+          nativeBuildInputs = [
+            cacert
+            go
+          ];
+
+          plugins = [ "github.com/caddy-dns/digitalocean" ];
+
+          configurePhase = ''
+            export GOCACHE=$TMPDIR/go-cache
+            export GOPATH="$TMPDIR/go"
+            export XCADDY_SKIP_BUILD=1
+          '';
+
+          buildPhase = ''
+            ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${
+              lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins
+            }
+            cd buildenv*
+            go mod vendor
+          '';
+
+          installPhase = ''
+            cp -r --reflink=auto . $out
+          '';
+
+          outputHash = "sha256-TSqIzqOKVdzuKCWoVinXQ+Rxi/9mZScK8AmSmlk3IO8=";
+          outputHashMode = "recursive";
+        };
+
+        subPackages = [ "." ];
+        ldflags = [
+          "-s"
+          "-w"
+        ]; # # don't include version info twice
+        vendorHash = null;
+      }
+    );
+}

overlays/default.nix

@@ -39,11 +39,18 @@
 
   # When applied, the unstable nixpkgs set (declared in the flake inputs) will
   # be accessible through 'pkgs.unstable'
-  unstable-packages = final: _prev: rec {
+  unstable-packages = final: _prev: {
     unstable = import inputs.unstable {
       inherit (final) system;
       config.allowUnfree = true;
-      overlays = [ (_final: _prev: { }) ];
+      overlays = [
+        (_final: prev: {
+          # example = prev.example.overrideAttrs (oldAttrs: rec {
+          # ...
+          # });
+          custom-caddy = import ./custom-caddy.nix { pkgs = prev; };
+        })
+      ];
     };
   };
 }

secrets/thor-digitalocean.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 ASg3Sg fdfEEB6h2PjTUtQHeOYDOM9YdwF+Y5FEHHJokfXOjxE
-b59xNlXGYPlA3bK1QQfJUPdIlXyOfHgQL9KHqFRCnmM
--> ssh-ed25519 HTYk+g whfs99yVZW4up2KKLxr+5C6X8KCX3EXr1nXtWB3qm1Y
-fzm34J5FM3DbZXmi3J9nU/J0jtFODOcL3143bjWmk0M
--> =`X-grease
-mLWLA+xSfPIk11wV
---- +qq22jL9+Mbqxvb5jnocqRpXi4nTbvZOay9fe1qVZ7c
-B�Q�NݻN��*v�5Q�]�Ө6�3�~�g�K�O��/E�H߱�c���nf�e�qK����;�*�RV��K���44����!�
-�I�<
+-> ssh-ed25519 ASg3Sg JqTYNQ/ERHuSxAyyE2BglFTm5EVSosotV6/k4Uy+b3w
+gWk4kJvnuMTmxx9ZvgaJ7LF/HBqujM1K3zW5BuKRW+I
+-> ssh-ed25519 HTYk+g G/XX8kTvM0+wLNUy7AYWvvHzVkhSdKyz7Q6N1qc6m1s
+B8dmEcX7py5wM1eK0KR8leJc4zJuexvEHzlHcbF+g6s
+--- LsfgXiGUkKwajRCzXBycKs6p4w9mdp//kR5ZLjWOeEQ
+�ڙ�H�9i�Awz�
/�ھ�S��A���:���fg�9*�N�7�@��ս�����Ω_k�k)-@��ֲ�ݲ���v��-f���!32eP����w�5�I�߽er���'��F