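{ config, pkgs, ... }:
let
  # Contact address used both for Caddy's own ACME account and for the
  # NixOS-managed certificate below.
  acmeEmail = "postmaster@extremist.software";

  # Directory the NixOS ACME service writes HTTP-01 challenge tokens into.
  # Caddy serves the same directory below, so the two must not drift apart.
  acmeWebroot = "/var/lib/acme/acme-challenge";

  # Caddyfile fragment: answer HTTP-01 challenges for a NixOS-managed cert.
  # Only the challenge prefix is routed here; the rest of the webroot is
  # not exposed.
  acmeChallengeHandler = ''
    handle /.well-known/acme-challenge/* {
      root * ${acmeWebroot}
      file_server
    }
  '';

  # Caddyfile fragment: one rate-limit zone allowing `events` requests per
  # minute per client.
  #
  # The key is {remote_host}, the TCP peer address.  The previous key,
  # {remote.ip}, does not appear among the placeholders the Caddyfile
  # documents ({remote_host}, {client_ip}, ...); an unresolved placeholder
  # would give every client the same key and collapse the zone into a single
  # shared bucket, letting one abusive client exhaust the budget for all.
  # If a proxy or CDN is ever placed in front of Caddy, all clients would
  # again share the proxy's address: switch the key to {client_ip} and list
  # the proxy in `trusted_proxies` in that case.
  perIpRateLimit = zone: events: ''
    rate_limit {
      zone ${zone} {
        key {remote_host}
        events ${toString events}
        window 1m
      }
    }
  '';

  # Caddyfile fragment: a JSON well-known document.  Matrix discovery is
  # fetched cross-origin by browser clients, which is why these three
  # responses carry a wildcard Access-Control-Allow-Origin.
  wellKnownJson = path: body: ''
    handle ${path} {
      header Access-Control-Allow-Origin "*"
      header Content-Type "application/json"
      respond `${body}`
    }
  '';

  # A vhost that does nothing but proxy one local upstream behind its own
  # rate-limit zone.  TLS for these hosts is obtained by Caddy itself.
  limitedProxy = zone: events: upstream: {
    extraConfig = ''
      ${perIpRateLimit zone events}
      reverse_proxy ${upstream}
    '';
  };
in
{
  services.caddy = {
    enable = true;

    # Caddy with the caddy-ratelimit plugin compiled in.  The plugin is
    # pinned to a tag and the build to a fixed-output hash, so an upstream
    # change to the module cannot silently alter what gets deployed.
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/mholt/caddy-ratelimit@v0.1.0" ];
      hash = "sha256-Ko4kJJiBUGX/2x6O+Q0f7hrf6r7YkVCQPRV04Adgedw=";
    };

    email = acmeEmail;

    # Third-party directives have no slot in Caddy's built-in directive
    # order, so rate_limit has to be placed explicitly.  Putting it before
    # basicauth also places it ahead of every handle/reverse_proxy block, so
    # each zone below covers its whole vhost, ACME challenge path included.
    globalConfig = ''
      order rate_limit before basicauth
    '';

    virtualHosts = {
      # Apex: static discovery documents only, everything else redirects.
      # Uses the NixOS-managed certificate (shared with the mail server)
      # rather than one Caddy obtains itself.
      "extremist.software" = {
        useACMEHost = "extremist.software";
        extraConfig = ''
          ${acmeChallengeHandler}
          ${wellKnownJson "/.well-known/matrix/server" ''{"m.server": "matrix.extremist.software:443"}''}
          ${wellKnownJson "/.well-known/matrix/client" ''{"m.homeserver": {"base_url": "https://matrix.extremist.software"}}''}
          ${wellKnownJson "/.well-known/matrix/support" ''{"admins": [{"matrix_id": "@jet:extremist.software","role": "admin"}]}''}
          handle /.well-known/atproto-did {
            header Content-Type "text/plain"
            respond "did:plc:pvonud4oncr2m6en5f3jqrqk"
          }
          handle {
            redir https://jetpham.com{uri}
          }
        '';
      };

      "git.extremist.software" = limitedProxy "git_per_ip" 1200 "localhost:3000";

      # Mail web frontend.  Shares the NixOS-managed cert with the apex so
      # the same certificate can be handed to the mail server itself.
      "mail.extremist.software" = {
        useACMEHost = "extremist.software";
        extraConfig = ''
          ${acmeChallengeHandler}
          ${perIpRateLimit "mail_per_ip" 600}
          handle {
            reverse_proxy localhost:8080
          }
        '';
      };

      "search.extremist.software" = limitedProxy "search_per_ip" 600 "localhost:8082";

      # Grafana
      "status.extremist.software" = limitedProxy "grafana_per_ip" 1200 "localhost:3001";

      "uptime.extremist.software" = limitedProxy "uptime_per_ip" 600 "localhost:4001";

      "ntfy.extremist.software" = limitedProxy "ntfy_per_ip" 1200 "localhost:2586";

      # Matrix homeserver.  Only the Matrix API prefixes are proxied;
      # Synapse's admin API and anything outside these paths is not exposed.
      "matrix.extremist.software" = {
        extraConfig = ''
          ${perIpRateLimit "matrix_per_ip" 2400}
          reverse_proxy /_matrix/* 127.0.0.1:8008
          reverse_proxy /_synapse/client/* 127.0.0.1:8008
          reverse_proxy /.well-known/matrix/* 127.0.0.1:8008
        '';
      };
    };
  };

  # Configure ACME to fetch Let's Encrypt certificates so they can be shared
  # with other services like Stalwart.  HTTP-01 via the webroot that the
  # apex and mail vhosts serve above.
  security.acme = {
    acceptTerms = true;
    defaults.email = acmeEmail;
    defaults.server = "https://acme-v02.api.letsencrypt.org/directory";
    certs."extremist.software" = {
      webroot = acmeWebroot;
      extraDomainNames = [ "mail.extremist.software" ];
      # Group-own the cert directory so consumers other than the acme user
      # can read it; note this includes the private key.
      group = "acme";
    };
  };

  # Ensure Caddy can read the certs too now that they are in the acme group.
  # This grants the caddy user read access to the shared private key.
  users.users.caddy.extraGroups = [ "acme" ];
}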