jet/extremist-software
jet/extremist-software
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
extremist-software/modules/caddy.nix
Jet 802de6967f
fix: caddy override
2026-03-25 22:50:37 -07:00

164 lines
4.4 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
{
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
plugins = [ "github.com/mholt/caddy-ratelimit@v0.1.0" ];
hash = "sha256-Ko4kJJiBUGX/2x6O+Q0f7hrf6r7YkVCQPRV04Adgedw=";
};
email = "postmaster@extremist.software";
globalConfig = ''
order rate_limit before basicauth
'';
virtualHosts = {
"extremist.software" = {
useACMEHost = "extremist.software";
extraConfig = ''
handle /.well-known/acme-challenge/* {
root * /var/lib/acme/acme-challenge
file_server
}
handle /.well-known/matrix/server {
header Access-Control-Allow-Origin "*"
header Content-Type "application/json"
respond `{"m.server": "matrix.extremist.software:443"}`
}
handle /.well-known/matrix/client {
header Access-Control-Allow-Origin "*"
header Content-Type "application/json"
respond `{"m.homeserver": {"base_url": "https://matrix.extremist.software"}}`
}
handle /.well-known/matrix/support {
header Access-Control-Allow-Origin "*"
header Content-Type "application/json"
respond `{"admins": [{"matrix_id": "@jet:extremist.software","role": "admin"}]}`
}
handle /.well-known/atproto-did {
header Content-Type "text/plain"
respond "did:plc:pvonud4oncr2m6en5f3jqrqk"
}
handle {
redir https://jetpham.com{uri}
}
'';
};
"git.extremist.software" = {
extraConfig = ''
rate_limit {
zone git_per_ip {
key {remote.ip}
events 1200
window 1m
}
}
reverse_proxy localhost:3000
'';
};
"mail.extremist.software" = {
useACMEHost = "extremist.software";
extraConfig = ''
handle /.well-known/acme-challenge/* {
root * /var/lib/acme/acme-challenge
file_server
}
rate_limit {
zone mail_per_ip {
key {remote.ip}
events 600
window 1m
}
}
handle {
reverse_proxy localhost:8080
}
'';
};
"search.extremist.software" = {
extraConfig = ''
rate_limit {
zone search_per_ip {
key {remote.ip}
events 600
window 1m
}
}
reverse_proxy localhost:8082
'';
};
"status.extremist.software" = {
extraConfig = ''
rate_limit {
zone grafana_per_ip {
key {remote.ip}
events 1200
window 1m
}
}
reverse_proxy localhost:3001 # Grafana
'';
};
"uptime.extremist.software" = {
extraConfig = ''
rate_limit {
zone uptime_per_ip {
key {remote.ip}
events 600
window 1m
}
}
reverse_proxy localhost:4001
'';
};
"ntfy.extremist.software" = {
extraConfig = ''
rate_limit {
zone ntfy_per_ip {
key {remote.ip}
events 1200
window 1m
}
}
reverse_proxy localhost:2586
'';
};
"matrix.extremist.software" = {
extraConfig = ''
rate_limit {
zone matrix_per_ip {
key {remote.ip}
events 2400
window 1m
}
}
reverse_proxy /_matrix/* 127.0.0.1:8008
reverse_proxy /_synapse/client/* 127.0.0.1:8008
reverse_proxy /.well-known/matrix/* 127.0.0.1:8008
'';
};
};
};
# Configure ACME to fetch Let's Encrypt certificates so they can be shared with other services like Stalwart
security.acme = {
acceptTerms = true;
defaults.email = "postmaster@extremist.software";
defaults.server = "https://acme-v02.api.letsencrypt.org/directory";
certs."extremist.software" = {
webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = [ "mail.extremist.software" ];
group = "acme";
};
};
# Ensure Caddy can read the certs too now that they are in the acme group
users.users.caddy.extraGroups = [ "acme" ];
}
Reference in a new issue View git blame Copy permalink