extremist-software/modules/caddy.nix

{ config, pkgs, ... }:

{
  services.caddy = {
    enable = true;
    email = "postmaster@extremist.software";
    virtualHosts = {
      "extremist.software" = {
        useACMEHost = "extremist.software";
        extraConfig = ''
          handle /.well-known/acme-challenge/* {
            root * /var/lib/acme/acme-challenge
            file_server
          }
          handle /.well-known/matrix/server {
            header Access-Control-Allow-Origin "*"
            header Content-Type "application/json"
            respond `{"m.server": "matrix.extremist.software:443"}`
          }
          handle /.well-known/matrix/client {
            header Access-Control-Allow-Origin "*"
            header Content-Type "application/json"
            respond `{"m.homeserver": {"base_url": "https://matrix.extremist.software"}}`
          }
          handle /.well-known/matrix/support {
            header Access-Control-Allow-Origin "*"
            header Content-Type "application/json"
            respond `{"admins": [{"matrix_id": "@jet:extremist.software","role": "admin"}]}`
          }
          handle {
            redir https://jetpham.com{uri}
          }
        '';
      };
      
      "git.extremist.software" = {
        extraConfig = ''
          reverse_proxy localhost:3000
        '';
      };

      "mail.extremist.software" = {
        useACMEHost = "extremist.software";
        extraConfig = ''
          handle /.well-known/acme-challenge/* {
            root * /var/lib/acme/acme-challenge
            file_server
          }
          handle {
            reverse_proxy localhost:8080
          }
        '';
      };

      "search.extremist.software" = {
        extraConfig = ''
          reverse_proxy localhost:8082
        '';
      };

      "status.extremist.software" = {
        extraConfig = ''
          reverse_proxy localhost:3001 # Grafana
        '';
      };

      "ntfy.extremist.software" = {
        extraConfig = ''
          reverse_proxy localhost:2586
        '';
      };

      "matrix.extremist.software" = {
        extraConfig = ''
          reverse_proxy /_matrix/* 127.0.0.1:8008
          reverse_proxy /_synapse/client/* 127.0.0.1:8008
          reverse_proxy /.well-known/matrix/* 127.0.0.1:8008
        '';
      };
    };
  };

  # Configure ACME to fetch Let's Encrypt certificates so they can be shared with other services like Stalwart
  security.acme = {
    acceptTerms = true;
    defaults.email = "postmaster@extremist.software";
    defaults.server = "https://acme-v02.api.letsencrypt.org/directory";
    certs."extremist.software" = {
      webroot = "/var/lib/acme/acme-challenge";
      extraDomainNames = [ "mail.extremist.software" ];
      group = "acme";
    };
  };

  # Ensure Caddy can read the certs too now that they are in the acme group
  users.users.caddy.extraGroups = [ "acme" ];

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}