convert caddy to nixos builtin

2026-01-14 16:55:00 +01:00 · 2025-08-04 21:18:59 +02:00 · 2025-08-04 21:18:59 +02:00 · 33a7017375
commit 33a7017375
parent 71b4ca1448
18 changed files with 326 additions and 263 deletions
--- a/nix/modules/caddy/base.Caddyfile
+++ b/nix/modules/caddy/base.Caddyfile
@ -1,59 +0,0 @@
-{
-	email noratrieb@proton.me
-	auto_https disable_redirects
-
-	storage s3 {
-		host "localhost:3900"
-		bucket "caddy-store"
-		# access_id ENV S3_ACCESS_ID
-		# secret_key ENV S3_SECRET_KEY
-
-		insecure true
-	}
-
-	servers {
-		metrics
-	}
-
-	log default {
-		output stdout
-		format json
-	}
-}
-
-# https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3
-(cors) {
-	@cors_preflight{args[0]} method OPTIONS
-	@cors{args[0]} header Origin {args[0]}
-
-	handle @cors_preflight{args[0]} {
-		header {
-			Access-Control-Allow-Origin "{args[0]}"
-			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-			Access-Control-Allow-Credentials "false"
-			Access-Control-Allow-Headers "${args[1]}"
-			Access-Control-Max-Age "86400"
-			defer
-		}
-		respond "" 204
-	}
-
-	handle @cors{args[0]} {
-		header {
-			Access-Control-Allow-Origin "{args[0]}"
-			Access-Control-Expose-Headers *
-			defer
-		}
-	}
-}
-
-http:// {
-	log
-	respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
-}
-
-# HTTP
-:9010 {
-	log
-	metrics /metrics
-}
--- a/nix/modules/caddy/default.nix
+++ b/nix/modules/caddy/default.nix
@ -1,4 +1,4 @@
-{ pkgs, config, lib, name, my-projects-versions, ... }:
+{ pkgs, config, lib, name, ... }:

 let
  caddy = pkgs.callPackage ./caddy-build.nix {
@ -11,15 +11,6 @@ let
    ];
    vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI=";
  };
-  website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
-  blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
-  slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
-  website-build = website { inherit pkgs slides blog; };
-  hugo-chat-client = fetchTarball {
-    url =
-      "https://github.com/C0RR1T/HugoChat/releases/download/2024-08-05/hugo-client.tar.xz";
-    sha256 = "sha256:121ai8q6bm7gp0pl1ajfk0k2nrfg05zid61i20z0j5gpb2qyhsib";
-  };
 in
 {
  environment.systemPackages = [ caddy ];
@ -43,79 +34,56 @@ in
  services.caddy = {
    enable = true;
    package = caddy;
-    configFile = pkgs.writeTextFile {
-      name = "Caddyfile";
-      text = (
-        builtins.readFile ./base.Caddyfile +
-        ''
-          ${config.networking.hostName}.infra.noratrieb.dev {
-              log
-              encode zstd gzip
-              header -Last-Modified
-              root * ${import ./caddy-static-prepare {
-                name = "debugging-page";
-                src = ./debugging-page;
-                inherit pkgs lib;
-              }}
-              file_server {
-                  etag_file_extensions .sha256
-                  precompressed zstd gzip br
-              }
+    logFormat = ''
+      output stdout
+      format json
+    '';
+    globalConfig = ''
+      email noratrieb@proton.me
+      auto_https disable_redirects
+
+      storage s3 {
+        host "localhost:3900"
+        bucket "caddy-store"
+        # access_id ENV S3_ACCESS_ID
+        # secret_key ENV S3_SECRET_KEY
+
+        insecure true
+      }
+
+      servers {
+        metrics
+      }
+    '';
+    virtualHosts = {
+      "http://" = {
+        logFormat = "";
+        extraConfig = ''
+          respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
+        '';
+      };
+      ":9010" = {
+        logFormat = "output discard";
+        extraConfig = ''
+          metrics /metrics
+        '';
+      };
+      "${name}.infra.noratrieb.dev" = {
+        logFormat = "";
+        extraConfig = ''
+          encode zstd gzip
+          header -Last-Modified
+          root * ${import ./caddy-static-prepare {
+            name = "debugging-page";
+            src = ./debugging-page;
+            inherit pkgs lib;
+          }}
+          file_server {
+            etag_file_extensions .sha256
+            precompressed zstd gzip br
          }
-
-          ${
-            if name == "vps1" || name == "vps3" || name == "vps4" then ''
-            noratrieb.dev {
-                log
-                encode zstd gzip
-                header -Last-Modified
-                root * ${import ./caddy-static-prepare {
-                  name = "website";
-                  src = website-build;
-                  inherit pkgs lib;
-                }}
-                file_server {
-                    etag_file_extensions .sha256
-                    precompressed zstd gzip br
-                }
-            }
-
-            files.noratrieb.dev {
-              log
-              encode zstd gzip
-
-              reverse_proxy * localhost:3902
-            }
-            '' else ""
-          }
-
-          ${if name == "vps1" then ''
-            hugo-chat.noratrieb.dev {
-              log
-              encode zstd gzip
-              root * ${import ./caddy-static-prepare {
-                name = "hugo-chat-client";
-                src = hugo-chat-client;
-                inherit pkgs lib;
-              }}
-              try_files {path} /index.html
-              file_server {
-                etag_file_extensions .sha256
-                precompressed zstd gzip br
-              }
-            }
-          '' else ""}
-
-          ${
-            if name == "vps1" || name == "vps3" || name == "vps4" then
-            builtins.readFile ./${name}.Caddyfile else ""
-          }
-        ''
-      );
-      checkPhase = ''
-        ${lib.getExe caddy} --version
-        ${lib.getExe caddy} validate --adapter=caddyfile --config=$out
-      '';
+        '';
+      };
    };
  };
 }
--- a/nix/modules/caddy/vps1.Caddyfile
+++ b/nix/modules/caddy/vps1.Caddyfile
@ -1,111 +0,0 @@
-www.noratrieb.dev {
-	log
-	redir https://noratrieb.dev{uri} permanent
-}
-
-api.hugo-chat.noratrieb.dev {
-	log
-	import cors https://hugo-chat.noratrieb.dev "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
-	encode zstd gzip
-	reverse_proxy * localhost:5001
-}
-
-docker.noratrieb.dev {
-	log
-	reverse_proxy * localhost:5000
-}
-
-git.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5015
-}
-
-olat.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5011
-}
-
-# unsure if necessary... something was misconfigured in the past here...
-olat.noratrieb.dev:8088 {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5011
-}
-
-upload.files.noratrieb.dev {
-	log
-	encode zstd gzip
-	# we need HTTP/2 here because the server doesn't work with HTTP/1.1
-	# because it will send early 401 responses during the upload without consuming the body
-	reverse_proxy * h2c://localhost:3050
-}
-
-################################################################
-# retired
-
-bisect-rustc.noratrieb.dev {
-	log
-	redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service
-}
-
-uptime.noratrieb.dev {
-	log
-	redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime
-}
-
-blog.noratrieb.dev {
-	log
-	redir https://noratrieb.dev/blog{uri} permanent
-}
-
-nilstrieb.dev {
-	log
-	redir https://noratrieb.dev{uri} permanent
-}
-
-www.nilstrieb.dev {
-	log
-	redir https://noratrieb.dev{uri} permanent
-}
-
-blog.nilstrieb.dev {
-	log
-	redir https://noratrieb.dev/blog{uri} permanent
-}
-
-bisect-rustc.nilstrieb.dev {
-	log
-	redir https://bisect-rustc.noratrieb.dev/blog{uri} permanent
-}
-
-docker.nilstrieb.dev {
-	log
-	redir https://docker.noratrieb.dev{uri} permanent
-}
-
-hugo-chat.nilstrieb.dev {
-	log
-	redir https://hugo-chat.noratrieb.dev{uri} permanent
-}
-
-api.hugo-chat.nilstrieb.dev {
-	log
-	redir https://api.hugo-chat.noratrieb.dev{uri} permanent
-}
-
-uptime.nilstrieb.dev {
-	log
-	redir https://uptime.noratrieb.dev{uri} permanent
-}
-
-olat.nilstrieb.dev {
-	log
-	redir https://olat.noratrieb.dev{uri} permanent
-}
-
-olat.nilstrieb.dev:8088 {
-	log
-	redir https://olat.noratrieb.dev{uri} permanent
-}
--- a/nix/modules/caddy/vps3.Caddyfile
+++ b/nix/modules/caddy/vps3.Caddyfile
@ -1,5 +0,0 @@
-grafana.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:3000
-}
--- a/nix/modules/caddy/vps4.Caddyfile
+++ b/nix/modules/caddy/vps4.Caddyfile
@ -1,5 +0,0 @@
-does-it-build.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:3000
-}
--- a/nix/modules/prometheus/default.nix
+++ b/nix/modules/prometheus/default.nix
@ -94,6 +94,14 @@
    };
  };

+  services.caddy.virtualHosts."grafana.noratrieb.dev" = {
+    logFormat = "";
+    extraConfig = ''
+      encode zstd gzip
+      reverse_proxy * localhost:3000
+    '';
+  };
+
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    config.services.loki.configuration.server.http_listen_port
    4040 # pyroscope
--- a/nix/modules/registry/default.nix
+++ b/nix/modules/registry/default.nix
@ -60,4 +60,11 @@
      };
    };
  };
+
+  services.caddy.virtualHosts."docker.noratrieb.dev" = {
+    logFormat = "";
+    extraConfig = ''
+      reverse_proxy * localhost:5000
+    '';
+  };
 }