nix-stuff/roles/server/caddy.nix


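{
  config,
  lib,
  pkgs,
  ...
}: let
  # Both vhosts resolve (via the headscale extra_records below) to this
  # address, and the shared `tailscale` snippet binds caddy to it, so the
  # value lives in exactly one place.
  tailscaleIp = "100.100.0.1";
  manualHostname = "manual.everest.tailscale";
  downloadsHostname = "dl.everest.tailscale";

  # Shared vhost body for the downloads share. `browse` enables directory
  # listings, so everything under /srv/dl/ is visible to any tailnet peer.
  downloadsConfig = ''
    import tailscale
    file_server browse
    root * /srv/dl/
  '';

  # Upper bound (seconds) the pre-start hook waits for tailscale0.
  waitSeconds = 300;

  # Pre-start hook: block until tailscale0 carries an IPv4 address, or exit
  # non-zero with a clear journal message. Previously the loop timed out
  # silently (exit 0) and caddy then crashed on bind; the progress message
  # also said "/240" while the loop ran 300 iterations.
  script = pkgs.writeShellApplication {
    name = "wait-for-tailscale-ip";
    runtimeInputs = [pkgs.iproute2];
    text = ''
      # Based on https://github.com/tailscale/tailscale/issues/11504#issuecomment-2113331262
      timeout=${toString waitSeconds}
      echo "Waiting for tailscale0 to get an IP address.."
      for ((i = 1; i <= timeout; i++)); do
        if ip addr show dev tailscale0 | grep -q 'inet '; then
          exit 0
        fi
        echo "Waiting $i/$timeout seconds"
        sleep 1
      done
      echo "tailscale0 did not get an IP address within $timeout seconds" >&2
      exit 1
    '';
  };
in {
  services.caddy = {
    enable = true;

    # Certificates for the *.tailscale vhosts are issued by caddy's own
    # local CA (used via `tls internal` below); clients must trust this CA.
    globalConfig = ''
      pki {
        ca local {
          name "Caddy (Everest) local CA"
        }
      }
    '';

    # Snippet imported by every vhost: local-CA TLS, and listen only on the
    # tailscale address instead of on all interfaces.
    extraConfig = ''
      (tailscale) {
        tls internal
        # Old tailscale IP
        # bind 100.73.96.48
        bind ${tailscaleIp}
      }
    '';

    virtualHosts = {
      nixos-manual = {
        hostName = manualHostname;
        extraConfig = let
          manual = pkgs.compressDrvWeb config.system.build.manual.manualHTML {};
        in ''
          import tailscale
          file_server {
            precompressed zstd br gzip
          }
          root * ${manual}/share/doc/nixos
        '';
      };
      downloads = {
        hostName = downloadsHostname;
        extraConfig = downloadsConfig;
      };
      # Same share over plain HTTP — presumably for clients that do not trust
      # the local CA (TODO confirm). The snippet still binds the tailscale
      # address, so this listener is only reachable through the tunnel.
      downloads-http = {
        hostName = "http://${downloadsHostname}";
        extraConfig = downloadsConfig;
      };
    };
  };

  # DNS records handed to tailnet peers so both vhost names resolve to the
  # same address caddy binds above.
  services.headscale.settings.dns.extra_records =
    builtins.map (recordName: {
      name = recordName;
      type = "A";
      value = tailscaleIp;
    }) [
      manualHostname
      downloadsHostname
    ];

  systemd = {
    services.caddy.after = ["tailscaled.service"];
    # We have somewhat frequent power outages, and our ISP router takes
    # ages to boot up. If I don't add a delay, caddy tries to bind to
    # the tailscale interface before it's ready, making it crash too much
    # in too little time
    services.caddy.serviceConfig.RestartSec = lib.mkForce "120s";
    services.caddy.unitConfig.StartLimitBurst = lib.mkForce "infinity";
    # Runs before caddy's main process; a non-zero exit fails the start and
    # so goes through the restart policy above instead of a crash on bind.
    services.caddy.preStart = "${script}/bin/wait-for-tailscale-ip";
  };

  programs.rust-motd.settings.service_status.Caddy = "caddy";

  # NOTE(review): this opens 80/443 on every interface, while caddy only
  # binds the tailscale address. `networking.firewall.interfaces.tailscale0.allowedTCPPorts`
  # would scope the rule to the tunnel; left global here in case another
  # role on this host relies on it — confirm before tightening.
  networking.firewall.allowedTCPPorts = [443 80];
}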