nix-stuff/roles/server/caddy.nix


# NixOS module fragment: enables Caddy and uses it to serve the locally built
# NixOS manual (static HTML) under the name in `manualHostname`. The site
# listens on a single fixed address and uses a certificate issued by Caddy's
# own internal CA rather than a public ACME CA.
{
config,
lib,
...
}: let
# Hostname used both as the Caddy site address and as the dnsmasq CNAME below.
manualHostname = "manual.everest.tailscale";
in {
services.caddy = {
enable = true;
# Global Caddyfile options: only the display name of the built-in `local`
# CA is changed. Clients have to trust that CA's root certificate before the
# site validates without warnings. Anyone able to read the CA's private key
# can mint certificates those clients will accept, so access to Caddy's
# state directory should stay restricted to the caddy service.
globalConfig = ''
pki {
ca local {
name "Caddy (Everest) local CA"
}
}
'';
# Reusable Caddyfile snippet named `tailscale`:
#   tls internal -> certificate comes from the internal CA above
#   bind <addr>  -> listen on this one address instead of every interface
# The address is hard-coded (it lies in 100.64.0.0/10; presumably this host's
# Tailscale IP, confirm). If the host's address ever changes Caddy will fail
# to bind. A virtual host that does not `import tailscale` gets Caddy's
# default of listening on all interfaces, so every site added here should
# import the snippet if it is meant to stay tailnet-only.
extraConfig = ''
(tailscale) {
tls internal
bind 100.73.96.48
}
'';
# Static site for the NixOS manual. `file_server` is used without `browse`,
# so only files are served; the root is the manual's build output path.
virtualHosts.nixos-manual = {
hostName = manualHostname;
extraConfig = ''
import tailscale
file_server
root * ${config.system.build.manual.manualHTML}/share/doc/nixos
'';
};
};
# dnsmasq CNAME entry in "<alias>,<target>" form: the manual hostname is an
# alias for `everest`. NOTE(review): dnsmasq only answers a CNAME when it
# already knows the target name itself; confirm `everest` is defined there.
services.dnsmasq.settings.cname = ["${manualHostname},everest"];
systemd = {
# Intended to make caddy.service require tailscaled.
# NOTE(review): `systemd.units` entries are normally keyed by the full unit
# name (with the ".service" suffix); confirm this key produces the intended
# dependency. A requirement alone also adds no start ordering, and a running
# tailscaled does not guarantee the bind address is already assigned, which
# is what the restart delay below compensates for.
units.tailscaled.requiredBy = ["caddy.service"];
# We have somewhat frequent power outages, and our ISP router takes
# ages to boot up. If I don't add a delay, caddy tries to bind to
# the tailscale interface before it's ready, making it crash too much
# in too little time
# mkForce overrides whatever RestartSec another module sets for caddy.
services.caddy.serviceConfig.RestartSec = lib.mkForce "120s";
};
# Adds a "Caddy" entry for the caddy unit to rust-motd's service status list.
programs.rust-motd.settings.service_status.Caddy = "caddy";
}