nix-stuff/roles/server/caddy.nix

{
  config,
  lib,
  ...
}: let
  # Tailnet-only names; both are mapped to "everest" by the dnsmasq CNAMEs below.
  manualHost = "manual.everest.tailscale";
  downloadsHost = "dl.everest.tailscale";

  # Caddyfile body shared by both download vhosts: serves /srv/dl/ with a
  # directory listing, and pulls in the (tailscale) snippet defined below.
  downloadsSite = ''
    import tailscale
    file_server browse
    root * /srv/dl/
  '';

  # The two download vhosts differ only in their hostName.
  mkDownloadsHost = hostName: {
    inherit hostName;
    extraConfig = downloadsSite;
  };
in {
  services = {
    caddy = {
      enable = true;

      # Name the local CA that backs `tls internal` in the snippet below.
      globalConfig = ''
        pki {
        ca local {
        name "Caddy (Everest) local CA"
        }
        }
      '';

      # Reusable snippet: a vhost importing it gets a certificate from the
      # local CA and listens on the tailscale address only.
      extraConfig = ''
        (tailscale) {
        tls internal
        # Old tailscale IP
        # bind 100.73.96.48
        bind 100.100.0.1
        }
      '';

      virtualHosts = {
        # The NixOS manual built for the running system's configuration.
        nixos-manual = {
          hostName = manualHost;
          extraConfig = ''
            import tailscale
            file_server
            root * ${config.system.build.manual.manualHTML}/share/doc/nixos
          '';
        };

        downloads = mkDownloadsHost downloadsHost;

        # Explicit http:// site key, so the same listing is also reachable
        # without TLS.
        # NOTE(review): this serves /srv/dl/ (with browsing) in plaintext on
        # the tailscale address — confirm that is intended.
        downloads-http = mkDownloadsHost "http://${downloadsHost}";
      };
    };

    # Resolve both vhost names to this machine for clients using dnsmasq.
    dnsmasq.settings.cname = [
      "${manualHost},everest"
      "${downloadsHost},everest"
    ];
  };

  systemd.services.caddy = {
    after = ["tailscaled.service"];
    # We have somewhat frequent power outages, and our ISP router takes
    # ages to boot up. If I don't add a delay, caddy tries to bind to
    # the tailscale interface before it's ready, making it crash too much
    # in too little time
    serviceConfig.RestartSec = lib.mkForce "120s";
  };

  programs.rust-motd.settings.service_status.Caddy = "caddy";

  # NOTE(review): these ports are opened on every interface, while Caddy
  # itself only binds 100.100.0.1 — the interface-scoped
  # networking.firewall.interfaces.<name>.allowedTCPPorts would be narrower.
  networking.firewall.allowedTCPPorts = [443 80];
}