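# Caddy reverse-proxy front end plus ACME defaults.
#
# Every virtual host below is terminated by Caddy and either answered
# directly (static files, well-known documents) or forwarded to a backend.
# Hostnames, ports and addresses all come from `config.constants`, which is
# defined outside this file.
#
# Each Caddyfile snippet is written with one directive per line: the Caddyfile
# parser treats a line as a single directive plus its arguments, so the line
# breaks inside the '' strings are significant.
{ config, pkgs, ... }:
{
  services.caddy = {
    enable = true;
    # Contact address used by Caddy's built-in ACME client.
    email = config.constants.postMaster;

    virtualHosts =
      let
        dn = config.constants.domain;

        # Backend on the host named `nebula` (presumably a peer on an overlay
        # network; confirm). No scheme is given, so Caddy speaks plain HTTP to
        # it: confidentiality of that hop depends on the network in between.
        homeSrv = s: "nebula:${portStr.${s}}";

        # Backend on the address in `config.constants.localhost`.
        localSrv = s: "${config.constants.localhost}:${portStr.${s}}";

        msfqdn = config.mailserver.fqdn;
        mtfqdn = "matrix.${dn}";

        # Port table with every value rendered as a string for interpolation.
        portStr = builtins.mapAttrs (n: v: toString v) config.constants.port;

        # Path under /.well-known/.
        wn = s: "/.well-known/${s}";
      in
      {
        # Apex domain: serves only the Matrix discovery documents.
        # The wildcard CORS header is scoped to the /.well-known/matrix/*
        # paths, which carry public discovery data only.
        # NOTE(review): m.identity_server points at the homeserver host;
        # confirm an identity service is actually reachable there.
        "${dn}".extraConfig =
          let
            wnm = wn "matrix";
          in
          ''
            header ${wnm}/* Content-Type application/json
            header ${wnm}/* Access-Control-Allow-Origin *
            respond ${wnm}/server `{ "m.server": "${mtfqdn}:${portStr.https}" }`
            respond ${wnm}/client `{ "m.homeserver": { "base_url": "https://${mtfqdn}" }, "m.identity_server": { "base_url": "https://${mtfqdn}" } }`
          '';

        # AriaNg static UI, with /jsonrpc forwarded to the aria2 daemon.
        # No authentication or source restriction is applied at the proxy in
        # this file, so access control for the RPC endpoint rests on aria2
        # itself. NOTE(review): confirm an RPC secret is configured there.
        "aria2.${dn}".extraConfig = ''
          reverse_proxy /jsonrpc ${homeSrv "aria2"}
          file_server {
            root ${pkgs.ariang}/share/ariang
          }
        '';

        "forgejo.${dn}".extraConfig = ''
          reverse_proxy ${homeSrv "forgejo"}
        '';

        "headscale.${dn}".extraConfig = ''
          reverse_proxy ${localSrv "headscale"}
        '';

        "jellyfin.${dn}".extraConfig = ''
          reverse_proxy ${homeSrv "jellyfin"}
        '';

        "jellyseerr.${dn}".extraConfig = ''
          reverse_proxy ${homeSrv "jellyseerr"}
        '';

        # Mail server FQDN: Caddy only serves the HTTP-01 challenge files that
        # the security.acme client writes into the shared webroot, and uses
        # the certificate issued for `msfqdn` instead of obtaining its own.
        # NOTE(review): the account Caddy runs as must be able to read that
        # certificate; confirm this is arranged elsewhere.
        ${msfqdn} = {
          extraConfig = ''
            file_server ${wn "acme-challenge"}/* {
              root ${config.security.acme.defaults.webroot}/
            }
          '';
          useACMEHost = msfqdn;
        };

        # Matrix: API paths go to the homeserver, everything else is the
        # Cinny web client served as static files.
        "matrix.${dn}".extraConfig = ''
          reverse_proxy /_matrix/* ${homeSrv "conduit"}
          file_server {
            root ${pkgs.cinny}
          }
        '';

        # X-Real-IP is set to the address of the peer connected to Caddy.
        # That is the real client only while Caddy is the outermost proxy;
        # behind another proxy or CDN it would be that hop's address.
        "vault.${dn}".extraConfig = ''
          reverse_proxy ${localSrv "vault"} {
            header_up X-Real-IP {remote_host}
          }
        '';

        "writefreely.${dn}".extraConfig = ''
          reverse_proxy ${homeSrv "writefreely"}
        '';
      };
  };

  # Defaults for certificates managed by the NixOS ACME module. The webroot
  # is the directory the mail-host vhost above serves challenge files from.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = config.constants.postMaster;
      webroot = "/var/lib/acme/acme-challenge";
    };
  };
}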