{ config, pkgs, ... }:
let
  # Site-wide constants this host is built from. Pulled in explicitly rather
  # than via `with` so every free name below has an obvious origin.
  inherit (config.constants) domain localhost port postMaster;

  # Service ports rendered as strings, ready to interpolate into Caddy directives.
  portText = builtins.mapAttrs (_: p: toString p) port;

  # Upstream reached over the "nebula" overlay, keyed by service name.
  overlayUpstream = svc: "nebula:${portText.${svc}}";

  # Upstream bound on this machine, keyed by service name.
  loopbackUpstream = svc: "${localhost}:${portText.${svc}}";

  wellKnown = path: "/.well-known/${path}";
  matrixHost = "matrix.${domain}";

  # A vhost that does nothing except forward every request to one upstream.
  proxyOnly = upstream: {
    extraConfig = ''
      reverse_proxy ${upstream}
    '';
  };

  # vhosts whose certificate is issued by the NixOS ACME module (useACMEHost)
  # instead of by Caddy's built-in ACME client. Caddy's only job for them is
  # to expose the HTTP-01 challenge directory from the shared webroot.
  challengeOnlyHosts = fqdns: builtins.listToAttrs (map (fqdn: {
    name = fqdn;
    value = {
      useACMEHost = fqdn;
      extraConfig = ''
        file_server ${wellKnown "acme-challenge"}/* {
          root ${config.security.acme.defaults.webroot}/
        }
      '';
    };
  }) fqdns);

  # Apex domain: serves only the Matrix server/client discovery documents.
  # The wildcard CORS header is what browser-based Matrix clients need in
  # order to read /.well-known/matrix/client cross-origin.
  apexHost =
    let
      wkMatrix = wellKnown "matrix";
    in
    {
      extraConfig = ''
        header ${wkMatrix}/* Content-Type application/json
        header ${wkMatrix}/* Access-Control-Allow-Origin *
        respond ${wkMatrix}/server `{ "m.server": "${matrixHost}:${portText.https}" }`
        respond ${wkMatrix}/client `{ "m.homeserver": { "base_url": "https://${matrixHost}" }, "m.identity_server": { "base_url": "https://${matrixHost}" } }`
      '';
    };
in
{
  services.caddy = {
    enable = true;
    email = postMaster;

    # Explicitly listed vhosts first, then the ACME-challenge-only hosts;
    # `//` lets the right-hand side win should a name ever collide.
    virtualHosts = {
      "${domain}" = apexHost;

      # AriaNg static UI plus the aria2 JSON-RPC endpoint behind it.
      "aria2.${domain}".extraConfig = ''
        reverse_proxy /jsonrpc ${overlayUpstream "aria2"}
        file_server {
          root ${pkgs.ariang}/share/ariang
        }
      '';

      "forgejo.${domain}" = proxyOnly (overlayUpstream "forgejo");
      "headscale.${domain}" = proxyOnly (loopbackUpstream "headscale");
      "jellyfin.${domain}" = proxyOnly (overlayUpstream "jellyfin");
      "jellyseerr.${domain}" = proxyOnly (overlayUpstream "jellyseerr");

      # Element web client as static files; only /_matrix/* reaches the homeserver.
      "matrix.${domain}".extraConfig = ''
        reverse_proxy /_matrix/* ${overlayUpstream "conduit"}
        file_server {
          root ${pkgs.element-web}
        }
      '';

      # Vault receives the real client address via X-Real-IP; presumably so
      # that its audit log / request limits see the client rather than Caddy.
      "vault.${domain}".extraConfig = ''
        reverse_proxy ${loopbackUpstream "vault"} {
          header_up X-Real-IP {remote_host}
        }
      '';
    } // challengeOnlyHosts [ config.mailserver.fqdn ];
  };

  # Shared ACME settings for certificates not managed by Caddy itself; the
  # webroot is the directory the challenge-only vhosts above serve from.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = postMaster;
      webroot = "/var/lib/acme/acme-challenge";
    };
  };
}