even more backups of things

2025-10-28 16:11:45 -05:00 · 2025-10-28 16:11:45 -05:00 · 630f9b0074
commit 630f9b0074
parent b8d125d448
46 changed files with 1166 additions and 197 deletions
--- a/hosts/lithium/services/caddy.nix
+++ b/hosts/lithium/services/caddy.nix
@ -1,13 +1,22 @@
-{ config, pkgs, ... }:
+{ inputs, config, pkgs, lib, ... }:
+let
+  homelabDomain = inputs.nixos-secrets.homelabDomain;
+  certDir = config.security.acme.certs."${homelabDomain}".directory;
+in
 {
-  sops.secrets.caddy_env = {
-    sopsFile = ../secrets/caddy.env;
-    format = "dotenv";
+  services.nginx.enable = lib.mkForce false;
+
+  sops.secrets.cloudflare_env = {
    mode = "0440";
-    owner = config.services.caddy.user;
+    sopsFile = "${inputs.nixos-secrets}/lithium/cloudflare.env";
+    format = "dotenv";
    group = config.services.caddy.group;
    restartUnits = [ "caddy.service" ];
  };
+
+  # TODO: Revert to using Caddy DNS for the whole thing.
+  # TODO: Add another cloudflare DDNS provider.
+  # TODO: Add Metrics with Prometheus & Grafana
  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
@ -16,26 +25,33 @@
        "github.com/mholt/caddy-dynamicdns@v0.0.0-20250430031602-b846b9e8fb83"
        "github.com/caddy-dns/cloudflare@v0.2.1"
      ];
-
-      # NOTE: Built on 6/4/2025
-      hash = "sha256-swskhAr7yFJX+qy0FR54nqJarTOojwhV2Mbk7+fyS0I=";
+      # NOTE: Built on 9/30/2025
+      hash = "sha256-xuwNkxZop+RnzFtM9DEwah95nPSyx8KgM+Eu4EJ9kqI=";
    };
    # NOTE: Use Staging CA while testing, check `systemctl status caddy`
    # to see if everything is working.
    # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
-
-    # TODO: Add Metrics with Prometheus & Grafana
-    environmentFile = config.sops.secrets.caddy_env.path;
+    
+    environmentFile = config.sops.secrets.cloudflare_env.path;
+    # NOTE: DNS provider settings
+    # https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148
    globalConfig = ''
-      # acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+      #acme_dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
      dynamic_dns {
-        provider cloudflare {env.CLOUDFLARE_API_TOKEN}
+        provider cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
+        check_interval 30m
+        ttl 5m
        domains {
-          ${config.networking.domain} @
+          ${homelabDomain} @
        }
        dynamic_domains
      }
    '';
+    
  };
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall = {
+    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPorts = [ 443 ];
+  };
+
 }