sf

2026-03-16 16:41:46 -05:00
parent 742e1703d8
commit 7538f734f1
19 changed files with 259 additions and 851 deletions
--- a/lib/module/default.nix
+++ b/lib/module/default.nix
@@ -40,18 +40,25 @@ rec {
    let
      cfg = config.${namespace}.${domain}.${name};

-      # Create reverse proxy configuration using mkReverseProxy
-      reverseProxyConfig = lib.${namespace}.mkReverseProxy {
-        inherit name;
-        subdomain = cfg.reverseProxy.subdomain;
-        url = "http://${config.${namespace}.network.ipv4.address}:${toString cfg.port}";
-        middlewares = cfg.reverseProxy.middlewares;
-      };
+      upstreamUrl =
+        if cfg.reverseProxy.upstreamUrl != null then
+          cfg.reverseProxy.upstreamUrl
+        else
+          "http://127.0.0.1:${toString cfg.port}";
+
+      fqdn = "${cfg.reverseProxy.subdomain}.${cfg.reverseProxy.domain}";

      defaultConfig = {
-        ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
-          reverseProxies = [ reverseProxyConfig ];
-        };
+        # Caddy reverse proxy: when reverseProxy.enable = true, contribute this
+        # service's virtual host block to the Caddy config. The TLS wildcard
+        # cert is handled via a (cloudflare_tls) snippet defined in globalConfig.
+        # services.caddy.virtualHosts.${fqdn} = lib.mkIf cfg.reverseProxy.enable {
+        #   extraConfig = ''
+        #     import cloudflare_tls
+        #     reverse_proxy ${upstreamUrl}
+        #     ${cfg.reverseProxy.extraCaddyConfig}
+        #   '';
+        # };

        # Open firewall
        networking.firewall = lib.mkIf cfg.openFirewall {
@@ -222,14 +229,20 @@ rec {
  mkBoolOpt' = mkOpt' types.bool;

  mkReverseProxyOpt = name: {
-    enable = mkBoolOpt false "Enable reverse proxy support";
+    enable = mkBoolOpt false "Enable Caddy reverse proxy for this service";

-    subdomain = mkOpt types.str name "subdomain of the service";
+    subdomain = mkOpt types.str name "Subdomain for the service (default: service name)";

-    middlewares = mkOpt (types.listOf types.str) [
-      "crowdsec"
-      "whitelist-geoblock"
-    ] "List of middlewares to use";
+    domain = mkOpt types.str "mjallen.dev" "Base domain for the reverse proxy";
+
+    # Override the upstream URL if the backend is not on localhost at cfg.port.
+    # Leave empty to use http://127.0.0.1:<port> automatically.
+    upstreamUrl =
+      mkOpt (types.nullOr types.str) null
+        "Override upstream URL (e.g. for services on a different host). Defaults to http://127.0.0.1:<port>.";
+
+    # Extra Caddyfile directives inserted inside the virtual host block.
+    extraCaddyConfig = mkOpt types.lines "" "Extra Caddyfile directives for this virtual host block";
  };

  # Standard enable/disable patterns