reverse proxy

2026-03-17 14:05:50 -05:00
parent 436cc7ccc9
commit cf40c72e7e
4 changed files with 25 additions and 85 deletions
--- a/lib/module/default.nix
+++ b/lib/module/default.nix
@@ -50,15 +50,19 @@ rec {

      defaultConfig = {
        # Caddy reverse proxy: when reverseProxy.enable = true, contribute this
-        # service's virtual host block to the Caddy config. The TLS wildcard
-        # cert is handled via a (cloudflare_tls) snippet defined in globalConfig.
-        # services.caddy.virtualHosts.${fqdn} = lib.mkIf cfg.reverseProxy.enable {
-        #   extraConfig = ''
-        #     import cloudflare_tls
-        #     reverse_proxy ${upstreamUrl}
-        #     ${cfg.reverseProxy.extraCaddyConfig}
-        #   '';
-        # };
+        # service's named-matcher block into the shared wildcard virtual host.
+        # The TLS block stays in the caddy module itself; all services merge
+        # their handle blocks into the same "*.${domain}" extraConfig via the
+        # lines type (which concatenates automatically).
+        services.caddy.virtualHosts."*.${cfg.reverseProxy.domain}" = lib.mkIf cfg.reverseProxy.enable {
+          extraConfig = ''
+            @${name} host ${fqdn}
+            handle @${name} {
+              reverse_proxy ${upstreamUrl}
+              ${cfg.reverseProxy.extraCaddyConfig}
+            }
+          '';
+        };

        # Open firewall
        networking.firewall = lib.mkIf cfg.openFirewall {
@@ -112,11 +116,19 @@ rec {
        #   # "d ${cfg.configDir}/server-files 0775 ${name} ${name} - -"
        #   # "d ${cfg.configDir}/user-files 0775 ${name} ${name} - -"
        # ];
-      }
-      // moduleConfig;
+      };
    in
    { lib, ... }:
    {
+      imports = [
+        # defaultConfig and moduleConfig are kept as separate inline modules so
+        # the NixOS module system handles all merging (mkIf, mkForce, mkMerge,
+        # etc.) correctly, rather than merging raw attrsets with // or
+        # recursiveUpdate which can silently clobber mkIf wrappers.
+        { config = lib.mkIf cfg.enable defaultConfig; }
+        { config = lib.mkIf cfg.enable moduleConfig; }
+      ];
+
      options.${namespace}.${domain}.${name} = lib.mkOption {
        type = lib.types.submodule {
          options = {
@@ -167,8 +179,6 @@ rec {
        };
        default = { };
      };
-
-      config = lib.mkIf cfg.enable defaultConfig;
    };

  # container