added caddy for paperless

2025-05-27 00:51:36 -05:00
parent 7bf0271b45
commit 373fc522e3
4 changed files with 31 additions and 3 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,6 +3,11 @@
    services.openssh.enable = true;
    services.avahi = { enable = true; nssmdns4 = true; };

+    sops.defaultSopsFile = ./secrets/encrypted_secrets.yaml;
+    sops.defaultSopsFormat = "yaml";
+
+    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
    environment.systemPackages = with pkgs; [
      home-manager
      bash
--- a/nixosModules/caddy.nix
+++ b/nixosModules/caddy.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+{
+  sops.secrets.cloudflare-api-key = {};
+
+  # https://nixos.wiki/wiki/Caddy
+  services.caddy = {
+    enable = true;
+    environmentFile = config.sops.secrets.cloudflare-api-key.path;
+    virtualHosts."paperless.john-stream.com".extraConfig = ''
+      reverse_proxy 192.168.1.110:8000
+      tls {
+        dns cloudflare {env.CF_API_TOKEN}
+      }
+    '';
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
+      hash = "sha256-Gsuo+ripJSgKSYOM9/yl6Kt/6BFCA6BuTDvPdteinAI=";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -1,6 +1,7 @@
 { ... }: {
  imports =
    [
+      ./caddy.nix
      ./services/loki.nix
      ./users.nix
    ];
--- a/secrets/encrypted_secrets.yaml
+++ b/secrets/encrypted_secrets.yaml
@@ -1,4 +1,4 @@
-TUNNEL_TOKEN: ENC[AES256_GCM,data:vrA9MCZqVBOsSIPzVkP/87eoY4CBEiCtSRPKtXqxJrrlGmRrxvOI20m8Mrj8Y8u0apatNGGGy74L4DNAueTyvykCLEqtSrt8OG+a03wdD4m4skqWwyzULWlFYUokf0B29z62gZk3Y0ATTF6+nAczs5drKzn2CMlHpXZCzb6UwX3TGJvZLS3bGmG3EhoqdUsYi3TvA4LdN6MBQwpvW1Ga31gls+U71fHmdOrlszt6EojSv3uibRtKUA==,iv:45SDkBHa7DTohhoTI6QhP8p219EIDBiM6vozxI2uVK0=,tag:y3GGLdG9nQs6vREp6XirEw==,type:str]
+cloudflare-api-key: ENC[AES256_GCM,data:ktlEznpdv7H6+w7vPe+0ylHdNR9ODZe2TMRiKs5RMEmblqMsvZTiCG5J/54cjaGwgwPHdw02pwc=,iv:H4YoS7sqxl9MBmwYb6N7pA/hGm21AyYgBQv64dSQU/o=,tag:93Ah+xReidRHuhvnuMWqdQ==,type:str]
 sops:
    age:
        - recipient: age102mctuw7xvs3fakft0mlfh740kc6rdaqqgmmwf400c4g3spefyjqrfmwct
@@ -10,7 +10,7 @@ sops:
            ZnExa3NseGRrdXcrNTN4YkVSa2d6SDAKlzXHOUKAjNxY/okZJQurTpeaZUjjnyp/
            OrvFMTxuMfK+EIIgj6WTm23ZKV4vmk0q0yboS4eXgDZTEB79tKxgyA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-27T05:10:38Z"
-    mac: ENC[AES256_GCM,data:N53rUCPtj2YnffCEeA83l2wiHzeAtB95WZf7IY0680NtAiVPwd8LwMRPX43GP/bt+WbuesWotXhlX+G640KZ+qrs5ziwzgSVp9d6t6N9xztveJxrFxcz/mzhR5dQiAda3FPRUSZ/umK+xyPcFMmB+AhuhU45sU4f7Hbb/lY9ug0=,iv:40oDpmeeyi4lpwyi/MABl8Tp9QwyitBWYKd3/3BXrfw=,tag:fB8RSJTn4X6rdviWj+o0aw==,type:str]
+    lastmodified: "2025-05-27T05:32:23Z"
+    mac: ENC[AES256_GCM,data:ogFHQuKe2RkkaZRdbkUWaF61+bmyCAoesJuCDCPgKLEoCaLSfnQ/gSI5eNbrKvBGc7UsMjl86iTkLksPVHKOZQi4dCETVxbxh5ASSxTTREgBHKRGx4Vx+3aWjhyU/ympHKiAQ58Q1FnkwaF38ub42BszfqMTnjmODNTL75mz/9k=,iv:Q4514nGzCWJaDn+Lk4w6OOasnIafHHK0WxSAn6B8WLc=,tag:E8vEGwXPk1CfFSUS3xeHBA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2