panoptes-nix/nixosModules/caddy.nix

{ config, pkgs, ... }:
{
  sops.secrets.cloudflare-api-key = {};

  # https://nixos.wiki/wiki/Caddy
  services.caddy = {
    enable = true;
    environmentFile = config.sops.secrets.cloudflare-api-key.path;
    virtualHosts."panoptes.john-stream.com".extraConfig = ''
      reverse_proxy 192.168.1.110:8000
      tls {
        dns cloudflare {env.CF_API_TOKEN}
      }
    '';
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
      hash = "sha256-Gsuo+ripJSgKSYOM9/yl6Kt/6BFCA6BuTDvPdteinAI=";
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # systemd.services.caddy.serviceConfig = {
  #   # EnvironmentFile = "/etc/caddy/cloudflare.env";
  #   AmbientCapabilities = "CAP_NET_BIND_SERVICE";
  # };
}