weilite: alternative domain for immich

2025-02-05 11:51:04 +08:00 · 2025-02-05 11:51:04 +08:00 · a78e9164e9
commit a78e9164e9
parent 6331a915ac
5 changed files with 72 additions and 44 deletions
--- a/machines/weilite/services/caddy.nix
+++ b/machines/weilite/services/caddy.nix
@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+{
+  sops = {
+    secrets = {
+      "caddy/cf_dns_token" = {
+        owner = "caddy";
+        mode = "400";
+      };
+      "caddy/dnspod_dns_token" = {
+        owner = "caddy";
+        mode = "400";
+      };
+    };
+    templates."caddy.env".content = ''
+      CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
+      DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"}
+    '';
+  };
+
+  services.caddy =
+    let
+      acmeCF = "tls {
+        dns cloudflare {env.CF_API_TOKEN}
+      }";
+      acmeDnspod = "tls {
+        dns dnspod {env.DNSPOD_API_TOKEN}
+      }";
+    in
+    {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+          "github.com/caddy-dns/dnspod@v0.0.4"
+        ];
+        hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM=";
+      };
+      virtualHosts."derper00.namely.icu:8443".extraConfig = ''
+        ${acmeDnspod}
+        reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
+      '';
+      # API Token must be added in systemd environment file
+      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
+        ${acmeDnspod}
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
+      virtualHosts."immich.xiny.li:8443".extraConfig = ''
+        ${acmeCF}
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
+    };
+
+  networking.firewall.allowedTCPPorts = [
+    8000
+    8443
+  ];
+
+  systemd.services.caddy = {
+    serviceConfig = {
+      EnvironmentFile = config.sops.templates."caddy.env".path;
+    };
+  };
+}
--- a/machines/weilite/services/default.nix
+++ b/machines/weilite/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
+    ./caddy.nix
    ./ocis.nix
    ./restic.nix
    ./media-download.nix
--- a/machines/weilite/services/restic.nix
+++ b/machines/weilite/services/restic.nix
@ -42,6 +42,9 @@ in
  networking.firewall.allowedTCPPorts = [ 8443 ];

  services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
+    tls {
+      dns dnspod {env.DNSPOD_API_TOKEN}
+    }
    reverse_proxy ${config.services.restic.server.listenAddress}
  '';
 }