nixcfg/modules/caddy/default.nix

{
  pkgs,
  lib,
  ...
}: {
  networking.firewall.allowedTCPPorts = [80 8448 443];

  services.tailscale.permitCertUid = "caddy";

  services.caddy = let
    catppuccin = builtins.fromJSON (builtins.readFile (pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/catppuccin/element/main/config.json";
      hash = "sha256-9y113raGhCKlKAPmi5MXEW64qpPJ9u2oN/kwR5etZo0=";
    }));

    element = pkgs.element-web.override {
      conf =
        {
          default_server_config."m.homeserver" = {
            "base_url" = "https://broccoli.town";
            "server_name" = "broccoli.town";
          };
        }
        // catppuccin;
    };
  in {
    enable = true;
    virtualHosts = {
      "http://metrics.town" = {
        extraConfig = ''
          reverse_proxy http://localhost:3000
        '';
      };

      "matrix.broccoli.town" = {
        extraConfig = ''
          reverse_proxy /_matrix/* http://localhost:8008
          reverse_proxy /_synapse/client/* http://localhost:8008
        '';
      };

      "broccoli.town:8448" = {
        extraConfig = ''
          reverse_proxy http://localhost:8008
        '';
      };

      "broccoli.town" = {
        extraConfig = ''
          header /.well-known/* "Access-Control-Allow-Origin" "*"
          respond /.well-known/matrix/client "{\"m.homeserver\": {\"base_url\": \"https://broccoli.town\"}}"

          reverse_proxy /_matrix/* http://localhost:8008
          reverse_proxy /_synapse/client/* http://localhost:8008

          redir / https://chat.broccoli.town
        '';
      };

      "chat.broccoli.town" = {
        extraConfig = ''
          header {
            X-Frame-Options "SAMEORIGIN"
            X-XSS-Protection "1; mode=block"
            X-Content-Type-Options "nosniff"
            X-Robots-Tag "noindex, noarchive, nofollow"
          }
          root * ${element}
          file_server
        '';
      };

      "danielpatterson.dev" = {
        extraConfig = ''
          header {
            proof proven.lol/de4a14
          }
          root * /srv/site/danielpatterson.dev
          encode zstd gzip
          file_server
        '';
      };

      "movies.danielpatterson.dev" = {
        extraConfig = ''
          reverse_proxy localhost:8096
        '';
      };

      "elixir.danielpatterson.dev" = {
        extraConfig = ''
          reverse_proxy localhost:8080
        '';
      };

      "git.broccoli.town" = {
        extraConfig = ''
          reverse_proxy localhost:3030
        '';
      };

      "http://bigding:8384" = {
        extraConfig = ''
          reverse_proxy localhost:8387
        '';
      };

      "bigding.squirrel-clownfish.ts.net" = {
        extraConfig = ''
          tls {
            get_certificate tailscale
          }
          reverse_proxy localhost:9091
        '';
      };

      "http://bigding" = {
        extraConfig = ''
          reverse_proxy /transmission localhost:9091
          reverse_proxy /transmission/* localhost:9091
        '';
      };
    };
  };
}