From 7999ff7e26022e2bf20d23e623acea72dc674cb5 Mon Sep 17 00:00:00 2001
From: Mr Hedgehog
Date: Wed, 29 Jun 2022 16:03:48 -0400
Subject: [PATCH] caddy: enable tailscale https
---
 hosts/marvin/configuration.nix | 1 +
 hosts/marvin/services/caddy.nix | 66 ++++++++++++++++-------------
 hosts/marvin/services/tailscale.nix | 1 +
 3 files changed, 39 insertions(+), 29 deletions(-)
diff --git a/hosts/marvin/configuration.nix b/hosts/marvin/configuration.nix
index 319f68f..3b2dcf5 100644
--- a/hosts/marvin/configuration.nix
+++ b/hosts/marvin/configuration.nix
@@ -23,6 +23,7 @@
 # Running Services
 ./services/adguardhome.nix
 ./services/avahi.nix
+ ./services/caddy.nix
 ./services/cf-dyndns.nix
 ./services/cloudflared.nix
 ./services/hydra.nix
diff --git a/hosts/marvin/services/caddy.nix b/hosts/marvin/services/caddy.nix
index f179086..2725785 100644
--- a/hosts/marvin/services/caddy.nix
+++ b/hosts/marvin/services/caddy.nix
@@ -7,36 +7,44 @@
 services.caddy = {
 enable = true;
 email = "hedgehog@mrhedgehog.xyz";
- # globalConfig = ''
- # '';
- virtualHosts = {
- "cache.thehedgehog.me" = {
- extraConfig = ''
- import cf_tls
- reverse_proxy http://localhost:5000
- '';
- };
- "hydra.thehedgehog.me" = {
- extraConfig = ''
- import cf_tls
- reverse_proxy http://localhost:3000
- '';
- };
- "reddit.thehedgehog.me" = {
- extraConfig = ''
- import cf_tls
- reverse_proxy http://localhost:4000
- '';
- };
- };
+ globalConfig = ''
+ http_port 81
+ '';
 extraConfig = ''
- (cf_tls) {
- tls ${config.age.secrets.thehedgehog-pem.path} ${config.age.secrets.thehedgehog-key.path} {
- protocols tls1.3
- client_auth {
- mode require_and_verify
- trusted_ca_cert_file ${config.age.secrets.cloudflare-ca.path}
- }
+ *.tailnet-a79e.ts.net {
+ @libreddit host libreddit.tailnet-a79e.ts.net
+ handle @libreddit {
+ reverse_proxy localhost:4000
+ }
+
+ @hydra host hydra.tailnet-a79e.ts.net
+ handle @hydra {
+ reverse_proxy localhost:3000
+ }
+
+ @radicale host dav.tailnet-a79e.ts.net
+ handle @radicale {
+ reverse_proxy localhost:5352
+ }
+
+ @vaultwarden host bw.tailnet-a79e.ts.net
+ handle @vaultwarden {
+ reverse_proxy localhost:8000
+ }
+
+ @miniflux host bw.tailnet-a79e.ts.net
+ handle @miniflux {
+ reverse_proxy localhost:6000
+ }
+
+ @jellyfin host media.tailnet-a79e.ts.net
+ handle @jellyfin {
+ reverse_proxy localhost:8096
+ }
+
+ @rssbridge host rss-bridge.tailnet-a79e.ts.net
+ handle @rssbridge {
+ reverse_proxy localhost:80
 }
 }
 '';
diff --git a/hosts/marvin/services/tailscale.nix b/hosts/marvin/services/tailscale.nix
index 74c0e90..a18c5d0 100644
--- a/hosts/marvin/services/tailscale.nix
+++ b/hosts/marvin/services/tailscale.nix
@@ -1,6 +1,7 @@
 {config, ...}: {
 services.tailscale = {
 enable = true;
+ permitCertUid = "962";
 };
 networking.firewall = {
 trustedInterfaces = [ "tailscale0" ];
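Review bot: In the new `extraConfig` of hosts/marvin/services/caddy.nix, `@miniflux` is declared with `host bw.tailnet-a79e.ts.net`, the same name as `@vaultwarden` just above it; sibling `handle` blocks are mutually exclusive and the first match wins, so the miniflux handle can never run and nothing is routed to localhost:6000. Give it its own name, e.g. `@miniflux host <miniflux-name>.tailnet-a79e.ts.net` (placeholder; the intended name is not on the page). The wildcard site block also has no fallback, so a request for any other name under `*.tailnet-a79e.ts.net` falls through to Caddy's empty default response; a closing `handle { abort }` makes unmatched hosts fail closed. Because the hunk removes the `client_auth` mutual-TLS requirement, it is worth confirming that the listener is reachable only over `tailscale0`, for instance with a `bind` directive on the tailnet address; the firewall's open ports are not visible here.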
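Review bot: In hosts/marvin/services/tailscale.nix, `permitCertUid = "962";` hard-codes a numeric uid that is presumably the caddy account's on this host, but nothing in the hunk ties it to that account. If uids are ever reallocated, permission to fetch the node's TLS certificate either stops working for Caddy or lands on whichever account then holds 962. The option also accepts a user name, so `permitCertUid = config.services.caddy.user;` keeps the grant bound to the service (`config` is already an argument of this module). The `networking.firewall` block continues past the end of the hunk.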