From 23e793b7846753ecc9524f24ad434e6347212783 Mon Sep 17 00:00:00 2001
From: cnst
Date: Wed, 16 Jul 2025 06:59:29 +0200
Subject: [PATCH] homelab tinkering 3

---
 hosts/sobotka/server.nix | 2 ++
 modules/default.nix | 1 +
 modules/server/caddy/default.nix | 25 ++++++++++++++++++++-----
 modules/server/default.nix | 20 ++++++++++++++++++++
 4 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 modules/server/default.nix

diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 9f93bdf7..16f2b91e 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -1,5 +1,7 @@
 {
 server = {
+ email = "adam@cnst.dev";
+ domain = "cnst.dev";
 caddy = {
 enable = true;
 };
diff --git a/modules/default.nix b/modules/default.nix
index 0633f6e4..3fe65047 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -119,6 +119,7 @@
 };
 server = {
 imports = [
+ ./server
 ./server/caddy
 ./server/vaultwarden
 ];
diff --git a/modules/server/caddy/default.nix b/modules/server/caddy/default.nix
index bbe0aa63..bd5ef66c 100644
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
@@ -12,11 +12,11 @@ in {
 server.caddy.enable = mkEnableOption "Enables caddy";
 };
 config = mkIf cfg.enable {
- # age.secrets.cloudflare-env = {
- # file = "${self}/secrets/cloudflare-env.age";
- # owner = "caddy";
- # mode = "400";
- # };
+ age.secrets.cloudflare-env = {
+ file = "${self}/secrets/cloudflare-env.age";
+ owner = "caddy";
+ mode = "400";
+ };
 networking.firewall = let
 ports = [80 443];
 in {
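Review bot: `owner = "caddy"` with `mode = "400"` makes the decrypted secret readable only by the caddy user, yet the consumer wired up later in this commit is the `security.acme` certificate service (`environmentFile = config.age.secrets.cloudflare-env.path`), whose unit does not run as caddy. If the NixOS acme module passes that path to systemd as `EnvironmentFile=`, systemd reads it before dropping privileges and the ownership is harmless; if the service process reads it itself, issuance fails with a permission error, so this is worth confirming on a rebuild rather than assuming. The ownership should match the actual reader; if that is the acme unit, `owner = "acme";` is the accurate choice. Since a wildcard certificate is requested with this token, the Cloudflare token inside the file should be scoped to DNS edit on that single zone only, so a leak of the caddy-readable file cannot reach anything else.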
@@ -24,6 +24,21 @@ in {
 allowedUDPPorts = ports;
 };
 
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = config.server.email;
+ certs.${config.server.domain} = {
+ reloadServices = ["caddy.service"];
+ domain = "${config.server.domain}";
+ extraDomainNames = ["*.${config.server.domain}"];
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ group = config.services.caddy.group;
+ environmentFile = config.age.secrets.cloudflare-env.path;
+ };
+ };
+
 services.caddy = {
 enable = true;
 # environmentFile = config.age.secrets.cloudflare-env.path;
diff --git a/modules/server/default.nix b/modules/server/default.nix
new file mode 100644
index 00000000..c827b2d8
--- /dev/null
+++ b/modules/server/default.nix
@@ -0,0 +1,20 @@
+{lib, ...}: let
+ inherit (lib) mkOption types;
+in {
+ options.server = {
+ email = mkOption {
+ default = "";
+ type = types.str;
+ description = ''
+ Email name to be used to access the server services via Caddy reverse proxy
+ '';
+ };
+ domain = mkOption {
+ default = "";
+ type = types.str;
+ description = ''
+ Base domain name to be used to access the server services via Caddy reverse proxy
+ '';
+ };
+ };
+}
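Review bot: Nothing in this hunk tells Caddy about the certificate that `security.acme` now manages: the `# environmentFile` line on `services.caddy` stays commented out, and unless the rest of the `services.caddy` block (which continues outside the hunk) points its virtual hosts at it, e.g. `useACMEHost = config.server.domain;`, Caddy's automatic HTTPS will attempt its own issuance alongside the one configured here. On style, `domain = "${config.server.domain}";` interpolates a value that is already a string, so `domain = config.server.domain;` is the same thing with less noise, and `dnsPropagationCheck = true;` restates the module default and can be dropped. `group = config.services.caddy.group` is the right way to give Caddy read access to the key material; keep it rather than widening the cert permissions.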
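Review bot: `default = "";` with `type = types.str` on both options lets a host that never sets `server.domain` or `server.email` evaluate cleanly, and the consumer in modules/server/caddy/default.nix then requests a certificate keyed `""` with `extraDomainNames = ["*."]` and an ACME account with an empty e-mail, a failure that only surfaces at activation. Removing both `default = "";` lines makes the options required exactly when the caddy module reads them (inside its `mkIf cfg.enable`), so a missing value fails at eval time with a clear message; `type = types.nonEmptyStr;` would additionally reject an explicit empty string. The descriptions also misstate what the values do: in this commit `email` is only used as `security.acme.defaults.email` and `domain` is the base of the wildcard certificate, so `description = "E-mail address registered with the ACME provider for certificate issuance";` and `description = "Base domain; a certificate for it and *.<domain> is obtained via DNS-01";` would describe the actual contract.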