# NixOS module fragment for the Caddy reverse proxy.
#
# Arguments (supplied by the module system / the wrapper that evaluates this
# file twice):
#   base   - the previously evaluated configuration, or null on the first
#            pass; when non-null, its rendered Caddy config is post-processed
#            by the overlay below.
#   config - the evaluated NixOS configuration (user/group names and the
#            sops secret path are read from it).
#   pkgs, lib - the nixpkgs package set and library.
#
# The result is `lib.recursiveUpdate` of the always-on base settings with an
# overlay that is only present when `base` is set.
{ base, config, pkgs, lib, ... }:
let
  # Render ./caddy/caddyfile.nix (a function of pkgs and lib) to JSON and
  # store it as caddy.json.  The Nix store is world-readable, so this file is
  # expected to carry only a placeholder for the token -- the real value is
  # substituted outside the store by the overlay below.
  renderedCaddyJson =
    pkgs.writeText "caddy.json"
      (builtins.toJSON (import ./caddy/caddyfile.nix { pkgs = pkgs; lib = lib; }));

  baseSettings = {
    services.caddy = {
      enable = true;
      configFile = renderedCaddyJson;
      package = pkgs.callPackage ../packages/caddy.nix { };
      # Caddy runs as root and (below) the unit's ProtectHome sandbox is
      # switched off.  Both widen the blast radius of a compromised Caddy
      # process; presumably required for the root-owned secret file and/or
      # port binding -- confirm, and prefer a dedicated service user if the
      # secret's ownership can be adjusted instead.
      user = "root";
    };
    systemd.services.caddy.serviceConfig.ProtectHome = lib.mkForce false;
    # Cloudflare API token decrypted by sops-nix at activation time.  With
    # mode 0600 only the owner (root) can read it; the group is irrelevant.
    sops.secrets.cloudflare_token = {
      mode = "0600";
      owner = config.users.users.root.name;
      group = config.users.users.nobody.group;
      sopsFile = ../secrets/caddy.json;
      format = "json";
    };
  };

  # Second-pass overlay: take the config file rendered in the first pass and
  # hand it to scalpel so the `cloudflare_token` matcher is replaced with the
  # decrypted secret in a file outside the Nix store.
  secretOverlay =
    let
      firstPassConfig = base.config.services.caddy.configFile;
    in
    {
      scalpel.trafos."caddy.json" = {
        source = toString firstPassConfig;
        # NOTE(review): scalpel presumably substitutes the matcher with the
        # contents of this secret path at activation -- confirm against the
        # scalpel module.
        matchers."cloudflare_token".secret =
          config.sops.secrets.cloudflare_token.path;
        owner = config.users.users.root.name;
        group = config.users.users.nobody.group;
        mode = "0400";
      };
      # Point Caddy at the substituted file instead of the store path.
      # NOTE(review): both configFile values (the derivation above and this
      # mkForce wrapper) are attrsets, and recursiveUpdate recurses into
      # attrsets rather than replacing them -- confirm the module system still
      # honours the override on the merged value.
      services.caddy.configFile =
        lib.mkForce config.scalpel.trafos."caddy.json".destination;
      # Reload (not restart) Caddy whenever the rendered config changes.
      systemd.services.caddy.reloadTriggers = [ firstPassConfig ];
    };
in
lib.recursiveUpdate baseSettings (lib.optionalAttrs (base != null) secretOverlay)