feat(module,services): caddy behing cloudflare tunnnels

flake.nix

@@ -222,6 +222,7 @@
     };
 
     nixosModules = {
+      cloudflared-caddy = ./modules/cloudflared-caddy.nix;
       neovim = inputs.neovim.nixosModules.default;
       playit = ./modules/playit.nix;
       services = {

modules/cloudflared-caddy.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  options.services.cloudflared = {
+    tunnels = mkOption {
+      type = with types;
+        attrsOf (submodule
+          ({...}: {
+            options.caddy-domain = mkOption {
+              type = nullOr str;
+              default = null;
+            };
+          }));
+      apply = tunnels:
+        mapAttrs (n: v: let
+          domain = v.caddy-domain;
+        in
+          if isNull domain
+          then v
+          else
+            v
+            // {
+              ingress =
+                (pipe config.services.caddy.virtualHosts [
+                  (mapAttrs' (n: v: let
+                    domainPort = splitString ":" n;
+                    domain = elemAt domainPort 0;
+                    port =
+                      if (length domainPort) > 1
+                      then elemAt domainPort 1
+                      else null;
+                  in
+                    nameValuePair domain port))
+                  (filterAttrs (n: v: !(isNull v) && hasSuffix domain n))
+                  (mapAttrs (n: v: {service = "http://localhost:${v}";}))
+                ])
+                // v.ingress;
+            })
+        tunnels;
+    };
+  };
+}

services/cloudflared.nix

@@ -1,13 +1,24 @@
-{config, ...}: {
+{
+  config,
+  self,
+  ...
+}: {
+  imports = [
+    self.nixosModules.cloudflared-caddy
+  ];
+
   services.cloudflared.enable = true;
   services.cloudflared.tunnels = {
     "9ed8b48f-9585-4a67-9895-114b162172fb" = {
       certificateFile = config.sops.secrets."services/cloudflared/guzone-cert".path;
       credentialsFile = config.sops.secrets."services/cloudflared/guzone-cred".path;
+      caddy-domain = "guz.one";
       default = "http_status:404";
     };
   };
 
+  services.caddy.enable = true;
+
   sops.secrets = {
     "services/cloudflared/guzone-cert" = {};
     "services/cloudflared/guzone-cred" = {};

services/minecraft-servers.nix

@@ -143,6 +143,7 @@ in {
         jre_headless = pkgs.jdk25_headless;
         loaderVersion = fabricVersion;
       };
+      managementSystem.systemd-socket.enable = true;
       symlinks =
         collectFilesAt modpack "mods"
         // {
@@ -240,6 +241,7 @@ in {
         FABRIC_PROXY_SECRET_FILE = config.sops.secrets."services/minecraft/proxy-secret".path;
       };
       serverProperties = {
+        allow-flight = true;
         broadcast-console-to-opts = true;
         difficulty = "normal";
         enforce-whitelist = true;
@@ -257,15 +259,22 @@ in {
     };
   };
 
-  services.cloudflared.tunnels."9ed8b48f-9585-4a67-9895-114b162172fb" = let
+  services.caddy.virtualHosts."favelasmp.guz.one:80" = let
     meshLib = cfg.servers."favelasmp".files."config/mesh-lib/main.json".value;
   in {
-    ingress = {
-      "favelasmp.guz.one" = {
-        service = "http://localhost:${toString meshLib.httpPort}";
-        path = "^/git-pack-manager.*$";
-      };
-    };
+    extraConfig = ''
+      header Content-Type text/html
+      respond <<HTML
+        <html>
+          <head><title>FavelaSMP</title></head>
+          <body><h1>Hello, FavelaSMP</h1></body>
+        </html>
+        HTML 200
+
+      handle /git-pack-manager* {
+        reverse_proxy http://localhost:${toString meshLib.httpPort}
+      }
+    '';
   };
 
   environment.persistence."/persist".directories = [