# Public edge for the atri.dad / atash.dev hosts.
#
# Two mechanisms, both pointing at one upstream machine reached over the tailnet:
#   * Caddy terminates TLS for every HTTP site and reverse-proxies it, applying
#     one of two header/CSP presets (strict_config / relaxed_config) per host;
#   * a pair of socat units per port in `streamPorts` forwards raw TCP and UDP
#     traffic unchanged, and the firewall is opened for exactly those ports.
{ lib, pkgs, ... }:
let
  atriDotDad = "atri.dad";
  atashDotDev = "atash.dev";
  matrixDomain = "matrix.${atriDotDad}";
  livekitDomain = "livekit.${atriDotDad}";

  # Single backend for every proxied service. It is a tailnet name, which is
  # why the socat units below are ordered after tailscaled.
  upstream = "lloyd.tadpole-pain.ts.net";

  # Ports forwarded verbatim (each one gets both a TCP and a UDP unit) and
  # opened in the firewall for both protocols. Note that this exposes the union
  # of protocols for every port; a port that is only ever one protocol could be
  # split into separate TCP/UDP lists to shrink the listening surface.
  streamPorts = [ 69 420 25565 25566 25567 30058 51820 ];

  # Matrix server/client discovery documents served under /.well-known/matrix.
  wellKnownServer = builtins.toJSON { "m.server" = "${matrixDomain}:443"; };
  wellKnownClient = builtins.toJSON {
    "m.homeserver" = { base_url = "https://${matrixDomain}"; };
    "org.matrix.msc4143.rtc_foci" = [
      { type = "livekit"; livekit_service_url = "https://${livekitDomain}"; }
    ];
  };

  # One Caddyfile site block: import the chosen preset, then proxy to the
  # upstream on the given port (plain HTTP inside the tailnet).
  renderSite = { host, port, preset }: ''
    ${host} {
      import ${preset}
      reverse_proxy http://${upstream}:${toString port}
    }
  '';

  # Small constructors so the site table reads as "preset host port".
  site = preset: host: port: { inherit host port preset; };
  strict = site "strict_config";
  relaxed = site "relaxed_config";

  # atri.dad hosts
  atriSites = [
    (strict "abs.${atriDotDad}" 30067)
    (relaxed "analytics.${atriDotDad}" 30060)
    (strict "ascently.${atriDotDad}" 8838)
    (relaxed "chat.${atriDotDad}" 30246)
    (strict "mealie.${atriDotDad}" 30111)
    (strict "democlimb.${atriDotDad}" 8008)
    (relaxed "gist.${atriDotDad}" 1227)
    (relaxed "git.${atriDotDad}" 30010)
    (strict "links.${atriDotDad}" 30243)
    (strict "memos.${atriDotDad}" 30311)
    (relaxed "music.${atriDotDad}" 30043)
    (strict "openclimb.${atriDotDad}" 1337)
    (strict "photos.${atriDotDad}" 30041)
    (relaxed "posts.${atriDotDad}" 8181)
    (strict "s3.${atriDotDad}" 30188)
    (relaxed "search.${atriDotDad}" 30053)
    (relaxed "requests.${atriDotDad}" 30357)
    (relaxed "todo.${atriDotDad}" 30107)
    (strict "tv.${atriDotDad}" 30013)
    (strict "vault.${atriDotDad}" 30032)
    (strict "vpn.${atriDotDad}" 30058)
  ];

  # Other hosts
  otherSites = [
    (relaxed "ripkyle.org" 4321)
    (relaxed atashDotDev 6969)
    (strict "chronus.${atashDotDev}" 7337)
  ];

  proxyServices = atriSites ++ otherSites;
  proxyBlocks = builtins.concatStringsSep "\n" (map renderSite proxyServices);

  # systemd unit forwarding one port for one protocol ("tcp" or "udp").
  # Runs as a transient unprivileged user; CAP_NET_BIND_SERVICE is granted
  # because some entries in `streamPorts` (69, 420) are below 1024.
  # `fork` gives one socat child per accepted connection, `reuseaddr` sets
  # SO_REUSEADDR so restarts do not fail on lingering sockets.
  # NOTE(review): for UDP the listener is UDP-LISTEN,fork; confirm this behaves
  # as intended for long-lived peers (e.g. the 51820 forward), since socat's
  # UDP-LISTEN and UDP-RECVFROM differ in how they track peers.
  socatUnit = proto: port:
    let
      upperProto = lib.toUpper proto;
      portStr = toString port;
    in {
      name = "socat-${proto}-${portStr}";
      value = {
        description = "Socat ${proto} proxy for port ${portStr}";
        after = [ "network-online.target" "tailscaled.service" ];
        wants = [ "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${pkgs.socat}/bin/socat ${upperProto}-LISTEN:${portStr},fork,reuseaddr ${upperProto}:${upstream}:${portStr}";
          Restart = "on-failure";
          RestartSec = "5s";
          DynamicUser = true;
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        };
      };
    };
in
{
  services.caddy = {
    enable = true;
    email = "me@${atriDotDad}";
    # caddy-defender is pinned by version and output hash so the plugin build
    # is reproducible and a changed upstream artifact fails the build.
    package = pkgs.caddy.withPlugins {
      plugins = [ "pkg.jsn.cam/caddy-defender@v0.10.0" ];
      hash = "sha256-d1hLwVylShdTOIHnt3HkbyWUAsmvFlC3cIo6wr89EUw=";
    };
    # Presets:
    #   strict_config  - hardening headers, a CSP restricted to the two owned
    #                    domains, and caddy-defender's `garbage` responder for
    #                    the listed cloud / AI-crawler IP ranges.
    #   relaxed_config - same headers but a wider CSP (any https: image or
    #                    connect target, a media-src for an HLS stream, workers).
    # Both CSPs allow 'unsafe-inline' and 'unsafe-eval' for scripts, which
    # largely neutralises CSP against injected script; presumably some fronted
    # apps need it - tightening this per site is the main remaining hardening.
    # Both presets also strip the Server and alt-svc response headers.
    # The /.well-known/matrix/client document carries a wildcard
    # Access-Control-Allow-Origin because web Matrix clients fetch it
    # cross-origin; it is a public, static JSON body, so that is expected.
    extraConfig = ''
      (strict_config) {
        encode zstd gzip
        defender garbage {
          ranges openai deepseek aliyun azurepubliccloud aws gcloud githubcopilot mistral oci vultr digitalocean linode cloudflare
        }
        header {
          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
          X-Content-Type-Options "nosniff"
          X-Frame-Options "DENY"
          X-Robots-Tag "noimageindex, noodp, noydir, nofollow"
          Referrer-Policy "strict-origin-when-cross-origin"
          Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.atri.dad; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.atri.dad https://*.atash.dev; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
          -Server
          -alt-svc
        }
      }
      (relaxed_config) {
        encode zstd gzip
        header {
          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
          X-Content-Type-Options "nosniff"
          X-Frame-Options "DENY"
          X-Robots-Tag "noimageindex, noodp, noydir, nofollow"
          Referrer-Policy "strict-origin-when-cross-origin"
          Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.atri.dad; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' wss: https:; media-src 'self' https://rogers-hls.leanstream.co; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
          -Server
          -alt-svc
        }
      }
      ${atriDotDad} {
        import strict_config
        handle /.well-known/matrix/server {
          header Content-Type application/json
          header X-Content-Type-Options nosniff
          respond `${wellKnownServer}` 200
        }
        handle /.well-known/matrix/client {
          header Content-Type application/json
          header Access-Control-Allow-Origin "*"
          header Vary Origin
          header X-Content-Type-Options nosniff
          respond `${wellKnownClient}` 200
        }
        handle {
          reverse_proxy http://${upstream}:3000
        }
      }
      ${proxyBlocks}
      ${matrixDomain} {
        import relaxed_config
        request_body {
          max_size 1GB
        }
        handle {
          reverse_proxy http://${upstream}:30394
        }
      }
      ${livekitDomain} {
        import relaxed_config
        @jwt path /sfu/get /healthz /get_token
        handle @jwt {
          reverse_proxy http://${upstream}:8081
        }
        handle {
          reverse_proxy http://${upstream}:7880
        }
      }
    '';
  };

  # socat-tcp-<port> and socat-udp-<port> for every stream port.
  systemd.services = lib.listToAttrs (
    lib.concatMap (proto: map (socatUnit proto) streamPorts) [ "tcp" "udp" ]
  );

  # HTTP(S) for Caddy plus the raw forwards; every stream port is opened for
  # both protocols because a unit exists for each.
  networking.firewall = {
    allowedTCPPorts = [ 80 443 ] ++ streamPorts;
    allowedUDPPorts = streamPorts;
  };
}