feat: add Caddy TLS reverse proxy to host configs

czxtm · czxtm · commit 243a2d24e9c3 · 2026-03-30T10:57:30.000-07:00
- Enable services.caddy on both ovh-usw-1 and hzcloud-hel-1 hosts
- Virtual host api.stackpanel.com with reverse_proxy to 10.0.100.11:3000
- Caddy auto-HTTPS via Let's Encrypt (ACME HTTP-01)
- Open firewall ports 80 (ACME challenge) and 443 (HTTPS) on both hosts
- Caddy runs on the host, not inside VMs
diff --git a/nix/hosts/hzcloud-hel-1/default.nix b/nix/hosts/hzcloud-hel-1/default.nix
@@ -142,6 +142,8 @@ in
 
     firewall = {
       trustedInterfaces = [ "tailscale0" "br-vms" ];
+      # Open 80 (ACME HTTP challenge) and 443 (HTTPS) for Caddy on the host
+      allowedTCPPorts = [ 80 443 ];
     };
 
     # NAT: VMs reach the internet through the host's public interface
@@ -178,6 +180,21 @@ in
     };
   };
 
+  # ---------------------------------------------------------------------------
+  # Caddy: TLS termination on the host, reverse-proxying to the API VM
+  #
+  # Caddy uses ACME (Let's Encrypt) auto-HTTPS by default.
+  # Port 80 must be open externally for the HTTP-01 challenge.
+  # ---------------------------------------------------------------------------
+  services.caddy = {
+    enable = true;
+    virtualHosts."api.stackpanel.com" = {
+      extraConfig = ''
+        reverse_proxy 10.0.100.11:3000
+      '';
+    };
+  };
+
   # ---------------------------------------------------------------------------
   # microVM definitions
   # ---------------------------------------------------------------------------
diff --git a/nix/hosts/ovh-usw-1/default.nix b/nix/hosts/ovh-usw-1/default.nix
@@ -149,6 +149,8 @@ in
     firewall = {
       # Trust the VM bridge and Tailscale (inter-VM traffic unrestricted)
       trustedInterfaces = [ "tailscale0" "br-vms" ];
+      # Open 80 (ACME HTTP challenge) and 443 (HTTPS) for Caddy on the host
+      allowedTCPPorts = [ 80 443 ];
     };
 
     # NAT: VMs reach the internet through the host's public interface
@@ -187,6 +189,21 @@ in
     };
   };
 
+  # ---------------------------------------------------------------------------
+  # Caddy: TLS termination on the host, reverse-proxying to the API VM
+  #
+  # Caddy uses ACME (Let's Encrypt) auto-HTTPS by default.
+  # Port 80 must be open externally for the HTTP-01 challenge.
+  # ---------------------------------------------------------------------------
+  services.caddy = {
+    enable = true;
+    virtualHosts."api.stackpanel.com" = {
+      extraConfig = ''
+        reverse_proxy 10.0.100.11:3000
+      '';
+    };
+  };
+
   # ---------------------------------------------------------------------------
   # microVM definitions
   # ---------------------------------------------------------------------------
