From 44cf0004f41ddd07d7736f49f83f1aa5b54e0935 Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Sat, 14 Dec 2024 21:10:44 +0800
Subject: [PATCH] services/caddy: init
---
nixos/profiles/services/caddy/default.nix | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 nixos/profiles/services/caddy/default.nix
diff --git a/nixos/profiles/services/caddy/default.nix b/nixos/profiles/services/caddy/default.nix
new file mode 100644
index 0000000..2b89eb7
--- /dev/null
+++ b/nixos/profiles/services/caddy/default.nix
@@ -0,0 +1,22 @@
+{ config, mylib, ... }:
+{
+ services.caddy = {
+ enable = true;
+ enableReload = true;
+ };
+
+ systemd.services.caddy.serviceConfig = mylib.misc.serviceHardened // {
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ };
+
+ systemd.services.caddy-api.serviceConfig = mylib.misc.serviceHardened // {
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ };
+
+ services.restic.backups.b2.paths = [
+ config.services.caddy.logDir
+ config.services.caddy.dataDir
+ ];
+}
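Review bot: The two `serviceConfig` overrides may not pin the capability sets to exactly `CAP_NET_BIND_SERVICE`. The `//` merge only replaces keys within this one definition, and list-valued unit options defined by other modules are normally concatenated by the NixOS module system, so any capability the upstream caddy module already grants would probably still end up in the unit. If an exact set is intended, add `lib` to the function arguments and write `CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];` (likewise for `AmbientCapabilities`, in both the `caddy` and `caddy-api` blocks), then check the result with `systemd-analyze security caddy.service`. The same `//` also overrides whatever `mylib.misc.serviceHardened` sets for those two keys (not visible in this patch), which deserves a comment such as `# re-grant only the bind capability on top of the hardened baseline`. On the restic paths, `dataDir` presumably holds the ACME account and TLS private keys, so a comment like `# dataDir contains TLS private keys; confidentiality depends on the restic repository password` would record that dependency.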