

feat: add HTTP→HTTPS redirects for tailnet vhosts and enable PCP

Add plain-HTTP Caddy vhosts on the Tailscale IP for Nextcloud, Immich,
Jellyfin, and Cockpit that permanently redirect to their HTTPS equivalents.
Also enable PCP for historical graphs in Cockpit.

+33
+7
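--- a/modules/immich.nix
+++ b/modules/immich.nix
@@ -94,6 +94,13 @@
 # Let's Encrypt wildcard cert (*.ewancroft.uk) via Cloudflare DNS-01.
 # Reachable from any tailnet device at https://${im.hostname} once split-dns
 # is configured in the Tailscale admin console (see modules/split-dns.nix).
+services.caddy.virtualHosts."http://${im.hostname}" = lib.mkIf (cfg.server.tailscaleIP != "") {
+extraConfig = ''
+bind ${cfg.server.tailscaleIP}
+redir https://${im.hostname}{uri} permanent
+'';
+};
+
 services.caddy.virtualHosts."https://${im.hostname}" = lib.mkIf (cfg.server.tailscaleIP != "") {
 extraConfig = ''
 bind ${cfg.server.tailscaleIP}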
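Review bot: With a plaintext listener now answering on the tailnet IP, the `https://${im.hostname}` vhost (its body continues outside the hunk) should also send `Strict-Transport-Security`, otherwise every bookmarked or typed `http://` URL keeps doing a cleartext HTTP round-trip to Caddy before being upgraded, on every visit. Adding `header Strict-Transport-Security "max-age=31536000"` inside the HTTPS vhost's `extraConfig` makes browsers skip that hop after the first visit; leave `includeSubDomains` off, since the wildcard `*.ewancroft.uk` cert suggests other subdomains exist that may not all be served over TLS. The `bind` to the Tailscale IP is the only thing keeping this new port-80 listener off other interfaces, which deserves a one-line comment above the vhost: `# Plain-HTTP listener on the tailnet IP only; everything is bounced to the TLS vhost below.`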
+7
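--- a/modules/jellyfin.nix
+++ b/modules/jellyfin.nix
@@ -98,6 +98,13 @@
 # Let's Encrypt wildcard cert (*.ewancroft.uk) via Cloudflare DNS-01.
 # Reachable at https://${jf.hostname} from any tailnet device once split-dns
 # is configured (see modules/split-dns.nix).
+services.caddy.virtualHosts."http://${jf.hostname}" = lib.mkIf (cfg.server.tailscaleIP != "") {
+extraConfig = ''
+bind ${cfg.server.tailscaleIP}
+redir https://${jf.hostname}{uri} permanent
+'';
+};
+
 services.caddy.virtualHosts."https://${jf.hostname}" = lib.mkIf (cfg.server.tailscaleIP != "") {
 extraConfig = ''
 bind ${cfg.server.tailscaleIP}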
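Review bot: The redirect vhost added here has exactly the same shape as the ones in modules/immich.nix, modules/nextcloud.nix and modules/server/services.nix, with only the hostname varying, so the `bind`/`redir` policy now lives in four places and any later change to it (a different status code, an added header, a different bind address) has to be repeated in each. A small helper taking the hostname keeps the policy in one spot; where it should live depends on how these modules share code, which the hunk does not show, so the sketch below assumes a `let` binding or shared lib function is reachable from this module. The surrounding attribute set that this vhost is part of starts and ends outside the hunk.
```nix
# Plain-HTTP vhost on the tailnet IP whose only job is to bounce to the TLS vhost.
mkTailnetRedirect = hostname: {
  extraConfig = ''
    bind ${cfg.server.tailscaleIP}
    redir https://${hostname}{uri} permanent
  '';
};

# … unchanged: cert / split-dns comment …
services.caddy.virtualHosts."http://${jf.hostname}" =
  lib.mkIf (cfg.server.tailscaleIP != "") (mkTailnetRedirect jf.hostname);
```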
+7
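--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -172,6 +172,13 @@
 # Let's Encrypt wildcard cert (*.ewancroft.uk) via Cloudflare DNS-01.
 # Reachable at https://${nc.hostname} from any tailnet device once split-dns
 # is configured (see modules/split-dns.nix).
+services.caddy.virtualHosts."http://${nc.hostname}" = lib.mkIf (cfg.server.tailscaleIP != "") {
+extraConfig = ''
+bind ${cfg.server.tailscaleIP}
+redir https://${nc.hostname}{uri} permanent
+'';
+};
+
 services.caddy.virtualHosts."https://${nc.hostname}" = lib.mkIf (cfg.server.tailscaleIP != "") {
 extraConfig = ''
 bind ${cfg.server.tailscaleIP}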
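Review bot: `redir … permanent` answers with a 301, and a 301 allows the client to rewrite a non-GET request as a GET, which matters for this host in particular: the Nextcloud desktop and mobile clients speak WebDAV (PROPFIND, PUT, MKCOL, MOVE), so a client still configured with an `http://` server URL would have its verb and body dropped on the way to the TLS vhost instead of being transparently upgraded. Since the target is the same path on the same host, `redir https://${nc.hostname}{uri} 308` is still a permanent redirect but keeps method and body intact. Whether any client is actually pointed at `http://` cannot be seen from here, but the 308 costs nothing; either way a comment on the line such as `# 308 rather than 301 so WebDAV verbs survive the HTTPS upgrade` records the choice.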
+12
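--- a/modules/server/services.nix
+++ b/modules/server/services.nix
@@ -11,6 +11,9 @@
 # Tailscale VPN for inter-host communication
 services.tailscale.enable = true;
 
+# PCP (Performance Co-Pilot) — enables historical graphs in Cockpit.
+services.pcp.enable = true;
+
 # SSH daemon (server hardened configuration from modules/server/ssh.nix)
 # No additional SSH config needed here — it's handled by server-hardened profile.
 
@@ -29,6 +32,15 @@
 ProtocolHeader = "X-Forwarded-Proto";
 };
 };
+
+services.caddy.virtualHosts."http://${cockpit.hostname}" =
+lib.mkIf (cockpit.enable && cfg.server.tailscaleIP != "")
+{
+extraConfig = ''
+bind ${cfg.server.tailscaleIP}
+redir https://${cockpit.hostname}{uri} permanent
+'';
+};
 
 services.caddy.virtualHosts."https://${cockpit.hostname}" =
 lib.mkIf (cockpit.enable && cfg.server.tailscaleIP != "")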
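Review bot: `services.pcp.enable = true;` starts pmcd, and PCP's collector daemon listens on TCP 44321 by default rather than on a local socket only, so this hunk adds a network service to the host that, unlike the Caddy vhosts further down, carries no `bind` to the Tailscale IP. Whether that port ends up reachable beyond localhost depends on the NixOS module's defaults and on the host firewall, neither of which is visible here; confirm it is not opened on non-tailnet interfaces, and if the module exposes a listen/bind option, pin it to localhost, since the commit message says the only consumer is Cockpit on this same machine. A comment stating that intent would help the next reader, e.g. `# Only consumed locally by Cockpit; pmcd (TCP 44321) must not be reachable off-host.`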