From 8f561610a7fe52ef2b42cf61b7048cb743f8ea0f Mon Sep 17 00:00:00 2001
From: Ben Sima
Date: Thu, 25 Dec 2025 17:54:37 -0500
Subject: Omni/Deploy: make Caddy optional in Deployer.nix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add enableCaddy option (default true) to allow hosts like beryllium that use Tailscale Funnel to disable Caddy reverse proxy.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 Omni/Deploy/Deployer.nix | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'Omni/Deploy/Deployer.nix')
diff --git a/Omni/Deploy/Deployer.nix b/Omni/Deploy/Deployer.nix
index 091b43b..ea4ae47 100644
--- a/Omni/Deploy/Deployer.nix
+++ b/Omni/Deploy/Deployer.nix
@@ -43,6 +43,12 @@ in {
 default = "/nix/var/nix/gcroots/biz";
 description = "Directory for GC roots to prevent closure garbage collection";
 };
+
+ enableCaddy = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Enable Caddy reverse proxy for HTTP services";
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -86,9 +92,9 @@ in {
 };
 };
- # Caddy reverse proxy for deployed services
+ # Caddy reverse proxy for deployed services (optional)
 # TODO: Generate this dynamically from manifest in the future
- services.caddy = {
+ services.caddy = lib.mkIf cfg.enableCaddy {
 enable = true;
 globalConfig = ''
 admin localhost:2019
@@ -98,7 +104,7 @@ in {
 '';
 };
- # Open firewall for HTTP/HTTPS
- networking.firewall.allowedTCPPorts = [80 443];
+ # Open firewall for HTTP/HTTPS (only if Caddy enabled)
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.enableCaddy [80 443];
 };
 }
--
cgit v1.2.3
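Review bot: The `enableCaddy` description in the first hunk mentions only the reverse proxy, but the last hunk makes the same option decide whether TCP 80 and 443 are opened in the firewall. Anyone reading the option list cannot tell that the default of `true` exposes those ports, or that setting it to `false` also closes them. I would state both effects: `description = "Enable the Caddy reverse proxy for HTTP services and open TCP ports 80 and 443 in the firewall";`.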
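Review bot: The `lib.mkIf cfg.enableCaddy` guard on `services.caddy` in the second hunk is written again, separately, on `networking.firewall.allowedTCPPorts` in the third hunk, so the proxy and its port opening can drift apart when one of them is edited later. Grouping both under a single guarded attribute set, for example `config = lib.mkIf cfg.enable (lib.mkMerge [ { ... } (lib.mkIf cfg.enableCaddy { ... }) ]);`, would keep 80/443 closed whenever the proxy is off without relying on two conditions staying in sync. The `services.caddy` body and the enclosing `config` block both continue outside the hunks, so this should be checked against the full file.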