From 04300c6f50186d98ab0eb80215de879787d5ad0c Mon Sep 17 00:00:00 2001
From: Alexander Wainwright
Date: Sat, 11 Apr 2026 13:12:29 +1000
Subject: [PATCH] refactor(alt): remove caddy reverse proxy, now on wintermute
Caddy has been migrated to wintermute. Remove the caddy.nix import, delete the config file, and drop ports 80/443 from alt's firewall.
Co-Authored-By: Claude Sonnet 4.6
---
hosts/alt/caddy.nix | 63 -------------------------------------
hosts/alt/configuration.nix | 2 --
2 files changed, 65 deletions(-)
delete mode 100644 hosts/alt/caddy.nix
diff --git a/hosts/alt/caddy.nix b/hosts/alt/caddy.nix
deleted file mode 100644
index d8fb7de..0000000
--- a/hosts/alt/caddy.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
- # String = simple site, Attrset = custom site.
- sites = {
- "analytics.figtree.dev" = "http://192.168.80.1:3300";
- "figtree.dev" = "http://192.168.1.63:8080";
- "files.figtree.dev" = "http://192.168.80.4:8080";
- "git.figtree.dev" = "http://192.168.80.8:3000";
- "nc.figtree.dev" = "http://192.168.1.62:11000";
- "paperless.figtree.dev" = "http://192.168.1.63:8010";
- "photos.figtree.dev" = "http://192.168.80.1:2283";
- "shiori.figtree.dev" = "http://192.168.80.4:8234";
- "tasks.figtree.dev" = "http://192.168.80.7:3456";
- "www.figtree.dev" = "http://192.168.1.63:8080";
- "ha.figtree.dev" = "http://192.168.1.50:8123";
- # "budget.figtree.dev" = "http://192.168.80.1:5006";
-
- # .lan domains now automatically get "tls internal"
- "home.lan" = "http://192.168.1.63:3000";
- "budget.lan" = "http://192.168.80.1:5006";
- "torrent.lan" = "http://192.168.1.65:8080";
- "books.lan" = "http://192.168.80.4:8010";
- "recipes.lan" = "http://192.168.80.4:8222";
- "jelly.lan" = "http://192.168.80.4:8096";
- "plex.lan" = "http://192.168.1.63:32400";
- };
-
- # Normalize sites:
- # 1. Turn strings into { backend = "..."; }.
- # 2. Automatically prepend `tls internal` for any domain ending in .lan.
- normalizedSites = lib.mapAttrs (domain: siteConfig:
- let
- # Ensure siteConfig is an attrset.
- baseConfig = if lib.isString siteConfig then { backend = siteConfig; } else siteConfig;
- # Check if it's a .lan domain.
- isLanDomain = lib.hasSuffix ".lan" domain;
- in
- if isLanDomain then
- baseConfig // {
- extraBefore = ''
- tls internal
- ${lib.optionalString (baseConfig ? extraBefore) baseConfig.extraBefore}
- '';
- }
- else
- baseConfig
- ) sites;
-
- # Render each vhost from its config.
- mkVHost = cfg: {
- extraConfig = ''
- ${lib.optionalString (cfg ? extraBefore) cfg.extraBefore}
- reverse_proxy ${cfg.backend}
- ${lib.optionalString (cfg ? extra) cfg.extra}
- '';
- };
-in
-{
- services.caddy = {
- enable = true;
- virtualHosts = lib.mapAttrs (_: cfg: mkVHost cfg) normalizedSites;
- };
-}
diff --git a/hosts/alt/configuration.nix b/hosts/alt/configuration.nix
index 4559ad6..e48401a 100644
--- a/hosts/alt/configuration.nix
+++ b/hosts/alt/configuration.nix
@@ -12,7 +12,6 @@ ../modules/kafka-mounts.nix ../modules/server.nix ../modules/syncthing.nix - ./caddy.nix ./jellyfin.nix ];
@@ -25,7 +24,6 @@ services.syncthing.guiAddress = "0.0.0.0:8384"; networking.firewall.allowedTCPPorts = [ - 80 443 # caddy 8000 8001 8010 # audio bookshelf