Creating private services on NixOS using Tailscale and Caddy
A simple guide to setting up private services on NixOS using Tailscale and Caddy with authentication.
Caddy has a handle_path directive that you can use to host services that don’t like being hosted on paths. It strips the path prefix before handing the request to the underlying service, so the service sees requests as if it were served from the root of the domain.
Services being routed by caddy-tailscale are treated as full-fledged Tailscale nodes and thus follow the deny-by-default ACL policy. If I want to be able to ping a Tailscale address from the server, I will have to add an ACL grant allowing the server’s tag to access the tag applied to the service. This was necessary today for the Firefly-iii data importer to be able to access the Firefly-iii instance running on the same server.
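A grant of the kind described above could look like this in the tailnet policy file. This is an added example, not the author's actual policy: the tag names tag:server and tag:firefly and the choice of port 443 are assumptions.

```json
{
  // Hypothetical tags: tag:server is applied to the NixOS host,
  // tag:firefly to the node that caddy-tailscale registers for the service.
  "tagOwners": {
    "tag:server":  ["autogroup:admin"],
    "tag:firefly": ["autogroup:admin"]
  },

  "grants": [
    {
      // The server itself is just another source node. Without this entry
      // the default-deny policy blocks it from reaching the service node,
      // even though both run on the same machine.
      "src": ["tag:server"],
      "dst": ["tag:firefly"],
      // Assumed: the service is only reached over HTTPS. Listing the one
      // port keeps the grant narrow; "*" would open every port and protocol.
      "ip": ["tcp:443"]
    }
  ]
}
```

The grant is one-directional: it lets nodes tagged tag:server open connections to tag:firefly, and gives the service node no access back to the server.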