From f3f5a9c726939e980c0bdd6e41fc1d61d7ad6e2b Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Tue, 10 Mar 2026 14:52:29 -0400
Subject: [PATCH] caddy: add redirect from old domain

---
 services/caddy.nix | 46 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 36 insertions(+), 10 deletions(-)

diff --git a/services/caddy.nix b/services/caddy.nix
index 1269acd..c6adaf2 100644
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -41,6 +41,9 @@ let
 hugo --minify -d $out;
 '';
 };
+
+ newDomain = service_configs.https.domain;
+ oldDomain = service_configs.https.old_domain;
 in
 {
 imports = [
@@ -52,29 +55,52 @@ in
 services.caddy = {
 enable = true;
 email = "titaniumtown@proton.me";
+
+ # Enable on-demand TLS for old domain redirects
+ # Certs are issued dynamically when subdomains are accessed
+ globalConfig = ''
+ on_demand_tls {
+ ask http://localhost:9123/check
+ }
+ '';
+
+ # Internal endpoint to validate on-demand TLS requests
+ # Only allows certs for *.${oldDomain}
+ extraConfig = ''
+ http://localhost:9123 {
+ @allowed expression {query.domain}.endsWith(".${oldDomain}") || {query.domain} == "${oldDomain}" || {query.domain} == "www.${oldDomain}"
+ respond @allowed 200
+ respond 403
+ }
+ '';
+
 virtualHosts = {
- ${service_configs.https.domain} = {
+ ${newDomain} = {
 extraConfig = ''
 root * ${hugoWebsite}
 file_server browse
 '';
- serverAliases = [ "www.${service_configs.https.domain}" ];
+ serverAliases = [ "www.${newDomain}" ];
 };
- # Redirect old domain (bare) to new domain
- ${service_configs.https.old_domain} = {
+ # Redirect old domain (bare + www) to new domain
+ ${oldDomain} = {
 extraConfig = ''
- redir https://${service_configs.https.domain}{uri} permanent
+ redir https://${newDomain}{uri} permanent
 '';
- serverAliases = [ "www.${service_configs.https.old_domain}" ];
+ serverAliases = [ "www.${oldDomain}" ];
 };
- # Redirect old domain (wildcard subdomains) to new domain
- "*.${service_configs.https.old_domain}" = {
+ # Wildcard redirect for all old domain subdomains
+ # Uses on-demand TLS - certs issued automatically on first request
+ "*.${oldDomain}" = {
 extraConfig = ''
- # {labels.2} extracts the subdomain from *.gardling.com
- redir https://{labels.2}.${service_configs.https.domain}{uri} permanent
+ tls {
+ on_demand
+ }
+ # {labels.2} extracts subdomain from *.gardling.com
+ redir https://{labels.2}.${newDomain}{uri} permanent
 '';
 };
 };
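Review bot: The `ask` endpoint added in `extraConfig` is the only gate on on-demand issuance, and its `@allowed` matcher accepts any name that ends with `.${oldDomain}`, so every distinct SNI value a client presents under the old domain causes Caddy to request a certificate; if the set of legacy subdomains is known, enumerating them in that expression instead of the suffix test keeps the issuer's per-registered-domain quota from being spent on names that never existed. The `http://localhost:9123` site is selected by Host header rather than by interface, so unless the host firewall already blocks 9123 it is worth adding `bind 127.0.0.1` inside that block so the check endpoint is not reachable from outside. The comment above it, `# Only allows certs for *.${oldDomain}`, understates the matcher, which also accepts the bare and `www.` names; `# Allows certs for ${oldDomain}, www.${oldDomain} and any *.${oldDomain}` would describe the expression accurately. The enclosing `services.caddy` attribute set continues outside the hunk.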