traccar: route tracking through caddy for tls

2026-04-12 20:59:19 -04:00
parent f2ca84ab53
commit fd27d8d985
2 changed files with 12 additions and 13 deletions
--- a/service-configs.nix
+++ b/service-configs.nix
@@ -68,10 +68,6 @@ rec {
        port = 64738;
        proto = "both";
      };
-      traccar_tracking = {
-        port = 5056;
-        proto = "tcp";
-      };
    };

    # Ports bound to localhost / VPN only. The flake asserts none of
@@ -205,6 +201,10 @@ rec {
        port = 8082;
        proto = "tcp";
      };
+      traccar_tracking = {
+        port = 5056;
+        proto = "tcp";
+      };
    };
  };

--- a/services/traccar.nix
+++ b/services/traccar.nix
@@ -12,10 +12,6 @@
    (lib.serviceFilePerms "traccar" [
      "Z /var/lib/traccar 0700 traccar traccar"
    ])
-    (lib.mkCaddyReverseProxy {
-      subdomain = "traccar";
-      port = service_configs.ports.private.traccar_web.port;
-    })
  ];

  users.users.traccar = {
@@ -63,7 +59,7 @@
      # Only enable OsmAnd protocol (phone app). Prevents Traccar from
      # opening 200+ default protocol ports that conflict with other services.
      protocols.enable = "osmand";
-      osmand.port = toString service_configs.ports.public.traccar_tracking.port;
+      osmand.port = toString service_configs.ports.private.traccar_tracking.port;
    };
  };

@@ -78,8 +74,11 @@
    };
  };

-  # OsmAnd tracking port must be reachable from the internet for the phone app
-  networking.firewall.allowedTCPPorts = [
-    service_configs.ports.public.traccar_tracking.port
-  ];
+  # Route tracking requests (OsmAnd protocol) through Caddy for TLS.
+  # The phone app connects via HTTPS instead of a separate plain port.
+  services.caddy.virtualHosts."${service_configs.traccar.domain}".extraConfig = ''
+    @tracking query id=*
+    reverse_proxy @tracking :${toString service_configs.ports.private.traccar_tracking.port}
+    reverse_proxy :${toString service_configs.ports.private.traccar_web.port}
+  '';
 }