traccar: route tracking through caddy for tls

2026-04-12 20:59:19 -04:00
parent f2ca84ab53
commit fd27d8d985
2 changed files with 12 additions and 13 deletions
--- a/service-configs.nix
+++ b/service-configs.nix
@@ -68,10 +68,6 @@ rec {
        port = 64738;
        proto = "both";
      };
      traccar_tracking = {
        port = 5056;
        proto = "tcp";
      };
    };
    # Ports bound to localhost / VPN only. The flake asserts none of
@@ -205,6 +201,10 @@ rec {
        port = 8082;
        proto = "tcp";
      };
      traccar_tracking = {
        port = 5056;
        proto = "tcp";
      };
    };
  };
--- a/services/traccar.nix
+++ b/services/traccar.nix
@@ -12,10 +12,6 @@
    (lib.serviceFilePerms "traccar" [
      "Z /var/lib/traccar 0700 traccar traccar"
    ])
    (lib.mkCaddyReverseProxy {
      subdomain = "traccar";
      port = service_configs.ports.private.traccar_web.port;
    })
  ];
  users.users.traccar = {
@@ -63,7 +59,7 @@
      # Only enable OsmAnd protocol (phone app). Prevents Traccar from
      # opening 200+ default protocol ports that conflict with other services.
      protocols.enable = "osmand";
-      osmand.port = toString service_configs.ports.public.traccar_tracking.port;
+      osmand.port = toString service_configs.ports.private.traccar_tracking.port;
    };
  };
@@ -78,8 +74,11 @@
    };
  };
-  # OsmAnd tracking port must be reachable from the internet for the phone app
+  # Route tracking requests (OsmAnd protocol) through Caddy for TLS.
-  networking.firewall.allowedTCPPorts = [
+  # The phone app connects via HTTPS instead of a separate plain port.
-    service_configs.ports.public.traccar_tracking.port
+  services.caddy.virtualHosts."${service_configs.traccar.domain}".extraConfig = ''
-  ];
+    @tracking query id=*
    reverse_proxy @tracking :${toString service_configs.ports.private.traccar_tracking.port}
    reverse_proxy :${toString service_configs.ports.private.traccar_web.port}
  '';
 }