make caddy a L4 proxy to terminate TLS for HiveMQ

This commit is contained in:
Lars Nolden
2026-06-29 17:23:02 +02:00
parent 70c2ada986
commit bf8b25f374
3 changed files with 100 additions and 20 deletions
+6 -3
View File
@@ -21,13 +21,16 @@
# GEBOS_POSTGRES_PASSWORD sourced from /run/secrets/gebos-env (sops-nix).
};
# Caddy fronts TLS for `ingest.gebos.online` and forwards to HiveMQ.
# Caddy (layer4) terminates TLS on :8883 and forwards cleartext MQTT to
# HiveMQ's loopback listener on :1883. tcpProxy is the upstream backend.
services.gebos.caddy = {
enable = true;
sites = {
"ingest.gebos.online" = { tcpProxy = "127.0.0.1:8883"; };
"ingest.gebos.online" = { tcpProxy = "127.0.0.1:1883"; };
};
};
networking.firewall.allowedTCPPorts = [ 8883 ];
# 8883: MQTTS for senders. 80/443: ACME challenge so Caddy can obtain/renew
# the ingest.gebos.online cert that the layer4 TLS handler serves.
networking.firewall.allowedTCPPorts = [ 80 443 8883 ];
}