Changes to rpi setup

modules/caddy.nix

@@ -18,16 +18,14 @@ let
   cfg    = config.homey.caddy;
   domain = homeyConfig.domain;
 
-  # Build Caddy with the Cloudflare DNS plugin.
-  # This compiles on the Pi (slow once, cached after).
-  caddyWithCloudflare = pkgs.caddy.override {
-    externalPlugins = [
-      {
-        name    = "github.com/caddy-dns/cloudflare";
-        version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
-      }
+  # Build Caddy with the Cloudflare DNS plugin using the nixos-25.05 API.
+  # `withPlugins` is a passthru function on the caddy package; it uses xcaddy
+  # under the hood to produce a fixed-output derivation.
+  caddyWithCloudflare = pkgs.caddy.withPlugins {
+    plugins = [
+      "github.com/caddy-dns/cloudflare@v0.2.2-0.20250724223520-f589a18c0f5d"
     ];
-    vendorHash = lib.fakeHash; # replace with real hash after first build
+    hash = "sha256-2Fb2fgM7YhWk9kBnnNGb85MJkAkgzXiI1fb6eK3ykIE=";
   };
 
   # Reusable Authelia forward_auth snippet
@@ -147,34 +145,41 @@ in
         "torrent.${domain}" = {
           extraConfig = ''
             ${autheliaForwardAuth}
-            reverse_proxy localhost:9091_transmission
+            reverse_proxy localhost:9092
           '';
-          # NOTE: transmission uses 9091 too; we'll bind it to 9092 in its
-          # module to avoid a clash with authelia.
+          # NOTE: transmission is bound to 9092 to avoid clash with authelia on 9091.
         };
 
       };
     };
 
     # -----------------------------------------------------------------------
-    # Pass Cloudflare token as env var to the caddy systemd unit
+    # Pass Cloudflare token as env var to the caddy systemd unit.
+    #
+    # The caddy-dns/cloudflare plugin reads CLOUDFLARE_API_TOKEN directly.
+    # sops decrypts the secret to a file at runtime; we write a transient
+    # env file to /run/ in ExecStartPre so systemd picks it up via
+    # EnvironmentFile.  The file is removed in ExecStopPost.
     # -----------------------------------------------------------------------
     systemd.services.caddy = {
       serviceConfig = {
-        EnvironmentFile = pkgs.writeText "caddy-cf-env"
-          "CLOUDFLARE_API_TOKEN_FILE=${config.sops.secrets."cloudflare/api_token".path}";
-        # Caddy supports _FILE suffix for env vars via its secret file reader,
-        # but cloudflare plugin reads CLOUDFLARE_API_TOKEN directly.
-        # We write a wrapper ExecStartPre to populate the env var from the file:
+        EnvironmentFile = "/run/caddy-secrets.env";
         ExecStartPre = [
           (pkgs.writeShellScript "caddy-inject-cf-token" ''
-            export CLOUDFLARE_API_TOKEN=$(cat ${config.sops.secrets."cloudflare/api_token".path})
-            systemctl set-environment CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN"
+            install -m 0600 /dev/null /run/caddy-secrets.env
+            printf 'CLOUDFLARE_API_TOKEN=%s\n' \
+              "$(cat ${config.sops.secrets."cloudflare/api_token".path})" \
+              > /run/caddy-secrets.env
+          '')
+        ];
+        ExecStopPost = [
+          (pkgs.writeShellScript "caddy-cleanup-env" ''
+            rm -f /run/caddy-secrets.env
           '')
         ];
       };
-      after    = lib.mkAfter  [ "podman-authelia.service" ];
-      wants    = lib.mkAfter  [ "podman-authelia.service" ];
+      after = lib.mkAfter [ "podman-authelia.service" ];
+      wants = lib.mkAfter [ "podman-authelia.service" ];
     };
 
     # -----------------------------------------------------------------------