roles/syncthingserver: use caddy server instead of traefik

roles/syncthingserver.nix

@@ -23,7 +23,6 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgsUnstable; [
       syncthing
-      traefik
     ];
 
     services.syncthing = {
@@ -50,46 +49,17 @@ in
       };
     };
 
-    services.traefik = {
+    services.tailscale.permitCertUid = "caddy";
+
+    services.caddy = {
       enable = true;
-
-      staticConfigOptions = {
-        entryPoints = {
-          web = {
-            address = ":80";
-            asDefault = true;
-            http.redirections.entrypoint = {
-              to = "websecure";
-              scheme = "https";
-            };
-          };
-
-          websecure = {
-            address = ":443";
-            asDefault = true;
-            http.tls.certResolver = "tailscale";
-          };
-        };
-
-        certificatesResolvers.tailscale."tailscale" = { };
-      };
-
-      dynamicConfigOptions = {
-        http.routers.syncthing = {
-          entrypoints = [ "websecure" ];
-          rule = "Host(`${config.networking.hostName}.tail755c5.ts.net`)";
-          service = "syncthing-gui";
-          tls.certResolver = "tailscale";
-        };
-
-        http.services.syncthing-gui = {
-          loadBalancer.servers = [ { url = "http://localhost:${toString syncthingGuiPort}"; } ];
-        };
+      virtualHosts."${config.networking.hostName}.tail755c5.ts.net" = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString syncthingGuiPort}
+        '';
       };
     };
 
-    services.tailscale.permitCertUid = "traefik";
-
     networking.firewall.allowedTCPPorts = [
       config.services.syncthing.relay.port
     ];