diff --git a/hosts/bigding/configuration.nix b/hosts/bigding/configuration.nix index 2769089..d388eb3 100644 --- a/hosts/bigding/configuration.nix +++ b/hosts/bigding/configuration.nix @@ -3,7 +3,29 @@ pkgs, lib, ... -}: { +}: let + mkVHost = baseUrl: { + service, + port, + }: { + name = "${service}.${baseUrl}"; + value = { + listenAddresses = ["100.91.249.54"]; + extraConfig = '' + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } + + reverse_proxy localhost:${builtins.toString port} + ''; + }; + }; + + mkVHosts = baseUrl: hosts: builtins.listToAttrs (builtins.map (mkVHost baseUrl) hosts); +in { imports = [ ../common ./hardware-configuration.nix @@ -26,6 +48,7 @@ interfaces.ens3.useDHCP = true; firewall = { + allowedTCPPorts = [80 8448 443]; allowedTCPPortRanges = [ { from = 12500; @@ -46,6 +69,8 @@ }; }; + services.tailscale.permitCertUid = "caddy"; + services.syncthing = { settings = { gui = { 
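Review bot: Every generated vhost binds the literal Tailscale address `100.91.249.54` via `listenAddresses`, and as far as I can tell Caddy fails its listener setup when an address it must bind is not yet configured on an interface, so unless the caddy unit is ordered after tailscaled (e.g. `systemd.services.caddy.after = ["tailscaled.service"];`) a reboot can race and leave all four sites down. The same literal is repeated in each new site of modules/caddy/Caddyfile in this commit; hoisting it into the `let` next to `mkVHost` (`tailnetAddr = "100.91.249.54";`) gives the tailnet-only policy one definition. Issuing these names through the Porkbun DNS-01 challenge also records `radarr.broccoli.town` and friends in public Certificate Transparency logs even though they only listen on the tailnet; acceptable, but worth a one-line comment on `mkVHost` saying it is intended.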
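Review bot: `allowedTCPPorts = [80 8448 443];` opens the Matrix federation port 8448 on every interface, but this commit also sets `services.matrix-synapse.enable = false` (modules/synapse hunks) and the only `:8448` site lives in the Caddyfile of the `./caddy` module that modules/default.nix now comments out, so nothing answers there; drop it (`allowedTCPPorts = [80 443];`) until federation is reinstated. If the old Caddyfile is meant to stay, its `matrix.broccoli.town` and `broccoli.town:8448` blocks proxy to a Synapse that no longer runs and should go as well. The same line already exists in modules/caddy/default.nix; NixOS merges the lists, but one owner avoids drift.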
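Review bot: `services.tailscale.permitCertUid = "caddy";` lets the caddy user obtain certificates from tailscaled, but the only consumer of that ability, the `bigding.squirrel-clownfish.ts.net { tls { get_certificate tailscale } }` site, is deleted from modules/caddy/Caddyfile in this commit and every new vhost uses Porkbun DNS-01 instead; unless another site still calls `get_certificate tailscale`, remove the line so the privilege matches actual use. If it is kept on purpose for a future ts.net site, a comment such as `# needed for tls { get_certificate tailscale }` would spare the next reader the same question.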
@@ -55,6 +80,105 @@ guiAddress = "localhost:8387"; }; + users.groups."media".name = "media"; + + age.secrets = { + caddy_porkbun_api_env.file = ../../secrets/caddy_porkbun_api_env.age; + }; + + services.sabnzbd = { + enable = true; + group = "media"; + }; + + services.radarr = { + enable = true; + group = "media"; + }; + + services.caddy = { + enable = true; + enableReload = false; + environmentFile = config.age.secrets.caddy_porkbun_api_env.path; + package = pkgs.caddy.withPlugins { + plugins = ["github.com/caddy-dns/porkbun@v0.2.1"]; + hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg="; + }; + logFormat = "level INFO"; + virtualHosts = + (mkVHosts "broccoli.town" [ + { + service = "radarr"; + port = 7878; + } + { + service = "sonarr"; + port = 8989; + } + { + service = "sab"; + port = 8085; + } + { + service = "transmission"; + port = 9091; + } + ]) + // { + "danielpatterson.dev" = { + extraConfig = '' + header { + proof proven.lol/de4a14 + } + root * /srv/site/danielpatterson.dev + encode zstd gzip + file_server + ''; + }; + "movies.danielpatterson.dev" = { + extraConfig = '' + reverse_proxy localhost:8096 + ''; + }; + "git.broccoli.town" = { + extraConfig = '' + reverse_proxy localhost:3030 + ''; + }; + }; + }; + + # containers.radarr = { + # autoStart = false; + # bindMounts = { + # "/data" = { + # hostPath = "/var/media"; + # mountPoint = "/data"; + # isReadOnly = false; + # }; + # }; + # forwardPorts = [ + # { + # containerPort = 7878; + # hostPort = 7979; + # } + # ]; + # config = {config, pkgs, lib, ...}: { + # services.radarr = { + # enable = true; + # }; + # }; + # }; + + services.sonarr = { + enable = true; + group = "media"; + }; + + services.prowlarr = { + enable = true; + }; + environment.systemPackages = with pkgs; [ helix kitty # For terminfo diff --git a/modules/caddy/Caddyfile b/modules/caddy/Caddyfile index 28b5ce4..46c836a 100644 --- a/modules/caddy/Caddyfile +++ b/modules/caddy/Caddyfile 
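Review bot: `services.prowlarr.enable = true;` is the one new service without an entry in the `mkVHosts "broccoli.town" [...]` list, so it stays reachable only on its loopback port; if that is deliberate a comment should say so, otherwise add `{ service = "prowlarr"; port = 9696; }` (its default port, if unchanged). The commented-out `containers.radarr = { ... }` block sits next to the live `services.radarr` definition and should be deleted rather than carried; git keeps the history. The arr, SAB and transmission sites rely entirely on the Tailscale bind plus each app's own login, since `reverse_proxy localhost:<port>` adds no authentication of its own, and a short comment on `services.caddy.virtualHosts` stating that trust model would help. `sab` proxies to port 8085, which presumably comes from SABnzbd's own ini rather than the NixOS module defaults; confirm the two agree or the vhost proxies to nothing.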
@@ -2,16 +2,12 @@ log { level ERROR } - admin off + # admin off servers { metrics } } -http://localhost:2019 { - metrics /metrics -} - matrix.broccoli.town { reverse_proxy /_matrix/* http://localhost:8008 reverse_proxy /_synapse/client/* http://localhost:8008 @@ -25,26 +21,56 @@ broccoli.town:8448 { reverse_proxy http://localhost:8008 } -broccoli.town { - header /.well-known/* "Access-Control-Allow-Origin" "*" +radarr.broccoli.town { + bind 100.91.249.54 - respond /.well-known/matrix/client `{ "m.homeserver": { "base_url": "https://broccoli.town" } }` + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } - reverse_proxy /_matrix/* http://localhost:8008 - reverse_proxy /_synapse/client/* http://localhost:8008 - - redir / https://chat.broccoli.town + reverse_proxy http://localhost:7878 } -chat.broccoli.town { - header { - X-Frame-Options "SAMEORIGIN" - X-XSS-Protection "1; mode=block" - X-Content-Type-Options "nosniff" - X-Robots-Tag "noindex, noarchive, nofollow" +sab.broccoli.town { + bind 100.91.249.54 + + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } } - root * @element@ - file_server + + reverse_proxy http://localhost:8085 +} + +sonarr.broccoli.town { + bind 100.91.249.54 + + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } + + reverse_proxy localhost:8989 +} + +transmission.broccoli.town { + bind 100.91.249.54 + + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } + + reverse_proxy localhost:9091 } danielpatterson.dev { 
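Review bot: Commenting out `admin off` turns Caddy's admin API back on at its default `localhost:2019`, which is unauthenticated and lets any local process replace the running configuration; the removal of the `http://localhost:2019 { metrics /metrics }` site suggests this was done so Prometheus can scrape `/metrics` from the admin endpoint. If that is the reason, the narrower options are to keep `admin off` and serve the `metrics` handler from a loopback site on a non-admin port, or to move the admin API onto a root-only socket with `admin unix//run/caddy/admin.sock`. Note this Caddyfile belongs to the `./caddy` module that modules/default.nix comments out in the same commit, so the change is currently inert.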
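Review bot: The `bind 100.91.249.54` plus `tls { dns porkbun { ... } }` block is pasted four times (radarr, sab, sonarr, transmission); a Caddyfile snippet lets each site import it once, so a change to the challenge credentials or the tailnet address cannot be missed in one copy. `reverse_proxy http://localhost:7878` versus `reverse_proxy localhost:8989` mixes two spellings of the same thing; pick one. These four sites also duplicate the `mkVHosts` list that hosts/bigding/configuration.nix now generates while the module owning this file is disabled in modules/default.nix, so one of the two definitions should go. Issuing public certificates for tailnet-only names via DNS-01 records the hostnames in Certificate Transparency logs, which is acceptable but worth a comment at the top of the file.
```caddyfile
(tailnet_site) {
	bind 100.91.249.54

	tls {
		dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_SECRET_KEY}
		}
	}
}

radarr.broccoli.town {
	import tailnet_site
	reverse_proxy http://localhost:7878
}

# … unchanged pattern: the sab, sonarr and transmission sites each replace their copied block with `import tailnet_site` …
```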
@@ -69,19 +95,14 @@ git.broccoli.town { } http://bigding:8384 { + bind 100.91.249.54 + reverse_proxy localhost:8387 } -bigding.squirrel-clownfish.ts.net { - tls { - get_certificate tailscale - } - reverse_proxy localhost:9091 -} - http://bigding { - reverse_proxy /transmission localhost:9091 - reverse_proxy /transmission/* localhost:9091 + bind 100.91.249.54 + handle_path /prometheus/* { reverse_proxy localhost:9090 } diff --git a/modules/caddy/default.nix b/modules/caddy/default.nix index aacc80e..3e26f96 100644 --- a/modules/caddy/default.nix +++ b/modules/caddy/default.nix @@ -1,36 +1,20 @@ { pkgs, lib, + config, ... }: { networking.firewall.allowedTCPPorts = [80 8448 443]; - services.tailscale.permitCertUid = "caddy"; - - services.caddy = let - catppuccin = builtins.fromJSON (builtins.readFile (pkgs.fetchurl { - url = "https://raw.githubusercontent.com/catppuccin/element/main/config.json"; - hash = "sha256-jaH6E2YO2np3Ewv6JQWbGRiRqsL75rIEJuKfXv95W6Y="; - })); - - element = pkgs.element-web.override { - conf = - { - default_server_config."m.homeserver" = { - "base_url" = "https://broccoli.town"; - "server_name" = "broccoli.town"; - }; - } - // catppuccin; + services.caddy = { + package = pkgs.caddy.withPlugins { + plugins = ["github.com/caddy-dns/porkbun@v0.2.1"]; + hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg="; }; - - config = pkgs.substituteAll { - inherit element; - src = ./Caddyfile; - }; - in { enable = true; - configFile = config; + enableReload = false; adapter = "caddyfile"; + environmentFile = config.age.secrets.caddy_porkbun_api_env.path; + configFile = ./Caddyfile; }; } diff --git a/modules/default.nix b/modules/default.nix index 09bfd08..d678497 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,7 +2,7 @@ bigding = { imports = [ ./backups/bigding - ./caddy + # ./caddy ./dungflix ./fail2ban ./gitea diff --git a/modules/dungflix/default.nix b/modules/dungflix/default.nix index 9bf2f28..2dcd207 100644 
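Review bot: `http://bigding:8384` and `http://bigding` now bind to the tailnet address but still serve the Syncthing GUI (8387) and Prometheus (9090) over plain HTTP with no authentication added by Caddy; on the wire that is inside Tailscale's tunnel, so the exposure is every node the tailnet ACLs allow to reach this host rather than the internet. Prometheus has no login of its own, so either put `/prometheus/*` behind a `basic_auth` block or confirm the ACLs limit who can reach 100.91.249.54, and add a comment here stating which control is relied upon. The deleted `bigding.squirrel-clownfish.ts.net` site was the only user of `get_certificate tailscale`, which is why `services.tailscale.permitCertUid` in hosts/bigding/configuration.nix now looks unused.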
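Review bot: This module is disabled in the same commit (`# ./caddy` in modules/default.nix) yet it is rewritten to carry a second, slightly different copy of the Caddy setup — the same `pkgs.caddy.withPlugins` pin and hash, the same `environmentFile`, the same `allowedTCPPorts` — that hosts/bigding/configuration.nix now defines inline, and two definitions of one secret-bearing service will drift. Either delete modules/caddy (Caddyfile included) or make it the single owner and have the host import it instead of redefining `services.caddy`. Adding `config` to the module arguments is needed for `config.age.secrets`, but nothing in this module declares `age.secrets.caddy_porkbun_api_env` (it is declared in the host file), so enabling the module on its own would fail evaluation until that declaration moves here or into a shared module.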
--- a/modules/dungflix/default.nix +++ b/modules/dungflix/default.nix @@ -4,26 +4,15 @@ ... }: let mountdir = "/var/media/danflix"; - - rclone_config = pkgs.writeText "" '' - [danflix-storage-box] - type = sftp - sftp_md5sum_command = md5sum - sftp_sha1sum_command = sha1sum - - [danflix-crypto] - type = crypt - remote = danflix-storage-box:danflix - ''; in { age.secrets = { - danflix_storage_box_crypt_obscured_pw.file = ../../secrets/danflix_storage_box_crypt_obscured_pw.age; danflix_hetzner_storage_box_pub_key.file = ../../secrets/danflix_hetzner_storage_box_pub_key.age; - danflix_env_file.file = ../../secrets/danflix_env_file.age; + danflix_rclone_config.file = ../../secrets/danflix_rclone_config.age; }; services = { jellyfin.enable = true; + jellyfin.group = "media"; transmission = { enable = true; @@ -55,7 +44,7 @@ in { "RCLONE_SFTP_KEY_FILE" = config.age.secrets.danflix_hetzner_storage_box_pub_key.path; }; script = '' - ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount danflix-crypto: ${mountdir} \ + ${pkgs.rclone}/bin/rclone --config="${config.age.secrets.danflix_rclone_config.path}" mount danflix-union: ${mountdir} \ --vfs-cache-mode full \ --vfs-cache-max-age 336h \ --vfs-cache-max-size 60G \ @@ -70,14 +59,13 @@ in { ''; postStart = '' sleep 5 - ${pkgs.rclone}/bin/rclone --config="${rclone_config}" rc vfs/refresh recursive=true _async=true + ${pkgs.rclone}/bin/rclone --config="${config.age.secrets.danflix_rclone_config.path}" rc vfs/refresh recursive=true _async=true ''; postStop = '' sleep 3 ${pkgs.fuse3}/bin/fusermount -u ${mountdir} ''; serviceConfig = { - EnvironmentFile = config.age.secrets.danflix_env_file.path; Restart = "on-failure"; }; }; diff --git a/modules/synapse/default.nix b/modules/synapse/default.nix index d87f782..9ce6e7e 100644 --- a/modules/synapse/default.nix +++ b/modules/synapse/default.nix 
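Review bot: Moving the whole rclone config into `danflix_rclone_config.age` is the right home now that it presumably carries the crypt password as well as the remote layout (the old `pkgs.writeText "" ''...''` sat world-readable in the Nix store, which was only acceptable while the password came from the env file), but agenix installs secrets as root-owned mode 0400 by default, so if the mount unit's `User` (outside this hunk) is unprivileged it needs `danflix_rclone_config = { file = ...; owner = "<unit user>"; };`. The two secrets this hunk stops using, `danflix_storage_box_crypt_obscured_pw.age` and `danflix_env_file.age`, are still declared in secrets/secrets.nix (that hunk only appends) and still live in the repo; remove both entries and files so a stale credential is not kept around. `jellyfin.group = "media"` depends on the `media` group created in hosts/bigding/configuration.nix rather than in this module, which a comment should mention.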
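Review bot: The mount target changes from `danflix-crypto:` to `danflix-union:` while the remote definitions move into the encrypted config, so the diff can no longer show whether the union still sits on top of the crypt remote or whether a plaintext upstream was added; a comment above `script` naming the union's upstreams (`# danflix-union: layers <upstreams> over the crypt remote; defined in secrets/danflix_rclone_config.age`) would make that reviewable. The same `--config="${config.age.secrets.danflix_rclone_config.path}"` is repeated in `postStart` in the next hunk; a `rcloneConfig = config.age.secrets.danflix_rclone_config.path;` binding next to `mountdir` keeps one definition.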
@@ -7,7 +7,7 @@ fqdn = "matrix.broccoli.town"; in { services.postgresql = { - enable = true; + enable = false; package = pkgs.postgresql_16; ensureUsers = [ ]; @@ -20,7 +20,7 @@ in { }; services.matrix-synapse = { - enable = true; + enable = false; settings = { enable_metrics = true; server_name = "broccoli.town"; diff --git a/secrets/caddy_porkbun_api_env.age b/secrets/caddy_porkbun_api_env.age new file mode 100644 index 0000000..a22845c Binary files /dev/null and b/secrets/caddy_porkbun_api_env.age differ diff --git a/secrets/danflix_rclone_config.age b/secrets/danflix_rclone_config.age new file mode 100644 index 0000000..f9715ae Binary files /dev/null and b/secrets/danflix_rclone_config.age differ diff --git a/secrets/danflix_storage_box_crypt_pw.age b/secrets/danflix_storage_box_crypt_pw.age index 6d0ea6e..a20dfbe 100644 --- a/secrets/danflix_storage_box_crypt_pw.age +++ b/secrets/danflix_storage_box_crypt_pw.age 
@@ -1,18 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 eYYv1Q olD4OIi8YC5KZN7rVfOcis+OOvmJI27FsXN19tEX5lk -493ZDJgwYbzPsthtQtIzzHpVtj9ocje15w9wq5JtHSI --> ssh-ed25519 Bp5IaA FbriZLB/tTQflwwqgMrJUgcMibx6vG+UI841ZjiOmlM -l/rutNoo4EnL6qr3wkMNGbDHcIC+CGZgfOcsoSoHCAE --> ssh-ed25519 T/DpgA M+PqxOvScPQU58bYwQqtQaLykzKW5fIibAfoKNDPUHM -1l2ZBg3naogcGeQhzDgonuPEFA+zjL/tZBCMwa6rIDY --> ssh-ed25519 qMgRFg e3SJOsknOfqOdyqXvqTJ3+xo6ueWYSEyicj34+ufjDs -oOGb2SzADeydEtCO5eDyYGxJG0ZCLseAwslR3E6LsUs --> ssh-ed25519 dMZXNw N/D2EAYhGZkwtiDDf+0Krb/pOVjG66PLLBdeSAWqo1k -vs2fnH6CAcyvoDuPTmgjmMkUcIK9VHmQGfHOcpy71hU --> ssh-ed25519 70Nt2Q tr8TufTCMfU+8KtIdkFjyczVRiKUvFZ6rwGOPYUObVY -+akmkrm1+GIONvR3dR+Sj9d3Ajj+PqzYVn4SWWEKmo8 --> *_-grease |uf+h -NP9bxjUd03lJnmXKlH7wx0+1E2fQit01FsnXk8MtCzbSzf3DZUi5pHk0KAOUIpOE -uu81CrNA4J7InBlX56qNDqGMuQ ---- vE2U4+bAt/AmUZdwD05PYzzxeVl6IVGHjEOgNfqfAWI - k1Kq_?Tp8w10<hjXQՕ bG \ No newline at end of file +-> ssh-ed25519 eYYv1Q vLmVCfQl4olGGQ8kjiC/qSNkRvFCGvtGDDBnd7hOelk +NLP/1UpjbKJcbpDYFGG6hPS1K8dUz0K1IiMUTXkBrL0 +-> ssh-ed25519 Bp5IaA KwnFb0LjUEaOylWWlAixGkxrstf6iy6MMZHRB39/2yc +jREraVOqYqplbMMsvbPYI3haIlHdx0KKMBxKRQr4xKk +-> ssh-ed25519 T/DpgA c+GZB1UC3HFrGnqKmAlgAOLxLdP2ipMeUyYlLa42aT4 +LkZpsQsQdyJgDlEx/zkMO848nb3iv4XRhHQvhEVIJck +-> ssh-ed25519 qMgRFg HpEFdzSYpe9O3xRjbQOXIXcNbddIIdDEbU04ilEDO1Y +OK9/cZY/uyWAMX0CrYarfoAkdOetd3n3jPQrFy4ePjc +-> ssh-ed25519 dMZXNw yNlqlhu7rMy+0T4/1ofR8VKfJ8FqHjC0OVTPTP7ms1I +t6YwA0VOu/ltKmSnOvC0k5bPvzvrVcy0DddshxkDQWk +-> ssh-ed25519 70Nt2Q 0nHQLz3eBe5hlvzTVYtrJeYk/cXauAiFkf1mEOPX7ic +hdTIFUfwMi7QhSwse2InTVZ9DNmZ1K89iQ590CUeGUc +--- q1czXHzSy3OkDWSM2BC5kRZpnzKXf/y4tFFPqqaqC18 +9NhpYLӵfRٗ;4=3y6,EKڜBT@t%)9㵻Ai1oM1 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 310acb3..7166ad4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -32,4 +32,6 @@ in { "danflix_storage_box_crypt_pw.age".publicKeys = users ++ [system4]; "danflix_storage_box_crypt_obscured_pw.age".publicKeys = users ++ [system4]; "danflix_env_file.age".publicKeys = users ++ [system4]; + "danflix_rclone_config.age".publicKeys = users ++ [system4]; + "caddy_porkbun_api_env.age".publicKeys = users ++ [system4]; } diff --git a/users/daniel/host-specific/pingbox/default.nix b/users/daniel/host-specific/pingbox/default.nix index 1b56ef1..7d4e8d3 100644 --- a/users/daniel/host-specific/pingbox/default.nix +++ b/users/daniel/host-specific/pingbox/default.nix @@ -24,6 +24,5 @@ services.easyeffects = { enable = true; - }; }