From 1f137c2f0c769c4a39d39ade4c6b1b0b6aca043f Mon Sep 17 00:00:00 2001 From: Daniel Patterson Date: Fri, 9 May 2025 00:22:34 +0100 Subject: [PATCH] Loadsamoney --- hosts/bigding/configuration.nix | 126 +++++++++++++++++- modules/caddy/Caddyfile | 79 +++++++---- modules/caddy/default.nix | 32 ++--- modules/default.nix | 2 +- modules/dungflix/default.nix | 20 +-- modules/synapse/default.nix | 4 +- secrets/caddy_porkbun_api_env.age | Bin 0 -> 935 bytes secrets/danflix_rclone_config.age | Bin 0 -> 1434 bytes secrets/danflix_storage_box_crypt_pw.age | 31 ++--- secrets/secrets.nix | 2 + .../daniel/host-specific/pingbox/default.nix | 1 - 11 files changed, 206 insertions(+), 91 deletions(-) create mode 100644 secrets/caddy_porkbun_api_env.age create mode 100644 secrets/danflix_rclone_config.age diff --git a/hosts/bigding/configuration.nix b/hosts/bigding/configuration.nix index 2769089..d388eb3 100644 --- a/hosts/bigding/configuration.nix +++ b/hosts/bigding/configuration.nix @@ -3,7 +3,29 @@ pkgs, lib, ... -}: { +}: let + mkVHost = baseUrl: { + service, + port, + }: { + name = "${service}.${baseUrl}"; + value = { + listenAddresses = ["100.91.249.54"]; + extraConfig = '' + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } + + reverse_proxy localhost:${builtins.toString port} + ''; + }; + }; + + mkVHosts = baseUrl: hosts: builtins.listToAttrs (builtins.map (mkVHost baseUrl) hosts); +in { imports = [ ../common ./hardware-configuration.nix @@ -26,6 +48,7 @@ interfaces.ens3.useDHCP = true; firewall = { + allowedTCPPorts = [80 8448 443]; allowedTCPPortRanges = [ { from = 12500; @@ -46,6 +69,8 @@ }; }; + services.tailscale.permitCertUid = "caddy"; + services.syncthing = { settings = { gui = { 
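Review bot: The tailnet listen address `100.91.249.54` is a bare literal inside `mkVHost`, and the same literal is repeated in every new site block of modules/caddy/Caddyfile in this patch, so a re-assigned Tailscale address would have to be fixed in several places. Hoist it into the `let` as `tailnetAddr = "100.91.249.54";` and write `listenAddresses = [tailnetAddr];`. A short comment above `mkVHost` would also help: the site is only bound on the tailnet address, its certificate comes from the ACME DNS challenge via Porkbun (so the name need not be publicly reachable), and no authentication is added at the proxy — access control is left to the proxied application.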
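Review bot: `allowedTCPPorts = [80 8448 443]` opens the Matrix federation port 8448, but modules/synapse/default.nix in this same patch sets `services.matrix-synapse.enable = false` and none of the `services.caddy.virtualHosts` defined below listens on 8448, so the port is opened with nothing behind it. Unless federation is coming back, `allowedTCPPorts = [80 443];` keeps the exposed surface to what is actually served. The same list is kept in modules/caddy/default.nix, which modules/default.nix stops importing for bigding in this patch, so this host-level list appears to be the only effective one now; a one-line comment saying so would save the next reader a search.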
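Review bot: `services.tailscale.permitCertUid = "caddy"` moves here from modules/caddy/default.nix, but its only consumer — the `bigding.squirrel-clownfish.ts.net { tls { get_certificate tailscale } }` site — is removed from the Caddyfile in this patch, and the new vhosts obtain certificates through the Porkbun DNS challenge instead. The option lets the caddy user fetch the node's tailnet certificates through tailscaled; with no site using that, it is an unused grant. Either drop the line or annotate it, `# only needed for get_certificate tailscale on *.ts.net sites`, so its purpose is visible.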
@@ -55,6 +80,105 @@ guiAddress = "localhost:8387"; }; + users.groups."media".name = "media"; + + age.secrets = { + caddy_porkbun_api_env.file = ../../secrets/caddy_porkbun_api_env.age; + }; + + services.sabnzbd = { + enable = true; + group = "media"; + }; + + services.radarr = { + enable = true; + group = "media"; + }; + + services.caddy = { + enable = true; + enableReload = false; + environmentFile = config.age.secrets.caddy_porkbun_api_env.path; + package = pkgs.caddy.withPlugins { + plugins = ["github.com/caddy-dns/porkbun@v0.2.1"]; + hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg="; + }; + logFormat = "level INFO"; + virtualHosts = + (mkVHosts "broccoli.town" [ + { + service = "radarr"; + port = 7878; + } + { + service = "sonarr"; + port = 8989; + } + { + service = "sab"; + port = 8085; + } + { + service = "transmission"; + port = 9091; + } + ]) + // { + "danielpatterson.dev" = { + extraConfig = '' + header { + proof proven.lol/de4a14 + } + root * /srv/site/danielpatterson.dev + encode zstd gzip + file_server + ''; + }; + "movies.danielpatterson.dev" = { + extraConfig = '' + reverse_proxy localhost:8096 + ''; + }; + "git.broccoli.town" = { + extraConfig = '' + reverse_proxy localhost:3030 + ''; + }; + }; + }; + + # containers.radarr = { + # autoStart = false; + # bindMounts = { + # "/data" = { + # hostPath = "/var/media"; + # mountPoint = "/data"; + # isReadOnly = false; + # }; + # }; + # forwardPorts = [ + # { + # containerPort = 7878; + # hostPort = 7979; + # } + # ]; + # config = {config, pkgs, lib, ...}: { + # services.radarr = { + # enable = true; + # }; + # }; + # }; + + services.sonarr = { + enable = true; + group = "media"; + }; + + services.prowlarr = { + enable = true; + }; + environment.systemPackages = with pkgs; [ helix kitty # For terminfo diff --git a/modules/caddy/Caddyfile b/modules/caddy/Caddyfile index 28b5ce4..46c836a 100644 --- a/modules/caddy/Caddyfile +++ b/modules/caddy/Caddyfile 
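Review bot: `environmentFile = config.age.secrets.caddy_porkbun_api_env.path;` reads `config`, but the argument list visible in the first hunk of this file shows only `pkgs, lib, ...`; if `config` is not bound on the two lines above that hunk, evaluation fails, so please confirm it is among the module arguments. The commented-out `containers.radarr` block (about twenty lines) should be deleted rather than kept: it is in git history and now duplicates the native `services.radarr` enabled just above it. `enableReload = false;` is a non-obvious choice for a config that embeds secrets via the environment file; a one-line comment stating why reload is disabled would help the next reader.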
@@ -2,16 +2,12 @@ log { level ERROR } - admin off + # admin off servers { metrics } } -http://localhost:2019 { - metrics /metrics -} - matrix.broccoli.town { reverse_proxy /_matrix/* http://localhost:8008 reverse_proxy /_synapse/client/* http://localhost:8008 @@ -25,26 +21,56 @@ broccoli.town:8448 { reverse_proxy http://localhost:8008 } -broccoli.town { - header /.well-known/* "Access-Control-Allow-Origin" "*" +radarr.broccoli.town { + bind 100.91.249.54 - respond /.well-known/matrix/client `{ "m.homeserver": { "base_url": "https://broccoli.town" } }` + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } - reverse_proxy /_matrix/* http://localhost:8008 - reverse_proxy /_synapse/client/* http://localhost:8008 - - redir / https://chat.broccoli.town + reverse_proxy http://localhost:7878 } -chat.broccoli.town { - header { - X-Frame-Options "SAMEORIGIN" - X-XSS-Protection "1; mode=block" - X-Content-Type-Options "nosniff" - X-Robots-Tag "noindex, noarchive, nofollow" +sab.broccoli.town { + bind 100.91.249.54 + + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } } - root * @element@ - file_server + + reverse_proxy http://localhost:8085 +} + +sonarr.broccoli.town { + bind 100.91.249.54 + + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } + + reverse_proxy localhost:8989 +} + +transmission.broccoli.town { + bind 100.91.249.54 + + tls { + dns porkbun { + api_key {env.PORKBUN_API_KEY} + api_secret_key {env.PORKBUN_SECRET_KEY} + } + } + + reverse_proxy localhost:9091 } danielpatterson.dev { 
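Review bot: Commenting out `admin off` re-enables Caddy's admin API on its default `localhost:2019` listener, which lets any local process read the running configuration or load a new one; the removed `http://localhost:2019 { metrics /metrics }` site exposed metrics without that. If the change is only so Prometheus can keep scraping `/metrics`, restore that site and keep `admin off`; otherwise add a comment above it stating why the admin endpoint must stay on. Note also that modules/default.nix stops importing `./caddy` for bigding in this patch, so this Caddyfile no longer appears to be the live configuration there and now diverges from the `services.caddy.virtualHosts` in hosts/bigding/configuration.nix — retiring the file is cleaner than editing it in parallel.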
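Review bot: The four new site blocks (`radarr`, `sab`, `sonarr`, `transmission`) repeat the same `bind` and `tls { dns porkbun … }` stanza verbatim, and the upstream form is inconsistent between them (`http://localhost:7878` and `http://localhost:8085` versus `localhost:8989` and `localhost:9091`). A named snippet with `import` keeps the credential stanza and listen address in one place, so a later change — a different DNS provider, a new tailnet address — cannot be applied to three sites and missed on the fourth. These sites add no authentication at the proxy; as written they rely on each application's own login and on the tailnet bind, and a comment on the snippet stating that assumption would make it explicit.
```caddyfile
(tailnet_tls) {
	bind 100.91.249.54

	tls {
		dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_SECRET_KEY}
		}
	}
}

radarr.broccoli.town {
	import tailnet_tls
	reverse_proxy localhost:7878
}

# … unchanged shape: sab (8085), sonarr (8989), transmission (9091) each become `import tailnet_tls` plus their reverse_proxy line …
```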
@@ -69,19 +95,14 @@ git.broccoli.town { } http://bigding:8384 { + bind 100.91.249.54 + reverse_proxy localhost:8387 } -bigding.squirrel-clownfish.ts.net { - tls { - get_certificate tailscale - } - reverse_proxy localhost:9091 -} - http://bigding { - reverse_proxy /transmission localhost:9091 - reverse_proxy /transmission/* localhost:9091 + bind 100.91.249.54 + handle_path /prometheus/* { reverse_proxy localhost:9090 } diff --git a/modules/caddy/default.nix b/modules/caddy/default.nix index aacc80e..3e26f96 100644 --- a/modules/caddy/default.nix +++ b/modules/caddy/default.nix @@ -1,36 +1,20 @@ { pkgs, lib, + config, ... }: { networking.firewall.allowedTCPPorts = [80 8448 443]; - services.tailscale.permitCertUid = "caddy"; - - services.caddy = let - catppuccin = builtins.fromJSON (builtins.readFile (pkgs.fetchurl { - url = "https://raw.githubusercontent.com/catppuccin/element/main/config.json"; - hash = "sha256-jaH6E2YO2np3Ewv6JQWbGRiRqsL75rIEJuKfXv95W6Y="; - })); - - element = pkgs.element-web.override { - conf = - { - default_server_config."m.homeserver" = { - "base_url" = "https://broccoli.town"; - "server_name" = "broccoli.town"; - }; - } - // catppuccin; + services.caddy = { + package = pkgs.caddy.withPlugins { + plugins = ["github.com/caddy-dns/porkbun@v0.2.1"]; + hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg="; }; - - config = pkgs.substituteAll { - inherit element; - src = ./Caddyfile; - }; - in { enable = true; - configFile = config; + enableReload = false; adapter = "caddyfile"; + environmentFile = config.age.secrets.caddy_porkbun_api_env.path; + configFile = ./Caddyfile; }; } diff --git a/modules/default.nix b/modules/default.nix index 09bfd08..d678497 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,7 +2,7 @@ bigding = { imports = [ ./backups/bigding - ./caddy + # ./caddy ./dungflix ./fail2ban ./gitea diff --git a/modules/dungflix/default.nix b/modules/dungflix/default.nix index 9bf2f28..2dcd207 100644 
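Review bot: `environmentFile = config.age.secrets.caddy_porkbun_api_env.path;` in modules/caddy/default.nix depends on an `age.secrets.caddy_porkbun_api_env` declaration that this module does not make — in this patch it exists only in hosts/bigding/configuration.nix — so any host that imports `./caddy` without that host file fails to evaluate on a missing attribute. Declare it here as well, `age.secrets.caddy_porkbun_api_env.file = ../../secrets/caddy_porkbun_api_env.age;`, so the module stands on its own. Since modules/default.nix drops `./caddy` from bigding's imports in the same patch, this module appears to be orphaned; if it is kept for another host, a header comment naming that host would prevent it being edited in parallel with the host configuration, as happens here.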
--- a/modules/dungflix/default.nix +++ b/modules/dungflix/default.nix @@ -4,26 +4,15 @@ ... }: let mountdir = "/var/media/danflix"; - - rclone_config = pkgs.writeText "" '' - [danflix-storage-box] - type = sftp - sftp_md5sum_command = md5sum - sftp_sha1sum_command = sha1sum - - [danflix-crypto] - type = crypt - remote = danflix-storage-box:danflix - ''; in { age.secrets = { - danflix_storage_box_crypt_obscured_pw.file = ../../secrets/danflix_storage_box_crypt_obscured_pw.age; danflix_hetzner_storage_box_pub_key.file = ../../secrets/danflix_hetzner_storage_box_pub_key.age; - danflix_env_file.file = ../../secrets/danflix_env_file.age; + danflix_rclone_config.file = ../../secrets/danflix_rclone_config.age; }; services = { jellyfin.enable = true; + jellyfin.group = "media"; transmission = { enable = true; @@ -55,7 +44,7 @@ in { "RCLONE_SFTP_KEY_FILE" = config.age.secrets.danflix_hetzner_storage_box_pub_key.path; }; script = '' - ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount danflix-crypto: ${mountdir} \ + ${pkgs.rclone}/bin/rclone --config="${config.age.secrets.danflix_rclone_config.path}" mount danflix-union: ${mountdir} \ --vfs-cache-mode full \ --vfs-cache-max-age 336h \ --vfs-cache-max-size 60G \ @@ -70,14 +59,13 @@ in { ''; postStart = '' sleep 5 - ${pkgs.rclone}/bin/rclone --config="${rclone_config}" rc vfs/refresh recursive=true _async=true + ${pkgs.rclone}/bin/rclone --config="${config.age.secrets.danflix_rclone_config.path}" rc vfs/refresh recursive=true _async=true ''; postStop = '' sleep 3 ${pkgs.fuse3}/bin/fusermount -u ${mountdir} ''; serviceConfig = { - EnvironmentFile = config.age.secrets.danflix_env_file.path; Restart = "on-failure"; }; }; diff --git a/modules/synapse/default.nix b/modules/synapse/default.nix index d87f782..9ce6e7e 100644 --- a/modules/synapse/default.nix +++ b/modules/synapse/default.nix 
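Review bot: The rclone configuration moves from an inline `writeText` (a plain `sftp` remote with a `crypt` remote layered over it) into the opaque `danflix_rclone_config.age`, and the mount target changes from `danflix-crypto:` to `danflix-union:`, so a reader of this file can no longer tell whether the union still sits on top of the crypt remote or whether media is now written to the storage box unencrypted. Please add a comment next to `danflix_rclone_config.file` naming the remotes the secret defines and stating whether the crypt layer is retained. The second and third hunks follow from this change: dropping `EnvironmentFile` presumably means the crypt password now lives inside the config file, which agenix writes root-owned with mode `0400` by default — if the mount unit runs as a non-root user (its `User=` is outside these hunks), set `age.secrets.danflix_rclone_config.owner` accordingly or rclone cannot read its config. `danflix_env_file` and `danflix_storage_box_crypt_obscured_pw` are no longer referenced here; if nothing else uses them, remove their `.age` files and `secrets.nix` entries.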
@@ -7,7 +7,7 @@ fqdn = "matrix.broccoli.town"; in { services.postgresql = { - enable = true; + enable = false; package = pkgs.postgresql_16; ensureUsers = [ ]; @@ -20,7 +20,7 @@ in { }; services.matrix-synapse = { - enable = true; + enable = false; settings = { enable_metrics = true; server_name = "broccoli.town"; diff --git a/secrets/caddy_porkbun_api_env.age b/secrets/caddy_porkbun_api_env.age new file mode 100644 index 0000000000000000000000000000000000000000..a22845c9ec87376231b4f87a03c599dc7784c406 GIT binary patch literal 935 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnjf^Za3{;4!tTfK4 z46O_Z&Iz~7^470Rcd9CN_716VOA3xE_o(!&%E-w|GcGcAF6OEXiPR4<3h>M}N%Hec zvdoQgN;L7v2`DeL^mj9<%+EEbtjJ3Vv@okE%tp7(sle1T(NV#~%+*leSKGwjvMeLt zq$1thC*9k~EZC$xDlelb&?_^eG~ZCaBsft&G?J?@C`3CvzrrUXJ6J!@KRYSNP~RxR zJ0L4DGAk^v(!wJu#l>8^Am7|G+!5Wj5Pg?|bVmi#Jl~Mys2~@^wDiJAr_>A|AJ2f& zpn_1(v|u+=qu|OYclUzwh(MqG;7BgNl00{J7jJ(Lr(n+@?}(JlP$NIT49l!i|D3|i zf=VC1D9eI0k3@@rA`IIKeba;7(iO6@Qr&`l-3pU^LrjhI{Y>)>+$+P<{8RiK^SvGO zyk~}NC3p0Z%(j$wV z3<}bcFhVlLH!8xfT*1&=+c&_mDBIZ8EwCiSpt!;{)7Z-`B|Xq5)Ys9=M7zw(Bh13k zCCf86kSj4Nz{glSEX2^wx5}V2*}$)=u++;vOh44Qz%!>PBs46@$;&G=C%ZDz6+I-) z4g5-s0u>zdbBohMT%3F|$|6mI)7=e9oSmHwbBY2}^K&!x(} z-Z4~vocG3j#+pT&%^bZy%U3(})fvyb@yju??OmY!3y-CeTb7D1X}e@1Zekr+oLkHG yJ!g?}1f%;K50>B+TK|tde)w*+&%+wwxd#KecsZ(s++`-a89RK}*lUt}(-#0}EJ?fo literal 0 HcmV?d00001 
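Review bot: `services.postgresql.enable = false` in the first hunk disables PostgreSQL for the whole host, not just for Synapse; if anything else on bigding (the `./gitea` module imported alongside, for instance) uses the same instance, it loses its database too — worth confirming before merging. If the intent is to retire Synapse, removing the synapse module from the import list in modules/default.nix (as this patch does for `./caddy`) is clearer than flipping two `enable` flags while leaving `ensureUsers`, `settings` and the `fqdn` binding in place, and it makes the now-unneeded 8448 entry in `allowedTCPPorts` in hosts/bigding/configuration.nix easier to spot.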
diff --git a/secrets/danflix_rclone_config.age b/secrets/danflix_rclone_config.age new file mode 100644 index 0000000000000000000000000000000000000000..f9715aeed359ddbfd6275ae768944c9f39f4a864 GIT binary patch literal 1434 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnjf^Za3{(j8G>s}x zH;yvOHFGx1i?FOTDkv)ob2fDK^>XyLC~zq)bqjP&DGu}sD(CVI4T;LgGxPMx3r#DJ zF!HDfugLZ_%Qq@DH7Ig%@$mQZF3B$rO!di6G(oq`sle1T(NQ5UGP}axucRV0Ogl9{ zCE3i$(6uW|E(=k1>JUctt%dw=?FC#qE*n-O_vM43rxY9TyqQF1P+tjdJ+dnKl z)Y;9TG}kZPEYaVrBC9ge*hN2GKN;P&5Pg?|bVmiZd@siWchi!r^gK`fh=R1F6yKaI zlX8Q!?4&~PiX303!f;bxQ+Hz{<8-cq^upxK!Vtrdw7k#?Bj4OYa|`!CpL`S7EVq!f zz+zLcDi6z`2;X#rjBIq<3VqXq+|m`w43o<$ohnl-G7a=ov&|ACywZ)*j7nSzy~_v z%?$EQEIiR|OYx10@GDmcGfVPuNh{7U$}$WnDR%cyG0zDt4-favH;Xd!_4P?jj0_73 ziwbecP50&U&MXXf3C*q0_sMk$v`jDX56(2Hh^VwQ4h|1Xb}cCOb4qm&sB#VuD2qh5 z&D_AR#3)c9&nqa`$0gM=-8?8UBHLWsJJiz5EY;PoDy1@~%-Jx)r?|`_Ju}-vyRw)o z)jY++$1}_z+toAF+|)bV!o@Jer64=Py*RYeDAhaH&nP3+AWz>QH_ekvS65e|D$h8q zI5;D#!qY6-tt{6$(>F0FH{UI#D#Sm>JUhuaJuT8W+@vtiur!-;D>5=v0kPp8!9Tyes-LdjkM}r>SW55ocFC%BJXd+m&PyGIb@ayU5PZjlF$N3R~y8A*q$<&?f@=eLMmD>vRhzo>o6=cI!>Z?L_P6Xh%y+jhtCq3V~Vn!ZbXIxONdORqBbM;E>>-8@h8OgCrtn&W)I z8>}uzT;ve6m3ueA)i1s|gnizXJ+brmx+bVROYT_weA8t^wzGQKD@Bu->w2efY|uFU z^6_TZMY2Hi)hM$>pBltSnxUBR=wH8l56tn(2_3yYyY&)Ru{4G z*RRiiEui_dfbX*TiV2A?LU*u8TMIm2IjNKDhCRo}UkhBic{VI|SJ?ORweBJ;?fn`C0 z_vW3uW1YDrBDFIpjdAg@xl1+9c^q7GEAIDs)8AV?N~SM3q}LHuGiBH6YfI#oGi67u zySZNMZQ`lL>k}=KJ#06dFE+5;@-i^y_9o#b^#WOEw%gp7>@-^be|;2n{zszq-BmFH z>C@bIWZE5fP3BnqZ0Vl>-6fSpS|a+ ssh-ed25519 eYYv1Q olD4OIi8YC5KZN7rVfOcis+OOvmJI27FsXN19tEX5lk -493ZDJgwYbzPsthtQtIzzHpVtj9ocje15w9wq5JtHSI --> ssh-ed25519 Bp5IaA FbriZLB/tTQflwwqgMrJUgcMibx6vG+UI841ZjiOmlM -l/rutNoo4EnL6qr3wkMNGbDHcIC+CGZgfOcsoSoHCAE --> ssh-ed25519 T/DpgA M+PqxOvScPQU58bYwQqtQaLykzKW5fIibAfoKNDPUHM -1l2ZBg3naogcGeQhzDgonuPEFA+zjL/tZBCMwa6rIDY --> ssh-ed25519 qMgRFg e3SJOsknOfqOdyqXvqTJ3+xo6ueWYSEyicj34+ufjDs -oOGb2SzADeydEtCO5eDyYGxJG0ZCLseAwslR3E6LsUs --> ssh-ed25519 dMZXNw 
N/D2EAYhGZkwtiDDf+0Krb/pOVjG66PLLBdeSAWqo1k -vs2fnH6CAcyvoDuPTmgjmMkUcIK9VHmQGfHOcpy71hU --> ssh-ed25519 70Nt2Q tr8TufTCMfU+8KtIdkFjyczVRiKUvFZ6rwGOPYUObVY -+akmkrm1+GIONvR3dR+Sj9d3Ajj+PqzYVn4SWWEKmo8 --> *_-grease |uf+h -NP9bxjUd03lJnmXKlH7wx0+1E2fQit01FsnXk8MtCzbSzf3DZUi5pHk0KAOUIpOE -uu81CrNA4J7InBlX56qNDqGMuQ ---- vE2U4+bAt/AmUZdwD05PYzzxeVl6IVGHjEOgNfqfAWI - k1Kq_?Tp8w10<hjXQՕ bG \ No newline at end of file +-> ssh-ed25519 eYYv1Q vLmVCfQl4olGGQ8kjiC/qSNkRvFCGvtGDDBnd7hOelk +NLP/1UpjbKJcbpDYFGG6hPS1K8dUz0K1IiMUTXkBrL0 +-> ssh-ed25519 Bp5IaA KwnFb0LjUEaOylWWlAixGkxrstf6iy6MMZHRB39/2yc +jREraVOqYqplbMMsvbPYI3haIlHdx0KKMBxKRQr4xKk +-> ssh-ed25519 T/DpgA c+GZB1UC3HFrGnqKmAlgAOLxLdP2ipMeUyYlLa42aT4 +LkZpsQsQdyJgDlEx/zkMO848nb3iv4XRhHQvhEVIJck +-> ssh-ed25519 qMgRFg HpEFdzSYpe9O3xRjbQOXIXcNbddIIdDEbU04ilEDO1Y +OK9/cZY/uyWAMX0CrYarfoAkdOetd3n3jPQrFy4ePjc +-> ssh-ed25519 dMZXNw yNlqlhu7rMy+0T4/1ofR8VKfJ8FqHjC0OVTPTP7ms1I +t6YwA0VOu/ltKmSnOvC0k5bPvzvrVcy0DddshxkDQWk +-> ssh-ed25519 70Nt2Q 0nHQLz3eBe5hlvzTVYtrJeYk/cXauAiFkf1mEOPX7ic +hdTIFUfwMi7QhSwse2InTVZ9DNmZ1K89iQ590CUeGUc +--- q1czXHzSy3OkDWSM2BC5kRZpnzKXf/y4tFFPqqaqC18 +9NhpYLӵfRٗ;4=3y6,EKڜBT@t%)9㵻Ai1oM1 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 310acb3..7166ad4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -32,4 +32,6 @@ in { "danflix_storage_box_crypt_pw.age".publicKeys = users ++ [system4]; "danflix_storage_box_crypt_obscured_pw.age".publicKeys = users ++ [system4]; "danflix_env_file.age".publicKeys = users ++ [system4]; + "danflix_rclone_config.age".publicKeys = users ++ [system4]; + "caddy_porkbun_api_env.age".publicKeys = users ++ [system4]; } diff --git a/users/daniel/host-specific/pingbox/default.nix b/users/daniel/host-specific/pingbox/default.nix index 1b56ef1..7d4e8d3 100644 --- a/users/daniel/host-specific/pingbox/default.nix +++ b/users/daniel/host-specific/pingbox/default.nix @@ -24,6 +24,5 @@ services.easyeffects = { enable = true; - }; }
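Review bot: The two new `secrets.nix` entries are fine, but the hunk's context still lists `danflix_env_file.age` and `danflix_storage_box_crypt_obscured_pw.age`, which modules/dungflix/default.nix stops referencing in this patch; if no other module uses them, drop both entries and the files so stale encrypted credentials are not kept decryptable by every key in `users`. `caddy_porkbun_api_env.age` holds a DNS API key that controls records for the account's domains — that is exactly what the ACME DNS challenge relies on — so keeping its recipient list to the host that needs it plus the keys that must edit it is the least-privilege shape; a brief comment above the entry noting that scope would help.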