Loadsamoney

2025-05-09 00:22:34 +01:00
parent a3afa8eb2c
commit 1f137c2f0c
11 changed files with 206 additions and 91 deletions
--- a/hosts/bigding/configuration.nix
+++ b/hosts/bigding/configuration.nix
@@ -3,7 +3,29 @@
  pkgs,
  lib,
  ...
-}: {
+}: let
  mkVHost = baseUrl: {
    service,
    port,
  }: {
    name = "${service}.${baseUrl}";
    value = {
      listenAddresses = ["100.91.249.54"];
      extraConfig = ''
        tls {
        	dns porkbun {
        		api_key {env.PORKBUN_API_KEY}
        		api_secret_key {env.PORKBUN_SECRET_KEY}
        	}
        }
         reverse_proxy localhost:${builtins.toString port}
      '';
    };
  };
  mkVHosts = baseUrl: hosts: builtins.listToAttrs (builtins.map (mkVHost baseUrl) hosts);
 in {
  imports = [
    ../common
    ./hardware-configuration.nix
@@ -26,6 +48,7 @@
    interfaces.ens3.useDHCP = true;
    firewall = {
      allowedTCPPorts = [80 8448 443];
      allowedTCPPortRanges = [
        {
          from = 12500;
@@ -46,6 +69,8 @@
    };
  };
  services.tailscale.permitCertUid = "caddy";
  services.syncthing = {
    settings = {
      gui = {
@@ -55,6 +80,105 @@
    guiAddress = "localhost:8387";
  };
  users.groups."media".name = "media";
  age.secrets = {
    caddy_porkbun_api_env.file = ../../secrets/caddy_porkbun_api_env.age;
  };
  services.sabnzbd = {
    enable = true;
    group = "media";
  };
  services.radarr = {
    enable = true;
    group = "media";
  };
  services.caddy = {
    enable = true;
    enableReload = false;
    environmentFile = config.age.secrets.caddy_porkbun_api_env.path;
    package = pkgs.caddy.withPlugins {
      plugins = ["github.com/caddy-dns/porkbun@v0.2.1"];
      hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg=";
    };
    logFormat = "level INFO";
    virtualHosts =
      (mkVHosts "broccoli.town" [
        {
          service = "radarr";
          port = 7878;
        }
        {
          service = "sonarr";
          port = 8989;
        }
        {
          service = "sab";
          port = 8085;
        }
        {
          service = "transmission";
          port = 9091;
        }
      ])
      // {
        "danielpatterson.dev" = {
          extraConfig = ''
            header {
            	proof proven.lol/de4a14
            }
            root * /srv/site/danielpatterson.dev
            encode zstd gzip
            file_server
          '';
        };
        "movies.danielpatterson.dev" = {
          extraConfig = ''
            reverse_proxy localhost:8096
          '';
        };
        "git.broccoli.town" = {
          extraConfig = ''
            reverse_proxy localhost:3030
          '';
        };
      };
  };
  # containers.radarr = {
  #   autoStart = false;
  #   bindMounts = {
  #     "/data" = {
  #       hostPath = "/var/media";
  #       mountPoint = "/data";
  #       isReadOnly = false;
  #     };
  #   };
  #   forwardPorts = [
  #     {
  #       containerPort = 7878;
  #       hostPort = 7979;
  #     }
  #   ];
  #   config = {config, pkgs, lib, ...}: {
  #     services.radarr = {
  #       enable = true;
  #     };
  #   };
  # };
  services.sonarr = {
    enable = true;
    group = "media";
  };
  services.prowlarr = {
    enable = true;
  };
  environment.systemPackages = with pkgs; [
    helix
    kitty # For terminfo
--- a/modules/caddy/Caddyfile
+++ b/modules/caddy/Caddyfile
@@ -2,16 +2,12 @@
 	log {
 		level ERROR
 	}
-	admin off
+	# admin off
 	servers {
 		metrics
 	}
 }
 http://localhost:2019 {
 	metrics /metrics
 }
 matrix.broccoli.town {
 	reverse_proxy /_matrix/* http://localhost:8008
 	reverse_proxy /_synapse/client/* http://localhost:8008
@@ -25,26 +21,56 @@ broccoli.town:8448 {
 	reverse_proxy http://localhost:8008
 }
-broccoli.town {
+radarr.broccoli.town {
-	header /.well-known/* "Access-Control-Allow-Origin" "*"
+	bind 100.91.249.54
-	respond /.well-known/matrix/client `{ "m.homeserver": { "base_url": "https://broccoli.town" } }`
+	tls {
 		dns porkbun {
 			api_key {env.PORKBUN_API_KEY}
 			api_secret_key {env.PORKBUN_SECRET_KEY}
 		}
 	}
-	reverse_proxy /_matrix/* http://localhost:8008
+	reverse_proxy http://localhost:7878
 	reverse_proxy /_synapse/client/* http://localhost:8008
 	redir / https://chat.broccoli.town
 }
-chat.broccoli.town {
+sab.broccoli.town {
-	header {
+	bind 100.91.249.54
-		X-Frame-Options "SAMEORIGIN"
+
-		X-XSS-Protection "1; mode=block"
+	tls {
-		X-Content-Type-Options "nosniff"
+		dns porkbun {
-		X-Robots-Tag "noindex, noarchive, nofollow"
+			api_key {env.PORKBUN_API_KEY}
 			api_secret_key {env.PORKBUN_SECRET_KEY}
 		}
 	}
-	root * @element@
+
-	file_server
+	reverse_proxy http://localhost:8085
 }
 sonarr.broccoli.town {
 	bind 100.91.249.54
 	tls {
 		dns porkbun {
 			api_key {env.PORKBUN_API_KEY}
 			api_secret_key {env.PORKBUN_SECRET_KEY}
 		}
 	}
 	reverse_proxy localhost:8989
 }
 transmission.broccoli.town {
 	bind 100.91.249.54
 	tls {
 		dns porkbun {
 			api_key {env.PORKBUN_API_KEY}
 			api_secret_key {env.PORKBUN_SECRET_KEY}
 		}
 	}
 	reverse_proxy localhost:9091
 }
 danielpatterson.dev {
@@ -69,19 +95,14 @@ git.broccoli.town {
 }
 http://bigding:8384 {
 	bind 100.91.249.54
 	reverse_proxy localhost:8387
 }
 bigding.squirrel-clownfish.ts.net {
 	tls {
 		get_certificate tailscale
 	}
 	reverse_proxy localhost:9091
 }
 http://bigding {
-	reverse_proxy /transmission localhost:9091
+	bind 100.91.249.54
-	reverse_proxy /transmission/* localhost:9091
+
 	handle_path /prometheus/* {
 		reverse_proxy localhost:9090
 	}
--- a/modules/caddy/default.nix
+++ b/modules/caddy/default.nix
@@ -1,36 +1,20 @@
 {
  pkgs,
  lib,
  config,
  ...
 }: {
  networking.firewall.allowedTCPPorts = [80 8448 443];
-  services.tailscale.permitCertUid = "caddy";
+  services.caddy = {
-
+    package = pkgs.caddy.withPlugins {
-  services.caddy = let
+      plugins = ["github.com/caddy-dns/porkbun@v0.2.1"];
-    catppuccin = builtins.fromJSON (builtins.readFile (pkgs.fetchurl {
+      hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg=";
      url = "https://raw.githubusercontent.com/catppuccin/element/main/config.json";
      hash = "sha256-jaH6E2YO2np3Ewv6JQWbGRiRqsL75rIEJuKfXv95W6Y=";
    }));
    element = pkgs.element-web.override {
      conf =
        {
          default_server_config."m.homeserver" = {
            "base_url" = "https://broccoli.town";
            "server_name" = "broccoli.town";
          };
        }
        // catppuccin;
    };
    config = pkgs.substituteAll {
      inherit element;
      src = ./Caddyfile;
    };
  in {
    enable = true;
-    configFile = config;
+    enableReload = false;
    adapter = "caddyfile";
    environmentFile = config.age.secrets.caddy_porkbun_api_env.path;
    configFile = ./Caddyfile;
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -2,7 +2,7 @@
  bigding = {
    imports = [
      ./backups/bigding
-      ./caddy
+      # ./caddy
      ./dungflix
      ./fail2ban
      ./gitea
--- a/modules/dungflix/default.nix
+++ b/modules/dungflix/default.nix
@@ -4,26 +4,15 @@
  ...
 }: let
  mountdir = "/var/media/danflix";
  rclone_config = pkgs.writeText "" ''
    [danflix-storage-box]
    type = sftp
    sftp_md5sum_command = md5sum
    sftp_sha1sum_command = sha1sum
    [danflix-crypto]
    type = crypt
    remote = danflix-storage-box:danflix
  '';
 in {
  age.secrets = {
    danflix_storage_box_crypt_obscured_pw.file = ../../secrets/danflix_storage_box_crypt_obscured_pw.age;
    danflix_hetzner_storage_box_pub_key.file = ../../secrets/danflix_hetzner_storage_box_pub_key.age;
-    danflix_env_file.file = ../../secrets/danflix_env_file.age;
+    danflix_rclone_config.file = ../../secrets/danflix_rclone_config.age;
  };
  services = {
    jellyfin.enable = true;
    jellyfin.group = "media";
    transmission = {
      enable = true;
@@ -55,7 +44,7 @@ in {
      "RCLONE_SFTP_KEY_FILE" = config.age.secrets.danflix_hetzner_storage_box_pub_key.path;
    };
    script = ''
-      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount danflix-crypto: ${mountdir} \
+      ${pkgs.rclone}/bin/rclone --config="${config.age.secrets.danflix_rclone_config.path}" mount danflix-union: ${mountdir} \
         --vfs-cache-mode full \
         --vfs-cache-max-age 336h \
         --vfs-cache-max-size 60G \
@@ -70,14 +59,13 @@ in {
    '';
    postStart = ''
      sleep 5
-      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" rc vfs/refresh recursive=true _async=true
+      ${pkgs.rclone}/bin/rclone --config="${config.age.secrets.danflix_rclone_config.path}" rc vfs/refresh recursive=true _async=true
    '';
    postStop = ''
      sleep 3
      ${pkgs.fuse3}/bin/fusermount -u ${mountdir}
    '';
    serviceConfig = {
      EnvironmentFile = config.age.secrets.danflix_env_file.path;
      Restart = "on-failure";
    };
  };
--- a/modules/synapse/default.nix
+++ b/modules/synapse/default.nix
@@ -7,7 +7,7 @@
  fqdn = "matrix.broccoli.town";
 in {
  services.postgresql = {
-    enable = true;
+    enable = false;
    package = pkgs.postgresql_16;
    ensureUsers = [
    ];
@@ -20,7 +20,7 @@ in {
  };
  services.matrix-synapse = {
-    enable = true;
+    enable = false;
    settings = {
      enable_metrics = true;
      server_name = "broccoli.town";
--- a/secrets/caddy_porkbun_api_env.age
+++ b/secrets/caddy_porkbun_api_env.age
--- a/secrets/danflix_rclone_config.age
+++ b/secrets/danflix_rclone_config.age
--- a/secrets/danflix_storage_box_crypt_pw.age
+++ b/secrets/danflix_storage_box_crypt_pw.age
@@ -1,18 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 eYYv1Q olD4OIi8YC5KZN7rVfOcis+OOvmJI27FsXN19tEX5lk
+-> ssh-ed25519 eYYv1Q vLmVCfQl4olGGQ8kjiC/qSNkRvFCGvtGDDBnd7hOelk
-493ZDJgwYbzPsthtQtIzzHpVtj9ocje15w9wq5JtHSI
+NLP/1UpjbKJcbpDYFGG6hPS1K8dUz0K1IiMUTXkBrL0
-> ssh-ed25519 Bp5IaA FbriZLB/tTQflwwqgMrJUgcMibx6vG+UI841ZjiOmlM
+-> ssh-ed25519 Bp5IaA KwnFb0LjUEaOylWWlAixGkxrstf6iy6MMZHRB39/2yc
-l/rutNoo4EnL6qr3wkMNGbDHcIC+CGZgfOcsoSoHCAE
+jREraVOqYqplbMMsvbPYI3haIlHdx0KKMBxKRQr4xKk
-> ssh-ed25519 T/DpgA M+PqxOvScPQU58bYwQqtQaLykzKW5fIibAfoKNDPUHM
+-> ssh-ed25519 T/DpgA c+GZB1UC3HFrGnqKmAlgAOLxLdP2ipMeUyYlLa42aT4
-1l2ZBg3naogcGeQhzDgonuPEFA+zjL/tZBCMwa6rIDY
+LkZpsQsQdyJgDlEx/zkMO848nb3iv4XRhHQvhEVIJck
-> ssh-ed25519 qMgRFg e3SJOsknOfqOdyqXvqTJ3+xo6ueWYSEyicj34+ufjDs
+-> ssh-ed25519 qMgRFg HpEFdzSYpe9O3xRjbQOXIXcNbddIIdDEbU04ilEDO1Y
-oOGb2SzADeydEtCO5eDyYGxJG0ZCLseAwslR3E6LsUs
+OK9/cZY/uyWAMX0CrYarfoAkdOetd3n3jPQrFy4ePjc
-> ssh-ed25519 dMZXNw N/D2EAYhGZkwtiDDf+0Krb/pOVjG66PLLBdeSAWqo1k
+-> ssh-ed25519 dMZXNw yNlqlhu7rMy+0T4/1ofR8VKfJ8FqHjC0OVTPTP7ms1I
-vs2fnH6CAcyvoDuPTmgjmMkUcIK9VHmQGfHOcpy71hU
+t6YwA0VOu/ltKmSnOvC0k5bPvzvrVcy0DddshxkDQWk
-> ssh-ed25519 70Nt2Q tr8TufTCMfU+8KtIdkFjyczVRiKUvFZ6rwGOPYUObVY
+-> ssh-ed25519 70Nt2Q 0nHQLz3eBe5hlvzTVYtrJeYk/cXauAiFkf1mEOPX7ic
-+akmkrm1+GIONvR3dR+Sj9d3Ajj+PqzYVn4SWWEKmo8
+hdTIFUfwMi7QhSwse2InTVZ9DNmZ1K89iQ590CUeGUc
-> *_-grease |uf+h
+--- q1czXHzSy3OkDWSM2BC5kRZpnzKXf/y4tFFPqqaqC18
-NP9bxjUd03lJnmXKlH7wx0+1E2fQit01FsnXk8MtCzbSzf3DZUi5pHk0KAOUIpOE
+<EFBFBD>9NhpYLӵ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>fR<>ٗ<EFBFBD>;4=<3D>3<EFBFBD>y6,EK<45>ڜ<01>B<EFBFBD><06><>T@t<><74>%<25><>)9㵻Ai<41>1<EFBFBD><31><EFBFBD>o<EFBFBD>M<EFBFBD>1<EFBFBD><31><1D><16><19>
 uu81CrNA4J7InBlX56qNDqGMuQ
 --- vE2U4+bAt/AmUZdwD05PYzzxeVl6IVGHjEOgNfqfAWI
 <EFBFBD><EFBFBD> <20><>k1K<11>q<EFBFBD><71><EFBFBD>_<EFBFBD>?<3F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Tp8w1<77>0<<3C>hjX<6A>Q<EFBFBD><51><EFBFBD><EFBFBD>Օ<EFBFBD><D595>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -32,4 +32,6 @@ in {
  "danflix_storage_box_crypt_pw.age".publicKeys = users ++ [system4];
  "danflix_storage_box_crypt_obscured_pw.age".publicKeys = users ++ [system4];
  "danflix_env_file.age".publicKeys = users ++ [system4];
  "danflix_rclone_config.age".publicKeys = users ++ [system4];
  "caddy_porkbun_api_env.age".publicKeys = users ++ [system4];
 }
--- a/users/daniel/host-specific/pingbox/default.nix
+++ b/users/daniel/host-specific/pingbox/default.nix
@@ -24,6 +24,5 @@
  services.easyeffects = {
    enable = true;
  };
 }