diff --git a/.gitattributes b/.gitattributes
index 8771b43..ecba705 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -2,8 +2,8 @@ secrets/murmur_password filter=git-crypt diff=git-crypt
 secrets/hashedPass filter=git-crypt diff=git-crypt
 secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt
 secrets/wg0.conf filter=git-crypt diff=git-crypt
-secrets/caddy_auth.nix filter=git-crypt diff=git-crypt
+secrets/caddy_auth filter=git-crypt diff=git-crypt
 secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt
-secrets/owntracks_caddy_auth.nix filter=git-crypt diff=git-crypt
+secrets/owntracks_caddy_auth filter=git-crypt diff=git-crypt
 secrets/secureboot.tar filter=git-crypt diff=git-crypt
 secrets/zfs-key filter=git-crypt diff=git-crypt
diff --git a/configuration.nix b/configuration.nix
index 3de7cd8..205b57f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -12,6 +12,7 @@
 imports = [
 ./hardware.nix
 ./zfs.nix
+ ./services/postgresql.nix
 ./services/jellyfin.nix
 ./services/caddy.nix
 ./services/immich.nix
@@ -20,9 +21,7 @@
 ./services/wg.nix
 ./services/qbittorrent.nix
 ./services/bitmagnet.nix
- ./services/matrix.nix
- ./services/owntracks.nix
 ];
@@ -209,21 +208,32 @@ systemd.services.no-rgb = let - no-rgb = pkgs.writeScriptBin "no-rgb" '' - #!/bin/sh - set -e + no-rgb = ( + pkgs.writeShellApplication { + name = "no-rgb"; + runtimeInputs = with pkgs; [ + openrgb + coreutils + gnugrep + ]; - NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.gnugrep}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l) + text = '' + #!/bin/sh + set -e - for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do - ${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000 - done - ''; + NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ') + + for i in $(seq 0 $((NUM_DEVICES - 1))); do + openrgb --noautoconnect --device "$i" --mode direct --color 000000 + done + ''; + } + ); in { description = "disable rgb"; serviceConfig = { - ExecStart = "${no-rgb}/bin/no-rgb"; + ExecStart = "${no-rgb}/bin/${no-rgb.name}"; Type = "oneshot"; }; wantedBy = [ "multi-user.target" ]; @@ -283,8 +293,6 @@ "wheel" "video" "render" - "postgres" - "media" service_configs.torrent_group ]; @@ -338,15 +346,5 @@ # }; # }; - services.postgresql = { - enable = true; - package = pkgs.postgresql_16; - dataDir = "/tank/services/sql"; - }; - - systemd.tmpfiles.rules = [ - "d ${config.services.postgresql.dataDir} 0700 postgres postgres" - ]; - system.stateVersion = "24.11"; } diff --git a/disk-config.nix b/disk-config.nix index 2782928..25580ff 100644 --- a/disk-config.nix +++ b/disk-config.nix @@ -2,8 +2,6 @@ disko.devices = { disk = { main = { - # When using disko-install, we will overwrite this value from the commandline - device = "/dev/disk/by-id/some-disk-id"; type = "disk"; content = { type = "gpt"; diff --git a/flake.nix b/flake.nix index 13ab5be..3934d81 100644 --- a/flake.nix +++ b/flake.nix 
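Review bot: The `NUM_DEVICES=$(openrgb … | grep -cE '^[0-9]+: ')` line in the new `no-rgb` text aborts the oneshot when no device is listed, because `grep -c` exits 1 on zero matches and `writeShellApplication` wraps the script in `set -o errexit -o pipefail`, whereas the old `grep | wc -l` pipeline simply yielded 0 and the loop ran zero times. A `|| true` keeps the old behaviour: `NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ' || true)`. The `#!/bin/sh` and `set -e` lines inside `text` are also redundant now — `writeShellApplication` supplies a bash shebang and its own `set` options, so the `#!/bin/sh` line becomes a stray comment in the middle of the generated script and can be dropped together with `set -e`.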
@@ -70,6 +70,7 @@ data_dir = services_dir + "/http"; domain = "gardling.com"; wg_ip = "192.168.15.1"; + matrix_hostname = "matrix.${service_configs.https.domain}"; }; gitea = { diff --git a/secrets/caddy_auth b/secrets/caddy_auth new file mode 100644 index 0000000..8871a69 Binary files /dev/null and b/secrets/caddy_auth differ diff --git a/secrets/caddy_auth.nix b/secrets/caddy_auth.nix deleted file mode 100644 index d85fde0..0000000 Binary files a/secrets/caddy_auth.nix and /dev/null differ diff --git a/secrets/owntracks_caddy_auth b/secrets/owntracks_caddy_auth new file mode 100644 index 0000000..2cd6cbc Binary files /dev/null and b/secrets/owntracks_caddy_auth differ diff --git a/secrets/owntracks_caddy_auth.nix b/secrets/owntracks_caddy_auth.nix deleted file mode 100644 index f353a8b..0000000 Binary files a/secrets/owntracks_caddy_auth.nix and /dev/null differ diff --git a/services/bitmagnet.nix b/services/bitmagnet.nix index 8fcf96a..16a0d84 100644 --- a/services/bitmagnet.nix +++ b/services/bitmagnet.nix @@ -1,4 +1,9 @@ -{ pkgs, service_configs, ... }: +{ + pkgs, + service_configs, + config, + ... +}: { vpnNamespaces.wg = { portMappings = [ @@ -30,6 +35,14 @@ }; }; + services.caddy.virtualHosts. + + "bitmagnet.${service_configs.https.domain}".extraConfig = + '' + # tls internal + ${builtins.readFile ../secrets/caddy_auth} + reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet} + ''; systemd.services.bitmagnet.vpnConfinement = { enable = true; vpnNamespace = "wg"; diff --git a/services/caddy.nix b/services/caddy.nix index 1ded345..8e56c73 100644 --- a/services/caddy.nix +++ b/services/caddy.nix @@ -5,9 +5,6 @@ pkgs, ... }: -let - matrix_hostname = "matrix.${service_configs.https.domain}"; -in { services.caddy = { enable = true; 
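Review bot: `${builtins.readFile ../secrets/caddy_auth}` in the new bitmagnet vhost splices the credential text into `extraConfig`, so it ends up in the generated Caddyfile in the world-readable Nix store; the old `import ../secrets/caddy_auth.nix` had the same effect, so this is not a regression, but the move to a plain file would have been the moment to stop embedding it. The same pattern is repeated in the owntracks.nix and qbittorrent.nix hunks. Keeping the store clean means referencing the secret at runtime instead, e.g. a Caddyfile `import <PATH_TO_ROOT_ONLY_SECRET_FILE>` line in `extraConfig`, or `{$VAR}` environment placeholders supplied through the caddy unit's `EnvironmentFile`. Separately, the attribute path here is split across a blank line (`services.caddy.virtualHosts.` … `"bitmagnet.${service_configs.https.domain}".extraConfig =`); the sibling hunks write it on one line, `services.caddy.virtualHosts."bitmagnet.${service_configs.https.domain}".extraConfig = ''`, which is easier to grep for.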
@@ -15,12 +12,6 @@ in virtualHosts = { ${service_configs.https.domain} = { extraConfig = '' - - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `{"m.server": "${matrix_hostname}:443"}` - respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${matrix_hostname}"},"m.homeserver":{"base_url":"https://${matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}` - root * ${service_configs.https.data_dir} file_server browse ''; 
@@ -28,52 +19,11 @@ in serverAliases = [ "www.${service_configs.https.domain}" ]; }; - "immich.${service_configs.https.domain}".extraConfig = '' - reverse_proxy :${builtins.toString config.services.immich.port} - ''; - - "jellyfin.${service_configs.https.domain}".extraConfig = '' - reverse_proxy :${builtins.toString service_configs.ports.jellyfin} - request_body { - max_size 4096MB - } - ''; - - "${service_configs.gitea.domain}".extraConfig = '' - reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT} - ''; - - "bitmagnet.${service_configs.https.domain}".extraConfig = '' - # tls internal - ${import ../secrets/caddy_auth.nix} - reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet} - ''; - - "torrent.${service_configs.https.domain}".extraConfig = '' - # tls internal - ${import ../secrets/caddy_auth.nix} - reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort} - ''; - "map.${service_configs.https.domain}".extraConfig = '' # tls internal root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web file_server browse ''; - - "${matrix_hostname}".extraConfig = '' - reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port} - ''; - - # Exact duplicate of matrix.DOMAIN_NAME - "${matrix_hostname}:8448".extraConfig = - config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name - }".extraConfig; - - "owntracks.${service_configs.https.domain}".extraConfig = '' - ${import ../secrets/owntracks_caddy_auth.nix} - reverse_proxy :${builtins.toString service_configs.ports.owntracks} - ''; }; }; diff --git a/services/gitea.nix b/services/gitea.nix index 013c2b4..e5b07fb 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
@@ -30,6 +30,10 @@ }; }; + services.caddy.virtualHosts."${service_configs.gitea.domain}".extraConfig = '' + reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT} + ''; + systemd.tmpfiles.rules = [ "d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}" ]; diff --git a/services/immich.nix b/services/immich.nix index 9228ed5..37634da 100644 --- a/services/immich.nix +++ b/services/immich.nix @@ -17,6 +17,10 @@ }; }; + services.caddy.virtualHosts."immich.${service_configs.https.domain}".extraConfig = '' + reverse_proxy :${builtins.toString config.services.immich.port} + ''; + systemd.tmpfiles.rules = [ "d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}" ]; diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 8008002..d67cfe6 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -22,6 +22,13 @@ cacheDir = dataDir + "_cache"; }; + services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = '' + reverse_proxy :${builtins.toString service_configs.ports.jellyfin} + request_body { + max_size 4096MB + } + ''; + systemd.tmpfiles.rules = [ "d ${config.services.jellyfin.dataDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" "d ${config.services.jellyfin.cacheDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" diff --git a/services/matrix.nix b/services/matrix.nix index a00ede6..cb05217 100644 --- a/services/matrix.nix +++ b/services/matrix.nix @@ -2,6 +2,7 @@ pkgs, config, service_configs, + lib, ... }: { 
@@ -9,6 +10,22 @@ ../secrets/matrix_reg_token.nix ]; + services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore '' + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `{"m.server": "${service_configs.https.matrix_hostname}:443"}` + respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.https.matrix_hostname}"},"m.homeserver":{"base_url":"https://${service_configs.https.matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}` + ''; + + services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig = '' + reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port} + ''; + + # Exact duplicate + services.caddy.virtualHosts."${service_configs.https.matrix_hostname}:8448".extraConfig = + config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name + }".extraConfig; + services.matrix-conduit = { enable = true; package = pkgs.conduwuit; diff --git a/services/owntracks.nix b/services/owntracks.nix index c246e10..3def720 100644 --- a/services/owntracks.nix +++ b/services/owntracks.nix @@ -37,6 +37,11 @@ in "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks" ]; + services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = '' + ${builtins.readFile ../secrets/owntracks_caddy_auth} + reverse_proxy :${builtins.toString service_configs.ports.owntracks} + ''; + users.users.${username}.extraGroups = [ "owntracks" ]; diff --git a/services/postgresql.nix b/services/postgresql.nix new file mode 100644 index 0000000..b120aa0 --- /dev/null +++ b/services/postgresql.nix 
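Review bot: These new matrix vhosts only take effect if `services/matrix.nix` is still evaluated, yet the configuration.nix hunk in this same commit removes `./services/matrix.nix` (and `./services/owntracks.nix`) from `imports`; unless both files are imported from somewhere outside this diff, the `.well-known` responses that `lib.mkBefore` prepends here — which were deleted from caddy.nix in the same commit — and the conduit reverse proxy silently disappear from the build. If the removal is intentional, the matrix.nix and owntracks.nix changes are dead code and the new `matrix_hostname` in flake.nix is unused. A smaller point: the `:8448` duplicate looks up `virtualHosts."${config.services.matrix-conduit.settings.global.server_name}"`, which only exists when `server_name` happens to equal `matrix_hostname`; referencing `config.services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig` directly states the intent and cannot fail evaluation on a mismatch.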
@@ -0,0 +1,21 @@ +{ + pkgs, + config, + username, + ... +}: +{ + services.postgresql = { + enable = true; + package = pkgs.postgresql_16; + dataDir = "/tank/services/sql"; + }; + + systemd.tmpfiles.rules = [ + "d ${config.services.postgresql.dataDir} 0700 postgresql postgresql" + ]; + + users.users.${username}.extraGroups = [ + "postgresql" + ]; +} diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix index 592f52b..a594dc8 100644 --- a/services/qbittorrent.nix +++ b/services/qbittorrent.nix @@ -92,6 +92,12 @@ vpnNamespace = "wg"; }; + services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = '' + # tls internal + ${builtins.readFile ../secrets/caddy_auth} + reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort} + ''; + users.users.${config.services.qbittorrent.user}.extraGroups = [ service_configs.torrent_group ]; diff --git a/zfs.nix b/zfs.nix index eb0c215..1aa8ae7 100644 --- a/zfs.nix +++ b/zfs.nix @@ -1,6 +1,5 @@ { service_configs, - config, pkgs, ... }:
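Review bot: The tmpfiles rule in the new `services/postgresql.nix` names user and group `postgresql`, but the NixOS `services.postgresql` module runs as user and group `postgres` — the block this replaces in configuration.nix used `0700 postgres postgres`, and the dropped `extraGroups` entry was `"postgres"`. With a nonexistent owner, systemd-tmpfiles cannot apply the ownership on `/tank/services/sql`, so the data directory either is not created or is not owned by the database user, and `extraGroups = [ "postgresql" ]` likewise names a group that does not exist (NixOS, as far as I recall, warns rather than fails on that, so it would go unnoticed). The two lines should read `"d ${config.services.postgresql.dataDir} 0700 postgres postgres"` and `"postgres"`; note also that with mode 0700 the group membership grants the admin user nothing on `dataDir`, so it is worth a comment on why it is added.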