titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cleanup

Browse Source
This commit is contained in:
Simon Gardling 2025-02-01 21:32:26 -05:00
parent b98adc50f6
commit a22012df2c
Signed by: titaniumtown
GPG Key ID: 9AB28AC10ECE533D
18 changed files with 102 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitattributes vendored
View File

@ -2,8 +2,8 @@ secrets/murmur_password filter=git-crypt diff=git-crypt
secrets/hashedPass filter=git-crypt diff=git-crypt secrets/hashedPass filter=git-crypt diff=git-crypt
secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt
secrets/wg0.conf filter=git-crypt diff=git-crypt secrets/wg0.conf filter=git-crypt diff=git-crypt
secrets/caddy_auth.nix filter=git-crypt diff=git-crypt secrets/caddy_auth filter=git-crypt diff=git-crypt
secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt
secrets/owntracks_caddy_auth.nix filter=git-crypt diff=git-crypt secrets/owntracks_caddy_auth filter=git-crypt diff=git-crypt
secrets/secureboot.tar filter=git-crypt diff=git-crypt secrets/secureboot.tar filter=git-crypt diff=git-crypt
secrets/zfs-key filter=git-crypt diff=git-crypt secrets/zfs-key filter=git-crypt diff=git-crypt

44
configuration.nix
View File

@ -12,6 +12,7 @@
imports = [ imports = [
./hardware.nix ./hardware.nix
./zfs.nix ./zfs.nix
./services/postgresql.nix
./services/jellyfin.nix ./services/jellyfin.nix
./services/caddy.nix ./services/caddy.nix
./services/immich.nix ./services/immich.nix
@ -20,9 +21,7 @@
./services/wg.nix ./services/wg.nix
./services/qbittorrent.nix ./services/qbittorrent.nix
./services/bitmagnet.nix ./services/bitmagnet.nix
./services/matrix.nix ./services/matrix.nix
./services/owntracks.nix ./services/owntracks.nix
]; ];
@ -209,21 +208,32 @@
systemd.services.no-rgb = systemd.services.no-rgb =
let let
no-rgb = pkgs.writeScriptBin "no-rgb" '' no-rgb = (
#!/bin/sh pkgs.writeShellApplication {
set -e name = "no-rgb";
runtimeInputs = with pkgs; [
openrgb
coreutils
gnugrep
];
NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.gnugrep}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l) text = ''
#!/bin/sh
set -e
for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')
${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
done for i in $(seq 0 $((NUM_DEVICES - 1))); do
''; openrgb --noautoconnect --device "$i" --mode direct --color 000000
done
'';
}
);
in in
{ {
description = "disable rgb"; description = "disable rgb";
serviceConfig = { serviceConfig = {
ExecStart = "${no-rgb}/bin/no-rgb"; ExecStart = "${no-rgb}/bin/${no-rgb.name}";
Type = "oneshot"; Type = "oneshot";
}; };
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -283,8 +293,6 @@
"wheel" "wheel"
"video" "video"
"render" "render"
"postgres"
"media"
service_configs.torrent_group service_configs.torrent_group
]; ];
@ -338,15 +346,5 @@
# }; # };
# }; # };
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/tank/services/sql";
};
systemd.tmpfiles.rules = [
"d ${config.services.postgresql.dataDir} 0700 postgres postgres"
];
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

2
disk-config.nix
View File

@ -2,8 +2,6 @@
disko.devices = { disko.devices = {
disk = { disk = {
main = { main = {
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/disk/by-id/some-disk-id";
type = "disk"; type = "disk";
content = { content = {
type = "gpt"; type = "gpt";

1
flake.nix
View File

@ -70,6 +70,7 @@
data_dir = services_dir + "/http"; data_dir = services_dir + "/http";
domain = "gardling.com"; domain = "gardling.com";
wg_ip = "192.168.15.1"; wg_ip = "192.168.15.1";
matrix_hostname = "matrix.${service_configs.https.domain}";
}; };
gitea = { gitea = {

BIN
secrets/caddy_auth Normal file
View File

Binary file not shown.

BIN
secrets/caddy_auth.nix
View File

Binary file not shown.

BIN
secrets/owntracks_caddy_auth Normal file
View File

Binary file not shown.

BIN
secrets/owntracks_caddy_auth.nix
View File

Binary file not shown.

15
services/bitmagnet.nix
View File

@ -1,4 +1,9 @@
{ pkgs, service_configs, ... }: {
pkgs,
service_configs,
config,
...
}:
{ {
vpnNamespaces.wg = { vpnNamespaces.wg = {
portMappings = [ portMappings = [
@ -30,6 +35,14 @@
}; };
}; };
services.caddy.virtualHosts.
"bitmagnet.${service_configs.https.domain}".extraConfig =
''
# tls internal
${builtins.readFile ../secrets/caddy_auth}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
'';
systemd.services.bitmagnet.vpnConfinement = { systemd.services.bitmagnet.vpnConfinement = {
enable = true; enable = true;
vpnNamespace = "wg"; vpnNamespace = "wg";

50
services/caddy.nix
View File

@ -5,9 +5,6 @@
pkgs, pkgs,
... ...
}: }:
let
matrix_hostname = "matrix.${service_configs.https.domain}";
in
{ {
services.caddy = { services.caddy = {
enable = true; enable = true;
@ -15,12 +12,6 @@ in
virtualHosts = { virtualHosts = {
${service_configs.https.domain} = { ${service_configs.https.domain} = {
extraConfig = '' extraConfig = ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server": "${matrix_hostname}:443"}`
respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${matrix_hostname}"},"m.homeserver":{"base_url":"https://${matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
root * ${service_configs.https.data_dir} root * ${service_configs.https.data_dir}
file_server browse file_server browse
''; '';
@ -28,52 +19,11 @@ in
serverAliases = [ "www.${service_configs.https.domain}" ]; serverAliases = [ "www.${service_configs.https.domain}" ];
}; };
"immich.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.immich.port}
'';
"jellyfin.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
request_body {
max_size 4096MB
}
'';
"${service_configs.gitea.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
'';
"bitmagnet.${service_configs.https.domain}".extraConfig = ''
# tls internal
${import ../secrets/caddy_auth.nix}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
'';
"torrent.${service_configs.https.domain}".extraConfig = ''
# tls internal
${import ../secrets/caddy_auth.nix}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort}
'';
"map.${service_configs.https.domain}".extraConfig = '' "map.${service_configs.https.domain}".extraConfig = ''
# tls internal # tls internal
root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
file_server browse file_server browse
''; '';
"${matrix_hostname}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
'';
# Exact duplicate of matrix.DOMAIN_NAME
"${matrix_hostname}:8448".extraConfig =
config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
}".extraConfig;
"owntracks.${service_configs.https.domain}".extraConfig = ''
${import ../secrets/owntracks_caddy_auth.nix}
reverse_proxy :${builtins.toString service_configs.ports.owntracks}
'';
}; };
}; };

4
services/gitea.nix
View File

@ -30,6 +30,10 @@
}; };
}; };
services.caddy.virtualHosts."${service_configs.gitea.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
'';
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}" "d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}"
]; ];

4
services/immich.nix
View File

@ -17,6 +17,10 @@
}; };
}; };
services.caddy.virtualHosts."immich.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.immich.port}
'';
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}" "d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
]; ];

7
services/jellyfin.nix
View File

@ -22,6 +22,13 @@
cacheDir = dataDir + "_cache"; cacheDir = dataDir + "_cache";
}; };
services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
request_body {
max_size 4096MB
}
'';
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${config.services.jellyfin.dataDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" "d ${config.services.jellyfin.dataDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
"d ${config.services.jellyfin.cacheDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" "d ${config.services.jellyfin.cacheDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"

17
services/matrix.nix
View File

@ -2,6 +2,7 @@
pkgs, pkgs,
config, config,
service_configs, service_configs,
lib,
... ...
}: }:
{ {
@ -9,6 +10,22 @@
../secrets/matrix_reg_token.nix ../secrets/matrix_reg_token.nix
]; ];
services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server": "${service_configs.https.matrix_hostname}:443"}`
respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.https.matrix_hostname}"},"m.homeserver":{"base_url":"https://${service_configs.https.matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
'';
services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
'';
# Exact duplicate
services.caddy.virtualHosts."${service_configs.https.matrix_hostname}:8448".extraConfig =
config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
}".extraConfig;
services.matrix-conduit = { services.matrix-conduit = {
enable = true; enable = true;
package = pkgs.conduwuit; package = pkgs.conduwuit;

5
services/owntracks.nix
View File

@ -37,6 +37,11 @@ in
"d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks" "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
]; ];
services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = ''
${builtins.readFile ../secrets/owntracks_caddy_auth}
reverse_proxy :${builtins.toString service_configs.ports.owntracks}
'';
users.users.${username}.extraGroups = [ users.users.${username}.extraGroups = [
"owntracks" "owntracks"
]; ];

21
services/postgresql.nix Normal file
View File

@ -0,0 +1,21 @@
{
pkgs,
config,
username,
...
}:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/tank/services/sql";
};
systemd.tmpfiles.rules = [
"d ${config.services.postgresql.dataDir} 0700 postgresql postgresql"
];
users.users.${username}.extraGroups = [
"postgresql"
];
}

6
services/qbittorrent.nix
View File

@ -92,6 +92,12 @@
vpnNamespace = "wg"; vpnNamespace = "wg";
}; };
services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
# tls internal
${builtins.readFile ../secrets/caddy_auth}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort}
'';
users.users.${config.services.qbittorrent.user}.extraGroups = [ users.users.${config.services.qbittorrent.user}.extraGroups = [
service_configs.torrent_group service_configs.torrent_group
]; ];

1
zfs.nix
View File

@ -1,6 +1,5 @@
{ {
service_configs, service_configs,
config,
pkgs, pkgs,
... ...
}: }: