This commit is contained in:
Simon Gardling 2025-02-01 21:32:26 -05:00
parent b98adc50f6
commit a22012df2c
Signed by: titaniumtown
GPG Key ID: 9AB28AC10ECE533D
18 changed files with 102 additions and 79 deletions

4
.gitattributes vendored

@ -2,8 +2,8 @@ secrets/murmur_password filter=git-crypt diff=git-crypt
secrets/hashedPass filter=git-crypt diff=git-crypt
secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt
secrets/wg0.conf filter=git-crypt diff=git-crypt
secrets/caddy_auth.nix filter=git-crypt diff=git-crypt
secrets/caddy_auth filter=git-crypt diff=git-crypt
secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt
secrets/owntracks_caddy_auth.nix filter=git-crypt diff=git-crypt
secrets/owntracks_caddy_auth filter=git-crypt diff=git-crypt
secrets/secureboot.tar filter=git-crypt diff=git-crypt
secrets/zfs-key filter=git-crypt diff=git-crypt


@ -12,6 +12,7 @@
imports = [
./hardware.nix
./zfs.nix
./services/postgresql.nix
./services/jellyfin.nix
./services/caddy.nix
./services/immich.nix
@ -20,9 +21,7 @@
./services/wg.nix
./services/qbittorrent.nix
./services/bitmagnet.nix
./services/matrix.nix
./services/owntracks.nix
];
@ -209,21 +208,32 @@
systemd.services.no-rgb =
let
no-rgb = pkgs.writeScriptBin "no-rgb" ''
#!/bin/sh
set -e
no-rgb = (
pkgs.writeShellApplication {
name = "no-rgb";
runtimeInputs = with pkgs; [
openrgb
coreutils
gnugrep
];
NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.gnugrep}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l)
text = ''
#!/bin/sh
set -e
for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do
${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
done
'';
NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')
for i in $(seq 0 $((NUM_DEVICES - 1))); do
openrgb --noautoconnect --device "$i" --mode direct --color 000000
done
'';
}
);
in
{
description = "disable rgb";
serviceConfig = {
ExecStart = "${no-rgb}/bin/no-rgb";
ExecStart = "${no-rgb}/bin/${no-rgb.name}";
Type = "oneshot";
};
wantedBy = [ "multi-user.target" ];
@ -283,8 +293,6 @@
"wheel"
"video"
"render"
"postgres"
"media"
service_configs.torrent_group
];
@ -338,15 +346,5 @@
# };
# };
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/tank/services/sql";
};
systemd.tmpfiles.rules = [
"d ${config.services.postgresql.dataDir} 0700 postgres postgres"
];
system.stateVersion = "24.11";
}
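Review bot: The switch to `grep -cE` in the `NUM_DEVICES=` line makes the script exit non-zero on a host where openrgb lists no devices, because `grep -c` returns 1 when nothing matches and writeShellApplication runs its text under errexit and pipefail; the removed `grep -E | wc -l` form exited 0 in that case, so this is a regression of the oneshot unit. Append a fallback: `NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ' || true)`. The `#!/bin/sh` and `set -e` lines inside `text` are redundant for the same reason — writeShellApplication prepends its own bash shebang and strict-mode options, and the leftover shebang is just a comment in the body — so both can be dropped. The `systemd.services.no-rgb` definition is complete within the hunk; the surrounding attribute set continues past it.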


@ -2,8 +2,6 @@
disko.devices = {
disk = {
main = {
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/disk/by-id/some-disk-id";
type = "disk";
content = {
type = "gpt";


@ -70,6 +70,7 @@
data_dir = services_dir + "/http";
domain = "gardling.com";
wg_ip = "192.168.15.1";
matrix_hostname = "matrix.${service_configs.https.domain}";
};
gitea = {

BIN
secrets/caddy_auth Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,4 +1,9 @@
{ pkgs, service_configs, ... }:
{
pkgs,
service_configs,
config,
...
}:
{
vpnNamespaces.wg = {
portMappings = [
@ -30,6 +35,14 @@
};
};
services.caddy.virtualHosts.
"bitmagnet.${service_configs.https.domain}".extraConfig =
''
# tls internal
${builtins.readFile ../secrets/caddy_auth}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
'';
systemd.services.bitmagnet.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
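Review bot: `${builtins.readFile ../secrets/caddy_auth}` splices the credential text straight into `extraConfig`, so it lands in the generated Caddyfile, which as far as I can tell the caddy module writes into the Nix store — world-readable on the host and carried along with the system closure; the same applies to the owntracks.nix and qbittorrent.nix hunks. This was already true of the `import ../secrets/caddy_auth.nix` form it replaces, but moving the secret to a raw file is a good moment to take it out of the store entirely: deploy the file to a root-owned path outside the store and have Caddy load it at runtime, e.g. `import /path/outside/store/caddy_auth` (placeholder path) in place of the readFile interpolation. `config` is added to the module arguments on the new side but is not used in the visible lines; presumably it is needed elsewhere in the file, otherwise it can be dropped. The `vpnNamespaces.wg` block in the first hunk starts and ends outside the visible lines.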


@ -5,9 +5,6 @@
pkgs,
...
}:
let
matrix_hostname = "matrix.${service_configs.https.domain}";
in
{
services.caddy = {
enable = true;
@ -15,12 +12,6 @@ in
virtualHosts = {
${service_configs.https.domain} = {
extraConfig = ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server": "${matrix_hostname}:443"}`
respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${matrix_hostname}"},"m.homeserver":{"base_url":"https://${matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
root * ${service_configs.https.data_dir}
file_server browse
'';
@ -28,52 +19,11 @@ in
serverAliases = [ "www.${service_configs.https.domain}" ];
};
"immich.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.immich.port}
'';
"jellyfin.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
request_body {
max_size 4096MB
}
'';
"${service_configs.gitea.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
'';
"bitmagnet.${service_configs.https.domain}".extraConfig = ''
# tls internal
${import ../secrets/caddy_auth.nix}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
'';
"torrent.${service_configs.https.domain}".extraConfig = ''
# tls internal
${import ../secrets/caddy_auth.nix}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort}
'';
"map.${service_configs.https.domain}".extraConfig = ''
# tls internal
root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
file_server browse
'';
"${matrix_hostname}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
'';
# Exact duplicate of matrix.DOMAIN_NAME
"${matrix_hostname}:8448".extraConfig =
config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
}".extraConfig;
"owntracks.${service_configs.https.domain}".extraConfig = ''
${import ../secrets/owntracks_caddy_auth.nix}
reverse_proxy :${builtins.toString service_configs.ports.owntracks}
'';
};
};


@ -30,6 +30,10 @@
};
};
services.caddy.virtualHosts."${service_configs.gitea.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
'';
systemd.tmpfiles.rules = [
"d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}"
];


@ -17,6 +17,10 @@
};
};
services.caddy.virtualHosts."immich.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.immich.port}
'';
systemd.tmpfiles.rules = [
"d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
];


@ -22,6 +22,13 @@
cacheDir = dataDir + "_cache";
};
services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
request_body {
max_size 4096MB
}
'';
systemd.tmpfiles.rules = [
"d ${config.services.jellyfin.dataDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
"d ${config.services.jellyfin.cacheDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"


@ -2,6 +2,7 @@
pkgs,
config,
service_configs,
lib,
...
}:
{
@ -9,6 +10,22 @@
../secrets/matrix_reg_token.nix
];
services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server": "${service_configs.https.matrix_hostname}:443"}`
respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.https.matrix_hostname}"},"m.homeserver":{"base_url":"https://${service_configs.https.matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
'';
services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig = ''
reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
'';
# Exact duplicate
services.caddy.virtualHosts."${service_configs.https.matrix_hostname}:8448".extraConfig =
config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
}".extraConfig;
services.matrix-conduit = {
enable = true;
package = pkgs.conduwuit;
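Review bot: The `:8448` vhost copies its config from `virtualHosts."${config.services.matrix-conduit.settings.global.server_name}"`, but the vhost it is meant to duplicate is now keyed by `service_configs.https.matrix_hostname` three lines above; the two only coincide if `server_name` is set to that hostname, which this hunk does not show (the `services.matrix-conduit` block is cut off at the end of the hunk), and a mismatch surfaces as a missing-attribute error at evaluation. Keying the copy the same way removes the dependency: `config.services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig;`. The comment also lost its referent in the move — `# Exact duplicate of the matrix_hostname vhost above, served on the federation port` keeps the intent readable.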


@ -37,6 +37,11 @@ in
"d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
];
services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = ''
${builtins.readFile ../secrets/owntracks_caddy_auth}
reverse_proxy :${builtins.toString service_configs.ports.owntracks}
'';
users.users.${username}.extraGroups = [
"owntracks"
];

21
services/postgresql.nix Normal file

@ -0,0 +1,21 @@
{
pkgs,
config,
username,
...
}:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/tank/services/sql";
};
systemd.tmpfiles.rules = [
"d ${config.services.postgresql.dataDir} 0700 postgresql postgresql"
];
users.users.${username}.extraGroups = [
"postgresql"
];
}
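Review bot: The tmpfiles rule and the extraGroups entry use `postgresql` as the user and group, whereas the rule and group removed from the main configuration in this commit used `postgres`; as far as I know the NixOS postgresql module creates the user and group `postgres`, so with `postgresql` the tmpfiles rule cannot resolve its owner and the data directory is not created, and the group membership is a no-op. Use `postgres` in both places: `"d ${config.services.postgresql.dataDir} 0700 postgres postgres"` and `"postgres"`. Note also that with mode 0700 group membership grants no access to the data directory itself, so the extraGroups entry only matters for other group-owned paths; a one-line comment stating why the user is added to the group would help the next reader.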


@ -92,6 +92,12 @@
vpnNamespace = "wg";
};
services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
# tls internal
${builtins.readFile ../secrets/caddy_auth}
reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort}
'';
users.users.${config.services.qbittorrent.user}.extraGroups = [
service_configs.torrent_group
];


@ -1,6 +1,5 @@
{
service_configs,
config,
pkgs,
...
}: