diff --git a/.gitattributes b/.gitattributes index 0bb32ff..4910fb3 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,5 +1,5 @@ secrets/murmur_password filter=git-crypt diff=git-crypt secrets/hashedPass filter=git-crypt diff=git-crypt -secrets/mullvad.nix filter=git-crypt diff=git-crypt secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt secrets/wg0.conf filter=git-crypt diff=git-crypt +secrets/caddy_auth.nix filter=git-crypt diff=git-crypt diff --git a/configuration.nix b/configuration.nix index 3874764..2a93976 100644 --- a/configuration.nix +++ b/configuration.nix @@ -115,6 +115,9 @@ bottom htop + doas-sudo-shim + neofetch + borgbackup smartmontools diff --git a/flake.lock b/flake.lock index 0d8c7a1..2b0c2b4 100644 --- a/flake.lock +++ b/flake.lock @@ -43,11 +43,11 @@ ] }, "locked": { - "lastModified": 1731375802, - "narHash": "sha256-CvWPEzrl2EA3xrtg9X6K8aqV7T5r0SaDz6PLpGA0yIY=", + "lastModified": 1731548755, + "narHash": "sha256-kFg3S67OaYWI1SQ0tcmsPIC4PXtq7Av8AJcyf21ZxDE=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "b873a123366b9a62f9262414ada8d83b03f1f0bf", + "rev": "e6f7090175ae5183d84adb6192f115d8f859beaa", "type": "github" }, "original": { @@ -74,11 +74,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731541698, - "narHash": "sha256-o+BOgSM/jEvLACofjMvQAKdZrvKztmwOfiWiuDjOig0=", + "lastModified": 1731682847, + "narHash": "sha256-6O0APLMLj/Zp2iDQVUVDiVTMWC1XC3TcVHuufzZ0dS0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "00205055ce9ed57333f28b4023d19a2d74b3745f", + "rev": "a8eb04832bed6c5cee8cd2d148a77644c5a4197f", "type": "github" }, "original": { 
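Review bot: Dropping the git-crypt attribute for `secrets/mullvad.nix` is consistent with the file being deleted in this commit, but the encrypted blob stays in history for anyone who later holds the git-crypt key, so if it held live VPN credentials (services/quadlet.nix imported it as the gluetun environment) they should be revoked upstream rather than treated as gone. The new `secrets/caddy_auth.nix` entry only protects the file if the attribute was in place when the file was staged; the `Binary files … differ` line for it further down suggests it was, and `git-crypt status` on the checkout confirms it.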
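Review bot: `doas-sudo-shim` only does something if `security.sudo.enable` is false and `security.doas.enable` is true, and this hunk shows neither; with NixOS's default sudo still enabled the setuid wrapper in `/run/wrappers/bin` typically shadows the shim's `sudo` on PATH and the package is inert, while with sudo disabled every `sudo` call is governed by the doas rules rather than sudoers. A one-line comment stating which of the two is intended would settle it, e.g. `doas-sudo-shim # sudo(8) compatibility on top of security.doas (security.sudo disabled)`. The package list this hunk sits in continues outside the hunk.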
@@ -104,33 +104,12 @@ "type": "github" } }, - "quadlet-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729072507, - "narHash": "sha256-srn/XjGNtaO34/CX6H85NVIQ1ksBDOSToMiLu+22Tek=", - "owner": "SEIAROTg", - "repo": "quadlet-nix", - "rev": "5970e7be88ec6d063a79c7669a68918c4827caa0", - "type": "github" - }, - "original": { - "owner": "SEIAROTg", - "repo": "quadlet-nix", - "type": "github" - } - }, "root": { "inputs": { "nix-minecraft": "nix-minecraft", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-qbt": "nixpkgs-qbt", - "quadlet-nix": "quadlet-nix", "vpn-confinement": "vpn-confinement" } }, diff --git a/flake.nix b/flake.nix index 125963b..94bccfb 100644 --- a/flake.nix +++ b/flake.nix @@ -7,9 +7,6 @@ nixos-hardware.url = "github:NixOS/nixos-hardware/master"; - quadlet-nix.url = "github:SEIAROTg/quadlet-nix"; - quadlet-nix.inputs.nixpkgs.follows = "nixpkgs"; - nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.inputs.nixpkgs.follows = "nixpkgs"; @@ -21,7 +18,6 @@ outputs = { nixpkgs, - quadlet-nix, nix-minecraft, nixos-hardware, vpn-confinement, @@ -33,7 +29,7 @@ hostname = "muffin"; eth_interface = "enp3s0"; - service_configs = { + service_configs = rec { hdd_path = "/mnt/hdd"; services_dir = "/tank/services"; @@ -47,13 +43,14 @@ }; https = { - certs = service_configs.services_dir + "/http_certs"; - data_dir = service_configs.services_dir + "/http"; + certs = services_dir + "/http_certs"; + data_dir = services_dir + "/http"; + domain = "gardling.com"; }; gitea = { - dir = service_configs.services_dir + "/gitea"; - domain = "git.gardling.com"; + dir = services_dir + "/gitea"; + domain = "git.${https.domain}"; }; postgres = { 
@@ -61,29 +58,29 @@ }; immich = { - dir = service_configs.services_dir + "/immich"; + dir = services_dir + "/immich"; }; minecraft = { - parent_dir = service_configs.services_dir + "/minecraft"; + parent_dir = services_dir + "/minecraft"; server_name = "main"; }; gluetun = { - dir = service_configs.services_dir + "/gluetun"; + dir = services_dir + "/gluetun"; }; torrent = { - config_dir = service_configs.services_dir + "/qbittorrent/config"; - download_dir = service_configs.hdd_path + "/torrents"; + SavePath = hdd_path + "/torrents"; + TempPath = hdd_path + "/torrents/incomplete"; }; jellyfin = { - dir = service_configs.services_dir + "/jellyfin"; + dir = services_dir + "/jellyfin"; }; ollama = { - data_dir = service_configs.services_dir + "/ollama"; + data_dir = services_dir + "/ollama"; }; }; in @@ -98,27 +95,30 @@ inputs ; }; - modules = [ - ./configuration.nix - quadlet-nix.nixosModules.quadlet - nixos-hardware.nixosModules.common-cpu-amd-pstate - nixos-hardware.nixosModules.common-cpu-amd-zenpower - nixos-hardware.nixosModules.common-pc-ssd - nixos-hardware.nixosModules.common-gpu-intel + modules = + [ + ./configuration.nix - vpn-confinement.nixosModules.default + vpn-confinement.nixosModules.default - # import the `services.qbittorrent` module - (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix") + # import the `services.qbittorrent` module + (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix") - ( - { pkgs, lib, ... }: - { - imports = [ nix-minecraft.nixosModules.minecraft-servers ]; - nixpkgs.overlays = [ nix-minecraft.overlay ]; - } - ) - ]; + # get nix-minercaft working! + nix-minecraft.nixosModules.minecraft-servers + ( + { ... }: + { + nixpkgs.overlays = [ nix-minecraft.overlay ]; + } + ) + ] + ++ (with nixos-hardware.nixosModules; [ + common-cpu-amd-pstate + common-cpu-amd-zenpower + common-pc-ssd + common-gpu-intel + ]); }; }; } 
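Review bot: The new `torrent.SavePath` and `torrent.TempPath` keys are PascalCase while every sibling in `service_configs` is snake_case (`data_dir`, `parent_dir`, `server_name`); they evidently mirror the qBittorrent preference names they feed in services/qbittorrent.nix, which is a fair reason but should be stated, e.g. `# keys match qBittorrent's Preferences.Downloads names` above them, or rename them `save_path`/`temp_path` and do the mapping at the use site. The `rec` that lets `hdd_path` be referenced here unqualified is introduced in an earlier hunk of this file.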
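Review bot: The comment `# get nix-minercaft working!` misspells the input name and does not say why the module line is followed by a separate overlay module; suggest `# nix-minecraft: its NixOS module plus the overlay it expects for its server packages` so the pairing is not split by a future cleanup. The `modules` list built here is consumed outside the hunk.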
diff --git a/secrets/caddy_auth.nix b/secrets/caddy_auth.nix new file mode 100644 index 0000000..d85fde0 Binary files /dev/null and b/secrets/caddy_auth.nix differ diff --git a/secrets/mullvad.nix b/secrets/mullvad.nix deleted file mode 100644 index 45d962b..0000000 Binary files a/secrets/mullvad.nix and /dev/null differ diff --git a/services/bitmagnet.nix b/services/bitmagnet.nix index 7a7cd53..8fcf96a 100644 --- a/services/bitmagnet.nix +++ b/services/bitmagnet.nix @@ -5,13 +5,11 @@ { from = service_configs.ports.bitmagnet; to = service_configs.ports.bitmagnet; - } ]; openVPNPorts = [ { - # TODO! make an issue about this variable port = service_configs.ports.bitmagnet; protocol = "both"; } @@ -26,6 +24,7 @@ host = service_configs.postgres.socket; }; http_server = { + # TODO! make issue about this being a string and not a `port` type port = ":" + (builtins.toString service_configs.ports.bitmagnet); }; }; diff --git a/services/caddy.nix b/services/caddy.nix index 40d596b..851bc19 100644 --- a/services/caddy.nix +++ b/services/caddy.nix 
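Review bot: `openVPNPorts` opens `service_configs.ports.bitmagnet` for `protocol = "both"` through the VPN tunnel, while the same value is what `http_server.port` binds in the second hunk; unless bitmagnet's DHT listener is also on this port (as far as I recall it is configured separately from `http_server`), what becomes reachable from the VPN side is the unauthenticated HTTP/GraphQL server, bypassing the basic auth that services/caddy.nix applies on the `bitmagnet.` virtual host. If the intent is to expose the DHT port, give it its own value (e.g. a `ports.bitmagnet_dht` entry) and reference that in `openVPNPorts`; either way a comment on the `openVPNPorts` entry naming which listener it is for would prevent the next reader from guessing. The surrounding `vpnNamespaces` block starts outside the hunk.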
@@ -7,35 +7,45 @@ { services.caddy = { enable = true; + email = "titaniumtown@proton.me"; + globalConfig = '' + auto_https disable_redirects + ''; virtualHosts = { - ":${builtins.toString service_configs.ports.https}".extraConfig = '' - tls ${service_configs.https.certs}/cert.crt ${service_configs.https.certs}/cert.key + ${service_configs.https.domain} = { + extraConfig = '' + root * ${service_configs.https.data_dir} + file_server browse + ''; - handle_path /torrent* { - reverse_proxy 192.168.15.1:${builtins.toString service_configs.ports.torrent} - } + serverAliases = [ "www.${service_configs.https.domain}" ]; + }; - root * ${service_configs.https.data_dir} - file_server browse + "immich.${service_configs.https.domain}".extraConfig = '' + reverse_proxy :${builtins.toString config.services.immich.port} ''; - "immich.gardling.com".extraConfig = '' - reverse_proxy 127.0.0.1:${builtins.toString config.services.immich.port} - ''; - - "jellyfin.gardling.com".extraConfig = '' - reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.jellyfin} + "jellyfin.${service_configs.https.domain}".extraConfig = '' + reverse_proxy :${builtins.toString service_configs.ports.jellyfin} request_body { max_size 4096MB } ''; ${service_configs.gitea.domain}.extraConfig = '' - reverse_proxy 127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT} + reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT} ''; - "recorder.gardling.com".extraConfig = '' - reverse_proxy 192.168.15.1:${builtins.toString service_configs.ports.bitmagnet} + "bitmagnet.${service_configs.https.domain}".extraConfig = '' + tls internal + ${import ../secrets/caddy_auth.nix} + reverse_proxy http://192.168.15.1:${builtins.toString service_configs.ports.bitmagnet} + ''; + + "torrent.${service_configs.https.domain}".extraConfig = '' + tls internal + ${import ../secrets/caddy_auth.nix} + reverse_proxy http://192.168.15.1:${builtins.toString 
service_configs.ports.torrent} ''; }; }; diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix index d95c3a2..cc0a2fd 100644 --- a/services/qbittorrent.nix +++ b/services/qbittorrent.nix @@ -2,7 +2,6 @@ pkgs, config, service_configs, - lib, ... }: { @@ -35,11 +34,14 @@ hash = "sha256-PpumQCgIZp9wENL1XZvf7CdUAW9W0pQP5wqtG9oOUpM="; }}"; Password_PBKDF2 = "@ByteArray(U6PmgkmajHD6Nu5rLbazHw==:ycEEnAMGTxwAhkFiQtdkc6mbGArmnZ2Tkujk6wt4CCytlX0mzGgjQVLKzRb8vSV/S1Yu6+PuAO5gC8IxGR97jA==)"; - }; + +AuthSubnetWhitelist="127.0.0.1"; +AuthSubnetWhitelistEnabled = true; + }; serverConfig.Preferences.Downloads = { - SavePath = service_configs.hdd_path + "/torrents"; - TempPath = service_configs.hdd_path + "/torrents/incomplete"; + SavePath = service_configs.torrent.SavePath; + TempPath = service_configs.torrent.TempPath; }; serverConfig.BitTorrent.Session = { diff --git a/services/quadlet.nix b/services/quadlet.nix deleted file mode 100644 index f619c85..0000000 --- a/services/quadlet.nix +++ /dev/null 
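Review bot: `${import ../secrets/caddy_auth.nix}` on the `bitmagnet.` and `torrent.` hosts splices the secret's contents into the generated Caddyfile, which NixOS writes to `/nix/store` and is world-readable on the host, so git-crypt protects the repository but not the deployed value. If the file holds a `basic_auth`/`basicauth` block with bcrypt hashes the exposure is limited to the username and hash; if it holds anything more sensitive, keep the value in a file referenced by `services.caddy.environmentFile` and use a `{$VARIABLE}` placeholder in `extraConfig` so only the indirection lands in the store. A one-line comment on `auto_https disable_redirects` explaining why plain-HTTP requests for these hosts should not be redirected would also help, since two of the hosts already use `tls internal` and so need the local CA on clients anyway.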
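Review bot: `AuthSubnetWhitelistEnabled = true` with `AuthSubnetWhitelist="127.0.0.1"` turns off the WebUI login for requests qBittorrent sees as coming from 127.0.0.1, but services/caddy.nix reaches it via `http://192.168.15.1:…`, i.e. across the vpn-confinement bridge, so the source address qBittorrent observes is presumably the bridge peer rather than loopback — as written the whitelist looks like a no-op, and if it is later widened to the bridge address the Caddy basic auth becomes the only thing guarding the WebUI. Either drop the two lines or state the intent above them: `# WebUI login bypass for loopback callers only; Caddy-proxied traffic must still authenticate`. The two lines also lack the block's indentation and spacing and should read `AuthSubnetWhitelist = "127.0.0.1";` aligned with `Password_PBKDF2` above.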
@@ -1,61 +0,0 @@ -{ service_configs, config, ... }: -{ - virtualisation.quadlet = { - containers = { - gluetun.containerConfig = { - image = "docker.io/qmcgaw/gluetun"; - name = "gluetun"; - # autoUpdate = "registry"; - - addCapabilities = [ - "NET_ADMIN" - "MKNOD" - ]; - - environments = import ../secrets/mullvad.nix; - - publishPorts = [ - "6081:6081" - "6081:6081/udp" - "${builtins.toString service_configs.ports.torrent}:6011" - ]; - - volumes = [ "${service_configs.gluetun.dir}:/gluetun:z" ]; - podmanArgs = [ - "--device=/dev/net/tun" - ]; - }; - - qbittorrent = { - containerConfig = { - image = "lscr.io/linuxserver/qbittorrent:latest"; - name = "qbittorrent"; - autoUpdate = "registry"; - - environments = { - WEBUI_PORT = service_configs.ports.torrent; - DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent"; - # PUID = config.users.users.${config.services.jellyfin.user}.uid; - PGID = config.users.groups.${config.services.jellyfin.group}.gid; - }; - - volumes = [ - "${service_configs.torrent.config_dir}:/config:z" - "${service_configs.torrent.download_dir}:/downloads:z" - ]; - - networks = [ "container:gluetun" ]; - }; - - serviceConfig = { - requires = [ "gluetun.service" ]; - after = [ "gluetun.service" ]; - }; - }; - }; - - networks = { - internal.networkConfig.subnets = [ "10.0.123.1/24" ]; - }; - }; -} diff --git a/services/wg.nix b/services/wg.nix index 258a58e..83ef5a3 100644 --- a/services/wg.nix +++ b/services/wg.nix @@ -1,12 +1,11 @@ { pkgs, service_configs, ... }: { - # network namespace that is proxied through mullvad vpnNamespaces.wg = { enable = true; wireguardConfigFile = ../secrets/wg0.conf; accessibleFrom = [ - "192.168.0.0/24" + # "192.168.0.0/24" ]; }; }
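Review bot: Commenting out `"192.168.0.0/24"` leaves `accessibleFrom` holding a dead entry instead of a statement of intent, and the removed `# network namespace that is proxied through mullvad` line was the only description of what this namespace is for. Delete the commented entry and replace the removed comment with one that records the new access model, e.g. `# VPN-confined namespace; the LAN reaches it only through the Caddy hosts, not directly`. Confirm first that the host-side Caddy path to 192.168.15.1 does not itself depend on `accessibleFrom`, which I cannot tell from this hunk.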