caddy: redo stuff

2024-11-15 11:01:33 -05:00 · 2024-11-15 11:01:33 -05:00 · c3bb3979fa
commit c3bb3979fa
parent f081e8ff27
11 changed files with 78 additions and 147 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,5 +1,5 @@
 secrets/murmur_password filter=git-crypt diff=git-crypt
 secrets/hashedPass filter=git-crypt diff=git-crypt
 secrets/mullvad.nix filter=git-crypt diff=git-crypt
 secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt
 secrets/wg0.conf filter=git-crypt diff=git-crypt
 secrets/caddy_auth.nix filter=git-crypt diff=git-crypt
--- a/configuration.nix
+++ b/configuration.nix
@ -115,6 +115,9 @@
    bottom
    htop
    doas-sudo-shim
    neofetch
    borgbackup
    smartmontools
--- a/flake.lock
+++ b/flake.lock
@ -43,11 +43,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731375802,
+        "lastModified": 1731548755,
-        "narHash": "sha256-CvWPEzrl2EA3xrtg9X6K8aqV7T5r0SaDz6PLpGA0yIY=",
+        "narHash": "sha256-kFg3S67OaYWI1SQ0tcmsPIC4PXtq7Av8AJcyf21ZxDE=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "b873a123366b9a62f9262414ada8d83b03f1f0bf",
+        "rev": "e6f7090175ae5183d84adb6192f115d8f859beaa",
        "type": "github"
      },
      "original": {
@ -74,11 +74,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731541698,
+        "lastModified": 1731682847,
-        "narHash": "sha256-o+BOgSM/jEvLACofjMvQAKdZrvKztmwOfiWiuDjOig0=",
+        "narHash": "sha256-6O0APLMLj/Zp2iDQVUVDiVTMWC1XC3TcVHuufzZ0dS0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "00205055ce9ed57333f28b4023d19a2d74b3745f",
+        "rev": "a8eb04832bed6c5cee8cd2d148a77644c5a4197f",
        "type": "github"
      },
      "original": {
@ -104,33 +104,12 @@
        "type": "github"
      }
    },
    "quadlet-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1729072507,
        "narHash": "sha256-srn/XjGNtaO34/CX6H85NVIQ1ksBDOSToMiLu+22Tek=",
        "owner": "SEIAROTg",
        "repo": "quadlet-nix",
        "rev": "5970e7be88ec6d063a79c7669a68918c4827caa0",
        "type": "github"
      },
      "original": {
        "owner": "SEIAROTg",
        "repo": "quadlet-nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nix-minecraft": "nix-minecraft",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-qbt": "nixpkgs-qbt",
        "quadlet-nix": "quadlet-nix",
        "vpn-confinement": "vpn-confinement"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@ -7,9 +7,6 @@
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
    quadlet-nix.inputs.nixpkgs.follows = "nixpkgs";
    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
    nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
@ -21,7 +18,6 @@
  outputs =
    {
      nixpkgs,
      quadlet-nix,
      nix-minecraft,
      nixos-hardware,
      vpn-confinement,
@ -33,7 +29,7 @@
      hostname = "muffin";
      eth_interface = "enp3s0";
-      service_configs = {
+      service_configs = rec {
        hdd_path = "/mnt/hdd";
        services_dir = "/tank/services";
@ -47,13 +43,14 @@
        };
        https = {
-          certs = service_configs.services_dir + "/http_certs";
+          certs = services_dir + "/http_certs";
-          data_dir = service_configs.services_dir + "/http";
+          data_dir = services_dir + "/http";
          domain = "gardling.com";
        };
        gitea = {
-          dir = service_configs.services_dir + "/gitea";
+          dir = services_dir + "/gitea";
-          domain = "git.gardling.com";
+          domain = "git.${https.domain}";
        };
        postgres = {
@ -61,29 +58,29 @@
        };
        immich = {
-          dir = service_configs.services_dir + "/immich";
+          dir = services_dir + "/immich";
        };
        minecraft = {
-          parent_dir = service_configs.services_dir + "/minecraft";
+          parent_dir = services_dir + "/minecraft";
          server_name = "main";
        };
        gluetun = {
-          dir = service_configs.services_dir + "/gluetun";
+          dir = services_dir + "/gluetun";
        };
        torrent = {
-          config_dir = service_configs.services_dir + "/qbittorrent/config";
+          SavePath = hdd_path + "/torrents";
-          download_dir = service_configs.hdd_path + "/torrents";
+          TempPath = hdd_path + "/torrents/incomplete";
        };
        jellyfin = {
-          dir = service_configs.services_dir + "/jellyfin";
+          dir = services_dir + "/jellyfin";
        };
        ollama = {
-          data_dir = service_configs.services_dir + "/ollama";
+          data_dir = services_dir + "/ollama";
        };
      };
    in
@ -98,27 +95,30 @@
            inputs
            ;
        };
-        modules = [
+        modules =
          [
            ./configuration.nix
          quadlet-nix.nixosModules.quadlet
          nixos-hardware.nixosModules.common-cpu-amd-pstate
          nixos-hardware.nixosModules.common-cpu-amd-zenpower
          nixos-hardware.nixosModules.common-pc-ssd
          nixos-hardware.nixosModules.common-gpu-intel
            vpn-confinement.nixosModules.default
            # import the `services.qbittorrent` module
            (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix")
            # get nix-minercaft working!
            nix-minecraft.nixosModules.minecraft-servers
            (
-            { pkgs, lib, ... }:
+              { ... }:
              {
              imports = [ nix-minecraft.nixosModules.minecraft-servers ];
                nixpkgs.overlays = [ nix-minecraft.overlay ];
              }
            )
-        ];
+          ]
          ++ (with nixos-hardware.nixosModules; [
            common-cpu-amd-pstate
            common-cpu-amd-zenpower
            common-pc-ssd
            common-gpu-intel
          ]);
      };
    };
 }
--- a/secrets/caddy_auth.nix
+++ b/secrets/caddy_auth.nix
--- a/secrets/mullvad.nix
+++ b/secrets/mullvad.nix
--- a/services/bitmagnet.nix
+++ b/services/bitmagnet.nix
@ -5,13 +5,11 @@
      {
        from = service_configs.ports.bitmagnet;
        to = service_configs.ports.bitmagnet;
      }
    ];
    openVPNPorts = [
      {
        # TODO! make an issue about this variable
        port = service_configs.ports.bitmagnet;
        protocol = "both";
      }
@ -26,6 +24,7 @@
        host = service_configs.postgres.socket;
      };
      http_server = {
        # TODO! make issue about this being a string and not a `port` type
        port = ":" + (builtins.toString service_configs.ports.bitmagnet);
      };
    };
--- a/services/caddy.nix
+++ b/services/caddy.nix
@ -7,35 +7,45 @@
 {
  services.caddy = {
    enable = true;
    email = "titaniumtown@proton.me";
    globalConfig = ''
      auto_https disable_redirects
    '';
    virtualHosts = {
-      ":${builtins.toString service_configs.ports.https}".extraConfig = ''
+      ${service_configs.https.domain} = {
-        tls ${service_configs.https.certs}/cert.crt ${service_configs.https.certs}/cert.key
+        extraConfig = ''
        handle_path /torrent* {
        	reverse_proxy 192.168.15.1:${builtins.toString service_configs.ports.torrent}
        }
          root * ${service_configs.https.data_dir}
          file_server browse
        '';
-      "immich.gardling.com".extraConfig = ''
+        serverAliases = [ "www.${service_configs.https.domain}" ];
-        reverse_proxy 127.0.0.1:${builtins.toString config.services.immich.port}
+      };
      "immich.${service_configs.https.domain}".extraConfig = ''
        reverse_proxy :${builtins.toString config.services.immich.port}
      '';
-      "jellyfin.gardling.com".extraConfig = ''
+      "jellyfin.${service_configs.https.domain}".extraConfig = ''
-        reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.jellyfin}
+        reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
        request_body {
        	max_size 4096MB
        }
      '';
      ${service_configs.gitea.domain}.extraConfig = ''
-        reverse_proxy 127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
+        reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
      '';
-      "recorder.gardling.com".extraConfig = ''
+      "bitmagnet.${service_configs.https.domain}".extraConfig = ''
-        reverse_proxy 192.168.15.1:${builtins.toString service_configs.ports.bitmagnet}
+        tls internal
        ${import ../secrets/caddy_auth.nix}
        reverse_proxy http://192.168.15.1:${builtins.toString service_configs.ports.bitmagnet}
      '';
      "torrent.${service_configs.https.domain}".extraConfig = ''
        tls internal
        ${import ../secrets/caddy_auth.nix}
        reverse_proxy http://192.168.15.1:${builtins.toString service_configs.ports.torrent}
      '';
    };
  };
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@ -2,7 +2,6 @@
  pkgs,
  config,
  service_configs,
  lib,
  ...
 }:
 {
@ -35,11 +34,14 @@
        hash = "sha256-PpumQCgIZp9wENL1XZvf7CdUAW9W0pQP5wqtG9oOUpM=";
      }}";
      Password_PBKDF2 = "@ByteArray(U6PmgkmajHD6Nu5rLbazHw==:ycEEnAMGTxwAhkFiQtdkc6mbGArmnZ2Tkujk6wt4CCytlX0mzGgjQVLKzRb8vSV/S1Yu6+PuAO5gC8IxGR97jA==)";
 AuthSubnetWhitelist="127.0.0.1";
 AuthSubnetWhitelistEnabled = true;
        };
    serverConfig.Preferences.Downloads = {
-      SavePath = service_configs.hdd_path + "/torrents";
+      SavePath = service_configs.torrent.SavePath;
-      TempPath = service_configs.hdd_path + "/torrents/incomplete";
+      TempPath = service_configs.torrent.TempPath;
    };
    serverConfig.BitTorrent.Session = {
--- a/services/quadlet.nix
+++ b/services/quadlet.nix
@ -1,61 +0,0 @@
 { service_configs, config, ... }:
 {
  virtualisation.quadlet = {
    containers = {
      gluetun.containerConfig = {
        image = "docker.io/qmcgaw/gluetun";
        name = "gluetun";
        # autoUpdate = "registry";
        addCapabilities = [
          "NET_ADMIN"
          "MKNOD"
        ];
        environments = import ../secrets/mullvad.nix;
        publishPorts = [
          "6081:6081"
          "6081:6081/udp"
          "${builtins.toString service_configs.ports.torrent}:6011"
        ];
        volumes = [ "${service_configs.gluetun.dir}:/gluetun:z" ];
        podmanArgs = [
          "--device=/dev/net/tun"
        ];
      };
      qbittorrent = {
        containerConfig = {
          image = "lscr.io/linuxserver/qbittorrent:latest";
          name = "qbittorrent";
          autoUpdate = "registry";
          environments = {
            WEBUI_PORT = service_configs.ports.torrent;
            DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
            # PUID = config.users.users.${config.services.jellyfin.user}.uid;
            PGID = config.users.groups.${config.services.jellyfin.group}.gid;
          };
          volumes = [
            "${service_configs.torrent.config_dir}:/config:z"
            "${service_configs.torrent.download_dir}:/downloads:z"
          ];
          networks = [ "container:gluetun" ];
        };
        serviceConfig = {
          requires = [ "gluetun.service" ];
          after = [ "gluetun.service" ];
        };
      };
    };
    networks = {
      internal.networkConfig.subnets = [ "10.0.123.1/24" ];
    };
  };
 }
--- a/services/wg.nix
+++ b/services/wg.nix
@ -1,12 +1,11 @@
 { pkgs, service_configs, ... }:
 {
  # network namespace that is proxied through mullvad
  vpnNamespaces.wg = {
    enable = true;
    wireguardConfigFile = ../secrets/wg0.conf;
    accessibleFrom = [
-      "192.168.0.0/24"
+      # "192.168.0.0/24"
    ];
  };
 }