caddy: redo stuff

.gitattributes

@@ -1,5 +1,5 @@
 secrets/murmur_password filter=git-crypt diff=git-crypt
 secrets/hashedPass filter=git-crypt diff=git-crypt
-secrets/mullvad.nix filter=git-crypt diff=git-crypt
 secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt
 secrets/wg0.conf filter=git-crypt diff=git-crypt
+secrets/caddy_auth.nix filter=git-crypt diff=git-crypt

configuration.nix

@@ -115,6 +115,9 @@
     bottom
     htop
 
+    doas-sudo-shim
+    neofetch
+
     borgbackup
     smartmontools
 

flake.lock

@@ -43,11 +43,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731375802,
+        "lastModified": 1731548755,
-        "narHash": "sha256-CvWPEzrl2EA3xrtg9X6K8aqV7T5r0SaDz6PLpGA0yIY=",
+        "narHash": "sha256-kFg3S67OaYWI1SQ0tcmsPIC4PXtq7Av8AJcyf21ZxDE=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "b873a123366b9a62f9262414ada8d83b03f1f0bf",
+        "rev": "e6f7090175ae5183d84adb6192f115d8f859beaa",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731541698,
+        "lastModified": 1731682847,
-        "narHash": "sha256-o+BOgSM/jEvLACofjMvQAKdZrvKztmwOfiWiuDjOig0=",
+        "narHash": "sha256-6O0APLMLj/Zp2iDQVUVDiVTMWC1XC3TcVHuufzZ0dS0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00205055ce9ed57333f28b4023d19a2d74b3745f",
+        "rev": "a8eb04832bed6c5cee8cd2d148a77644c5a4197f",
         "type": "github"
       },
       "original": {
@@ -104,33 +104,12 @@
         "type": "github"
       }
     },
-    "quadlet-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1729072507,
-        "narHash": "sha256-srn/XjGNtaO34/CX6H85NVIQ1ksBDOSToMiLu+22Tek=",
-        "owner": "SEIAROTg",
-        "repo": "quadlet-nix",
-        "rev": "5970e7be88ec6d063a79c7669a68918c4827caa0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "SEIAROTg",
-        "repo": "quadlet-nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "nix-minecraft": "nix-minecraft",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "nixpkgs-qbt": "nixpkgs-qbt",
-        "quadlet-nix": "quadlet-nix",
         "vpn-confinement": "vpn-confinement"
       }
     },

flake.nix

@@ -7,9 +7,6 @@
 
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 
-    quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
-    quadlet-nix.inputs.nixpkgs.follows = "nixpkgs";
-
     nix-minecraft.url = "github:Infinidoge/nix-minecraft";
     nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -21,7 +18,6 @@
   outputs =
     {
       nixpkgs,
-      quadlet-nix,
       nix-minecraft,
       nixos-hardware,
       vpn-confinement,
@@ -33,7 +29,7 @@
       hostname = "muffin";
       eth_interface = "enp3s0";
 
-      service_configs = {
+      service_configs = rec {
         hdd_path = "/mnt/hdd";
         services_dir = "/tank/services";
 
@@ -47,13 +43,14 @@
         };
 
         https = {
-          certs = service_configs.services_dir + "/http_certs";
+          certs = services_dir + "/http_certs";
-          data_dir = service_configs.services_dir + "/http";
+          data_dir = services_dir + "/http";
+          domain = "gardling.com";
         };
 
         gitea = {
-          dir = service_configs.services_dir + "/gitea";
+          dir = services_dir + "/gitea";
-          domain = "git.gardling.com";
+          domain = "git.${https.domain}";
         };
 
         postgres = {
@@ -61,29 +58,29 @@
         };
 
         immich = {
-          dir = service_configs.services_dir + "/immich";
+          dir = services_dir + "/immich";
         };
 
         minecraft = {
-          parent_dir = service_configs.services_dir + "/minecraft";
+          parent_dir = services_dir + "/minecraft";
           server_name = "main";
         };
 
         gluetun = {
-          dir = service_configs.services_dir + "/gluetun";
+          dir = services_dir + "/gluetun";
         };
 
         torrent = {
-          config_dir = service_configs.services_dir + "/qbittorrent/config";
+          SavePath = hdd_path + "/torrents";
-          download_dir = service_configs.hdd_path + "/torrents";
+          TempPath = hdd_path + "/torrents/incomplete";
         };
 
         jellyfin = {
-          dir = service_configs.services_dir + "/jellyfin";
+          dir = services_dir + "/jellyfin";
         };
 
         ollama = {
-          data_dir = service_configs.services_dir + "/ollama";
+          data_dir = services_dir + "/ollama";
         };
       };
     in
@@ -98,27 +95,30 @@
             inputs
             ;
         };
-        modules = [
+        modules =
-          ./configuration.nix
+          [
-          quadlet-nix.nixosModules.quadlet
+            ./configuration.nix
-          nixos-hardware.nixosModules.common-cpu-amd-pstate
-          nixos-hardware.nixosModules.common-cpu-amd-zenpower
-          nixos-hardware.nixosModules.common-pc-ssd
-          nixos-hardware.nixosModules.common-gpu-intel
 
-          vpn-confinement.nixosModules.default
+            vpn-confinement.nixosModules.default
 
-          # import the `services.qbittorrent` module
+            # import the `services.qbittorrent` module
-          (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix")
+            (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix")
 
-          (
+            # get nix-minercaft working!
-            { pkgs, lib, ... }:
+            nix-minecraft.nixosModules.minecraft-servers
-            {
+            (
-              imports = [ nix-minecraft.nixosModules.minecraft-servers ];
+              { ... }:
-              nixpkgs.overlays = [ nix-minecraft.overlay ];
+              {
-            }
+                nixpkgs.overlays = [ nix-minecraft.overlay ];
-          )
+              }
-        ];
+            )
+          ]
+          ++ (with nixos-hardware.nixosModules; [
+            common-cpu-amd-pstate
+            common-cpu-amd-zenpower
+            common-pc-ssd
+            common-gpu-intel
+          ]);
       };
     };
 }

services/bitmagnet.nix

@@ -5,13 +5,11 @@
       {
         from = service_configs.ports.bitmagnet;
         to = service_configs.ports.bitmagnet;
-
       }
     ];
 
     openVPNPorts = [
       {
-        # TODO! make an issue about this variable
         port = service_configs.ports.bitmagnet;
         protocol = "both";
       }
@@ -26,6 +24,7 @@
         host = service_configs.postgres.socket;
       };
       http_server = {
+        # TODO! make issue about this being a string and not a `port` type
         port = ":" + (builtins.toString service_configs.ports.bitmagnet);
       };
     };

services/caddy.nix

@@ -7,35 +7,45 @@
 {
   services.caddy = {
     enable = true;
+    email = "titaniumtown@proton.me";
+    globalConfig = ''
+      auto_https disable_redirects
+    '';
     virtualHosts = {
-      ":${builtins.toString service_configs.ports.https}".extraConfig = ''
+      ${service_configs.https.domain} = {
-        tls ${service_configs.https.certs}/cert.crt ${service_configs.https.certs}/cert.key
+        extraConfig = ''
+          root * ${service_configs.https.data_dir}
+          file_server browse
+        '';
 
-        handle_path /torrent* {
+        serverAliases = [ "www.${service_configs.https.domain}" ];
-        	reverse_proxy 192.168.15.1:${builtins.toString service_configs.ports.torrent}
+      };
-        }
 
-        root * ${service_configs.https.data_dir}
+      "immich.${service_configs.https.domain}".extraConfig = ''
-        file_server browse
+        reverse_proxy :${builtins.toString config.services.immich.port}
       '';
 
-      "immich.gardling.com".extraConfig = ''
+      "jellyfin.${service_configs.https.domain}".extraConfig = ''
-        reverse_proxy 127.0.0.1:${builtins.toString config.services.immich.port}
+        reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
-      '';
-
-      "jellyfin.gardling.com".extraConfig = ''
-        reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.jellyfin}
         request_body {
         	max_size 4096MB
         }
       '';
 
       ${service_configs.gitea.domain}.extraConfig = ''
-        reverse_proxy 127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
+        reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
       '';
 
-      "recorder.gardling.com".extraConfig = ''
+      "bitmagnet.${service_configs.https.domain}".extraConfig = ''
-        reverse_proxy 192.168.15.1:${builtins.toString service_configs.ports.bitmagnet}
+        tls internal
+        ${import ../secrets/caddy_auth.nix}
+        reverse_proxy http://192.168.15.1:${builtins.toString service_configs.ports.bitmagnet}
+      '';
+
+      "torrent.${service_configs.https.domain}".extraConfig = ''
+        tls internal
+        ${import ../secrets/caddy_auth.nix}
+        reverse_proxy http://192.168.15.1:${builtins.toString service_configs.ports.torrent}
       '';
     };
   };

services/qbittorrent.nix

@@ -2,7 +2,6 @@
   pkgs,
   config,
   service_configs,
-  lib,
   ...
 }:
 {
@@ -35,11 +34,14 @@
         hash = "sha256-PpumQCgIZp9wENL1XZvf7CdUAW9W0pQP5wqtG9oOUpM=";
       }}";
       Password_PBKDF2 = "@ByteArray(U6PmgkmajHD6Nu5rLbazHw==:ycEEnAMGTxwAhkFiQtdkc6mbGArmnZ2Tkujk6wt4CCytlX0mzGgjQVLKzRb8vSV/S1Yu6+PuAO5gC8IxGR97jA==)";
-    };
+
+AuthSubnetWhitelist="127.0.0.1";
+AuthSubnetWhitelistEnabled = true;
+        };
 
     serverConfig.Preferences.Downloads = {
-      SavePath = service_configs.hdd_path + "/torrents";
+      SavePath = service_configs.torrent.SavePath;
-      TempPath = service_configs.hdd_path + "/torrents/incomplete";
+      TempPath = service_configs.torrent.TempPath;
     };
 
     serverConfig.BitTorrent.Session = {

services/quadlet.nix

@@ -1,61 +0,0 @@
-{ service_configs, config, ... }:
-{
-  virtualisation.quadlet = {
-    containers = {
-      gluetun.containerConfig = {
-        image = "docker.io/qmcgaw/gluetun";
-        name = "gluetun";
-        # autoUpdate = "registry";
-
-        addCapabilities = [
-          "NET_ADMIN"
-          "MKNOD"
-        ];
-
-        environments = import ../secrets/mullvad.nix;
-
-        publishPorts = [
-          "6081:6081"
-          "6081:6081/udp"
-          "${builtins.toString service_configs.ports.torrent}:6011"
-        ];
-
-        volumes = [ "${service_configs.gluetun.dir}:/gluetun:z" ];
-        podmanArgs = [
-          "--device=/dev/net/tun"
-        ];
-      };
-
-      qbittorrent = {
-        containerConfig = {
-          image = "lscr.io/linuxserver/qbittorrent:latest";
-          name = "qbittorrent";
-          autoUpdate = "registry";
-
-          environments = {
-            WEBUI_PORT = service_configs.ports.torrent;
-            DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
-            # PUID = config.users.users.${config.services.jellyfin.user}.uid;
-            PGID = config.users.groups.${config.services.jellyfin.group}.gid;
-          };
-
-          volumes = [
-            "${service_configs.torrent.config_dir}:/config:z"
-            "${service_configs.torrent.download_dir}:/downloads:z"
-          ];
-
-          networks = [ "container:gluetun" ];
-        };
-
-        serviceConfig = {
-          requires = [ "gluetun.service" ];
-          after = [ "gluetun.service" ];
-        };
-      };
-    };
-
-    networks = {
-      internal.networkConfig.subnets = [ "10.0.123.1/24" ];
-    };
-  };
-}

services/wg.nix

@@ -1,12 +1,11 @@
 { pkgs, service_configs, ... }:
 {
-
   # network namespace that is proxied through mullvad
   vpnNamespaces.wg = {
     enable = true;
     wireguardConfigFile = ../secrets/wg0.conf;
     accessibleFrom = [
-      "192.168.0.0/24"
+      # "192.168.0.0/24"
     ];
   };
 }