
11 commits

37 changed files with 334 additions and 400 deletions


@ -14,6 +14,7 @@ _: {
{ directory = ".config/discord"; method = "symlink"; } { directory = ".config/discord"; method = "symlink"; }
{ directory = ".config/doctl"; method = "symlink"; } { directory = ".config/doctl"; method = "symlink"; }
{ directory = ".config/gh"; method = "symlink"; } { directory = ".config/gh"; method = "symlink"; }
{ directory = ".config/hcloud"; method = "symlink"; }
{ directory = ".config/lazygit"; method = "symlink"; } { directory = ".config/lazygit"; method = "symlink"; }
{ directory = ".config/nixos"; method = "symlink"; } { directory = ".config/nixos"; method = "symlink"; }
{ directory = ".config/nvim"; method = "symlink"; } { directory = ".config/nvim"; method = "symlink"; }


@ -1,7 +1,6 @@
_: _:
let let
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge; inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
domainName = "watch.acomputer.lol";
in in
{ {
services = { services = {
@ -21,30 +20,8 @@ in
reverse_proxy 127.0.0.1:8096 reverse_proxy 127.0.0.1:8096
''; '';
}; };
"${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy 127.0.0.1:8096
'';
};
}; };
}; };
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ domainName ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ domainName ];
localPort = 443;
transport.useCompression = true;
}
];
jellyfin = { jellyfin = {
enable = true; enable = true;
user = "mediaserver"; user = "mediaserver";


@ -4,6 +4,5 @@ _: {
./btrfs.nix ./btrfs.nix
./ssh.nix ./ssh.nix
../../shared/caddy.nix ../../shared/caddy.nix
../../shared/frp.nix
]; ];
} }


@ -31,12 +31,6 @@ _: {
options = [ "subvol=/" "compress-force=zstd" "noatime" ]; options = [ "subvol=/" "compress-force=zstd" "noatime" ];
}; };
"/mnt/data" = {
device = "/dev/disk/by-partlabel/DATA0";
fsType = "btrfs";
options = [ "subvol=/" "compress-force=zstd" "noatime" "nofail" "x-systemd.automount" "x-systemd.device-timeout=5" ];
};
"/boot" = { "/boot" = {
device = "/dev/disk/by-partlabel/RICO0_BOOT"; device = "/dev/disk/by-partlabel/RICO0_BOOT";
fsType = "vfat"; fsType = "vfat";


@ -17,26 +17,9 @@ in
handle /.well-known/matrix/client { handle /.well-known/matrix/client {
header Content-Type application/json header Content-Type application/json
header Access-Control-Allow-Origin * header Access-Control-Allow-Origin *
#respond `{"m.homeserver": {"base_url": "https://matrix.${domainName}:443"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.${domainName}"}}`
respond `{"m.homeserver": {"base_url": "https://matrix.${domainName}:443"}}` respond `{"m.homeserver": {"base_url": "https://matrix.${domainName}:443"}}`
} }
''; '';
}; };
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ "${domainName}" ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ "${domainName}" ];
localPort = 443;
transport.useCompression = true;
}
];
}; };
} }


@ -17,21 +17,5 @@ in
} }
''; '';
}; };
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ "${domainName}" "www.${domainName}" ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ "${domainName}" "www.${domainName}" ];
localPort = 443;
transport.useCompression = true;
}
];
}; };
} }


@ -1,8 +1,14 @@
_: { _: {
imports = [ imports = [
./acomputer.lol.nix
./adtya.xyz.nix ./adtya.xyz.nix
./dendrite.nix
./forgejo.nix
./jellyfin.nix
./ntfy.nix
./proofs.nix ./proofs.nix
./wiki.nix ./wiki.nix
./dendrite.nix
../../../shared/prometheus-exporters.nix ../../../shared/prometheus-exporters.nix
../../../shared/promtail.nix ../../../shared/promtail.nix
]; ];


@ -0,0 +1,15 @@
_:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "matrix.acomputer.lol";
in
{
services = {
caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy 10.10.10.13:8008
'';
};
};
}
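Review bot: The new `matrix.acomputer.lol` virtual host forwards every path with `reverse_proxy 10.10.10.13:8008`, whereas the host block removed from the dendrite module in this comparison only proxied `/client/*`, `/_matrix/*`, `/_dendrite/*` and `/_synapse/*`. Anything else Dendrite serves on that listener is now reachable from the public name, for example a metrics or profiling endpoint if `config.yaml` (not shown here) enables one. Consider restoring the path matchers, e.g. `reverse_proxy /_matrix/* 10.10.10.13:8008`, so the proxy stays an allowlist rather than a pass-through.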


@ -0,0 +1,15 @@
_:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "forge.acomputer.lol";
in
{
services = {
caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy 10.10.10.13:3000
'';
};
};
}


@ -0,0 +1,17 @@
_:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "watch.acomputer.lol";
in
{
services = {
caddy.virtualHosts = {
"${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy 10.10.10.14:8096
'';
};
};
};
}


@ -0,0 +1,18 @@
_:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "ntfy.acomputer.lol";
in
{
services = {
caddy.virtualHosts = {
"${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy 10.10.10.13:8080
'';
};
};
};
}


@ -13,22 +13,5 @@ in
''; '';
}; };
}; };
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ "${domainName}" ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ "${domainName}" ];
localPort = 443;
transport.useCompression = true;
}
];
}; };
} }


@ -16,21 +16,5 @@ in
} }
''; '';
}; };
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ "${domainName}" ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ "${domainName}" ];
localPort = 443;
transport.useCompression = true;
}
];
}; };
} }


@ -1,53 +1,10 @@
_: _:
let
inherit (import ../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
in
{ {
imports = [ imports = [
./apps ./apps
./btrfs.nix ./btrfs.nix
./ssh.nix ./ssh.nix
../../shared/caddy.nix ../../shared/caddy.nix
../../shared/frp.nix
]; ];
services.caddy = {
virtualHosts = {
"gateway.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.0.1:80
'';
};
"ap1.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.1.1:80
'';
};
"ap2.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.1.2:80
'';
};
"switch.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.1.3:80
'';
};
"frp.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 10.10.10.1:7500
'';
};
};
};
} }


@ -31,6 +31,12 @@ _: {
options = [ "subvol=/" "compress-force=zstd" "noatime" ]; options = [ "subvol=/" "compress-force=zstd" "noatime" ];
}; };
"/mnt/data" = {
device = "/dev/disk/by-partlabel/DATA0";
fsType = "btrfs";
options = [ "subvol=/" "compress-force=zstd" "noatime" "nofail" "x-systemd.automount" "x-systemd.device-timeout=5" ];
};
"/boot" = { "/boot" = {
device = "/dev/disk/by-partlabel/RICO1_BOOT"; device = "/dev/disk/by-partlabel/RICO1_BOOT";
fsType = "vfat"; fsType = "vfat";


@ -1,20 +1,12 @@
{ pkgs, ... }: _:
let let
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge; inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
domainName = "blocky.labs.adtya.xyz"; domainName = "blocky.rico1.labs.adtya.xyz";
in in
{ {
networking = { imports = [
firewall = { ../../../shared/blocky.nix
allowedTCPPorts = [ ];
53 #DNS
];
allowedUDPPorts = [
53 #DNS
];
};
};
systemd.services.blocky.unitConfig.After = [ "network-online.target" "wireguard-wg0.service" ];
services = { services = {
caddy = { caddy = {
virtualHosts."${domainName}" = { virtualHosts."${domainName}" = {
@ -25,118 +17,10 @@ in
''; '';
}; };
}; };
blocky = { blocky.settings.ports = {
enable = true; dns = "192.168.1.11:53,10.10.10.11:53";
settings = { tls = "192.168.1.11:853,10.10.10.11:853";
bootstrapDns = [ "tcp+udp:1.1.1.1" ]; http = "127.0.0.1:8080";
upstreams = {
init.strategy = "blocking";
groups = {
default = [
# Cloudflare
"tcp+udp:1.1.1.1"
# Google
"tcp+udp:8.8.8.8"
"tcp+udp:8.8.4.4"
# Quad9
"tcp+udp:9.9.9.9"
"tcp+udp:149.112.112.112"
"tcp-tls:dns.quad9.net:853"
"https://dns.quad9.net/dns-query"
];
};
strategy = "parallel_best";
timeout = "2s";
userAgent = "Praise the DNS overlords!";
};
connectIPVersion = "v4";
customDNS = {
customTTL = "1h";
filterUnmappedTypes = true;
mapping = {
# Local (Home Network)
"gateway.local.adtya.xyz" = "192.168.0.1";
"ap1.local.adtya.xyz" = "192.168.1.1";
"ap2.local.adtya.xyz" = "192.168.1.2";
"switch.local.adtya.xyz" = "192.168.1.3";
"jellyfin.local.adtya.xyz" = "192.168.1.14";
# Labs (Homelab)
"gateway.labs.adtya.xyz" = "10.10.10.10";
"ap1.labs.adtya.xyz" = "10.10.10.10";
"ap2.labs.adtya.xyz" = "10.10.10.10";
"switch.labs.adtya.xyz" = "10.10.10.10";
"proxy.labs.adtya.xyz" = "10.10.10.1";
"skipper.labs.adtya.xyz" = "10.10.10.2";
"rico0.labs.adtya.xyz" = "10.10.10.10";
"rico1.labs.adtya.xyz" = "10.10.10.11";
"rico2.labs.adtya.xyz" = "10.10.10.12";
"wynne.labs.adtya.xyz" = "10.10.10.13";
"layne.labs.adtya.xyz" = "10.10.10.14";
"alertmanager.labs.adtya.xyz" = "10.10.10.11";
"blocky.labs.adtya.xyz" = "10.10.10.11";
"frp.labs.adtya.xyz" = "10.10.10.10";
"grafana.labs.adtya.xyz" = "10.10.10.11";
"loki.labs.adtya.xyz" = "10.10.10.11";
"prometheus.labs.adtya.xyz" = "10.10.10.11";
"transmission.labs.adtya.xyz" = "10.10.10.14";
"jellyfin.labs.adtya.xyz" = "10.10.10.14";
"radarr.labs.adtya.xyz" = "10.10.10.14";
"sonarr.labs.adtya.xyz" = "10.10.10.14";
"readarr.labs.adtya.xyz" = "10.10.10.14";
"jackett.labs.adtya.xyz" = "10.10.10.14";
};
};
conditional = {
fallbackUpstream = false;
mapping = {
"local.adtya.xyz" = "192.168.1.1";
"1.168.192.in-addr.arpa" = "192.168.1.1";
};
};
blocking = {
denylists = {
ads = [
"https://raw.githubusercontent.com/blocklistproject/Lists/master/ads.txt"
];
pihole = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
];
};
allowlists = {
pihole = [
(pkgs.writeText "allowlist.txt" ''
s.youtube.com
'')
];
};
clientGroupsBlock = {
default = [ "ads" "pihole" ];
};
};
clientLookup = {
upstream = "192.168.1.1";
singleNameOrder = [ 2 1 ];
};
prometheus = {
enable = true;
path = "/metrics";
};
ports = {
dns = "192.168.1.11:53,10.10.10.11:53";
tls = "192.168.1.11:853,10.10.10.11:853";
http = "127.0.0.1:8080";
};
log = {
level = "warn";
format = "json";
timestamp = true;
privacy = true;
};
};
}; };
}; };
} }


@ -1,11 +1,46 @@
_: { _:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
in
{
imports = [ imports = [
./alertmanager.nix
./blocky.nix ./blocky.nix
./grafana.nix
./prometheus.nix ./prometheus.nix
./redis.nix
./loki ./loki
../../../shared/prometheus-exporters.nix ../../../shared/prometheus-exporters.nix
../../../shared/promtail.nix ../../../shared/promtail.nix
]; ];
services.caddy = {
virtualHosts = {
"gateway.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.0.1:80
'';
};
"ap1.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.1.1:80
'';
};
"ap2.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.1.2:80
'';
};
"switch.labs.adtya.xyz" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 192.168.1.3:80
'';
};
};
};
} }


@ -95,18 +95,20 @@ in
{ targets = [ "layne.labs.adtya.xyz" ]; } { targets = [ "layne.labs.adtya.xyz" ]; }
]; ];
} }
{
job_name = "frp";
scheme = "https";
static_configs = [
{ targets = [ "frp.labs.adtya.xyz" ]; }
];
}
{ {
job_name = "blocky"; job_name = "blocky";
scheme = "https"; scheme = "https";
static_configs = [ static_configs = [
{ targets = [ "blocky.labs.adtya.xyz" ]; } { targets = [ "blocky.rico1.labs.adtya.xyz" ]; }
{ targets = [ "blocky.rico2.labs.adtya.xyz" ]; }
];
}
{
job_name = "redis";
scheme = "https";
metrics_path = "/redis-metrics";
static_configs = [
{ targets = [ "rico1.labs.adtya.xyz" ]; }
]; ];
} }
]; ];


@ -0,0 +1,21 @@
_: {
services = {
prometheus.exporters.redis = {
enable = true;
listenAddress = "127.0.0.1";
port = 9121;
};
redis.servers = {
blocky = {
enable = true;
bind = "10.10.10.11";
port = 6379;
};
caddy = {
enable = true;
bind = "10.10.10.11";
port = 6380;
};
};
};
}
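Review bot: Both Redis instances bind to `10.10.10.11` with no `requirePassFile`, so any host that can reach that address on 6379/6380 can read and write them; the `blocky` instance is the cache shared by both resolvers (`redis.address = "10.10.10.11:6379"` in hosts/shared/blocky.nix, which sets no credential either). A writable shared DNS cache lets one compromised peer alter answers for every client of the two resolvers. Suggest `requirePassFile = config.sops.secrets."<redis-secret-name>".path;` (placeholder name; the module header would need `{ config, ... }:`) on each server, the matching credential on the blocky side, and a firewall rule limited to the peers that need the ports. Separately, the exporter is given no Redis address here; if it falls back to a localhost default it will not reach an instance bound only to `10.10.10.11`, so the new `redis` scrape job would report the target as down.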


@ -4,6 +4,5 @@ _: {
./btrfs.nix ./btrfs.nix
./ssh.nix ./ssh.nix
../../shared/caddy.nix ../../shared/caddy.nix
../../shared/frp.nix
]; ];
} }


@ -0,0 +1,26 @@
_:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
domainName = "blocky.rico2.labs.adtya.xyz";
in
{
imports = [
../../../shared/blocky.nix
];
services = {
caddy = {
virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = ''
${tlsAcmeDnsChallenge}
reverse_proxy 127.0.0.1:8080
'';
};
};
blocky.settings.ports = {
dns = "192.168.1.12:53,10.10.10.12:53";
tls = "192.168.1.12:853,10.10.10.12:853";
http = "127.0.0.1:8080";
};
};
}


@ -1,5 +1,8 @@
_: { _: {
imports = [ imports = [
./alertmanager.nix
./blocky.nix
./grafana.nix
../../../shared/prometheus-exporters.nix ../../../shared/prometheus-exporters.nix
../../../shared/promtail.nix ../../../shared/promtail.nix
]; ];


@ -4,7 +4,6 @@ _: {
./btrfs.nix ./btrfs.nix
./ssh.nix ./ssh.nix
../../shared/caddy.nix ../../shared/caddy.nix
../../shared/frp.nix
]; ];
} }

130
hosts/shared/blocky.nix Normal file

@ -0,0 +1,130 @@
{ pkgs, ... }: {
networking = {
firewall = {
allowedTCPPorts = [
53 #DNS
];
allowedUDPPorts = [
53 #DNS
];
};
};
systemd.services.blocky.unitConfig.After = [ "network-online.target" "wireguard-wg0.service" ];
services = {
blocky = {
enable = true;
settings = {
bootstrapDns = [ "tcp+udp:1.1.1.1" ];
upstreams = {
init.strategy = "blocking";
groups = {
default = [
# Cloudflare
"tcp+udp:1.1.1.1"
# Google
"tcp+udp:8.8.8.8"
"tcp+udp:8.8.4.4"
# Quad9
"tcp+udp:9.9.9.9"
"tcp+udp:149.112.112.112"
"tcp-tls:dns.quad9.net:853"
"https://dns.quad9.net/dns-query"
];
};
strategy = "parallel_best";
timeout = "2s";
userAgent = "Praise the DNS overlords!";
};
connectIPVersion = "v4";
customDNS = {
customTTL = "1h";
filterUnmappedTypes = true;
mapping = {
# Local (Home Network)
"gateway.local.adtya.xyz" = "192.168.0.1";
"ap1.local.adtya.xyz" = "192.168.1.1";
"ap2.local.adtya.xyz" = "192.168.1.2";
"switch.local.adtya.xyz" = "192.168.1.3";
"jellyfin.local.adtya.xyz" = "192.168.1.14";
# Labs (Homelab)
"gateway.labs.adtya.xyz" = "10.10.10.11";
"ap1.labs.adtya.xyz" = "10.10.10.11";
"ap2.labs.adtya.xyz" = "10.10.10.11";
"switch.labs.adtya.xyz" = "10.10.10.11";
# Hosts
"proxy.labs.adtya.xyz" = "10.10.10.1";
"skipper.labs.adtya.xyz" = "10.10.10.2";
"rico0.labs.adtya.xyz" = "10.10.10.10";
"rico1.labs.adtya.xyz" = "10.10.10.11";
"rico2.labs.adtya.xyz" = "10.10.10.12";
"wynne.labs.adtya.xyz" = "10.10.10.13";
"layne.labs.adtya.xyz" = "10.10.10.14";
# Services
"alertmanager.labs.adtya.xyz" = "10.10.10.12";
"blocky.rico1.labs.adtya.xyz" = "10.10.10.11";
"blocky.rico2.labs.adtya.xyz" = "10.10.10.12";
"grafana.labs.adtya.xyz" = "10.10.10.12";
"jackett.labs.adtya.xyz" = "10.10.10.14";
"jellyfin.labs.adtya.xyz" = "10.10.10.14";
"loki.labs.adtya.xyz" = "10.10.10.11";
"prometheus.labs.adtya.xyz" = "10.10.10.11";
"radarr.labs.adtya.xyz" = "10.10.10.14";
"readarr.labs.adtya.xyz" = "10.10.10.14";
"sonarr.labs.adtya.xyz" = "10.10.10.14";
"transmission.labs.adtya.xyz" = "10.10.10.14";
};
};
conditional = {
fallbackUpstream = false;
mapping = {
"local.adtya.xyz" = "192.168.1.1";
"1.168.192.in-addr.arpa" = "192.168.1.1";
};
};
blocking = {
denylists = {
ads = [
"https://raw.githubusercontent.com/blocklistproject/Lists/master/ads.txt"
];
pihole = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
];
};
allowlists = {
pihole = [
(pkgs.writeText "allowlist.txt" ''
s.youtube.com
'')
];
};
clientGroupsBlock = {
default = [ "ads" "pihole" ];
};
};
clientLookup = {
upstream = "192.168.1.1";
singleNameOrder = [ 2 1 ];
};
prometheus = {
enable = true;
path = "/metrics";
};
redis = {
address = "10.10.10.11:6379";
};
log = {
level = "warn";
format = "json";
timestamp = true;
privacy = true;
};
};
};
};
}
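Review bot: `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` open port 53 on every interface, while the per-host `ports.dns` values bind blocky only to the LAN and WireGuard addresses, so the firewall rule is wider than the listener and would expose anything else that later binds 53. Scoping it per interface, e.g. `networking.firewall.interfaces."wg0".allowedTCPPorts = [ 53 ];` (interface name inferred from `wireguard-wg0.service`; repeat for the LAN interface and for UDP), keeps the two in step. The hosts also set `ports.tls` to `…:853`, but no rule for 853 appears in this module, so DNS-over-TLS clients will be blocked unless those interfaces are trusted elsewhere.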


@ -2,7 +2,7 @@
logFormat = '' logFormat = ''
output stderr output stderr
format json format json
level INFO level ERROR
''; '';
tlsAcmeDnsChallenge = '' tlsAcmeDnsChallenge = ''
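Review bot: `logFormat` is inherited by every virtual host in this comparison, and Caddy writes access-log entries at INFO (ERROR only for 5xx responses), so if `level ERROR` is the new value, as the column order suggests, successful and 4xx requests to the public hosts are no longer recorded. That removes the request trail needed to investigate abuse or authentication failures on the forge, matrix and ntfy names, and it empties what promtail can ship for them. If the aim is lower volume, consider keeping `level INFO` for the internet-facing hosts and adding a separate quieter format for internal ones, with a comment such as `# access logs are INFO; ERROR keeps only 5xx`. The `tlsAcmeDnsChallenge` definition continues outside this hunk.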


@ -1,25 +0,0 @@
{ config, lib, ... }: {
sops.secrets = {
"frp/token_file" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
systemd.services.frp.serviceConfig.EnvironmentFile = config.sops.secrets."frp/token_file".path;
systemd.services.frp.serviceConfig.Restart = lib.mkForce "always";
services.frp = {
enable = true;
role = "client";
settings = {
serverAddr = "10.10.10.1";
serverPort = 7002;
transport.protocol = "quic";
auth.method = "token";
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
};
};
}


@ -2,6 +2,7 @@
networking = { networking = {
nameservers = [ nameservers = [
"10.10.10.11" "10.10.10.11"
"10.10.10.12"
]; ];
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
}; };


@ -31,6 +31,12 @@ in
reverse_proxy ${config.services.prometheus.exporters.postgres.listenAddress}:${toString config.services.prometheus.exporters.postgres.port} reverse_proxy ${config.services.prometheus.exporters.postgres.listenAddress}:${toString config.services.prometheus.exporters.postgres.port}
} }
''} ''}
${lib.optionalString config.services.prometheus.exporters.redis.enable ''
handle /redis-metrics {
uri replace /redis-metrics /metrics
reverse_proxy ${config.services.prometheus.exporters.redis.listenAddress}:${toString config.services.prometheus.exporters.redis.port}
}
''}
''; '';
}; };
}; };


@ -16,7 +16,7 @@ in
{ {
nodeconfig.wireguard = { nodeconfig.wireguard = {
inherit interface-name; inherit interface-name;
dns = [ "10.10.10.11" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
endpoint = "165.232.180.97:51821"; endpoint = "165.232.180.97:51821";
endpoint-publickey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4="; endpoint-publickey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
allowed-ips = if hostName == "skipper" then [ "10.10.10.0/24" ] else [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ]; allowed-ips = if hostName == "skipper" then [ "10.10.10.0/24" ] else [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ];


@ -1,7 +1,6 @@
_: { _: {
imports = [ imports = [
./dendrite ./dendrite
./acomputer.lol.nix
./forgejo.nix ./forgejo.nix
./ntfy.nix ./ntfy.nix
./postgresql.nix ./postgresql.nix


@ -1,8 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
inherit (import ../../../../shared/caddy-helpers.nix) logFormat;
domainName = "matrix.acomputer.lol";
in
{ {
sops = { sops = {
secrets = { secrets = {
@ -13,43 +9,6 @@ in
}; };
}; };
}; };
services = {
caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy /client/* 127.0.0.1:8009
# reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync 127.0.0.1:8009
reverse_proxy /_matrix/* 127.0.0.1:8008
reverse_proxy /_dendrite/* 127.0.0.1:8008
reverse_proxy /_synapse/* 127.0.0.1:8008
'';
};
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ "${domainName}" ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ "${domainName}" ];
localPort = 443;
transport.useCompression = true;
}
];
#matrix-sliding-sync = {
#enable = true;
#settings = {
# SYNCV3_SERVER = "https://${domainName}";
# SYNCV3_BINDADDR = "127.0.0.1:8009";
# SYNCV3_DB = "postgresql://dendrite@localhost/dendrite?sslmode=disable";
#};
#environmentFile = config.sops.secrets."matrix/syncv3_secret".path;
#};
};
systemd.services.dendrite = systemd.services.dendrite =
let let
dendrite_package = pkgs.dendrite; dendrite_package = pkgs.dendrite;
@ -69,7 +28,7 @@ in
RuntimeDirectoryMode = "0700"; RuntimeDirectoryMode = "0700";
LimitNOFILE = 65535; LimitNOFILE = 65535;
ExecStart = '' ExecStart = ''
${dendrite_package}/bin/dendrite -http-bind-address 127.0.0.1:8008 -config ${./config.yaml} ${dendrite_package}/bin/dendrite -http-bind-address 10.10.10.13:8008 -config ${./config.yaml}
''; '';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure"; Restart = "on-failure";
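Review bot: Dendrite now listens on `10.10.10.13:8008` instead of loopback, and the same move is made for Forgejo (`HTTP_ADDR`, `SSH_LISTEN_HOST`) and ntfy (`listen-http`), so each backend speaks plain HTTP to anything that can route to that address, not only to the proxy host. No firewall change for 8008, 3000 or 8080 is visible in this comparison: either the interface is already trusted, in which case every peer can bypass Caddy and its logging, or the ports are closed and the new proxy will fail. An explicit rule limited to the proxy's address would make the intent checkable, with a comment such as `# reachable only from the Caddy front end over WireGuard`. The unit definition continues outside this hunk.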


@ -1,33 +1,10 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "forge.acomputer.lol";
cfg = config.services.forgejo; cfg = config.services.forgejo;
domainName = "forge.acomputer.lol";
in in
{ {
services = { services = {
caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy ${cfg.settings.server.HTTP_ADDR}:${toString cfg.settings.server.HTTP_PORT}
'';
};
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ "${domainName}" ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ "${domainName}" ];
localPort = 443;
transport.useCompression = true;
}
];
forgejo = { forgejo = {
enable = true; enable = true;
stateDir = "/mnt/data/Forgejo"; stateDir = "/mnt/data/Forgejo";
@ -41,8 +18,12 @@ in
server = { server = {
ROOT_URL = "https://${domainName}"; ROOT_URL = "https://${domainName}";
PROTOCOL = "http"; PROTOCOL = "http";
DISABLE_SSH = false;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "forge";
SSH_PORT = 42069; SSH_PORT = 42069;
HTTP_ADDR = "127.0.0.1"; SSH_LISTEN_HOST = "10.10.10.13";
HTTP_ADDR = "10.10.10.13";
HTTP_PORT = 3000; HTTP_PORT = 3000;
DOMAIN = domainName; DOMAIN = domainName;
}; };
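Review bot: With `HTTP_ADDR = "10.10.10.13"` requests now arrive from the remote Caddy host rather than from 127.0.0.1, and Forgejo's default trusted-proxy list covers loopback only, so forwarded client addresses may be ignored and every request attributed to the proxy in logs and rate limits. If the `security` section is not set elsewhere in this file, consider `security.REVERSE_PROXY_TRUSTED_PROXIES = "<proxy-wg-address>";` (placeholder value). The added `START_SSH_SERVER` and `SSH_LISTEN_HOST` lines also carry no comment on how port 42069 is meant to be reached from outside; a one-line note would help the next reader. The `settings` block continues past this hunk.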


@ -6,12 +6,6 @@ in
{ {
services = { services = {
caddy.virtualHosts = { caddy.virtualHosts = {
"${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
'';
};
"${config.networking.hostName}.labs.adtya.xyz" = { "${config.networking.hostName}.labs.adtya.xyz" = {
inherit logFormat; inherit logFormat;
extraConfig = '' extraConfig = ''
@ -24,27 +18,11 @@ in
}; };
}; };
frp.settings.proxies = [
{
name = "http.${domainName}";
type = "http";
customDomains = [ "${domainName}" ];
localPort = 80;
transport.useCompression = true;
}
{
name = "https.${domainName}";
type = "https";
customDomains = [ "${domainName}" ];
localPort = 443;
transport.useCompression = true;
}
];
ntfy-sh = { ntfy-sh = {
enable = true; enable = true;
settings = { settings = {
base-url = "https://${domainName}"; base-url = "https://${domainName}";
listen-http = "127.0.0.1:8080"; listen-http = "10.10.10.13:8080";
metrics-listen-http = "127.0.0.1:8081"; metrics-listen-http = "127.0.0.1:8081";
auth-file = "/mnt/data/ntfy-sh/user.db"; auth-file = "/mnt/data/ntfy-sh/user.db";
attachment-cache-dir = "/mnt/data/ntfy-sh/attachments"; attachment-cache-dir = "/mnt/data/ntfy-sh/attachments";


@ -4,6 +4,5 @@ _: {
./btrfs.nix ./btrfs.nix
./ssh.nix ./ssh.nix
../../shared/caddy.nix ../../shared/caddy.nix
../../shared/frp.nix
]; ];
} }


@ -20,8 +20,6 @@ wireguard:
layne: layne:
pk: ENC[AES256_GCM,data:tmuYhe/7n65asRwmXXk7ZeYeS8SDovkLpaysXTmNvL+40IZw71Ju1lpJIrI=,iv:B4fhKqOkLwTWBpHD557Xrtn5GgTJJpWlFYCzNU1/Ipc=,tag:HBFGG35FB/UWkuVQWqo1EA==,type:str] pk: ENC[AES256_GCM,data:tmuYhe/7n65asRwmXXk7ZeYeS8SDovkLpaysXTmNvL+40IZw71Ju1lpJIrI=,iv:B4fhKqOkLwTWBpHD557Xrtn5GgTJJpWlFYCzNU1/Ipc=,tag:HBFGG35FB/UWkuVQWqo1EA==,type:str]
psk: ENC[AES256_GCM,data:5psT1pbRMDCBXHYg4z5zqsYTmgQgg0Df+xEtbEhf1YBzl6qEYyjLDhvpvaQ=,iv:wH9CqNBmLjlGlDPFZtTQ+tCVYBTkhLfwLc2nWNhlYCM=,tag:YWtFcx4YD6gh5qDnIYshfQ==,type:str] psk: ENC[AES256_GCM,data:5psT1pbRMDCBXHYg4z5zqsYTmgQgg0Df+xEtbEhf1YBzl6qEYyjLDhvpvaQ=,iv:wH9CqNBmLjlGlDPFZtTQ+tCVYBTkhLfwLc2nWNhlYCM=,tag:YWtFcx4YD6gh5qDnIYshfQ==,type:str]
frp:
token_file: ENC[AES256_GCM,data:y8QgggTJaQ2STMGNGT0RagUhBgA6H20plzEwd9jNhdXl1098URUV0288YoTnQcc=,iv:/BYWC2WYvXrlvNc97RJTfhf1IratSRU0vHcaxLXJ+V4=,tag:PlStSrzm09fW442uBHAiUg==,type:str]
matrix: matrix:
syncv3_secret: ENC[AES256_GCM,data:05lLSSolNO55VjJQL3nLNGo2jiZUZht2FKNvc2O2dCccSfglrwm6J5Guzns9ZlT8X9j74lvlWlbM6Q==,iv:1zARbgZ9GJV1UMJ+WjFPNYPqhRjGVj4iLYMpfsRjrko=,tag:fQ9Vg1xD1k2eYlEbtF6q8A==,type:str] syncv3_secret: ENC[AES256_GCM,data:05lLSSolNO55VjJQL3nLNGo2jiZUZht2FKNvc2O2dCccSfglrwm6J5Guzns9ZlT8X9j74lvlWlbM6Q==,iv:1zARbgZ9GJV1UMJ+WjFPNYPqhRjGVj4iLYMpfsRjrko=,tag:fQ9Vg1xD1k2eYlEbtF6q8A==,type:str]
caddy: caddy:
@ -97,8 +95,8 @@ sops:
YzdpTitkMHh6VUFtV2FodVF6OWJkTU0KBjC+esgHZ8hTWXwZ+cy4++jLP+gsruHM YzdpTitkMHh6VUFtV2FodVF6OWJkTU0KBjC+esgHZ8hTWXwZ+cy4++jLP+gsruHM
fmRDhvQu0MNHkjQ8q4VmwRVl10uc8CyTDFTuyDoAhvmnzXHtrg1wpA== fmRDhvQu0MNHkjQ8q4VmwRVl10uc8CyTDFTuyDoAhvmnzXHtrg1wpA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-27T19:07:41Z" lastmodified: "2024-10-28T11:23:04Z"
mac: ENC[AES256_GCM,data:VldQSd/lVeo09BeY1rmWG3bSixtDTqqs5TLI3GqyUOaRAgFz2Hnwl7LwZaz7JTKCCqyLZZnpsipNAGH75MykZdTlrolt2BgSz4q5WBwFwF8RJIZNoKkvTZyozhDyzSfLcCIM/40pNfStmpJXGL3+kn2q0+oTyKEhfza1fMal/Qo=,iv:MeVgaZp0pnKTs9HYWYrzf/T2CiuKoPNxAXrLYMACcDw=,tag:LMs1wLRZ/n6XoOIDZSBt+w==,type:str] mac: ENC[AES256_GCM,data:J2PFw2F3K7QqCL509L+D9YTSiWKafuWbKymfpGXLc4gkkqvu2Uk15pL5mcqgxz39plZ/hxKQDAtqDRaBXgrpGuyLftd4xrGs8O6BZUQygU5YTNiaF7LHbSFhu3XuwSm0PkV3fpee8GUvwF51lPly5aZIIFhIfALJSeilScEH7qs=,iv:ufwva8whVXQytx9Yb8HOpoHkSRm6xkA6qeBoniu6aAQ=,tag:fd9A5cnyxR3e8hsSeHYbfw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1