Compare commits
11 commits
1641f38e78
...
d6a0b50283
Author | SHA1 | Date | |
---|---|---|---|
d6a0b50283 | |||
5889b175df | |||
748ba54041 | |||
bc3a6c308c | |||
d8313711f7 | |||
530ec9a882 | |||
88be51e982 | |||
2251e5fcea | |||
06d36bb45a | |||
f0cf26941d | |||
d11db8718c |
37 changed files with 334 additions and 400 deletions
|
@ -14,6 +14,7 @@ _: {
|
|||
{ directory = ".config/discord"; method = "symlink"; }
|
||||
{ directory = ".config/doctl"; method = "symlink"; }
|
||||
{ directory = ".config/gh"; method = "symlink"; }
|
||||
{ directory = ".config/hcloud"; method = "symlink"; }
|
||||
{ directory = ".config/lazygit"; method = "symlink"; }
|
||||
{ directory = ".config/nixos"; method = "symlink"; }
|
||||
{ directory = ".config/nvim"; method = "symlink"; }
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
|
||||
domainName = "watch.acomputer.lol";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
|
@ -21,30 +20,8 @@ in
|
|||
reverse_proxy 127.0.0.1:8096
|
||||
'';
|
||||
};
|
||||
"${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy 127.0.0.1:8096
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ domainName ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ domainName ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
jellyfin = {
|
||||
enable = true;
|
||||
user = "mediaserver";
|
||||
|
|
|
@ -4,6 +4,5 @@ _: {
|
|||
./btrfs.nix
|
||||
./ssh.nix
|
||||
../../shared/caddy.nix
|
||||
../../shared/frp.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -31,12 +31,6 @@ _: {
|
|||
options = [ "subvol=/" "compress-force=zstd" "noatime" ];
|
||||
};
|
||||
|
||||
"/mnt/data" = {
|
||||
device = "/dev/disk/by-partlabel/DATA0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=/" "compress-force=zstd" "noatime" "nofail" "x-systemd.automount" "x-systemd.device-timeout=5" ];
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-partlabel/RICO0_BOOT";
|
||||
fsType = "vfat";
|
||||
|
|
|
@ -17,26 +17,9 @@ in
|
|||
handle /.well-known/matrix/client {
|
||||
header Content-Type application/json
|
||||
header Access-Control-Allow-Origin *
|
||||
#respond `{"m.homeserver": {"base_url": "https://matrix.${domainName}:443"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.${domainName}"}}`
|
||||
respond `{"m.homeserver": {"base_url": "https://matrix.${domainName}:443"}}`
|
||||
}
|
||||
'';
|
||||
};
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -17,21 +17,5 @@ in
|
|||
}
|
||||
'';
|
||||
};
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ "${domainName}" "www.${domainName}" ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ "${domainName}" "www.${domainName}" ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,8 +1,14 @@
|
|||
_: {
|
||||
imports = [
|
||||
./acomputer.lol.nix
|
||||
./adtya.xyz.nix
|
||||
./dendrite.nix
|
||||
./forgejo.nix
|
||||
./jellyfin.nix
|
||||
./ntfy.nix
|
||||
./proofs.nix
|
||||
./wiki.nix
|
||||
./dendrite.nix
|
||||
../../../shared/prometheus-exporters.nix
|
||||
../../../shared/promtail.nix
|
||||
];
|
||||
|
|
15
hosts/rico0/services/apps/dendrite.nix
Normal file
15
hosts/rico0/services/apps/dendrite.nix
Normal file
|
@ -0,0 +1,15 @@
|
|||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
|
||||
domainName = "matrix.acomputer.lol";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
caddy.virtualHosts."${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy 10.10.10.13:8008
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
15
hosts/rico0/services/apps/forgejo.nix
Normal file
15
hosts/rico0/services/apps/forgejo.nix
Normal file
|
@ -0,0 +1,15 @@
|
|||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
|
||||
domainName = "forge.acomputer.lol";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
caddy.virtualHosts."${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy 10.10.10.13:3000
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
17
hosts/rico0/services/apps/jellyfin.nix
Normal file
17
hosts/rico0/services/apps/jellyfin.nix
Normal file
|
@ -0,0 +1,17 @@
|
|||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
|
||||
domainName = "watch.acomputer.lol";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
caddy.virtualHosts = {
|
||||
"${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy 10.10.10.14:8096
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
18
hosts/rico0/services/apps/ntfy.nix
Normal file
18
hosts/rico0/services/apps/ntfy.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
|
||||
domainName = "ntfy.acomputer.lol";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
caddy.virtualHosts = {
|
||||
|
||||
"${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy 10.10.10.13:8080
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -13,22 +13,5 @@ in
|
|||
'';
|
||||
};
|
||||
};
|
||||
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -16,21 +16,5 @@ in
|
|||
}
|
||||
'';
|
||||
};
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,53 +1,10 @@
|
|||
_:
|
||||
let
|
||||
inherit (import ../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./apps
|
||||
./btrfs.nix
|
||||
./ssh.nix
|
||||
../../shared/caddy.nix
|
||||
../../shared/frp.nix
|
||||
];
|
||||
|
||||
services.caddy = {
|
||||
virtualHosts = {
|
||||
"gateway.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.0.1:80
|
||||
'';
|
||||
};
|
||||
"ap1.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.1.1:80
|
||||
'';
|
||||
};
|
||||
"ap2.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.1.2:80
|
||||
'';
|
||||
};
|
||||
"switch.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.1.3:80
|
||||
'';
|
||||
};
|
||||
"frp.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 10.10.10.1:7500
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -31,6 +31,12 @@ _: {
|
|||
options = [ "subvol=/" "compress-force=zstd" "noatime" ];
|
||||
};
|
||||
|
||||
"/mnt/data" = {
|
||||
device = "/dev/disk/by-partlabel/DATA0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=/" "compress-force=zstd" "noatime" "nofail" "x-systemd.automount" "x-systemd.device-timeout=5" ];
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-partlabel/RICO1_BOOT";
|
||||
fsType = "vfat";
|
||||
|
|
|
@ -1,20 +1,12 @@
|
|||
{ pkgs, ... }:
|
||||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
|
||||
domainName = "blocky.labs.adtya.xyz";
|
||||
domainName = "blocky.rico1.labs.adtya.xyz";
|
||||
in
|
||||
{
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
53 #DNS
|
||||
imports = [
|
||||
../../../shared/blocky.nix
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
53 #DNS
|
||||
];
|
||||
};
|
||||
};
|
||||
systemd.services.blocky.unitConfig.After = [ "network-online.target" "wireguard-wg0.service" ];
|
||||
services = {
|
||||
caddy = {
|
||||
virtualHosts."${domainName}" = {
|
||||
|
@ -25,118 +17,10 @@ in
|
|||
'';
|
||||
};
|
||||
};
|
||||
blocky = {
|
||||
enable = true;
|
||||
settings = {
|
||||
bootstrapDns = [ "tcp+udp:1.1.1.1" ];
|
||||
upstreams = {
|
||||
init.strategy = "blocking";
|
||||
groups = {
|
||||
default = [
|
||||
# Cloudflare
|
||||
"tcp+udp:1.1.1.1"
|
||||
|
||||
# Google
|
||||
"tcp+udp:8.8.8.8"
|
||||
"tcp+udp:8.8.4.4"
|
||||
|
||||
# Quad9
|
||||
"tcp+udp:9.9.9.9"
|
||||
"tcp+udp:149.112.112.112"
|
||||
"tcp-tls:dns.quad9.net:853"
|
||||
"https://dns.quad9.net/dns-query"
|
||||
];
|
||||
};
|
||||
strategy = "parallel_best";
|
||||
timeout = "2s";
|
||||
userAgent = "Praise the DNS overlords!";
|
||||
};
|
||||
connectIPVersion = "v4";
|
||||
customDNS = {
|
||||
customTTL = "1h";
|
||||
filterUnmappedTypes = true;
|
||||
mapping = {
|
||||
# Local (Home Network)
|
||||
"gateway.local.adtya.xyz" = "192.168.0.1";
|
||||
"ap1.local.adtya.xyz" = "192.168.1.1";
|
||||
"ap2.local.adtya.xyz" = "192.168.1.2";
|
||||
"switch.local.adtya.xyz" = "192.168.1.3";
|
||||
"jellyfin.local.adtya.xyz" = "192.168.1.14";
|
||||
|
||||
# Labs (Homelab)
|
||||
"gateway.labs.adtya.xyz" = "10.10.10.10";
|
||||
"ap1.labs.adtya.xyz" = "10.10.10.10";
|
||||
"ap2.labs.adtya.xyz" = "10.10.10.10";
|
||||
"switch.labs.adtya.xyz" = "10.10.10.10";
|
||||
"proxy.labs.adtya.xyz" = "10.10.10.1";
|
||||
"skipper.labs.adtya.xyz" = "10.10.10.2";
|
||||
"rico0.labs.adtya.xyz" = "10.10.10.10";
|
||||
"rico1.labs.adtya.xyz" = "10.10.10.11";
|
||||
"rico2.labs.adtya.xyz" = "10.10.10.12";
|
||||
"wynne.labs.adtya.xyz" = "10.10.10.13";
|
||||
"layne.labs.adtya.xyz" = "10.10.10.14";
|
||||
"alertmanager.labs.adtya.xyz" = "10.10.10.11";
|
||||
"blocky.labs.adtya.xyz" = "10.10.10.11";
|
||||
"frp.labs.adtya.xyz" = "10.10.10.10";
|
||||
"grafana.labs.adtya.xyz" = "10.10.10.11";
|
||||
"loki.labs.adtya.xyz" = "10.10.10.11";
|
||||
"prometheus.labs.adtya.xyz" = "10.10.10.11";
|
||||
"transmission.labs.adtya.xyz" = "10.10.10.14";
|
||||
"jellyfin.labs.adtya.xyz" = "10.10.10.14";
|
||||
"radarr.labs.adtya.xyz" = "10.10.10.14";
|
||||
"sonarr.labs.adtya.xyz" = "10.10.10.14";
|
||||
"readarr.labs.adtya.xyz" = "10.10.10.14";
|
||||
"jackett.labs.adtya.xyz" = "10.10.10.14";
|
||||
};
|
||||
};
|
||||
conditional = {
|
||||
fallbackUpstream = false;
|
||||
mapping = {
|
||||
"local.adtya.xyz" = "192.168.1.1";
|
||||
"1.168.192.in-addr.arpa" = "192.168.1.1";
|
||||
};
|
||||
};
|
||||
blocking = {
|
||||
denylists = {
|
||||
ads = [
|
||||
"https://raw.githubusercontent.com/blocklistproject/Lists/master/ads.txt"
|
||||
];
|
||||
pihole = [
|
||||
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
|
||||
];
|
||||
};
|
||||
allowlists = {
|
||||
pihole = [
|
||||
(pkgs.writeText "allowlist.txt" ''
|
||||
s.youtube.com
|
||||
'')
|
||||
];
|
||||
|
||||
};
|
||||
clientGroupsBlock = {
|
||||
default = [ "ads" "pihole" ];
|
||||
};
|
||||
};
|
||||
clientLookup = {
|
||||
upstream = "192.168.1.1";
|
||||
singleNameOrder = [ 2 1 ];
|
||||
};
|
||||
prometheus = {
|
||||
enable = true;
|
||||
path = "/metrics";
|
||||
};
|
||||
ports = {
|
||||
blocky.settings.ports = {
|
||||
dns = "192.168.1.11:53,10.10.10.11:53";
|
||||
tls = "192.168.1.11:853,10.10.10.11:853";
|
||||
http = "127.0.0.1:8080";
|
||||
};
|
||||
log = {
|
||||
level = "warn";
|
||||
format = "json";
|
||||
timestamp = true;
|
||||
privacy = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,11 +1,46 @@
|
|||
_: {
|
||||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./alertmanager.nix
|
||||
./blocky.nix
|
||||
./grafana.nix
|
||||
./prometheus.nix
|
||||
./redis.nix
|
||||
./loki
|
||||
../../../shared/prometheus-exporters.nix
|
||||
../../../shared/promtail.nix
|
||||
];
|
||||
services.caddy = {
|
||||
virtualHosts = {
|
||||
"gateway.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.0.1:80
|
||||
'';
|
||||
};
|
||||
"ap1.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.1.1:80
|
||||
'';
|
||||
};
|
||||
"ap2.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.1.2:80
|
||||
'';
|
||||
};
|
||||
"switch.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 192.168.1.3:80
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -95,18 +95,20 @@ in
|
|||
{ targets = [ "layne.labs.adtya.xyz" ]; }
|
||||
];
|
||||
}
|
||||
{
|
||||
job_name = "frp";
|
||||
scheme = "https";
|
||||
static_configs = [
|
||||
{ targets = [ "frp.labs.adtya.xyz" ]; }
|
||||
];
|
||||
}
|
||||
{
|
||||
job_name = "blocky";
|
||||
scheme = "https";
|
||||
static_configs = [
|
||||
{ targets = [ "blocky.labs.adtya.xyz" ]; }
|
||||
{ targets = [ "blocky.rico1.labs.adtya.xyz" ]; }
|
||||
{ targets = [ "blocky.rico2.labs.adtya.xyz" ]; }
|
||||
];
|
||||
}
|
||||
{
|
||||
job_name = "redis";
|
||||
scheme = "https";
|
||||
metrics_path = "/redis-metrics";
|
||||
static_configs = [
|
||||
{ targets = [ "rico1.labs.adtya.xyz" ]; }
|
||||
];
|
||||
}
|
||||
];
|
||||
|
|
21
hosts/rico1/services/apps/redis.nix
Normal file
21
hosts/rico1/services/apps/redis.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
_: {
|
||||
services = {
|
||||
prometheus.exporters.redis = {
|
||||
enable = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
port = 9121;
|
||||
};
|
||||
redis.servers = {
|
||||
blocky = {
|
||||
enable = true;
|
||||
bind = "10.10.10.11";
|
||||
port = 6379;
|
||||
};
|
||||
caddy = {
|
||||
enable = true;
|
||||
bind = "10.10.10.11";
|
||||
port = 6380;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -4,6 +4,5 @@ _: {
|
|||
./btrfs.nix
|
||||
./ssh.nix
|
||||
../../shared/caddy.nix
|
||||
../../shared/frp.nix
|
||||
];
|
||||
}
|
||||
|
|
26
hosts/rico2/services/apps/blocky.nix
Normal file
26
hosts/rico2/services/apps/blocky.nix
Normal file
|
@ -0,0 +1,26 @@
|
|||
_:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsAcmeDnsChallenge;
|
||||
domainName = "blocky.rico2.labs.adtya.xyz";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../../../shared/blocky.nix
|
||||
];
|
||||
services = {
|
||||
caddy = {
|
||||
virtualHosts."${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
${tlsAcmeDnsChallenge}
|
||||
reverse_proxy 127.0.0.1:8080
|
||||
'';
|
||||
};
|
||||
};
|
||||
blocky.settings.ports = {
|
||||
dns = "192.168.1.12:53,10.10.10.12:53";
|
||||
tls = "192.168.1.12:853,10.10.10.12:853";
|
||||
http = "127.0.0.1:8080";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,5 +1,8 @@
|
|||
_: {
|
||||
imports = [
|
||||
./alertmanager.nix
|
||||
./blocky.nix
|
||||
./grafana.nix
|
||||
../../../shared/prometheus-exporters.nix
|
||||
../../../shared/promtail.nix
|
||||
];
|
||||
|
|
|
@ -4,7 +4,6 @@ _: {
|
|||
./btrfs.nix
|
||||
./ssh.nix
|
||||
../../shared/caddy.nix
|
||||
../../shared/frp.nix
|
||||
];
|
||||
|
||||
}
|
||||
|
|
130
hosts/shared/blocky.nix
Normal file
130
hosts/shared/blocky.nix
Normal file
|
@ -0,0 +1,130 @@
|
|||
{ pkgs, ... }: {
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
53 #DNS
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
53 #DNS
|
||||
];
|
||||
};
|
||||
};
|
||||
systemd.services.blocky.unitConfig.After = [ "network-online.target" "wireguard-wg0.service" ];
|
||||
services = {
|
||||
blocky = {
|
||||
enable = true;
|
||||
settings = {
|
||||
bootstrapDns = [ "tcp+udp:1.1.1.1" ];
|
||||
upstreams = {
|
||||
init.strategy = "blocking";
|
||||
groups = {
|
||||
default = [
|
||||
# Cloudflare
|
||||
"tcp+udp:1.1.1.1"
|
||||
|
||||
# Google
|
||||
"tcp+udp:8.8.8.8"
|
||||
"tcp+udp:8.8.4.4"
|
||||
|
||||
# Quad9
|
||||
"tcp+udp:9.9.9.9"
|
||||
"tcp+udp:149.112.112.112"
|
||||
"tcp-tls:dns.quad9.net:853"
|
||||
"https://dns.quad9.net/dns-query"
|
||||
];
|
||||
};
|
||||
strategy = "parallel_best";
|
||||
timeout = "2s";
|
||||
userAgent = "Praise the DNS overlords!";
|
||||
};
|
||||
connectIPVersion = "v4";
|
||||
customDNS = {
|
||||
customTTL = "1h";
|
||||
filterUnmappedTypes = true;
|
||||
mapping = {
|
||||
# Local (Home Network)
|
||||
"gateway.local.adtya.xyz" = "192.168.0.1";
|
||||
"ap1.local.adtya.xyz" = "192.168.1.1";
|
||||
"ap2.local.adtya.xyz" = "192.168.1.2";
|
||||
"switch.local.adtya.xyz" = "192.168.1.3";
|
||||
"jellyfin.local.adtya.xyz" = "192.168.1.14";
|
||||
|
||||
# Labs (Homelab)
|
||||
"gateway.labs.adtya.xyz" = "10.10.10.11";
|
||||
"ap1.labs.adtya.xyz" = "10.10.10.11";
|
||||
"ap2.labs.adtya.xyz" = "10.10.10.11";
|
||||
"switch.labs.adtya.xyz" = "10.10.10.11";
|
||||
|
||||
# Hosts
|
||||
"proxy.labs.adtya.xyz" = "10.10.10.1";
|
||||
"skipper.labs.adtya.xyz" = "10.10.10.2";
|
||||
"rico0.labs.adtya.xyz" = "10.10.10.10";
|
||||
"rico1.labs.adtya.xyz" = "10.10.10.11";
|
||||
"rico2.labs.adtya.xyz" = "10.10.10.12";
|
||||
"wynne.labs.adtya.xyz" = "10.10.10.13";
|
||||
"layne.labs.adtya.xyz" = "10.10.10.14";
|
||||
|
||||
# Services
|
||||
"alertmanager.labs.adtya.xyz" = "10.10.10.12";
|
||||
"blocky.rico1.labs.adtya.xyz" = "10.10.10.11";
|
||||
"blocky.rico2.labs.adtya.xyz" = "10.10.10.12";
|
||||
"grafana.labs.adtya.xyz" = "10.10.10.12";
|
||||
"jackett.labs.adtya.xyz" = "10.10.10.14";
|
||||
"jellyfin.labs.adtya.xyz" = "10.10.10.14";
|
||||
"loki.labs.adtya.xyz" = "10.10.10.11";
|
||||
"prometheus.labs.adtya.xyz" = "10.10.10.11";
|
||||
"radarr.labs.adtya.xyz" = "10.10.10.14";
|
||||
"readarr.labs.adtya.xyz" = "10.10.10.14";
|
||||
"sonarr.labs.adtya.xyz" = "10.10.10.14";
|
||||
"transmission.labs.adtya.xyz" = "10.10.10.14";
|
||||
};
|
||||
};
|
||||
conditional = {
|
||||
fallbackUpstream = false;
|
||||
mapping = {
|
||||
"local.adtya.xyz" = "192.168.1.1";
|
||||
"1.168.192.in-addr.arpa" = "192.168.1.1";
|
||||
};
|
||||
};
|
||||
blocking = {
|
||||
denylists = {
|
||||
ads = [
|
||||
"https://raw.githubusercontent.com/blocklistproject/Lists/master/ads.txt"
|
||||
];
|
||||
pihole = [
|
||||
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
|
||||
];
|
||||
};
|
||||
allowlists = {
|
||||
pihole = [
|
||||
(pkgs.writeText "allowlist.txt" ''
|
||||
s.youtube.com
|
||||
'')
|
||||
];
|
||||
|
||||
};
|
||||
clientGroupsBlock = {
|
||||
default = [ "ads" "pihole" ];
|
||||
};
|
||||
};
|
||||
clientLookup = {
|
||||
upstream = "192.168.1.1";
|
||||
singleNameOrder = [ 2 1 ];
|
||||
};
|
||||
prometheus = {
|
||||
enable = true;
|
||||
path = "/metrics";
|
||||
};
|
||||
redis = {
|
||||
address = "10.10.10.11:6379";
|
||||
};
|
||||
log = {
|
||||
level = "warn";
|
||||
format = "json";
|
||||
timestamp = true;
|
||||
privacy = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -2,7 +2,7 @@
|
|||
logFormat = ''
|
||||
output stderr
|
||||
format json
|
||||
level INFO
|
||||
level ERROR
|
||||
'';
|
||||
|
||||
tlsAcmeDnsChallenge = ''
|
||||
|
|
|
@ -1,25 +0,0 @@
|
|||
{ config, lib, ... }: {
|
||||
sops.secrets = {
|
||||
"frp/token_file" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.frp.serviceConfig.EnvironmentFile = config.sops.secrets."frp/token_file".path;
|
||||
systemd.services.frp.serviceConfig.Restart = lib.mkForce "always";
|
||||
|
||||
services.frp = {
|
||||
enable = true;
|
||||
role = "client";
|
||||
settings = {
|
||||
serverAddr = "10.10.10.1";
|
||||
serverPort = 7002;
|
||||
transport.protocol = "quic";
|
||||
auth.method = "token";
|
||||
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -2,6 +2,7 @@
|
|||
networking = {
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useDHCP = lib.mkDefault false;
|
||||
};
|
||||
|
|
|
@ -31,6 +31,12 @@ in
|
|||
reverse_proxy ${config.services.prometheus.exporters.postgres.listenAddress}:${toString config.services.prometheus.exporters.postgres.port}
|
||||
}
|
||||
''}
|
||||
${lib.optionalString config.services.prometheus.exporters.redis.enable ''
|
||||
handle /redis-metrics {
|
||||
uri replace /redis-metrics /metrics
|
||||
reverse_proxy ${config.services.prometheus.exporters.redis.listenAddress}:${toString config.services.prometheus.exporters.redis.port}
|
||||
}
|
||||
''}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -16,7 +16,7 @@ in
|
|||
{
|
||||
nodeconfig.wireguard = {
|
||||
inherit interface-name;
|
||||
dns = [ "10.10.10.11" ];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
endpoint = "165.232.180.97:51821";
|
||||
endpoint-publickey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
||||
allowed-ips = if hostName == "skipper" then [ "10.10.10.0/24" ] else [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ];
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
_: {
|
||||
imports = [
|
||||
./dendrite
|
||||
./acomputer.lol.nix
|
||||
./forgejo.nix
|
||||
./ntfy.nix
|
||||
./postgresql.nix
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
inherit (import ../../../../shared/caddy-helpers.nix) logFormat;
|
||||
domainName = "matrix.acomputer.lol";
|
||||
in
|
||||
{
|
||||
sops = {
|
||||
secrets = {
|
||||
|
@ -13,43 +9,6 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
services = {
|
||||
caddy.virtualHosts."${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy /client/* 127.0.0.1:8009
|
||||
# reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync 127.0.0.1:8009
|
||||
reverse_proxy /_matrix/* 127.0.0.1:8008
|
||||
reverse_proxy /_dendrite/* 127.0.0.1:8008
|
||||
reverse_proxy /_synapse/* 127.0.0.1:8008
|
||||
'';
|
||||
};
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
#matrix-sliding-sync = {
|
||||
#enable = true;
|
||||
#settings = {
|
||||
# SYNCV3_SERVER = "https://${domainName}";
|
||||
# SYNCV3_BINDADDR = "127.0.0.1:8009";
|
||||
# SYNCV3_DB = "postgresql://dendrite@localhost/dendrite?sslmode=disable";
|
||||
#};
|
||||
#environmentFile = config.sops.secrets."matrix/syncv3_secret".path;
|
||||
#};
|
||||
};
|
||||
systemd.services.dendrite =
|
||||
let
|
||||
dendrite_package = pkgs.dendrite;
|
||||
|
@ -69,7 +28,7 @@ in
|
|||
RuntimeDirectoryMode = "0700";
|
||||
LimitNOFILE = 65535;
|
||||
ExecStart = ''
|
||||
${dendrite_package}/bin/dendrite -http-bind-address 127.0.0.1:8008 -config ${./config.yaml}
|
||||
${dendrite_package}/bin/dendrite -http-bind-address 10.10.10.13:8008 -config ${./config.yaml}
|
||||
'';
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
Restart = "on-failure";
|
||||
|
|
|
@ -1,33 +1,10 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
|
||||
domainName = "forge.acomputer.lol";
|
||||
cfg = config.services.forgejo;
|
||||
domainName = "forge.acomputer.lol";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
caddy.virtualHosts."${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy ${cfg.settings.server.HTTP_ADDR}:${toString cfg.settings.server.HTTP_PORT}
|
||||
'';
|
||||
};
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
forgejo = {
|
||||
enable = true;
|
||||
stateDir = "/mnt/data/Forgejo";
|
||||
|
@ -41,8 +18,12 @@ in
|
|||
server = {
|
||||
ROOT_URL = "https://${domainName}";
|
||||
PROTOCOL = "http";
|
||||
DISABLE_SSH = false;
|
||||
START_SSH_SERVER = true;
|
||||
BUILTIN_SSH_SERVER_USER = "forge";
|
||||
SSH_PORT = 42069;
|
||||
HTTP_ADDR = "127.0.0.1";
|
||||
SSH_LISTEN_HOST = "10.10.10.13";
|
||||
HTTP_ADDR = "10.10.10.13";
|
||||
HTTP_PORT = 3000;
|
||||
DOMAIN = domainName;
|
||||
};
|
||||
|
|
|
@ -6,12 +6,6 @@ in
|
|||
{
|
||||
services = {
|
||||
caddy.virtualHosts = {
|
||||
"${domainName}" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
|
||||
'';
|
||||
};
|
||||
"${config.networking.hostName}.labs.adtya.xyz" = {
|
||||
inherit logFormat;
|
||||
extraConfig = ''
|
||||
|
@ -24,27 +18,11 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
frp.settings.proxies = [
|
||||
{
|
||||
name = "http.${domainName}";
|
||||
type = "http";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 80;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
{
|
||||
name = "https.${domainName}";
|
||||
type = "https";
|
||||
customDomains = [ "${domainName}" ];
|
||||
localPort = 443;
|
||||
transport.useCompression = true;
|
||||
}
|
||||
];
|
||||
ntfy-sh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
base-url = "https://${domainName}";
|
||||
listen-http = "127.0.0.1:8080";
|
||||
listen-http = "10.10.10.13:8080";
|
||||
metrics-listen-http = "127.0.0.1:8081";
|
||||
auth-file = "/mnt/data/ntfy-sh/user.db";
|
||||
attachment-cache-dir = "/mnt/data/ntfy-sh/attachments";
|
||||
|
|
|
@ -4,6 +4,5 @@ _: {
|
|||
./btrfs.nix
|
||||
./ssh.nix
|
||||
../../shared/caddy.nix
|
||||
../../shared/frp.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -20,8 +20,6 @@ wireguard:
|
|||
layne:
|
||||
pk: ENC[AES256_GCM,data:tmuYhe/7n65asRwmXXk7ZeYeS8SDovkLpaysXTmNvL+40IZw71Ju1lpJIrI=,iv:B4fhKqOkLwTWBpHD557Xrtn5GgTJJpWlFYCzNU1/Ipc=,tag:HBFGG35FB/UWkuVQWqo1EA==,type:str]
|
||||
psk: ENC[AES256_GCM,data:5psT1pbRMDCBXHYg4z5zqsYTmgQgg0Df+xEtbEhf1YBzl6qEYyjLDhvpvaQ=,iv:wH9CqNBmLjlGlDPFZtTQ+tCVYBTkhLfwLc2nWNhlYCM=,tag:YWtFcx4YD6gh5qDnIYshfQ==,type:str]
|
||||
frp:
|
||||
token_file: ENC[AES256_GCM,data:y8QgggTJaQ2STMGNGT0RagUhBgA6H20plzEwd9jNhdXl1098URUV0288YoTnQcc=,iv:/BYWC2WYvXrlvNc97RJTfhf1IratSRU0vHcaxLXJ+V4=,tag:PlStSrzm09fW442uBHAiUg==,type:str]
|
||||
matrix:
|
||||
syncv3_secret: ENC[AES256_GCM,data:05lLSSolNO55VjJQL3nLNGo2jiZUZht2FKNvc2O2dCccSfglrwm6J5Guzns9ZlT8X9j74lvlWlbM6Q==,iv:1zARbgZ9GJV1UMJ+WjFPNYPqhRjGVj4iLYMpfsRjrko=,tag:fQ9Vg1xD1k2eYlEbtF6q8A==,type:str]
|
||||
caddy:
|
||||
|
@ -97,8 +95,8 @@ sops:
|
|||
YzdpTitkMHh6VUFtV2FodVF6OWJkTU0KBjC+esgHZ8hTWXwZ+cy4++jLP+gsruHM
|
||||
fmRDhvQu0MNHkjQ8q4VmwRVl10uc8CyTDFTuyDoAhvmnzXHtrg1wpA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-10-27T19:07:41Z"
|
||||
mac: ENC[AES256_GCM,data:VldQSd/lVeo09BeY1rmWG3bSixtDTqqs5TLI3GqyUOaRAgFz2Hnwl7LwZaz7JTKCCqyLZZnpsipNAGH75MykZdTlrolt2BgSz4q5WBwFwF8RJIZNoKkvTZyozhDyzSfLcCIM/40pNfStmpJXGL3+kn2q0+oTyKEhfza1fMal/Qo=,iv:MeVgaZp0pnKTs9HYWYrzf/T2CiuKoPNxAXrLYMACcDw=,tag:LMs1wLRZ/n6XoOIDZSBt+w==,type:str]
|
||||
lastmodified: "2024-10-28T11:23:04Z"
|
||||
mac: ENC[AES256_GCM,data:J2PFw2F3K7QqCL509L+D9YTSiWKafuWbKymfpGXLc4gkkqvu2Uk15pL5mcqgxz39plZ/hxKQDAtqDRaBXgrpGuyLftd4xrGs8O6BZUQygU5YTNiaF7LHbSFhu3XuwSm0PkV3fpee8GUvwF51lPly5aZIIFhIfALJSeilScEH7qs=,iv:ufwva8whVXQytx9Yb8HOpoHkSRm6xkA6qeBoniu6aAQ=,tag:fd9A5cnyxR3e8hsSeHYbfw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
||||
|
|
Loading…
Reference in a new issue