services: update caddy configs

This commit is contained in:
Tigor Hutasuhut 2024-10-28 21:38:34 +07:00
parent 8cbde4811f
commit 8bc7dea1ef
13 changed files with 56 additions and 171 deletions

View file

@ -77,5 +77,6 @@ in
default = config.profile.services.telemetry.enable;
};
};
technitium.enable = mkEnableOption "technitium";
};
}

View file

@ -71,6 +71,7 @@
ntfy-sh.enable = true;
ntfy-sh.client.enable = false;
couchdb.enable = true;
technitium.enable = false;
};
};
}

View file

@ -6,7 +6,7 @@ let
inherit (lib) mkIf attrsets;
ip = "10.88.1.1";
image = "docker.io/pihole/pihole:latest";
piholeDNSIPBind = "192.168.100.3";
piholeDNSIPBind = "192.168.100.5";
in
{
config = mkIf (podman.enable && pihole.enable) {
@ -70,6 +70,7 @@ in
ports = [
"${piholeDNSIPBind}:53:53/udp"
"67:67/udp"
"2000:80/tcp"
];
volumes = [
"pihole-etc:/etc/pihole"

View file

@ -16,44 +16,19 @@ let
user = config.profile.user;
uid = toString user.uid;
gid = toString user.gid;
basic_auth = {
username = "soulseek/caddy/username";
password = "soulseek/caddy/password";
template = "soulseek/caddy/basic_auth";
};
in
{
config = mkIf (podman.enable && podman.${name}.enable) {
services.caddy.virtualHosts.${domain}.extraConfig = ''
@require_auth not remote_ip private_ranges
basicauth @require_auth {
{$SOULSEEK_USERNAME} {$SOULSEEK_PASSWORD}
basic_auth @require_auth {
{$AUTH_USERNAME} {$AUTH_PASSWORD}
}
reverse_proxy ${ip}:6080
'';
sops = {
secrets =
let
opts = {
sopsFile = ../../secrets/soulseek.yaml;
};
in
{
${basic_auth.username} = opts;
${basic_auth.password} = opts;
};
templates = {
${basic_auth.template}.content = # sh
''
SOULSEEK_USERNAME=${config.sops.placeholder.${basic_auth.username}}
SOULSEEK_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
'';
};
};
system.activationScripts."podman-${name}" = ''
mkdir -p ${rootVolume}/{config,downloads,incomplete}
chown ${uid}:${gid} ${rootVolume} ${rootVolume}/{config,downloads,incomplete}
@ -67,9 +42,6 @@ in
serviceName = "podman-${name}-autorestart";
in
{
services."caddy".serviceConfig = {
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
};
services.${serviceName} = {
description = "Podman container ${name} autorestart";
serviceConfig = {

View file

@ -68,36 +68,11 @@ let
in
lib.mkMerge [
(mkIf podman.${name}.enable {
sops = {
secrets =
let
opts = { };
in
{
${basic_auth.username} = opts;
${basic_auth.password} = opts;
"ntfy/tokens/homeserver" = {
sopsFile = ../../secrets/ntfy.yaml;
};
};
templates = {
${basic_auth.template}.content = # sh
''
YTPTUBE_USERNAME=${config.sops.placeholder.${basic_auth.username}}
YTPTUBE_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
'';
"ytptube/webhooks.json" = mkIf config.services.ntfy-sh.enable {
content = webhook;
path = "/etc/podman/${name}/webhooks.json";
owner = config.profile.user.name;
};
};
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
@require_auth not remote_ip private_ranges
basicauth @require_auth {
{$YTPTUBE_USERNAME} {$YTPTUBE_PASSWORD}
basic_auth @require_auth {
{$AUTH_USERNAME} {$AUTH_PASSWORD}
}
reverse_proxy ${ip}:8081
@ -107,10 +82,6 @@ lib.mkMerge [
chown -R ${uid}:${gid} ${volume} /etc/podman/${name}
'';
systemd.services."caddy".serviceConfig = {
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
};
systemd.services."podman-${name}".restartTriggers = [ webhook ];
environment.etc."podman/${name}/ytdlp.json" = {

View file

@ -20,6 +20,21 @@ in
package = unstable.caddy;
};
sops = {
secrets = {
"caddy/basic_auth/username" = { };
"caddy/basic_auth/password" = { };
};
templates."caddy/basic_auth.env".content = ''
AUTH_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
AUTH_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
'';
};
systemd.services.caddy.serviceConfig = {
EnvironmentFile = [ config.sops.templates."caddy/basic_auth.env".path ];
};
services.caddy.globalConfig = # caddy
''
servers {

View file

@ -19,5 +19,6 @@
./wireguard.nix
./photoprism.nix
./ntfy-sh.nix
./technitium.nix
];
}

View file

@ -15,7 +15,7 @@ in
services.stubby = {
enable = true;
settings = pkgs.stubby.passthru.settingsExample // {
listen_addresses = [ "192.168.100.5" ];
listen_addresses = [ "192.168.100.3" ];
upstream_recursive_servers = [
{
address_data = "1.1.1.1";

View file

@ -0,0 +1,23 @@
{ config, lib, ... }:
let
cfg = config.profile.services.technitium;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
services.technitium-dns-server = {
enable = true;
openFirewall = true;
};
services.caddy.virtualHosts."dns.tigor.web.id".extraConfig = ''
@require_auth not remote_ip private_ranges
basic_auth @require_auth {
{$AUTH_USERNAME} {$AUTH_PASSWORD}
}
reverse_proxy localhost:5380
'';
};
}

View file

@ -22,30 +22,11 @@ in
extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ];
package = unstable.grafana-alloy;
};
sops = {
secrets =
let
opts = { };
in
{
"caddy/basic_auth/username" = opts;
"caddy/basic_auth/password" = opts;
};
templates = {
"alloy-basic-auth".content = # sh
''
ALLOY_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
ALLOY_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
'';
};
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
@require_auth not remote_ip private_ranges
basicauth @require_auth {
{$ALLOY_USERNAME} {$ALLOY_PASSWORD}
basic_auth @require_auth {
{$AUTH_USERNAME} {$AUTH_PASSWORD}
}
reverse_proxy ${webguiListenAddress}

View file

@ -7,39 +7,10 @@ let
in
{
config = mkIf cfg.enable {
sops =
let
usernameKey = "loki/caddy/basic_auth/username";
passwordKey = "loki/caddy/basic_auth/password";
in
{
secrets =
let
opts = {
sopsFile = ../../../secrets/telemetry.yaml;
owner = "grafana";
};
in
{
${usernameKey} = opts;
${passwordKey} = opts;
};
templates = {
"loki/caddy/basic_auth".content = # sh
''
LOKI_USERNAME=${config.sops.placeholder.${usernameKey}}
LOKI_PASSWORD=${config.sops.placeholder.${passwordKey}}
'';
};
};
systemd.services."caddy".serviceConfig = {
EnvironmentFile = [ config.sops.templates."loki/caddy/basic_auth".path ];
};
services.caddy.virtualHosts.${lokiDomain}.extraConfig = # caddy
''
basicauth {
{$LOKI_USERNAME} {$LOKI_PASSWORD}
basic_auth {
{$AUTH_USERNAME} {$AUTH_PASSWORD}
}
reverse_proxy ${server.http_listen_address}:${toString server.http_listen_port}
'';

View file

@ -7,28 +7,6 @@ let
in
{
config = mkIf cfg.enable {
sops = {
secrets =
let
opts = { };
in
{
"caddy/basic_auth/username" = opts;
"caddy/basic_auth/password" = opts;
};
templates = {
"mimir-basic-auth".content = # sh
''
MIMIR_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
MIMIR_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
'';
};
};
systemd.services."caddy".serviceConfig = {
EnvironmentFile = [ config.sops.templates."mimir-basic-auth".path ];
};
services.caddy.virtualHosts.${domain}.extraConfig =
let
mimirServerConfig = config.services.mimir.configuration.server;
@ -37,8 +15,8 @@ in
''
@require_auth not remote_ip private_ranges
basicauth @require_auth {
{$ALLOY_USERNAME} {$ALLOY_PASSWORD}
basic_auth @require_auth {
{$AUTH_USERNAME} {$AUTH_PASSWORD}
}
reverse_proxy ${hostAddress}

View file

@ -3,45 +3,15 @@ let
cfg = config.profile.services.telemetry.tempo;
inherit (lib) mkIf;
domain = "tempo.tigor.web.id";
basic_auth = {
username = "tempo/caddy/basic_auth/username";
password = "tempo/caddy/basic_auth/password";
template = "tempo/caddy/basic_auth";
};
server = config.services.tempo.settings.server;
in
{
config = mkIf cfg.enable {
sops = {
secrets =
let
opts = {
sopsFile = ../../../secrets/telemetry.yaml;
owner = "grafana";
};
in
{
${basic_auth.username} = opts;
${basic_auth.password} = opts;
};
templates = {
${basic_auth.template}.content = # sh
''
TEMPO_USERNAME=${config.sops.placeholder.${basic_auth.username}}
TEMPO_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
'';
};
};
systemd.services."caddy".serviceConfig = {
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
@require_auth not remote_ip private_ranges
basicauth @require_auth {
{$TEMPO_USERNAME} {$TEMPO_PASSWORD}
basic_auth @require_auth {
{$AUTH_USERNAME} {$AUTH_PASSWORD}
}
reverse_proxy ${server.http_listen_address}:3200