services: update caddy configs
This commit is contained in:
parent
8cbde4811f
commit
8bc7dea1ef
|
@ -77,5 +77,6 @@ in
|
|||
default = config.profile.services.telemetry.enable;
|
||||
};
|
||||
};
|
||||
technitium.enable = mkEnableOption "technitium";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -71,6 +71,7 @@
|
|||
ntfy-sh.enable = true;
|
||||
ntfy-sh.client.enable = false;
|
||||
couchdb.enable = true;
|
||||
technitium.enable = false;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -6,7 +6,7 @@ let
|
|||
inherit (lib) mkIf attrsets;
|
||||
ip = "10.88.1.1";
|
||||
image = "docker.io/pihole/pihole:latest";
|
||||
piholeDNSIPBind = "192.168.100.3";
|
||||
piholeDNSIPBind = "192.168.100.5";
|
||||
in
|
||||
{
|
||||
config = mkIf (podman.enable && pihole.enable) {
|
||||
|
@ -70,6 +70,7 @@ in
|
|||
ports = [
|
||||
"${piholeDNSIPBind}:53:53/udp"
|
||||
"67:67/udp"
|
||||
"2000:80/tcp"
|
||||
];
|
||||
volumes = [
|
||||
"pihole-etc:/etc/pihole"
|
||||
|
|
|
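Review bot: `"67:67/udp"` is published without the `${piholeDNSIPBind}:` prefix that the DNS line carries, so Podman binds it on every host interface instead of the Pi-hole address; the hunk header's +1 suggests this is the line being added, and it should be bound the same way, `"${piholeDNSIPBind}:67:67/udp"`. DHCP discovery is broadcast-based and is not forwarded by a published port mapping, so this entry may not serve leases at all without host networking — verify before relying on it. The enclosing `ports` list is in context and the container definition continues outside the hunk.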
@ -16,44 +16,19 @@ let
|
|||
user = config.profile.user;
|
||||
uid = toString user.uid;
|
||||
gid = toString user.gid;
|
||||
basic_auth = {
|
||||
username = "soulseek/caddy/username";
|
||||
password = "soulseek/caddy/password";
|
||||
template = "soulseek/caddy/basic_auth";
|
||||
};
|
||||
in
|
||||
{
|
||||
config = mkIf (podman.enable && podman.${name}.enable) {
|
||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||
@require_auth not remote_ip private_ranges
|
||||
|
||||
basicauth @require_auth {
|
||||
{$SOULSEEK_USERNAME} {$SOULSEEK_PASSWORD}
|
||||
basic_auth @require_auth {
|
||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||
}
|
||||
|
||||
reverse_proxy ${ip}:6080
|
||||
'';
|
||||
|
||||
sops = {
|
||||
secrets =
|
||||
let
|
||||
opts = {
|
||||
sopsFile = ../../secrets/soulseek.yaml;
|
||||
};
|
||||
in
|
||||
{
|
||||
${basic_auth.username} = opts;
|
||||
${basic_auth.password} = opts;
|
||||
};
|
||||
templates = {
|
||||
${basic_auth.template}.content = # sh
|
||||
''
|
||||
SOULSEEK_USERNAME=${config.sops.placeholder.${basic_auth.username}}
|
||||
SOULSEEK_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
system.activationScripts."podman-${name}" = ''
|
||||
mkdir -p ${rootVolume}/{config,downloads,incomplete}
|
||||
chown ${uid}:${gid} ${rootVolume} ${rootVolume}/{config,downloads,incomplete}
|
||||
|
@ -67,9 +42,6 @@ in
|
|||
serviceName = "podman-${name}-autorestart";
|
||||
in
|
||||
{
|
||||
services."caddy".serviceConfig = {
|
||||
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
|
||||
};
|
||||
services.${serviceName} = {
|
||||
description = "Podman container ${name} autorestart";
|
||||
serviceConfig = {
|
||||
|
|
|
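Review bot: The `basic_auth @require_auth { {$AUTH_USERNAME} {$AUTH_PASSWORD} }` block now authenticates this host against the single `caddy/basic_auth/*` pair declared in caddy.nix, and the same replacement is made in ytptube, alloy, loki, mimir, tempo and the new technitium host, so one leaked or guessed credential opens every admin UI that was previously isolated by its own secret. If that consolidation is intended, say so where the shared pair is declared; otherwise keep per-host pairs and only standardise the env-var names. The `not remote_ip private_ranges` matcher that exempts LAN clients is pre-existing and unchanged here, but it now covers a larger set of hosts. The removed per-service `sops` block and `EnvironmentFile` entry are history and need no replacement in this file.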
@ -68,36 +68,11 @@ let
|
|||
in
|
||||
lib.mkMerge [
|
||||
(mkIf podman.${name}.enable {
|
||||
sops = {
|
||||
secrets =
|
||||
let
|
||||
opts = { };
|
||||
in
|
||||
{
|
||||
${basic_auth.username} = opts;
|
||||
${basic_auth.password} = opts;
|
||||
"ntfy/tokens/homeserver" = {
|
||||
sopsFile = ../../secrets/ntfy.yaml;
|
||||
};
|
||||
};
|
||||
templates = {
|
||||
${basic_auth.template}.content = # sh
|
||||
''
|
||||
YTPTUBE_USERNAME=${config.sops.placeholder.${basic_auth.username}}
|
||||
YTPTUBE_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
|
||||
'';
|
||||
"ytptube/webhooks.json" = mkIf config.services.ntfy-sh.enable {
|
||||
content = webhook;
|
||||
path = "/etc/podman/${name}/webhooks.json";
|
||||
owner = config.profile.user.name;
|
||||
};
|
||||
};
|
||||
};
|
||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||
@require_auth not remote_ip private_ranges
|
||||
|
||||
basicauth @require_auth {
|
||||
{$YTPTUBE_USERNAME} {$YTPTUBE_PASSWORD}
|
||||
basic_auth @require_auth {
|
||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||
}
|
||||
|
||||
reverse_proxy ${ip}:8081
|
||||
|
@ -107,10 +82,6 @@ lib.mkMerge [
|
|||
chown -R ${uid}:${gid} ${volume} /etc/podman/${name}
|
||||
'';
|
||||
|
||||
systemd.services."caddy".serviceConfig = {
|
||||
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
|
||||
};
|
||||
|
||||
systemd.services."podman-${name}".restartTriggers = [ webhook ];
|
||||
|
||||
environment.etc."podman/${name}/ytdlp.json" = {
|
||||
|
|
|
@ -20,6 +20,21 @@ in
|
|||
package = unstable.caddy;
|
||||
};
|
||||
|
||||
sops = {
|
||||
secrets = {
|
||||
"caddy/basic_auth/username" = { };
|
||||
"caddy/basic_auth/password" = { };
|
||||
};
|
||||
templates."caddy/basic_auth.env".content = ''
|
||||
AUTH_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
|
||||
AUTH_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.caddy.serviceConfig = {
|
||||
EnvironmentFile = [ config.sops.templates."caddy/basic_auth.env".path ];
|
||||
};
|
||||
|
||||
services.caddy.globalConfig = # caddy
|
||||
''
|
||||
servers {
|
||||
|
|
|
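Review bot: The `caddy/basic_auth/password` secret that feeds `AUTH_PASSWORD` has to hold a bcrypt hash, because Caddy's `basic_auth` directive takes `<username> <hashed_password>` and will not match a cleartext value; nothing in the new secret or template name says so, and the per-service templates this replaces had the same silent requirement. Add a comment beside the declaration, `# value is the bcrypt hash from 'caddy hash-password', never the cleartext password`. The template is consumed only through `EnvironmentFile`, which systemd reads as root, so the default root-owned template file is sufficient here and no `owner` is needed — presumably the reason the former `owner = "grafana"` settings were dropped; confirm nothing else reads the template path.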
@ -19,5 +19,6 @@
|
|||
./wireguard.nix
|
||||
./photoprism.nix
|
||||
./ntfy-sh.nix
|
||||
./technitium.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -15,7 +15,7 @@ in
|
|||
services.stubby = {
|
||||
enable = true;
|
||||
settings = pkgs.stubby.passthru.settingsExample // {
|
||||
listen_addresses = [ "192.168.100.5" ];
|
||||
listen_addresses = [ "192.168.100.3" ];
|
||||
upstream_recursive_servers = [
|
||||
{
|
||||
address_data = "1.1.1.1";
|
||||
|
|
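--- a/system/services/technitium.nix
+++ b/system/services/technitium.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+let
+cfg = config.profile.services.technitium;
+inherit (lib) mkIf;
+in
+{
+config = mkIf cfg.enable {
+services.technitium-dns-server = {
+enable = true;
+openFirewall = true;
+};
+
+services.caddy.virtualHosts."dns.tigor.web.id".extraConfig = ''
+@require_auth not remote_ip private_ranges
+
+basic_auth @require_auth {
+{$AUTH_USERNAME} {$AUTH_PASSWORD}
+}
+
+reverse_proxy localhost:5380
+'';
+};
+}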
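Review bot: `openFirewall = true` on `services.technitium-dns-server` opens more than port 53 in recent nixpkgs — as far as I recall the module also allows the web console ports (5380 and its TLS counterpart) — which would expose the console directly and make the `basic_auth @require_auth` gate Caddy puts in front of `localhost:5380` bypassable from outside; verify against the module, and if so set `openFirewall = false` and allow only `53` via `networking.firewall.allowedTCPPorts`/`allowedUDPPorts`. The console's own login still applies either way, but the reverse-proxy layer is then decorative. Also, `"dns.tigor.web.id"` is inlined here whereas the other service files bind a `domain` in the `let`; matching that keeps the host list uniform and greppable.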
|
@ -22,30 +22,11 @@ in
|
|||
extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ];
|
||||
package = unstable.grafana-alloy;
|
||||
};
|
||||
|
||||
sops = {
|
||||
secrets =
|
||||
let
|
||||
opts = { };
|
||||
in
|
||||
{
|
||||
"caddy/basic_auth/username" = opts;
|
||||
"caddy/basic_auth/password" = opts;
|
||||
};
|
||||
templates = {
|
||||
"alloy-basic-auth".content = # sh
|
||||
''
|
||||
ALLOY_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
|
||||
ALLOY_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||
@require_auth not remote_ip private_ranges
|
||||
|
||||
basicauth @require_auth {
|
||||
{$ALLOY_USERNAME} {$ALLOY_PASSWORD}
|
||||
basic_auth @require_auth {
|
||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||
}
|
||||
|
||||
reverse_proxy ${webguiListenAddress}
|
||||
|
|
|
@ -7,39 +7,10 @@ let
|
|||
in
|
||||
{
|
||||
config = mkIf cfg.enable {
|
||||
sops =
|
||||
let
|
||||
usernameKey = "loki/caddy/basic_auth/username";
|
||||
passwordKey = "loki/caddy/basic_auth/password";
|
||||
in
|
||||
{
|
||||
secrets =
|
||||
let
|
||||
opts = {
|
||||
sopsFile = ../../../secrets/telemetry.yaml;
|
||||
owner = "grafana";
|
||||
};
|
||||
in
|
||||
{
|
||||
${usernameKey} = opts;
|
||||
${passwordKey} = opts;
|
||||
};
|
||||
templates = {
|
||||
"loki/caddy/basic_auth".content = # sh
|
||||
''
|
||||
LOKI_USERNAME=${config.sops.placeholder.${usernameKey}}
|
||||
LOKI_PASSWORD=${config.sops.placeholder.${passwordKey}}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."caddy".serviceConfig = {
|
||||
EnvironmentFile = [ config.sops.templates."loki/caddy/basic_auth".path ];
|
||||
};
|
||||
services.caddy.virtualHosts.${lokiDomain}.extraConfig = # caddy
|
||||
''
|
||||
basicauth {
|
||||
{$LOKI_USERNAME} {$LOKI_PASSWORD}
|
||||
basic_auth {
|
||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||
}
|
||||
reverse_proxy ${server.http_listen_address}:${toString server.http_listen_port}
|
||||
'';
|
||||
|
|
|
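Review bot: Removing the `loki/caddy/basic_auth/*` secrets also removes the `owner = "grafana"` they carried, which suggests something running as grafana (a datasource definition, presumably) read them by path; if such a reference remains elsewhere in the tree it now fails to evaluate, and if Grafana still needs the credential it should point at the new `caddy/basic_auth/*` secrets declared with an `owner`. The same applies to tempo's removed `tempo/caddy/basic_auth/*` secrets. The `basic_auth { … }` block here still has no `@require_auth` matcher, unlike the other hosts, so LAN clients are challenged too — presumably intentional since Loki is only reached by agents, but worth a comment such as `# no private_ranges bypass: push agents must authenticate as well`. The `config` attribute set continues outside the hunk.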
@ -7,28 +7,6 @@ let
|
|||
in
|
||||
{
|
||||
config = mkIf cfg.enable {
|
||||
sops = {
|
||||
secrets =
|
||||
let
|
||||
opts = { };
|
||||
in
|
||||
{
|
||||
"caddy/basic_auth/username" = opts;
|
||||
"caddy/basic_auth/password" = opts;
|
||||
};
|
||||
templates = {
|
||||
"mimir-basic-auth".content = # sh
|
||||
''
|
||||
MIMIR_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
|
||||
MIMIR_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."caddy".serviceConfig = {
|
||||
EnvironmentFile = [ config.sops.templates."mimir-basic-auth".path ];
|
||||
};
|
||||
|
||||
services.caddy.virtualHosts.${domain}.extraConfig =
|
||||
let
|
||||
mimirServerConfig = config.services.mimir.configuration.server;
|
||||
|
@ -37,8 +15,8 @@ in
|
|||
''
|
||||
@require_auth not remote_ip private_ranges
|
||||
|
||||
basicauth @require_auth {
|
||||
{$ALLOY_USERNAME} {$ALLOY_PASSWORD}
|
||||
basic_auth @require_auth {
|
||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||
}
|
||||
|
||||
reverse_proxy ${hostAddress}
|
||||
|
|
|
@ -3,45 +3,15 @@ let
|
|||
cfg = config.profile.services.telemetry.tempo;
|
||||
inherit (lib) mkIf;
|
||||
domain = "tempo.tigor.web.id";
|
||||
basic_auth = {
|
||||
username = "tempo/caddy/basic_auth/username";
|
||||
password = "tempo/caddy/basic_auth/password";
|
||||
template = "tempo/caddy/basic_auth";
|
||||
};
|
||||
server = config.services.tempo.settings.server;
|
||||
in
|
||||
{
|
||||
config = mkIf cfg.enable {
|
||||
sops = {
|
||||
secrets =
|
||||
let
|
||||
opts = {
|
||||
sopsFile = ../../../secrets/telemetry.yaml;
|
||||
owner = "grafana";
|
||||
};
|
||||
in
|
||||
{
|
||||
${basic_auth.username} = opts;
|
||||
${basic_auth.password} = opts;
|
||||
};
|
||||
templates = {
|
||||
${basic_auth.template}.content = # sh
|
||||
''
|
||||
TEMPO_USERNAME=${config.sops.placeholder.${basic_auth.username}}
|
||||
TEMPO_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."caddy".serviceConfig = {
|
||||
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
|
||||
};
|
||||
|
||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||
@require_auth not remote_ip private_ranges
|
||||
|
||||
basicauth @require_auth {
|
||||
{$TEMPO_USERNAME} {$TEMPO_PASSWORD}
|
||||
basic_auth @require_auth {
|
||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||
}
|
||||
|
||||
reverse_proxy ${server.http_listen_address}:3200
|
||||
|
|