From 8bc7dea1ef073e2fe948143ec366e28ce0884e75 Mon Sep 17 00:00:00 2001 From: Tigor Hutasuhut Date: Mon, 28 Oct 2024 21:38:34 +0700 Subject: [PATCH] services: update caddy configs --- options/services.nix | 1 + profiles/homeserver.nix | 1 + system/podman/pihole.nix | 3 ++- system/podman/soulseek.nix | 32 ++------------------------- system/podman/ytptube.nix | 33 ++-------------------------- system/services/caddy.nix | 15 +++++++++++++ system/services/default.nix | 1 + system/services/stubby.nix | 2 +- system/services/technitium.nix | 23 +++++++++++++++++++ system/services/telemetry/alloy.nix | 23 ++----------------- system/services/telemetry/loki.nix | 33 ++-------------------------- system/services/telemetry/mimir.nix | 26 ++-------------------- system/services/telemetry/tempo.nix | 34 ++--------------------------- 13 files changed, 56 insertions(+), 171 deletions(-) create mode 100644 system/services/technitium.nix diff --git a/options/services.nix b/options/services.nix index 75e5a01..5969e49 100644 --- a/options/services.nix +++ b/options/services.nix @@ -77,5 +77,6 @@ in default = config.profile.services.telemetry.enable; }; }; + technitium.enable = mkEnableOption "technitium"; }; } diff --git a/profiles/homeserver.nix b/profiles/homeserver.nix index 8aebc99..939e1da 100644 --- a/profiles/homeserver.nix +++ b/profiles/homeserver.nix @@ -71,6 +71,7 @@ ntfy-sh.enable = true; ntfy-sh.client.enable = false; couchdb.enable = true; + technitium.enable = false; }; }; } diff --git a/system/podman/pihole.nix b/system/podman/pihole.nix index 5457d09..3bbba7c 100644 --- a/system/podman/pihole.nix +++ b/system/podman/pihole.nix @@ -6,7 +6,7 @@ let inherit (lib) mkIf attrsets; ip = "10.88.1.1"; image = "docker.io/pihole/pihole:latest"; - piholeDNSIPBind = "192.168.100.3"; + piholeDNSIPBind = "192.168.100.5"; in { config = mkIf (podman.enable && pihole.enable) { 
@@ -70,6 +70,7 @@ in ports = [ "${piholeDNSIPBind}:53:53/udp" "67:67/udp" + "2000:80/tcp" ]; volumes = [ "pihole-etc:/etc/pihole" diff --git a/system/podman/soulseek.nix b/system/podman/soulseek.nix index 57d7026..24cf66c 100644 --- a/system/podman/soulseek.nix +++ b/system/podman/soulseek.nix @@ -16,44 +16,19 @@ let user = config.profile.user; uid = toString user.uid; gid = toString user.gid; - basic_auth = { - username = "soulseek/caddy/username"; - password = "soulseek/caddy/password"; - template = "soulseek/caddy/basic_auth"; - }; in { config = mkIf (podman.enable && podman.${name}.enable) { services.caddy.virtualHosts.${domain}.extraConfig = '' @require_auth not remote_ip private_ranges - basicauth @require_auth { - {$SOULSEEK_USERNAME} {$SOULSEEK_PASSWORD} + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} } reverse_proxy ${ip}:6080 ''; - sops = { - secrets = - let - opts = { - sopsFile = ../../secrets/soulseek.yaml; - }; - in - { - ${basic_auth.username} = opts; - ${basic_auth.password} = opts; - }; - templates = { - ${basic_auth.template}.content = # sh - '' - SOULSEEK_USERNAME=${config.sops.placeholder.${basic_auth.username}} - SOULSEEK_PASSWORD=${config.sops.placeholder.${basic_auth.password}} - ''; - }; - }; - system.activationScripts."podman-${name}" = '' mkdir -p ${rootVolume}/{config,downloads,incomplete} chown ${uid}:${gid} ${rootVolume} ${rootVolume}/{config,downloads,incomplete} @@ -67,9 +42,6 @@ in serviceName = "podman-${name}-autorestart"; in { - services."caddy".serviceConfig = { - EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ]; - }; services.${serviceName} = { description = "Podman container ${name} autorestart"; serviceConfig = { diff --git a/system/podman/ytptube.nix b/system/podman/ytptube.nix index 60caced..04a22e3 100644 --- a/system/podman/ytptube.nix +++ b/system/podman/ytptube.nix 
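Review bot: The added `"2000:80/tcp"` mapping publishes the Pi-hole admin UI on port 2000 of every host address, while the DNS port on the line above is deliberately pinned to `${piholeDNSIPBind}`; unlike every other admin UI touched by this patch, it is not fronted by the Caddy `basic_auth` gate, so anything that can reach the host reaches the UI directly. Binding it explicitly, `"${piholeDNSIPBind}:2000:80/tcp"` or `"127.0.0.1:2000:80/tcp"` with a Caddy virtual host in front, would keep it consistent with the rest of the configuration. The `ports` list and its enclosing container definition continue outside the hunk. The exchange of bind addresses between this file (`.3` → `.5`) and stubby.nix (`.5` → `.3`) in the same patch would benefit from a one-line comment, e.g. `# pihole and stubby swapped addresses; keep in sync with system/services/stubby.nix`.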
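Review bot: Every virtual host in this patch now accepts the same `{$AUTH_USERNAME} {$AUTH_PASSWORD}` pair (here, and in the ytptube, alloy, loki, mimir, tempo and technitium hunks), so a credential that was previously scoped to one service — the removed `loki/caddy/basic_auth/*` and `tempo/caddy/basic_auth/*` secrets in particular, which presumably are what remote telemetry writers authenticate with — now opens every admin UI behind Caddy, and any client still configured with the old per-service values will start receiving 401s. If one shared pair is intended, a comment in caddy.nix saying so would help; otherwise the template in caddy.nix could emit one variable pair per host (e.g. `LOKI_USERNAME`/`LOKI_PASSWORD`) so the secret handling stays centralised without collapsing the trust boundaries. The old sops files referenced by the removed `sopsFile` attributes (`secrets/soulseek.yaml`, `secrets/telemetry.yaml`) appear to be left in place unused.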
@@ -68,36 +68,11 @@ let in lib.mkMerge [ (mkIf podman.${name}.enable { - sops = { - secrets = - let - opts = { }; - in - { - ${basic_auth.username} = opts; - ${basic_auth.password} = opts; - "ntfy/tokens/homeserver" = { - sopsFile = ../../secrets/ntfy.yaml; - }; - }; - templates = { - ${basic_auth.template}.content = # sh - '' - YTPTUBE_USERNAME=${config.sops.placeholder.${basic_auth.username}} - YTPTUBE_PASSWORD=${config.sops.placeholder.${basic_auth.password}} - ''; - "ytptube/webhooks.json" = mkIf config.services.ntfy-sh.enable { - content = webhook; - path = "/etc/podman/${name}/webhooks.json"; - owner = config.profile.user.name; - }; - }; - }; services.caddy.virtualHosts.${domain}.extraConfig = '' @require_auth not remote_ip private_ranges - basicauth @require_auth { - {$YTPTUBE_USERNAME} {$YTPTUBE_PASSWORD} + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} } reverse_proxy ${ip}:8081 @@ -107,10 +82,6 @@ lib.mkMerge [ chown -R ${uid}:${gid} ${volume} /etc/podman/${name} ''; - systemd.services."caddy".serviceConfig = { - EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ]; - }; - systemd.services."podman-${name}".restartTriggers = [ webhook ]; environment.etc."podman/${name}/ytdlp.json" = { diff --git a/system/services/caddy.nix b/system/services/caddy.nix index b99ea45..743c254 100644 --- a/system/services/caddy.nix +++ b/system/services/caddy.nix @@ -20,6 +20,21 @@ in package = unstable.caddy; }; + sops = { + secrets = { + "caddy/basic_auth/username" = { }; + "caddy/basic_auth/password" = { }; + }; + templates."caddy/basic_auth.env".content = '' + AUTH_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"} + AUTH_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"} + ''; + }; + + systemd.services.caddy.serviceConfig = { + EnvironmentFile = [ config.sops.templates."caddy/basic_auth.env".path ]; + }; + services.caddy.globalConfig = # caddy '' servers { 
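Review bot: The removed `sops` block takes more than the basic-auth secrets with it: the `"ntfy/tokens/homeserver"` secret and the `"ytptube/webhooks.json"` template that rendered `webhook` to `/etc/podman/${name}/webhooks.json` are gone, yet the second hunk keeps `restartTriggers = [ webhook ]` and the activation script still `chown`s `/etc/podman/${name}`. Unless that template is re-declared elsewhere (nothing in this patch does), the webhooks file will no longer be generated and the ntfy notification path silently stops working. Keeping the `"ntfy/tokens/homeserver"` secret and the `"ytptube/webhooks.json"` template entry while dropping only the two `basic_auth.*` secrets and their template would limit this change to what the commit title describes. The `let` binding for `webhook` and the enclosing `mkMerge` start outside the hunk.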
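Review bot: The new `caddy/basic_auth.env` template is undocumented, and because Caddy's `basic_auth` directive compares against a bcrypt hash rather than a plaintext password, the contract for the `caddy/basic_auth/password` secret should be stated next to it, e.g. `# password secret must hold a bcrypt hash (caddy hash-password), not the plaintext; basic_auth rejects plaintext`. The two secrets are declared with `{ }`, so they use the default sops file and root-only permissions; that works because systemd reads `EnvironmentFile` before dropping to the caddy user, which is worth a short comment so nobody later adds `owner = "caddy"` to widen access. Since the service-level `EnvironmentFile` is now set unconditionally here, a comment noting that the per-service modules rely on these two variables being present would help the next reader.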
diff --git a/system/services/default.nix b/system/services/default.nix index 9260c45..f308e09 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -19,5 +19,6 @@ ./wireguard.nix ./photoprism.nix ./ntfy-sh.nix + ./technitium.nix ]; } diff --git a/system/services/stubby.nix b/system/services/stubby.nix index f34715c..8f5d7c5 100644 --- a/system/services/stubby.nix +++ b/system/services/stubby.nix @@ -15,7 +15,7 @@ in services.stubby = { enable = true; settings = pkgs.stubby.passthru.settingsExample // { - listen_addresses = [ "192.168.100.5" ]; + listen_addresses = [ "192.168.100.3" ]; upstream_recursive_servers = [ { address_data = "1.1.1.1"; diff --git a/system/services/technitium.nix b/system/services/technitium.nix new file mode 100644 index 0000000..941d4a2 --- /dev/null +++ b/system/services/technitium.nix @@ -0,0 +1,23 @@ +{ config, lib, ... }: +let + cfg = config.profile.services.technitium; + inherit (lib) mkIf; +in +{ + config = mkIf cfg.enable { + services.technitium-dns-server = { + enable = true; + openFirewall = true; + }; + + services.caddy.virtualHosts."dns.tigor.web.id".extraConfig = '' + @require_auth not remote_ip private_ranges + + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} + } + + reverse_proxy localhost:5380 + ''; + }; +} diff --git a/system/services/telemetry/alloy.nix b/system/services/telemetry/alloy.nix index 02b8873..62cbacd 100644 --- a/system/services/telemetry/alloy.nix +++ b/system/services/telemetry/alloy.nix 
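Review bot: `openFirewall = true` in the new technitium.nix opens the module's listening ports on all interfaces; if that set includes the web console port (5380) as well as DNS, the console becomes reachable directly and the `@require_auth not remote_ip private_ranges` gate on the `dns.tigor.web.id` virtual host is bypassed for anyone who can reach the host, since `reverse_proxy localhost:5380` is only one of two ways in. Opening just the DNS ports explicitly, e.g. `networking.firewall.allowedUDPPorts = [ 53 ];` and `networking.firewall.allowedTCPPorts = [ 53 ];`, with a comment that the console is reachable only through Caddy, would keep the intended boundary. The domain is also hard-coded as a string here, whereas the sibling modules bind it in `let` as `domain = "…";`; matching that shape would make the file consistent with the rest of the tree.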
@@ -22,30 +22,11 @@ in extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ]; package = unstable.grafana-alloy; }; - - sops = { - secrets = - let - opts = { }; - in - { - "caddy/basic_auth/username" = opts; - "caddy/basic_auth/password" = opts; - }; - templates = { - "alloy-basic-auth".content = # sh - '' - ALLOY_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"} - ALLOY_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"} - ''; - }; - }; - services.caddy.virtualHosts.${domain}.extraConfig = '' @require_auth not remote_ip private_ranges - basicauth @require_auth { - {$ALLOY_USERNAME} {$ALLOY_PASSWORD} + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} } reverse_proxy ${webguiListenAddress} diff --git a/system/services/telemetry/loki.nix b/system/services/telemetry/loki.nix index 4aa92e7..3b29992 100644 --- a/system/services/telemetry/loki.nix +++ b/system/services/telemetry/loki.nix @@ -7,39 +7,10 @@ let in { config = mkIf cfg.enable { - sops = - let - usernameKey = "loki/caddy/basic_auth/username"; - passwordKey = "loki/caddy/basic_auth/password"; - in - { - secrets = - let - opts = { - sopsFile = ../../../secrets/telemetry.yaml; - owner = "grafana"; - }; - in - { - ${usernameKey} = opts; - ${passwordKey} = opts; - }; - templates = { - "loki/caddy/basic_auth".content = # sh - '' - LOKI_USERNAME=${config.sops.placeholder.${usernameKey}} - LOKI_PASSWORD=${config.sops.placeholder.${passwordKey}} - ''; - }; - }; - - systemd.services."caddy".serviceConfig = { - EnvironmentFile = [ config.sops.templates."loki/caddy/basic_auth".path ]; - }; services.caddy.virtualHosts.${lokiDomain}.extraConfig = # caddy '' - basicauth { - {$LOKI_USERNAME} {$LOKI_PASSWORD} + basic_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} } reverse_proxy ${server.http_listen_address}:${toString server.http_listen_port} ''; diff --git a/system/services/telemetry/mimir.nix b/system/services/telemetry/mimir.nix index 3865a65..059e579 100644 
--- a/system/services/telemetry/mimir.nix +++ b/system/services/telemetry/mimir.nix @@ -7,28 +7,6 @@ let in { config = mkIf cfg.enable { - sops = { - secrets = - let - opts = { }; - in - { - "caddy/basic_auth/username" = opts; - "caddy/basic_auth/password" = opts; - }; - templates = { - "mimir-basic-auth".content = # sh - '' - MIMIR_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"} - MIMIR_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"} - ''; - }; - }; - - systemd.services."caddy".serviceConfig = { - EnvironmentFile = [ config.sops.templates."mimir-basic-auth".path ]; - }; - services.caddy.virtualHosts.${domain}.extraConfig = let mimirServerConfig = config.services.mimir.configuration.server; @@ -37,8 +15,8 @@ in '' @require_auth not remote_ip private_ranges - basicauth @require_auth { - {$ALLOY_USERNAME} {$ALLOY_PASSWORD} + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} } reverse_proxy ${hostAddress} diff --git a/system/services/telemetry/tempo.nix b/system/services/telemetry/tempo.nix index 1ce4402..c6765c0 100644 --- a/system/services/telemetry/tempo.nix +++ b/system/services/telemetry/tempo.nix 
@@ -3,45 +3,15 @@ let cfg = config.profile.services.telemetry.tempo; inherit (lib) mkIf; domain = "tempo.tigor.web.id"; - basic_auth = { - username = "tempo/caddy/basic_auth/username"; - password = "tempo/caddy/basic_auth/password"; - template = "tempo/caddy/basic_auth"; - }; server = config.services.tempo.settings.server; in { config = mkIf cfg.enable { - sops = { - secrets = - let - opts = { - sopsFile = ../../../secrets/telemetry.yaml; - owner = "grafana"; - }; - in - { - ${basic_auth.username} = opts; - ${basic_auth.password} = opts; - }; - templates = { - ${basic_auth.template}.content = # sh - '' - TEMPO_USERNAME=${config.sops.placeholder.${basic_auth.username}} - TEMPO_PASSWORD=${config.sops.placeholder.${basic_auth.password}} - ''; - }; - }; - - systemd.services."caddy".serviceConfig = { - EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ]; - }; - services.caddy.virtualHosts.${domain}.extraConfig = '' @require_auth not remote_ip private_ranges - basicauth @require_auth { - {$TEMPO_USERNAME} {$TEMPO_PASSWORD} + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} } reverse_proxy ${server.http_listen_address}:3200