services: update caddy configs
parent
8cbde4811f
commit
8bc7dea1ef
|
@ -77,5 +77,6 @@ in
|
||||||
default = config.profile.services.telemetry.enable;
|
default = config.profile.services.telemetry.enable;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
technitium.enable = mkEnableOption "technitium";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -71,6 +71,7 @@
|
||||||
ntfy-sh.enable = true;
|
ntfy-sh.enable = true;
|
||||||
ntfy-sh.client.enable = false;
|
ntfy-sh.client.enable = false;
|
||||||
couchdb.enable = true;
|
couchdb.enable = true;
|
||||||
|
technitium.enable = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,7 @@ let
|
||||||
inherit (lib) mkIf attrsets;
|
inherit (lib) mkIf attrsets;
|
||||||
ip = "10.88.1.1";
|
ip = "10.88.1.1";
|
||||||
image = "docker.io/pihole/pihole:latest";
|
image = "docker.io/pihole/pihole:latest";
|
||||||
piholeDNSIPBind = "192.168.100.3";
|
piholeDNSIPBind = "192.168.100.5";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf (podman.enable && pihole.enable) {
|
config = mkIf (podman.enable && pihole.enable) {
|
||||||
|
@ -70,6 +70,7 @@ in
|
||||||
ports = [
|
ports = [
|
||||||
"${piholeDNSIPBind}:53:53/udp"
|
"${piholeDNSIPBind}:53:53/udp"
|
||||||
"67:67/udp"
|
"67:67/udp"
|
||||||
|
"2000:80/tcp"
|
||||||
];
|
];
|
||||||
volumes = [
|
volumes = [
|
||||||
"pihole-etc:/etc/pihole"
|
"pihole-etc:/etc/pihole"
|
||||||
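Review bot: The new `"2000:80/tcp"` entry publishes the Pi-hole web UI on every host interface, while the DNS mapping two lines above deliberately pins `${piholeDNSIPBind}`; consider `"${piholeDNSIPBind}:2000:80/tcp"` (or whichever LAN address is intended) so the admin UI is not reachable from every network the host is attached to. Ports published by podman are normally inserted ahead of the host's own input rules, so `networking.firewall` is unlikely to restrict it — verify on the host rather than assuming. The container definition this `ports` list belongs to starts outside the hunk.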
|
|
|
@ -16,44 +16,19 @@ let
|
||||||
user = config.profile.user;
|
user = config.profile.user;
|
||||||
uid = toString user.uid;
|
uid = toString user.uid;
|
||||||
gid = toString user.gid;
|
gid = toString user.gid;
|
||||||
basic_auth = {
|
|
||||||
username = "soulseek/caddy/username";
|
|
||||||
password = "soulseek/caddy/password";
|
|
||||||
template = "soulseek/caddy/basic_auth";
|
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf (podman.enable && podman.${name}.enable) {
|
config = mkIf (podman.enable && podman.${name}.enable) {
|
||||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||||
@require_auth not remote_ip private_ranges
|
@require_auth not remote_ip private_ranges
|
||||||
|
|
||||||
basicauth @require_auth {
|
basic_auth @require_auth {
|
||||||
{$SOULSEEK_USERNAME} {$SOULSEEK_PASSWORD}
|
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||||
}
|
}
|
||||||
|
|
||||||
reverse_proxy ${ip}:6080
|
reverse_proxy ${ip}:6080
|
||||||
'';
|
'';
|
||||||
|
|
||||||
sops = {
|
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
opts = {
|
|
||||||
sopsFile = ../../secrets/soulseek.yaml;
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
${basic_auth.username} = opts;
|
|
||||||
${basic_auth.password} = opts;
|
|
||||||
};
|
|
||||||
templates = {
|
|
||||||
${basic_auth.template}.content = # sh
|
|
||||||
''
|
|
||||||
SOULSEEK_USERNAME=${config.sops.placeholder.${basic_auth.username}}
|
|
||||||
SOULSEEK_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
system.activationScripts."podman-${name}" = ''
|
system.activationScripts."podman-${name}" = ''
|
||||||
mkdir -p ${rootVolume}/{config,downloads,incomplete}
|
mkdir -p ${rootVolume}/{config,downloads,incomplete}
|
||||||
chown ${uid}:${gid} ${rootVolume} ${rootVolume}/{config,downloads,incomplete}
|
chown ${uid}:${gid} ${rootVolume} ${rootVolume}/{config,downloads,incomplete}
|
||||||
|
@ -67,9 +42,6 @@ in
|
||||||
serviceName = "podman-${name}-autorestart";
|
serviceName = "podman-${name}-autorestart";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services."caddy".serviceConfig = {
|
|
||||||
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
|
|
||||||
};
|
|
||||||
services.${serviceName} = {
|
services.${serviceName} = {
|
||||||
description = "Podman container ${name} autorestart";
|
description = "Podman container ${name} autorestart";
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
|
|
@ -68,36 +68,11 @@ let
|
||||||
in
|
in
|
||||||
lib.mkMerge [
|
lib.mkMerge [
|
||||||
(mkIf podman.${name}.enable {
|
(mkIf podman.${name}.enable {
|
||||||
sops = {
|
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
opts = { };
|
|
||||||
in
|
|
||||||
{
|
|
||||||
${basic_auth.username} = opts;
|
|
||||||
${basic_auth.password} = opts;
|
|
||||||
"ntfy/tokens/homeserver" = {
|
|
||||||
sopsFile = ../../secrets/ntfy.yaml;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
templates = {
|
|
||||||
${basic_auth.template}.content = # sh
|
|
||||||
''
|
|
||||||
YTPTUBE_USERNAME=${config.sops.placeholder.${basic_auth.username}}
|
|
||||||
YTPTUBE_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
|
|
||||||
'';
|
|
||||||
"ytptube/webhooks.json" = mkIf config.services.ntfy-sh.enable {
|
|
||||||
content = webhook;
|
|
||||||
path = "/etc/podman/${name}/webhooks.json";
|
|
||||||
owner = config.profile.user.name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||||
@require_auth not remote_ip private_ranges
|
@require_auth not remote_ip private_ranges
|
||||||
|
|
||||||
basicauth @require_auth {
|
basic_auth @require_auth {
|
||||||
{$YTPTUBE_USERNAME} {$YTPTUBE_PASSWORD}
|
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||||
}
|
}
|
||||||
|
|
||||||
reverse_proxy ${ip}:8081
|
reverse_proxy ${ip}:8081
|
||||||
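Review bot: The removal drops the `"ntfy/tokens/homeserver"` secret and the `"ytptube/webhooks.json"` template together with the basic-auth material, yet the next hunk still keeps `systemd.services."podman-${name}".restartTriggers = [ webhook ];` and the `chown -R … /etc/podman/${name}` that prepared the template's directory. Unless the webhook template moved elsewhere in this commit, nothing now renders `/etc/podman/${name}/webhooks.json`, and if `webhook` interpolates `config.sops.placeholder."ntfy/tokens/homeserver"` evaluation will fail on the missing attribute. Either restore the `"ytptube/webhooks.json"` template (keeping only the ntfy secret) or drop the stale `restartTriggers`. The `let` binding of `webhook` is outside the hunk.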
|
@ -107,10 +82,6 @@ lib.mkMerge [
|
||||||
chown -R ${uid}:${gid} ${volume} /etc/podman/${name}
|
chown -R ${uid}:${gid} ${volume} /etc/podman/${name}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
systemd.services."caddy".serviceConfig = {
|
|
||||||
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."podman-${name}".restartTriggers = [ webhook ];
|
systemd.services."podman-${name}".restartTriggers = [ webhook ];
|
||||||
|
|
||||||
environment.etc."podman/${name}/ytdlp.json" = {
|
environment.etc."podman/${name}/ytdlp.json" = {
|
||||||
|
|
|
@ -20,6 +20,21 @@ in
|
||||||
package = unstable.caddy;
|
package = unstable.caddy;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
secrets = {
|
||||||
|
"caddy/basic_auth/username" = { };
|
||||||
|
"caddy/basic_auth/password" = { };
|
||||||
|
};
|
||||||
|
templates."caddy/basic_auth.env".content = ''
|
||||||
|
AUTH_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
|
||||||
|
AUTH_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.caddy.serviceConfig = {
|
||||||
|
EnvironmentFile = [ config.sops.templates."caddy/basic_auth.env".path ];
|
||||||
|
};
|
||||||
|
|
||||||
services.caddy.globalConfig = # caddy
|
services.caddy.globalConfig = # caddy
|
||||||
''
|
''
|
||||||
servers {
|
servers {
|
||||||
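Review bot: The two secrets added at `sops.secrets."caddy/basic_auth/username"` / `"caddy/basic_auth/password"` become the single credential pair behind every `basic_auth` block in this commit (soulseek, ytptube, technitium, alloy, loki, mimir and tempo), where soulseek, loki and tempo previously had their own keys in `secrets/soulseek.yaml` and `secrets/telemetry.yaml`; one leaked password now unlocks every proxied admin UI, so the trade-off deserves a comment at the top of the `sops` block. Caddy's `basic_auth` directive takes a hashed password (`caddy hash-password`), so that comment should also state the format, e.g. `# Shared credential for every basic_auth'd vhost; the password secret is the bcrypt hash, not plaintext.` The new entries use `{ }`, i.e. the default sops file, whereas the removed definitions pointed at per-service files, so check that both keys exist in the default file before deploying.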
|
|
|
@ -19,5 +19,6 @@
|
||||||
./wireguard.nix
|
./wireguard.nix
|
||||||
./photoprism.nix
|
./photoprism.nix
|
||||||
./ntfy-sh.nix
|
./ntfy-sh.nix
|
||||||
|
./technitium.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,7 +15,7 @@ in
|
||||||
services.stubby = {
|
services.stubby = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = pkgs.stubby.passthru.settingsExample // {
|
settings = pkgs.stubby.passthru.settingsExample // {
|
||||||
listen_addresses = [ "192.168.100.5" ];
|
listen_addresses = [ "192.168.100.3" ];
|
||||||
upstream_recursive_servers = [
|
upstream_recursive_servers = [
|
||||||
{
|
{
|
||||||
address_data = "1.1.1.1";
|
address_data = "1.1.1.1";
|
||||||
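Review bot: `listen_addresses` moves from `192.168.100.5` to `192.168.100.3` in lock-step with `piholeDNSIPBind` moving the other way in the pihole hunk, but nothing records that the two addresses must stay distinct, and the commit title ("update caddy configs") does not mention the DNS listener swap. A comment such as `# must differ from piholeDNSIPBind in pihole.nix (both are DNS listeners)` on this line would keep the next edit from recreating a collision. The `services.stubby.settings` set continues outside the hunk.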
|
|
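--- /dev/null
+++ b/system/services/technitium.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+let
+cfg = config.profile.services.technitium;
+inherit (lib) mkIf;
+in
+{
+config = mkIf cfg.enable {
+services.technitium-dns-server = {
+enable = true;
+openFirewall = true;
+};
+
+services.caddy.virtualHosts."dns.tigor.web.id".extraConfig = ''
+@require_auth not remote_ip private_ranges
+
+basic_auth @require_auth {
+{$AUTH_USERNAME} {$AUTH_PASSWORD}
+}
+
+reverse_proxy localhost:5380
+'';
+};
+}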
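Review bot: `openFirewall = true` on `services.technitium-dns-server` may open the web console port as well as DNS, which would let a remote client reach the console directly and skip the `@require_auth` basic_auth gate the Caddy vhost places in front of `localhost:5380`; check which ports the module opens and, if the console is among them, open only the DNS ports explicitly via `networking.firewall` instead. The matcher applies basic_auth only to non-private source addresses, so LAN clients rely solely on Technitium's own login. Once confirmed, a comment on the vhost such as `# keep 5380 closed in the firewall; public access only through this vhost` would make the intended boundary explicit.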
@ -22,30 +22,11 @@ in
|
||||||
extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ];
|
extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ];
|
||||||
package = unstable.grafana-alloy;
|
package = unstable.grafana-alloy;
|
||||||
};
|
};
|
||||||
|
|
||||||
sops = {
|
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
opts = { };
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"caddy/basic_auth/username" = opts;
|
|
||||||
"caddy/basic_auth/password" = opts;
|
|
||||||
};
|
|
||||||
templates = {
|
|
||||||
"alloy-basic-auth".content = # sh
|
|
||||||
''
|
|
||||||
ALLOY_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
|
|
||||||
ALLOY_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||||
@require_auth not remote_ip private_ranges
|
@require_auth not remote_ip private_ranges
|
||||||
|
|
||||||
basicauth @require_auth {
|
basic_auth @require_auth {
|
||||||
{$ALLOY_USERNAME} {$ALLOY_PASSWORD}
|
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||||
}
|
}
|
||||||
|
|
||||||
reverse_proxy ${webguiListenAddress}
|
reverse_proxy ${webguiListenAddress}
|
||||||
|
|
|
@ -7,39 +7,10 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sops =
|
|
||||||
let
|
|
||||||
usernameKey = "loki/caddy/basic_auth/username";
|
|
||||||
passwordKey = "loki/caddy/basic_auth/password";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
opts = {
|
|
||||||
sopsFile = ../../../secrets/telemetry.yaml;
|
|
||||||
owner = "grafana";
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
${usernameKey} = opts;
|
|
||||||
${passwordKey} = opts;
|
|
||||||
};
|
|
||||||
templates = {
|
|
||||||
"loki/caddy/basic_auth".content = # sh
|
|
||||||
''
|
|
||||||
LOKI_USERNAME=${config.sops.placeholder.${usernameKey}}
|
|
||||||
LOKI_PASSWORD=${config.sops.placeholder.${passwordKey}}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."caddy".serviceConfig = {
|
|
||||||
EnvironmentFile = [ config.sops.templates."loki/caddy/basic_auth".path ];
|
|
||||||
};
|
|
||||||
services.caddy.virtualHosts.${lokiDomain}.extraConfig = # caddy
|
services.caddy.virtualHosts.${lokiDomain}.extraConfig = # caddy
|
||||||
''
|
''
|
||||||
basicauth {
|
basic_auth {
|
||||||
{$LOKI_USERNAME} {$LOKI_PASSWORD}
|
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||||
}
|
}
|
||||||
reverse_proxy ${server.http_listen_address}:${toString server.http_listen_port}
|
reverse_proxy ${server.http_listen_address}:${toString server.http_listen_port}
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -7,28 +7,6 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sops = {
|
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
opts = { };
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"caddy/basic_auth/username" = opts;
|
|
||||||
"caddy/basic_auth/password" = opts;
|
|
||||||
};
|
|
||||||
templates = {
|
|
||||||
"mimir-basic-auth".content = # sh
|
|
||||||
''
|
|
||||||
MIMIR_USERNAME=${config.sops.placeholder."caddy/basic_auth/username"}
|
|
||||||
MIMIR_PASSWORD=${config.sops.placeholder."caddy/basic_auth/password"}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."caddy".serviceConfig = {
|
|
||||||
EnvironmentFile = [ config.sops.templates."mimir-basic-auth".path ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.caddy.virtualHosts.${domain}.extraConfig =
|
services.caddy.virtualHosts.${domain}.extraConfig =
|
||||||
let
|
let
|
||||||
mimirServerConfig = config.services.mimir.configuration.server;
|
mimirServerConfig = config.services.mimir.configuration.server;
|
||||||
|
@ -37,8 +15,8 @@ in
|
||||||
''
|
''
|
||||||
@require_auth not remote_ip private_ranges
|
@require_auth not remote_ip private_ranges
|
||||||
|
|
||||||
basicauth @require_auth {
|
basic_auth @require_auth {
|
||||||
{$ALLOY_USERNAME} {$ALLOY_PASSWORD}
|
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||||
}
|
}
|
||||||
|
|
||||||
reverse_proxy ${hostAddress}
|
reverse_proxy ${hostAddress}
|
||||||
|
|
|
@ -3,45 +3,15 @@ let
|
||||||
cfg = config.profile.services.telemetry.tempo;
|
cfg = config.profile.services.telemetry.tempo;
|
||||||
inherit (lib) mkIf;
|
inherit (lib) mkIf;
|
||||||
domain = "tempo.tigor.web.id";
|
domain = "tempo.tigor.web.id";
|
||||||
basic_auth = {
|
|
||||||
username = "tempo/caddy/basic_auth/username";
|
|
||||||
password = "tempo/caddy/basic_auth/password";
|
|
||||||
template = "tempo/caddy/basic_auth";
|
|
||||||
};
|
|
||||||
server = config.services.tempo.settings.server;
|
server = config.services.tempo.settings.server;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sops = {
|
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
opts = {
|
|
||||||
sopsFile = ../../../secrets/telemetry.yaml;
|
|
||||||
owner = "grafana";
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
${basic_auth.username} = opts;
|
|
||||||
${basic_auth.password} = opts;
|
|
||||||
};
|
|
||||||
templates = {
|
|
||||||
${basic_auth.template}.content = # sh
|
|
||||||
''
|
|
||||||
TEMPO_USERNAME=${config.sops.placeholder.${basic_auth.username}}
|
|
||||||
TEMPO_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."caddy".serviceConfig = {
|
|
||||||
EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
||||||
@require_auth not remote_ip private_ranges
|
@require_auth not remote_ip private_ranges
|
||||||
|
|
||||||
basicauth @require_auth {
|
basic_auth @require_auth {
|
||||||
{$TEMPO_USERNAME} {$TEMPO_PASSWORD}
|
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
||||||
}
|
}
|
||||||
|
|
||||||
reverse_proxy ${server.http_listen_address}:3200
|
reverse_proxy ${server.http_listen_address}:3200
|
||||||
|
|