diff --git a/hosts/ds9/containers.nix b/hosts/ds9/containers.nix index a28b659f..705724d0 100644 --- a/hosts/ds9/containers.nix +++ b/hosts/ds9/containers.nix @@ -207,6 +207,7 @@ in ]; }; + networking.firewall.interfaces."podman0".allowedTCPPorts = [ 9090 ]; virtualisation.oci-containers.containers.grafana = { image = "grafana/grafana-oss:latest"; extraOptions = [ @@ -219,11 +220,11 @@ in [users] allow_sign_up = false auto_assign_org = true - auto_assign_org_role = Editor + auto_assign_org_role = Viewer [auth.proxy] enabled = true - headers = Name:X-Authentik-Username Email:X-Authentik-Email Groups:X-Authentik-Groups + headers = Name:X-Authentik-Username Email:X-Authentik-Email Role:X-Grafana-Role header_name = X-Authentik-Username header_property = username auto_sign_up = true @@ -258,6 +259,8 @@ in "--network=podman" "--mount" "type=bind,source=/data/media,destination=/media,ro=true,relabel=private" + "-p" + "127.0.0.1:8096:8096" ]; volumes = [ "jellyfin-config:/config" diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix index 8ea40318..86a53c9e 100644 --- a/hosts/ds9/default.nix +++ b/hosts/ds9/default.nix 
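Review bot: The new `networking.firewall.interfaces."podman0".allowedTCPPorts = [ 9090 ];` opens the port to every container on the podman bridge, not only to the one that needs it, and nothing on the line says what listens there. Presumably it is for Grafana to reach the Prometheus server this commit enables in hosts/ds9/default.nix (9090 is Prometheus' default port) — confirm. Prometheus' HTTP API carries no authentication, so any container on that bridge, and anything that compromises one, can read every scraped metric; a comment naming the consumer keeps the scope reviewable, e.g. `# Prometheus (default.nix): reachable from the podman bridge so Grafana can query it`. If Grafana is the only intended client, binding Prometheus to the bridge address instead of all interfaces (see the note on the Prometheus hunk) narrows this further.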
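Review bot: `Role:X-Grafana-Role` in the new `headers =` line turns a request header into the user's Grafana role, so its safety rests entirely on Grafana never seeing a client-controlled `X-Grafana-Role`, and the hunk adds no `[auth.proxy] whitelist` to enforce that. The Grafana container is addressable by name on the podman network, so another container could send `X-Authentik-Username` plus `X-Grafana-Role: Admin` straight to it, bypassing Caddy; a `whitelist = <caddy's podman address>` line under `[auth.proxy]` closes that path. The same concern applies to the `copy_headers … X-Grafana-Role` hunk in hosts/ds9/default.nix: verify that forward_auth replaces a client-supplied `X-Grafana-Role` with the value from Authentik, or clears it when Authentik returns none, rather than passing it through. Lowering `auto_assign_org_role` to `Viewer` is the right direction; the hunk's `auto_sign_up = true` still means every Authentik-authenticated user gets an account, which is fine if intended but worth a comment.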
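Review bot: The new `"-p" "127.0.0.1:8096:8096"` publishes the whole Jellyfin API on the host loopback, not just the metrics endpoint that the Prometheus `jellyfin` job in hosts/ds9/default.nix scrapes, and there is no comment saying why the port is now published. Loopback-only is the right scope, but the `handle /metrics* { abort }` rule added in the Caddy config protects only the public hostname and does not apply to this path, so local accounts on ds9 (the `nia` and `minecraft` users in this config) reach Jellyfin, including `/metrics`, without passing Caddy. A comment such as `# loopback only: scrape target for the local Prometheus "jellyfin" job; /metrics is blocked at Caddy for the public host` records the intent. Jellyfin only serves `/metrics` when metrics are enabled in its server configuration, so confirm the scrape target actually answers before relying on it.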
@@ -1,34 +1,40 @@ -{ config, inputs, pkgs, lib, ... }: +{ + config, + inputs, + pkgs, + lib, + ... +}: let pubkeys = import ../../data/pubkeys.nix; caddy-with-plugins = import ./custom-caddy.nix { inherit pkgs; }; in { - imports = - [ - ./hardware-configuration.nix + imports = [ + ./hardware-configuration.nix - ./containers.nix - ./backup.nix - # ./plex.nix - ./samba.nix - ./paperless.nix + ./containers.nix + ./backup.nix + # ./plex.nix + ./samba.nix + ./paperless.nix + ./maubot.nix - ../../nixos-modules/networking/tailscale.nix - ../../nixos-modules/services/docker.nix - ../../nixos-modules/services/libvirt.nix - ../../nixos-modules/services/msmtp.nix - # ../../nixos-modules/services/paperless.nix - # ../../nixos-modules/services/photoprism.nix - ../../nixos-modules/services/samba.nix - ../../nixos-modules/services/ssh.nix - ../../nixos-modules/services/caddy - ../../nixos-modules/system/agenix.nix - ../../nixos-modules/system/fs.nix - ../../nixos-modules/system/persist.nix - ../../nixos-modules/system/security.nix - ../../nixos-modules/user - ]; + ../../nixos-modules/networking/tailscale.nix + ../../nixos-modules/services/docker.nix + ../../nixos-modules/services/libvirt.nix + ../../nixos-modules/services/msmtp.nix + # ../../nixos-modules/services/paperless.nix + # ../../nixos-modules/services/photoprism.nix + ../../nixos-modules/services/samba.nix + ../../nixos-modules/services/ssh.nix + ../../nixos-modules/services/caddy + ../../nixos-modules/system/agenix.nix + ../../nixos-modules/system/fs.nix + ../../nixos-modules/system/persist.nix + ../../nixos-modules/system/security.nix + ../../nixos-modules/user + ]; # Don't Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; 
@@ -51,7 +57,12 @@ in }; networking.bridges."br0".interfaces = [ ]; networking.hostId = "7b4c2932"; - networking.firewall.allowedTCPPorts = [ 9000 25565 80 443 ]; + networking.firewall.allowedTCPPorts = [ + 9000 + 25565 + 80 + 443 + ]; networking.firewall.allowedUDPPorts = [ 443 ]; # http3 :3 boot.initrd.network = { enable = true; @@ -80,7 +91,11 @@ in users.users.nia = { createHome = true; isNormalUser = true; - extraGroups = [ "docker" "podman" "wheel" ]; + extraGroups = [ + "docker" + "podman" + "wheel" + ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDq+jk1Bi8/x0lYDiVi/iVnp9nEleocoQ+xHmlpDt9Qs" ]; @@ -101,7 +116,11 @@ in group = "minecraft"; }; users.groups.minecraft = { }; - environment.systemPackages = [ pkgs.jdk17 pkgs.borgbackup pkgs.beets ]; + environment.systemPackages = [ + pkgs.jdk17 + pkgs.borgbackup + pkgs.beets + ]; services.smartd = { enable = true; @@ -129,18 +148,17 @@ in # dyndns systemd.services."dyndns-refresh" = { - script = '' - set -eu - export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin - ${pkgs.bash}/bin/bash ${config.age.secrets.ds9DynDns.path} - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; + script = '' + set -eu + export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin + ${pkgs.bash}/bin/bash ${config.age.secrets.ds9DynDns.path} + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + startAt = "*:0/10"; }; - startAt = "*:0/10"; -}; - # services.tailscaleAuth.enable = true; # services.tailscaleAuth.group = config.services.caddy.group; 
@@ -181,7 +199,7 @@ in
 resolvers 10.88.0.1 # podman dns
 }
 uri /outpost.goauthentik.io/auth/caddy
- copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Grafana-Role
 }
 reverse_proxy {args[:]} {
 transport http {
@@ -195,6 +213,12 @@ in
 acme_dns desec {
 token "{$TOKEN}"
 }
+ metrics {
+ per_host
+ }
+ servers {
+ trusted_proxies static 100.96.45.2/32 fd7a:115c:a1e0:ab12:4843:cd96:6260:2d02/128
+ }
 '';
 virtualHosts."*.hailsatan.eu ".logFormat = ''
 output file ${config.services.caddy.logDir}/access-*hailsatan.eu_internet.log
@@ -203,8 +227,15 @@ in
 import blockBots
 @jellyfin host j.hailsatan.eu
 handle @jellyfin {
+ handle /metrics* {
+ abort
+ }
 import podmanRedir http://jellyfin:8096
 }
+ @mautrix-signal host mautrix-signal.hailsatan.eu
+ handle @mautrix-signal {
+ import podmanRedir http://mautrix-signal:29328
+ }
 @auth host auth.hailsatan.eu
 handle @auth {
 import podmanRedir http://authentik-server:9000
@@ -248,12 +279,18 @@ in
 }
 @copyparty host c.hailsatan.eu
 handle @copyparty {
+ @proxy {
+ header_regexp Cookie authentik_proxy_([a-zA-Z0-9])
+ }
+ handle @proxy {
+ import podmanRedirWithAuth http://copyparty:3923
+ }
 handle /shr/* {
 import podmanRedir http://copyparty:3923
 }
 @noauth {
 method GET OPTIONS HEAD
- path /noauth/*
+ path_regexp ^\/(noauth(\/.*|)|[a-z.]+\.(css|js)|[1-9].png)$
 }
 handle @noauth {
 import podmanRedir http://copyparty:3923
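Review bot: `trusted_proxies static 100.96.45.2/32 fd7a:…:2d02/128` makes Caddy believe `X-Forwarded-For` from those two addresses, which from now on feeds client-IP logging and any IP-based matcher on ds9, but nothing in the hunk says whose addresses they are; presumably picard's tailnet addresses, since picard starts proxying `*.hailsatan.eu` to ds9 in this commit — confirm. A comment on the line, `# picard (tailnet): the only upstream whose X-Forwarded-For is trusted`, keeps a future address change from silently trusting the wrong host or none. Separately, the context line `virtualHosts."*.hailsatan.eu ".logFormat` has a space before the closing quote, which makes it a different attribute key from `*.hailsatan.eu` and would attach the access-log format to a separate site block; unless that is a rendering artifact it is worth fixing while this file is open. The global `metrics { per_host }` exposes metrics on the admin endpoint, which on ds9 stays at its default localhost address and matches the `localhost:2019` scrape target.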
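Review bot: `handle @mautrix-signal { import podmanRedir http://mautrix-signal:29328 }` publishes the bridge's appservice listener on a public hostname through the plain `podmanRedir` snippet, without the `podmanRedirWithAuth` wrapper used elsewhere in this file, so the only protection left is the appservice token check inside the bridge itself. The only legitimate caller is the Synapse on picard (this commit registers `/var/lib/signalbot.yaml` there), so a `remote_ip` matcher limited to picard's address in front of the proxy, or serving the hostname only on the tailnet, removes the bridge's HTTP surface from the internet. The `handle /metrics* { abort }` block for Jellyfin is a good addition; it matches every path starting with `/metrics`, which is fine here but deserves a short comment if an exact match is ever intended. The enclosing `virtualHosts` string starts and ends outside this hunk.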
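Review bot: The new `path_regexp ^\/(noauth(\/.*|)|[a-z.]+\.(css|js)|[1-9].png)$` leaves the dot in `[1-9].png` unescaped, so it also matches paths like `/1xpng`, and `[a-z.]+` accepts names such as `..js`; `[1-9]\.png` and `[a-z][a-z.]*\.(css|js)` state the intent exactly. The widening from `/noauth/*` to unauthenticated static assets is by design, so a one-line comment naming why (presumably copyparty's login-page assets — confirm) saves the next reader from re-deriving it. The `@proxy` matcher `header_regexp Cookie authentik_proxy_([a-zA-Z0-9])` is unanchored and requires only one character after the prefix, so it is a routing hint rather than a check; that is acceptable only because `podmanRedirWithAuth` presumably still performs the forward_auth, which the hunk does not show. Note that `handle @proxy` appears before `handle /shr/*`, so a visitor carrying an Authentik cookie is sent through the authenticated path even for share links — worth a comment if intended.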
@@ -268,22 +305,73 @@ in ''; }; - home-manager.users.ragon = { pkgs, lib, inputs, config, ... }: { - imports = [ - # ../../hm-modules/nvim - ../../hm-modules/helix - # ../../hm-modules/zsh - ../../hm-modules/tmux - # ../../hm-modules/xonsh - ../../hm-modules/cli.nix - ../../hm-modules/files.nix - ]; - # ragon.xonsh.enable = true; + services.prometheus = { + enable = true; + exporters.node = { + enable = true; + enabledCollectors = [ "systemd" ]; + }; + scrapeConfigs = [ - programs.home-manager.enable = true; - home.stateVersion = "23.11"; + { + job_name = "jellyfin"; + static_configs = [ + { + targets = [ + "127.0.0.1:8096" + ]; + } + ]; + } + { + job_name = "caddy"; + static_configs = [ + { + targets = [ + "localhost:2019" + "picard.kangaroo-galaxy.ts.net:2019" + ]; + } + ]; + } + { + job_name = "node"; + static_configs = [ + { + targets = [ + "localhost:${toString config.services.prometheus.exporters.node.port}" + "picard.kangaroo-galaxy.ts.net:${toString config.services.prometheus.exporters.node.port}" + ]; + } + ]; + } + ]; }; + home-manager.users.ragon = + { + pkgs, + lib, + inputs, + config, + ... + }: + { + imports = [ + # ../../hm-modules/nvim + ../../hm-modules/helix + # ../../hm-modules/zsh + ../../hm-modules/tmux + # ../../hm-modules/xonsh + ../../hm-modules/cli.nix + ../../hm-modules/files.nix + ]; + # ragon.xonsh.enable = true; + + programs.home-manager.enable = true; + home.stateVersion = "23.11"; + }; + # begin kube # services.k3s = { # enable = true; @@ -297,7 +385,16 @@ in agenix.secrets."ds9DynDns" = { }; user.enable = true; persist.enable = true; - persist.extraDirectories = [ "/home/nia" "/var/lib/syncthing" "/var/lib/minecraft" "/var/lib/bzzt" "/var/lib/rancher" "/etc/rancher" "/root/.cache" ]; + persist.extraDirectories = [ + "/home/nia" + "/var/lib/syncthing" + "/var/lib/minecraft" + "/var/lib/bzzt" + "/var/lib/rancher" + "/etc/rancher" + "/root/.cache" + "/var/lib/${config.services.prometheus.stateDir}" + ]; services = { caddy.enable = true; 
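Review bot: `services.prometheus = { enable = true; …` sets no `listenAddress`, and the NixOS default binds Prometheus on all interfaces, so together with the new `podman0` firewall opening in containers.nix the unauthenticated Prometheus API is reachable from every container on the podman bridge and from any other interface the firewall trusts; `services.prometheus.listenAddress = "10.88.0.1";` (the address this file already uses as the podman DNS resolver) would limit it to the bridge if Grafana is the only intended client. The same default applies to `exporters.node`, and the `node` job scrapes `picard.kangaroo-galaxy.ts.net:…`, so both node exporters must be reachable across the tailnet, which implies the tailscale interface is trusted — confirm, because the `systemd` collector exposes unit names and states to every tailnet peer. The `caddy` job targets `picard.kangaroo-galaxy.ts.net:2019`, picard's Caddy admin API, which is the part that most needs attention (see the note on hosts/picard/default.nix). A short comment above `scrapeConfigs` recording which targets cross the tailnet and why would document the trust model.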
diff --git a/hosts/ds9/maubot.nix b/hosts/ds9/maubot.nix
new file mode 100644
index 00000000..e9a44832
--- /dev/null
+++ b/hosts/ds9/maubot.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ virtualisation.quadlet = {
+ containers = {
+ mautrix-signal = {
+ containerConfig.image = "dock.mau.dev/mautrix/signal:latest";
+ containerConfig.volumes = [
+ "mautrix-signal:/data"
+ ];
+ # containerConfig.publishPorts = [
+ # "100.83.96.25:29328:29328"
+ # ];
+ containerConfig.networks = [
+ "podman"
+ "db-net"
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 193916cb..b674cb91 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -68,6 +68,7 @@
 systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path;
 networking.firewall.allowedTCPPorts = [ 80 443 config.services.forgejo.settings.server.SSH_PORT 25 143 465 587 993 ];
 networking.firewall.allowedUDPPorts = [ 443 ];
+ services.prometheus.exporters.node = { enable = true; enabledCollectors = [ "systemd" ]; };
 services.caddy = {
 logFormat = "level INFO";
 enable = true;
@@ -76,9 +77,17 @@
 acme_dns desec {
 token "{$TOKEN}"
 }
+ admin :2019
+ metrics {
+ per_host
+ }
 '';
 virtualHosts."*.hailsatan.eu".extraConfig = ''
- reverse_proxy https://j.hailsatan.eu
+ reverse_proxy https://ds9.kangaroo-galaxy.ts.net {
+ transport http {
+ tls_server_name {host}
+ }
+ }
 '';
 virtualHosts."l621.net".extraConfig = ''
 reverse_proxy http://127.0.0.1:8186
diff --git a/hosts/picard/xynospace-matrix.nix b/hosts/picard/xynospace-matrix.nix
index 099628bd..97c94245 100644
--- a/hosts/picard/xynospace-matrix.nix
+++ b/hosts/picard/xynospace-matrix.nix
@@ -77,6 +77,9 @@ in
 settings.database.args.database = "matrix-synapse-xynospace";
 settings.database.args.host = hostAddress;
 settings.database.args.password = "synapse";
+ settings.app_service_config_files = [
+ "/var/lib/signalbot.yaml"
+ ];
 settings.listeners = [
 {
 port = 8008;
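Review bot: `containerConfig.image = "dock.mau.dev/mautrix/signal:latest";` pins nothing: whatever the registry serves under `latest` at pull time runs with access to the `podman` and `db-net` networks and the bridge's data volume, so an upstream or registry compromise lands here unreviewed; pin a version tag plus digest, e.g. `dock.mau.dev/mautrix/signal:<version>@sha256:<digest>` (placeholders), and bump deliberately. The commented-out `publishPorts` block keeps what looks like a tailnet address in the file without saying whether the Caddy route added in hosts/ds9/default.nix replaced it; either delete it or leave a one-line comment such as `# not published: reached only through the Caddy route in default.nix`. The file is named maubot.nix but defines only the mautrix-signal container, which will mislead anyone searching for where the bridge lives. `config`, `pkgs` and `lib` are bound but unused in this module.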
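Review bot: `admin :2019` moves Caddy's admin API from its default localhost-only address to every interface on picard, and the admin API has no authentication of its own: anything that reaches port 2019 can read the running config (which very likely contains the desec token, since `{$TOKEN}` is substituted when the Caddyfile is adapted) and load a new one. The public firewall list on the context line above does not include 2019, but ds9's Prometheus scrapes `picard.kangaroo-galaxy.ts.net:2019`, which only works if the tailnet interface is trusted, and that then hands every tailnet node config-write access to picard's edge proxy. Keep the admin endpoint on localhost and expose only the metrics handler on the tailnet address instead, as sketched below with a placeholder address; the scrape target can stay the same. The `tls_server_name {host}` transport option is fine — it keeps upstream certificate verification on while the upstream is addressed by its tailnet name.
```nix
# … unchanged: acme_dns desec block, metrics { per_host } …
''; # no `admin` line: the admin API stays on its default localhost address
# metrics only, bound to the tailnet address ds9's Prometheus scrapes
virtualHosts."http://picard.kangaroo-galaxy.ts.net:2019".extraConfig = ''
  bind <PICARD-TAILNET-IP>
  metrics
'';
# … unchanged: *.hailsatan.eu and l621.net virtual hosts …
```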
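Review bot: `"/var/lib/signalbot.yaml"` in the new `settings.app_service_config_files` list is an appservice registration, which carries the `as_token`/`hs_token` shared secrets, yet it is referenced as a bare path outside the repo's agenix-managed secrets with no statement of owner or mode; Synapse needs read access, so anything wider than owner-only read for the synapse user lets other local accounts impersonate the bridge to the homeserver. Managing it like the other secrets in this config (an `agenix.secrets` entry owned by the synapse user) and pointing this list at the secret's path would also make provisioning reproducible; at minimum add `# appservice registration for mautrix-signal on ds9; holds as_token/hs_token, keep owner-only` above the list. The registration's `url` should reach the bridge over a path restricted to this host — see the mautrix-signal route note on hosts/ds9/default.nix. The enclosing settings block starts and ends outside the hunk.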
diff --git a/nixos-modules/services/caddy/custom-caddy.nix b/nixos-modules/services/caddy/custom-caddy.nix index fb7cc5e8..4c92e8b1 100644 --- a/nixos-modules/services/caddy/custom-caddy.nix +++ b/nixos-modules/services/caddy/custom-caddy.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: with pkgs; @@ -13,12 +13,12 @@ caddy.override { nativeBuildInputs = [ cacert + git go ]; plugins = [ - "github.com/caddy-dns/ionos@751e8e24162290ee74bea465ae733a2bf49551a6" - "github.com/caddy-dns/desec@822a6a2014b221e8fa589fbcfd0395abe9ee90f6" + "github.com/caddy-dns/desec@v1.0.1" ]; configurePhase = '' @@ -28,7 +28,7 @@ caddy.override { ''; buildPhase = '' - ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins} + ${xcaddy}/bin/xcaddy build "${lib.last (lib.splitString "/" caddy.src.rev)}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins} cd buildenv* go mod vendor ''; @@ -37,7 +37,7 @@ caddy.override { cp -r --reflink=auto . $out ''; - outputHash = "sha256-Z2KQu4qayqaRudKfcxK4tLQ383//JZJ8q5vtX9/IX0I="; + outputHash = "sha256-ZNimtuxtSz1mRZ9V0h/0jAyvwGb+OvfZSzHRaySTEWU="; outputHashMode = "recursive"; }; diff --git a/nixos-modules/services/caddy/default.nix b/nixos-modules/services/caddy/default.nix index 274b6456..c00b8765 100644 --- a/nixos-modules/services/caddy/default.nix +++ b/nixos-modules/services/caddy/default.nix @@ -7,7 +7,7 @@ in config = lib.mkIf cfg.enable { services.caddy = { enable = true; - package = import ./custom-caddy.nix { inherit pkgs; }; + package = import ./custom-caddy.nix { inherit lib; pkgs = pkgs.unstable; }; }; ragon.persist.extraDirectories = [ config.services.caddy.dataDir ]; };
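Review bot: Replacing the desec plugin's commit hash with `@v1.0.1` swaps an immutable reference for a mutable tag, which upstream can move and a module proxy can serve differently. The damage is bounded because this derivation is fixed-output (`outputHash` below), so a changed tag fails the build rather than shipping silently — but that only holds while the hash is refreshed by rebuilding and reviewing the vendor diff, not by pasting whatever hash Nix prints; a comment on the `plugins` line, `# tag, not commit: the FOD outputHash is the integrity pin — review the vendored diff when bumping`, keeps that discipline visible. Dropping the ionos plugin is fine as long as no site still uses `acme_dns ionos`; nothing in this commit references it. Adding `git` to `nativeBuildInputs` is needed for xcaddy to resolve the tag and is harmless.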
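Review bot: `package = import ./custom-caddy.nix { inherit lib; pkgs = pkgs.unstable; };` builds the edge proxy from a different nixpkgs channel than the rest of the host, and because custom-caddy.nix is a fixed-output derivation whose `outputHash` covers the vendored modules, every bump of the unstable input that changes `caddy.src.rev` will fail with a hash mismatch until the hash is refreshed — expected, but worth a comment here such as `# unstable for the newer Caddy (metrics per_host); refresh outputHash in custom-caddy.nix when it bumps`. `pkgs.unstable` is presumably provided by an overlay in this repo; nothing in the commit shows it, so confirm the attribute exists on every host that imports this module. The `lib.last (lib.splitString "/" caddy.src.rev)` change in the buildPhase hunk only makes sense if unstable's `caddy.src.rev` is a ref such as `refs/tags/vX.Y.Z`; a one-line comment there stating that assumption would explain the transformation to the next reader.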