meow

2025-01-31 18:40:25 +01:00 · 2025-01-31 18:40:25 +01:00 · c6fad213b4
commit c6fad213b4
parent 61b4ceedfa
3 changed files with 105 additions and 77 deletions
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@ -125,19 +125,31 @@ in
    ];
  };
  # navidrome
-  virtualisation.oci-containers.containers.navidrome = {
+  virtualisation.oci-containers.containers.lms = {
-    user = "1000:100";
+    # don't tell mom
-    image = "deluan/navidrome:latest";
+    # user = "1000:100";
    image = "epoupon/lms:latest";
    cmd = ["/lms.conf"];
    extraOptions = [ "--network=podman" ];
-    volumes = [
+    volumes =
-      "navidrome-data:/data"
+      let
-      "/data/media/music:/music:ro"
+        lmsConfig = pkgs.writeText "lms-config" ''
-    ];
+          original-ip-header = "X-Forwarded-For";
-    environment = {
+          behind-reverse-proxy = true;
-      ND_SCANSCHEDULE = "1h";
+          trusted-proxies =
-      ND_SESSIONTIMEOUT = "900h";
+          (
-      ND_BASEURL = "https://nd.hailsatan.eu";
+          	"10.88.0.1"
-    };
+          );
          authentication-backend = "http-headers";
          http-headers-login-field = "X-Webauth-User";
        '';
      in
      [
        "lightweight-music-server-data:/var/lms:rw"
        "${lmsConfig}:/lms.conf"
        "/data/media/beets/music:/music:ro"
      ];
    environment = { };
  };
  # changedetection
@ -176,7 +188,7 @@ in
  virtualisation.oci-containers.containers.jellyfin = {
    image = "jellyfin/jellyfin:latest";
    user = "1000:100";
-    extraOptions = [ "--network=podman" "--mount" "type=bind,source=/data/media,destination=/media,ro=true,relabel=private"];
+    extraOptions = [ "--network=podman" "--mount" "type=bind,source=/data/media,destination=/media,ro=true,relabel=private" ];
    volumes = [
      "jellyfin-config:/config"
      "jellyfin-cache:/cache"
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -120,6 +120,8 @@ in
    ZED_SCRUB_AFTER_RESILVER = true;
  };
  services.tailscaleAuth.enable = true;
  services.tailscaleAuth.group = config.services.caddy.group;
  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path;
  services.caddy = {
    # ragon.services.caddy is enabled
@ -146,69 +148,83 @@ in
      }
    '';
    virtualHosts."*.hailsatan.eu".extraConfig = ''
-      @immich host immich.hailsatan.eu
+            @immich host immich.hailsatan.eu
-      handle @immich {
+            handle @immich {
-        reverse_proxy http://immich-server:3001 {
+              reverse_proxy http://immich-server:3001 {
-          transport http {
+                transport http {
-            resolvers 10.88.0.1 # podman dns
+                  resolvers 10.88.0.1 # podman dns
-          }
+                }
-        }
+              }
-      }
+            }
-      @nd host nd.hailsatan.eu
+            @lms host lms.hailsatan.eu
-      handle @nd {
+            handle @lms {
-        reverse_proxy http://navidrome:4533 {
+              forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
-          transport http {
+      	        uri /auth
-            resolvers 10.88.0.1 # podman dns
+      	        header_up Remote-Addr {remote_host}
-          }
+      	        header_up Remote-Port {remote_port}
-        }
+      	        header_up Original-URI {uri}
-      }
+      	        copy_headers {
-      @cd host cd.hailsatan.eu
+      	        	Tailscale-User>X-Webauth-User
-      handle @cd {
+      	        	Tailscale-Name>X-Webauth-Name
-        reverse_proxy http://changedetection:5000 {
+      	        	Tailscale-Login>X-Webauth-Login
-          transport http {
+      	        	Tailscale-Tailnet>X-Webauth-Tailnet
-            resolvers 10.88.0.1 # podman dns
+      	        	Tailscale-Profile-Picture>X-Webauth-Profile-Picture
-          }
+      	        }
-        }
+              } 
-      }
+
-      @grafana host grafana.hailsatan.eu
+              reverse_proxy http://lms:5082 {
-      handle @grafana {
+                transport http {
-        reverse_proxy http://grafana:3000 {
+                  resolvers 10.88.0.1 # podman dns
-          transport http {
+                }
-            resolvers 10.88.0.1 # podman dns
+              }
-          }
+            }
-        }
+            @cd host cd.hailsatan.eu
-      }
+            handle @cd {
-      @node-red host node-red.hailsatan.eu
+              reverse_proxy http://changedetection:5000 {
-      handle @node-red {
+                transport http {
-        reverse_proxy http://node-red:1880 {
+                  resolvers 10.88.0.1 # podman dns
-          transport http {
+                }
-            resolvers 10.88.0.1 # podman dns
+              }
-          }
+            }
-        }
+            @grafana host grafana.hailsatan.eu
-      }
+            handle @grafana {
-      @bzzt-api host bzzt-api.hailsatan.eu
+              reverse_proxy http://grafana:3000 {
-      handle @bzzt-api {
+                transport http {
-        reverse_proxy http://127.0.0.1:5001
+                  resolvers 10.88.0.1 # podman dns
-      }
+                }
-      @bzzt-lcg host bzzt-lcg.hailsatan.eu
+              }
-      handle @bzzt-lcg {
+            }
-        reverse_proxy http://127.0.0.1:5003
+            @node-red host node-red.hailsatan.eu
-      }
+            handle @node-red {
-      @bzzt host bzzt.hailsatan.eu
+              reverse_proxy http://node-red:1880 {
-      handle @bzzt {
+                transport http {
-        reverse_proxy http://127.0.0.1:5002
+                  resolvers 10.88.0.1 # podman dns
-      }
+                }
-      @jellyfin host j.hailsatan.eu
+              }
-      handle @jellyfin {
+            }
-        reverse_proxy http://jellyfin:8096 {
+            @bzzt-api host bzzt-api.hailsatan.eu
-          transport http {
+            handle @bzzt-api {
-            resolvers 10.88.0.1 # podman dns
+              reverse_proxy http://127.0.0.1:5001
-          }
+            }
-        }
+            @bzzt-lcg host bzzt-lcg.hailsatan.eu
-      }
+            handle @bzzt-lcg {
-      handle {
+              reverse_proxy http://127.0.0.1:5003
-        abort
+            }
-      }
+            @bzzt host bzzt.hailsatan.eu
            handle @bzzt {
              reverse_proxy http://127.0.0.1:5002
            }
            @jellyfin host j.hailsatan.eu
            handle @jellyfin {
              reverse_proxy http://jellyfin:8096 {
                transport http {
                  resolvers 10.88.0.1 # podman dns
                }
              }
            }
            handle {
              abort
            }
    '';
  };
--- a/hosts/theseus/default.nix
+++ b/hosts/theseus/default.nix
@ -306,7 +306,7 @@
        location.extraConfig.before_backup = [ "notify-send -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ];
        location.extraConfig.after_backup = [ "notify-send -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ];
        location.extraConfig.on_error = [ "notify-send -u critical -a borgmatic borgmatic \"backup failed\"" ];
-        location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
+        # location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
        location.extraConfig.one_file_system = true;
        retention = {
          keepHourly = 24;