Use aciceri.dev domains for VPNs too

hosts/sisko/default.nix

@@ -11,13 +11,10 @@
       "wireguard-server"
       "mediatomb"
       "transmission"
-      # "hercules-ci"
       "home-assistant"
       "adguard-home"
       "cloudflare-dyndns"
       "sisko-proxy"
-      "invidious"
-      "searx"
       "sisko-share"
       "forgejo"
       "prometheus"
@@ -32,7 +29,6 @@
       "syncthing"
       "atticd"
       "jellyfin"
-      "firefly"
       "matrix"
       "radarr"
       "zerotier"

modules/adguard-home/default.nix

@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   services.adguardhome = {
     enable = true;
@@ -15,4 +16,13 @@
   environment.persistence."/persist".directories = [
     "/var/lib/AdGuardHome"
   ];
+
+  services.nginx.virtualHosts."adguard.sisko.wg.aciceri.dev" = {
+    forceSSL = true;
+    useACMEHost = "aciceri.dev";
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.adguardhome.port}";
+    };
+    serverAliases = [ "adguard.sisko.zt.aciceri.dev" ];
+  };
 }

modules/cloudflare-dyndns/default.nix

@@ -8,15 +8,8 @@
       "aciceri.dev"
       "git.aciceri.dev"
       "home.aciceri.dev"
-      "torrent.aciceri.dev"
-      "search.aciceri.dev"
-      "invidious.aciceri.dev"
-      "vpn.aciceri.dev"
       "photos.aciceri.dev"
-      "status.aciceri.dev"
       "jelly.aciceri.dev"
-      "firefly.aciceri.dev"
-      "import.firefly.aciceri.dev"
       "matrix.aciceri.dev"
     ];
     apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;

modules/grafana/default.nix

@@ -7,7 +7,7 @@ in
     enable = true;
     settings = {
       server = {
-        domain = "status.aciceri.dev";
+        domain = "status.sisko.aciceri.dev";
         http_addr = "127.0.0.1";
         http_port = 2342;
         root_url = "https://${config.services.grafana.settings.server.domain}:443/";
@@ -30,10 +30,11 @@ in
   ];
 
   services.nginx.virtualHosts = {
-    "status.aciceri.dev" = {
+    "status.sisko.wg.aciceri.dev" = {
-      enableACME = true;
+      useACMEHost = "aciceri.dev";
       forceSSL = true;
       locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.settings.server.http_port}";
+      serverAliases = [ "status.sisko.zt.aciceri.dev" ];
     };
   };
 }

modules/jellyfin/default.nix

@@ -15,7 +15,7 @@
     "jelly.aciceri.dev" = {
       enableACME = true;
       forceSSL = true;
-      locations."/".proxyPass = "http://127.0.0.1:8096";
+      locations."/".proxyPass = "http://127.0.0.1:8096"; # FIXME hardcoded port
     };
   };
 }

modules/matrix/default.nix

@@ -7,7 +7,6 @@
 let
   clientConfig = {
     "m.homeserver".base_url = "https://matrix.aciceri.dev";
-    # "org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev";
   };
   serverConfig."m.server" = "matrix.aciceri.dev:443";
   mkWellKnown = data: ''
@@ -21,7 +20,7 @@ in
 
   services.nginx.virtualHosts = {
     "aciceri.dev" = {
-      enableACME = true;
+      useACMEHost = "aciceri.dev";
       forceSSL = true;
       locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
       locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
@@ -36,17 +35,6 @@ in
     };
   };
 
-  services.postgresql = {
-    enable = true;
-    # initialScript = pkgs.writeText "synapse-init.sql" ''
-    #   CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-    #   CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-    # TEMPLATE template0
-    # LC_COLLATE = "C"
-    # LC_CTYPE = "C";
-    # '';
-  };
-
   systemd.tmpfiles.rules = [
     "d ${config.services.matrix-synapse.dataDir} 770 matrix-synapse matrix-synapse"
   ];
@@ -79,28 +67,4 @@ in
     };
     extraConfigFiles = [ config.age.secrets.matrix-registration-shared-secret.path ];
   };
-
-  # backup.paths = [
-  #   config.services.matrix-synapse.dataDir
-  #   "/var/backup/postgresql/matrix-synapse.sql.gz"
-  # ];
-
-  # services.postgresqlBackup = {
-  #   enable = true;
-  # databases = [ "matrix-synapse" ];
-  # };
-
-  # services.matrix-sliding-sync = {
-  #   enable = true;
-  #   environmentFile = config.age.secrets.matrix-sliding-sync-secret.path;
-  #   settings = {
-  #     SYNCV3_SERVER = "http://localhost:8008";
-  #   };
-  # };
-
-  # services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = {
-  #   enableACME = true;
-  #   forceSSL = true;
-  #   locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER;
-  # };
 }

modules/nginx-base/default.nix

@@ -1,7 +1,23 @@
+{ config, ... }:
 {
   security.acme = {
     acceptTerms = true;
     defaults.email = "andrea.ciceri@autistici.org";
+    certs = {
+      "aciceri.dev" = {
+        reloadServices = [ "nginx.service" ];
+        domain = "aciceri.dev";
+        extraDomainNames = [
+          "*.sisko.zt.aciceri.dev"
+          "*.sisko.wg.aciceri.dev"
+        ];
+        dnsProvider = "cloudflare";
+        # dnsResolver = "1.1.1.1:53";
+        dnsPropagationCheck = true;
+        group = config.services.nginx.group;
+        environmentFile = config.age.secrets.cloudflare-dyndns-api-token.path;
+      };
+    };
   };
 
   networking.firewall.allowedTCPPorts = [
@@ -11,6 +27,7 @@
 
   services.nginx = {
     enable = true;
+    statusPage = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;

modules/paperless/default.nix

@@ -25,14 +25,15 @@
 
   imports = [ ../nginx-base ];
 
-  services.nginx.virtualHosts."paper.aciceri.dev" = {
+  services.nginx.virtualHosts."paper.sisko.wg.aciceri.dev" = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "aciceri.dev";
     locations."/" = {
       proxyPass = "http://localhost:${builtins.toString config.services.paperless.port}";
     };
     extraConfig = ''
       client_max_body_size 50000M;
     '';
+    serverAliases = [ "paper.sisko.zt.aciceri.dev" ];
   };
 }

modules/radarr/default.nix

@@ -2,4 +2,13 @@
   services.radarr = {
     enable = true;
   };
+
+  services.nginx.virtualHosts."radarr.sisko.wg.aciceri.dev" = {
+    forceSSL = true;
+    useACMEHost = "aciceri.dev";
+    locations."/" = {
+      proxyPass = "http://localhost:7878"; # FIXME hardcoded port
+    };
+    serverAliases = [ "radarr.sisko.zt.aciceri.dev" ];
+  };
 }

modules/sisko-proxy/default.nix

@@ -15,26 +15,17 @@
         proxy_set_header    Connection  $connection_upgrade;
       '';
     };
-    "torrent.aciceri.dev" = {
+    "home.sisko.aciceri.dev" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = "aciceri.dev";
       locations."/" = {
-        proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}";
+        proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
-      };
+        proxyWebsockets = true;
-    };
-    "search.aciceri.dev" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:8888";
-      };
-    };
-    "invidious.aciceri.dev" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:${builtins.toString config.services.invidious.port}";
       };
+      extraConfig = ''
+        proxy_set_header    Upgrade     $http_upgrade;
+        proxy_set_header    Connection  $connection_upgrade;
+      '';
     };
     "photos.aciceri.dev" = {
       extraConfig = ''

modules/transmission/default.nix

@@ -48,4 +48,13 @@
   environment.persistence."/persist".directories = [
     config.services.transmission.home
   ];
+
+  services.nginx.virtualHosts."torrent.sisko.wg.aciceri.dev" = {
+    forceSSL = true;
+    useACMEHost = "aciceri.dev";
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}";
+    };
+    serverAliases = [ "torrent.sisko.zt.aciceri.dev" ];
+  };
 }