diff --git a/flake.lock b/flake.lock
index d261e83..5109d40 100644
--- a/flake.lock
+++ b/flake.lock
@@ -26,11 +26,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1741914590,
- "narHash": "sha256-R8Bxh/AMD6nvmQrC43DkUkuwDmTWlyvNAzJ0Riq5w5U=",
+ "lastModified": 1741732420,
+ "narHash": "sha256-szO/TCc+UrjEtxi4K3GyoAv5/DKDkUeRtpTZTJY+zI4=",
 "owner": "catppuccin",
 "repo": "nix",
- "rev": "1e3fe44bc13809f62c2ef0aa864a304a6c8ebea4",
+ "rev": "a3f70463fb5e3df32d2d52a2705606db03843de2",
 "type": "github"
 },
 "original": {
@@ -122,11 +122,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1741945480,
- "narHash": "sha256-D80QGijmeVxm/4fJVd53dP8MHCLcn+JjtgniaGKIXvg=",
+ "lastModified": 1741771598,
+ "narHash": "sha256-nEfO1JskMvwDa0cf13LHdQO/QCM1ioCr8nU+ZOIO+ug=",
 "owner": "nix-community",
 "repo": "emacs-overlay",
- "rev": "5d6c484290f0754ce745ea6f7e2b7d037bdc7b76",
+ "rev": "04d8748de599621ca0ae7f9766c489adf45d63de",
 "type": "github"
 },
 "original": {
@@ -387,11 +387,11 @@
 ]
 },
 "locked": {
- "lastModified": 1741955947,
- "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=",
+ "lastModified": 1741791118,
+ "narHash": "sha256-4Y427uj0eql4yRU5rely3EcOlB9q457UDbG9omPtXiA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4",
+ "rev": "18780912345970e5b546b1b085385789b6935a83",
 "type": "github"
 },
 "original": {
@@ -464,11 +464,11 @@
 "lix": {
 "flake": false,
 "locked": {
- "lastModified": 1741957871,
- "narHash": "sha256-BSim3favVai9y7eMaFWNNDbIJ0mdRp5TMcJvHWdjC1s=",
+ "lastModified": 1741730072,
+ "narHash": "sha256-bHsQBdUz2l+DKXcNrCgul1fdMo8MO2YaJo+Lp84GL00=",
 "ref": "refs/heads/main",
- "rev": "af15a446ea88a2244e3c5a50eab776c33ab3bd80",
- "revCount": 17649,
+ "rev": "85a140accb5592c9b5a73f5ea2156f5b0c853d1c",
+ "revCount": 17639,
 "type": "git",
 "url": "https://git@git.lix.systems/lix-project/lix"
 },
@@ -489,11 +489,11 @@
 ]
 },
 "locked": {
- "lastModified": 1741894565,
- "narHash": "sha256-2FD0NDJbEjUHloVrtEIms5miJsj1tvQCc/0YK5ambyc=",
+ "lastModified": 1738176840,
+ "narHash": "sha256-NG3IRvRs3u3btVCN861FqHvgOwqcNT/Oy6PBG86F5/E=",
 "ref": "refs/heads/main",
- "rev": "a6da43f8193d9e329bba1795c42590c27966082e",
- "revCount": 136,
+ "rev": "621aae0f3cceaffa6d73a4fb0f89c08d338d729e",
+ "revCount": 133,
 "type": "git",
 "url": "https://git.lix.systems/lix-project/nixos-module"
 },
@@ -569,11 +569,11 @@
 },
 "nixosHardware": {
 "locked": {
- "lastModified": 1741792691,
- "narHash": "sha256-f0BVt1/cvA0DQ/q3rB+HY4g4tKksd03ZkzI4xehC2Ew=",
+ "lastModified": 1741790591,
+ "narHash": "sha256-sZvDvHJ97HuSePn9Pve5gStXWAws+lNGbLSzQt3bpS4=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "e1f12151258b12c567f456d8248e4694e9390613",
+ "rev": "d25dac1bd5eed6fbf67eb79d1f15d624e5a2c032",
 "type": "github"
 },
 "original": {
@@ -647,11 +647,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1741862977,
- "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=",
+ "lastModified": 1741600792,
+ "narHash": "sha256-yfDy6chHcM7pXpMF4wycuuV+ILSTG486Z/vLx/Bdi6Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0",
+ "rev": "ebe2788eafd539477f83775ef93c3c7e244421d3",
 "type": "github"
 },
 "original": {
@@ -695,11 +695,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1741851582,
- "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=",
+ "lastModified": 1741513245,
+ "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6607cf789e541e7873d40d3a8f7815ea92204f32",
+ "rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1",
 "type": "github"
 },
 "original": {
diff --git a/hosts/default.nix b/hosts/default.nix
index 2ba0e8c..c17d45f 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -116,6 +116,7 @@ owner = "grafana"; group = "forgejo"; }; + "firefly-app-key".owner = "firefly-iii"; "matrix-registration-shared-secret".owner = "matrix-synapse"; }; }; diff --git a/hosts/kirk/default.nix b/hosts/kirk/default.nix index ec5d0df..0835424 100644 --- a/hosts/kirk/default.nix +++ b/hosts/kirk/default.nix @@ -35,7 +35,6 @@ "prometheus-exporters" "promtail" "syncthing" - "zerotier" ] ++ [ ./disko.nix ]; diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index a63fd60..be6c8b7 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix @@ -41,7 +41,6 @@ "adb" "prometheus-exporters" "promtail" - "zerotier" ] ++ [ ./disko.nix ]; diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix index 3d5293b..d15f43a 100644 --- a/hosts/sisko/default.nix +++ b/hosts/sisko/default.nix @@ -11,10 +11,13 @@ "wireguard-server" "mediatomb" "transmission" + # "hercules-ci" "home-assistant" "adguard-home" "cloudflare-dyndns" "sisko-proxy" + "invidious" + "searx" "sisko-share" "forgejo" "prometheus" @@ -29,9 +32,8 @@ "syncthing" "atticd" "jellyfin" + "firefly" "matrix" - "radarr" - "zerotier" ] ++ [ ./disko.nix diff --git a/modules/adguard-home/default.nix b/modules/adguard-home/default.nix index 4020c07..a1ec2aa 100644 --- a/modules/adguard-home/default.nix +++ b/modules/adguard-home/default.nix @@ -1,4 +1,3 @@ -{ config, ... }: { services.adguardhome = { enable = true; @@ -16,13 +15,4 @@ environment.persistence."/persist".directories = [ "/var/lib/AdGuardHome" ]; - - services.nginx.virtualHosts."adguard.sisko.wg.aciceri.dev" = { - forceSSL = true; - useACMEHost = "aciceri.dev"; - locations."/" = { - proxyPass = "http://localhost:${builtins.toString config.services.adguardhome.port}"; - }; - serverAliases = [ "adguard.sisko.zt.aciceri.dev" ]; - }; } diff --git a/modules/cloudflare-dyndns/default.nix b/modules/cloudflare-dyndns/default.nix index 5538150..071a22b 100644 --- a/modules/cloudflare-dyndns/default.nix 
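Review bot: The `# "hercules-ci"` entry added to the module list in `hosts/sisko/default.nix` at `@@ -11,10 +11,13 @@` is commented-out code inside a list literal and will silently rot; either drop it or replace it with a comment that states why it is disabled, e.g. `# hercules-ci disabled: <reason>`. The same hunk enables `invidious` and `searx`, whose modules are not in this diff, and the public `*.aciceri.dev` names added elsewhere in the commit suggest both become internet-facing, so their bind addresses and any rate limiting deserve a look before merging. The enclosing list expression starts outside the hunk.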
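Review bot: Dropping the `adguard.sisko.wg.aciceri.dev` virtual host in `modules/adguard-home/default.nix` at `@@ -16,13 +15,4 @@` removes the only TLS fronting for the AdGuard Home admin UI, and this same commit deletes the zerotier overlay that the `zt` alias relied on, so nothing in the diff shows where the UI is now reachable. If it is meant to stay private, confirm that AdGuard Home binds to a wireguard or loopback address rather than all interfaces, and record that in the module, e.g. `# admin UI reachable only over wireguard; no public vhost on purpose`. Removing the `{ config, ... }:` header in the first hunk is consistent with the vhost going away, since nothing left in the file references `config`.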
+++ b/modules/cloudflare-dyndns/default.nix @@ -8,8 +8,15 @@ "aciceri.dev" "git.aciceri.dev" "home.aciceri.dev" + "torrent.aciceri.dev" + "search.aciceri.dev" + "invidious.aciceri.dev" + "vpn.aciceri.dev" "photos.aciceri.dev" + "status.aciceri.dev" "jelly.aciceri.dev" + "firefly.aciceri.dev" + "import.firefly.aciceri.dev" "matrix.aciceri.dev" ]; apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path; diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix index 5466fd2..a95e543 100644 --- a/modules/grafana/default.nix +++ b/modules/grafana/default.nix @@ -7,7 +7,7 @@ in enable = true; settings = { server = { - domain = "status.sisko.aciceri.dev"; + domain = "status.aciceri.dev"; http_addr = "127.0.0.1"; http_port = 2342; root_url = "https://${config.services.grafana.settings.server.domain}:443/"; @@ -30,11 +30,10 @@ in ]; services.nginx.virtualHosts = { - "status.sisko.wg.aciceri.dev" = { - useACMEHost = "aciceri.dev"; + "status.aciceri.dev" = { + enableACME = true; forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.settings.server.http_port}"; - serverAliases = [ "status.sisko.zt.aciceri.dev" ]; }; }; } diff --git a/modules/jellyfin/default.nix b/modules/jellyfin/default.nix index c9cdeaa..51e066a 100644 --- a/modules/jellyfin/default.nix +++ b/modules/jellyfin/default.nix @@ -15,7 +15,7 @@ "jelly.aciceri.dev" = { enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://127.0.0.1:8096"; # FIXME hardcoded port + locations."/".proxyPass = "http://127.0.0.1:8096"; }; }; } diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index c7c5917..c7d115b 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -7,6 +7,7 @@ let clientConfig = { "m.homeserver".base_url = "https://matrix.aciceri.dev"; + # "org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev"; }; serverConfig."m.server" = "matrix.aciceri.dev:443"; mkWellKnown = data: '' 
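Review bot: `vpn.aciceri.dev` is added to the dyndns domain list at `@@ -8,8 +8,15 @@` while nothing else in the commit references that name; if it is the wireguard endpoint that replaces the removed zerotier overlay, a comment on the entry such as `# wireguard endpoint` would tie the two changes together for the next reader. The list also now carries `torrent`, `search`, `invidious`, `status` and the two `firefly` names, which makes it the authoritative inventory of what is exposed publicly, so keeping it in sync with the nginx virtual hosts matters more than before. The enclosing `domains` attribute starts outside the hunk.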
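Review bot: Moving Grafana from `status.sisko.wg.aciceri.dev` to the public `status.aciceri.dev` in `modules/grafana/default.nix` at `@@ -30,11 +30,10 @@` turns a VPN-only service into an internet-facing one, yet no change to Grafana's authentication settings is part of the commit. Confirm that `settings."auth.anonymous".enabled` is false and that `settings.security.admin_password` comes from a secret rather than the default; the `settings` block continues outside the first hunk, so these may already be set. The switch from `useACMEHost` to `enableACME = true` also means this host is now validated over HTTP-01, which needs port 80 reachable for the name; that lines up with the dyndns entry added in `modules/cloudflare-dyndns`.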
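Review bot: The `# FIXME hardcoded port` comment is removed from `modules/jellyfin/default.nix` at `@@ -15,7 +15,7 @@` but `proxyPass = "http://127.0.0.1:8096"` keeps the literal port, so the change erases the reminder without resolving it. If there is genuinely no module option to reference, keep a short comment saying so, e.g. `# 8096 is jellyfin's HTTP port; no module option to reference`, otherwise restore the FIXME.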
@@ -20,7 +21,7 @@ in services.nginx.virtualHosts = { "aciceri.dev" = { - useACMEHost = "aciceri.dev"; + enableACME = true; forceSSL = true; locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; @@ -35,6 +36,17 @@ in }; }; + services.postgresql = { + enable = true; + # initialScript = pkgs.writeText "synapse-init.sql" '' + # CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + # CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + # TEMPLATE template0 + # LC_COLLATE = "C" + # LC_CTYPE = "C"; + # ''; + }; + systemd.tmpfiles.rules = [ "d ${config.services.matrix-synapse.dataDir} 770 matrix-synapse matrix-synapse" ]; @@ -67,4 +79,28 @@ in }; extraConfigFiles = [ config.age.secrets.matrix-registration-shared-secret.path ]; }; + + # backup.paths = [ + # config.services.matrix-synapse.dataDir + # "/var/backup/postgresql/matrix-synapse.sql.gz" + # ]; + + # services.postgresqlBackup = { + # enable = true; + # databases = [ "matrix-synapse" ]; + # }; + + # services.matrix-sliding-sync = { + # enable = true; + # environmentFile = config.age.secrets.matrix-sliding-sync-secret.path; + # settings = { + # SYNCV3_SERVER = "http://localhost:8008"; + # }; + # }; + + # services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = { + # enableACME = true; + # forceSSL = true; + # locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER; + # }; } diff --git a/modules/nginx-base/default.nix b/modules/nginx-base/default.nix index f201630..fa8dd61 100644 --- a/modules/nginx-base/default.nix +++ b/modules/nginx-base/default.nix 
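Review bot: The commented-out `initialScript` added at `@@ -35,6 +36,17 @@` carries a literal database password (`PASSWORD 'synapse'`); even disabled, a credential in a committed file tends to get uncommented as-is later, so drop that line or point it at a secret file when the script is revived. With `services.postgresql.enable = true` and no role or database created, synapse will only use PostgreSQL if its `settings.database` is configured elsewhere; that block is outside the hunk, and as far as I recall the module defaults to sqlite, so it is worth confirming which backend is actually in use. The remaining commented blocks at `@@ -67,4 +79,28 @@` (backup paths, `postgresqlBackup`, `matrix-sliding-sync`, the `syncv3` vhost) are dead code; if they are planned work, a one-line `# TODO: sliding sync + pg backup pending <reason>` reads better than twenty-five commented lines.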
@@ -1,23 +1,7 @@ -{ config, ... }: { security.acme = { acceptTerms = true; defaults.email = "andrea.ciceri@autistici.org"; - certs = { - "aciceri.dev" = { - reloadServices = [ "nginx.service" ]; - domain = "aciceri.dev"; - extraDomainNames = [ - "*.sisko.zt.aciceri.dev" - "*.sisko.wg.aciceri.dev" - ]; - dnsProvider = "cloudflare"; - # dnsResolver = "1.1.1.1:53"; - dnsPropagationCheck = true; - group = config.services.nginx.group; - environmentFile = config.age.secrets.cloudflare-dyndns-api-token.path; - }; - }; }; networking.firewall.allowedTCPPorts = [ @@ -27,7 +11,6 @@ services.nginx = { enable = true; - statusPage = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; diff --git a/modules/paperless/default.nix b/modules/paperless/default.nix index eea062d..e1e01fb 100644 --- a/modules/paperless/default.nix +++ b/modules/paperless/default.nix @@ -25,15 +25,14 @@ imports = [ ../nginx-base ]; - services.nginx.virtualHosts."paper.sisko.wg.aciceri.dev" = { + services.nginx.virtualHosts."paper.aciceri.dev" = { forceSSL = true; - useACMEHost = "aciceri.dev"; + enableACME = true; locations."/" = { proxyPass = "http://localhost:${builtins.toString config.services.paperless.port}"; }; extraConfig = '' client_max_body_size 50000M; ''; - serverAliases = [ "paper.sisko.zt.aciceri.dev" ]; }; } diff --git a/modules/radarr/default.nix b/modules/radarr/default.nix deleted file mode 100644 index 77ee804..0000000 --- a/modules/radarr/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - services.radarr = { - enable = true; - }; - - services.nginx.virtualHosts."radarr.sisko.wg.aciceri.dev" = { - forceSSL = true; - useACMEHost = "aciceri.dev"; - locations."/" = { - proxyPass = "http://localhost:7878"; # FIXME hardcoded port - }; - serverAliases = [ "radarr.sisko.zt.aciceri.dev" ]; - }; -} diff --git a/modules/sisko-proxy/default.nix b/modules/sisko-proxy/default.nix index f35fcd1..353af1b 100644 --- a/modules/sisko-proxy/default.nix 
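Review bot: Removing `statusPage = true` from `modules/nginx-base/default.nix` at `@@ -27,7 +11,6 @@` turns off nginx's stub_status endpoint; the hosts in this commit enable a `prometheus-exporters` module, and if that includes the nginx exporter its scrapes will start failing after this change. Either keep the line or note next to the exporter configuration that nginx metrics were dropped on purpose. The first hunk also deletes the wildcard certificate covering `*.sisko.zt.aciceri.dev` and `*.sisko.wg.aciceri.dev`, so any `useACMEHost = "aciceri.dev"` left in a module not touched here will reference a cert that no longer exists; a grep for it before merging is cheap insurance.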
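Review bot: `paper.aciceri.dev` gets `enableACME = true` in `modules/paperless/default.nix` at `@@ -25,15 +25,14 @@`, but unlike `torrent`, `search`, `status` and the others it is not added to the `cloudflare-dyndns` domain list in this commit, so unless the record is managed elsewhere the HTTP-01 challenge for that name will not resolve and issuance will fail. Moving the host from the VPN-only name to a public one also exposes the document upload endpoint with `client_max_body_size 50000M`, a limit that was sized for a trusted network; consider lowering it or keeping the host on the wireguard name, and leave a comment recording the decision. The `services.paperless` block that sets the port is outside the hunk.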
+++ b/modules/sisko-proxy/default.nix @@ -15,17 +15,26 @@ proxy_set_header Connection $connection_upgrade; ''; }; - "home.sisko.aciceri.dev" = { + "torrent.aciceri.dev" = { forceSSL = true; - useACMEHost = "aciceri.dev"; + enableACME = true; locations."/" = { - proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}"; - proxyWebsockets = true; + proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}"; + }; + }; + "search.aciceri.dev" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8888"; + }; + }; + "invidious.aciceri.dev" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:${builtins.toString config.services.invidious.port}"; }; - extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - ''; }; "photos.aciceri.dev" = { extraConfig = '' diff --git a/modules/transmission/default.nix b/modules/transmission/default.nix index eda7055..b049158 100644 --- a/modules/transmission/default.nix +++ b/modules/transmission/default.nix @@ -8,8 +8,6 @@ download-dir = "/mnt/hd/torrent"; incomplete-dir = "/mnt/hd/torrent/.incomplete"; - download-queue-enabled = false; - rpc-bind-address = "0.0.0.0"; peer-port = 51413; # Forward both TCP and UDP on router traffic from router rpc-whitelist-enabled = false; @@ -48,13 +46,4 @@ environment.persistence."/persist".directories = [ config.services.transmission.home ]; - - services.nginx.virtualHosts."torrent.sisko.wg.aciceri.dev" = { - forceSSL = true; - useACMEHost = "aciceri.dev"; - locations."/" = { - proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}"; - }; - serverAliases = [ "torrent.sisko.zt.aciceri.dev" ]; - }; } diff --git a/modules/zerotier/default.nix b/modules/zerotier/default.nix deleted file mode 100644 index febcee3..0000000 
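Review bot: The new `torrent.aciceri.dev` virtual host at `@@ -15,17 +15,26 @@` publishes Transmission's RPC interface on a public name, and the `modules/transmission` hunk in this same commit shows `rpc-whitelist-enabled = false` with no authentication setting in view; unless `rpc-authentication-required` is set outside that hunk, the torrent client becomes controllable by anyone who finds the hostname. `search.aciceri.dev` proxies to a bare `http://localhost:8888` while its siblings reference `config.services.*.port`; if the searx module exposes its port, use that, otherwise mark the literal the way the repo already does (`# FIXME hardcoded port`). The removed `home.sisko.aciceri.dev` host carried `proxyWebsockets` and the Upgrade headers, and `home.aciceri.dev` stays in the dyndns list, so confirm Home Assistant still has a vhost with websocket support somewhere.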
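Review bot: Dropping `rpc-bind-address = "0.0.0.0"` in `modules/transmission/default.nix` at `@@ -8,8 +8,6 @@` is the right direction, since the RPC then falls back to the default loopback bind and is reachable only through nginx, but `rpc-whitelist-enabled = false` stays, and with every request now arriving from 127.0.0.1 via the proxy the whitelist could not help anyway. Authentication is the control that matters once the UI is on a public hostname: add `rpc-authentication-required = true;` and supply `rpc-username`/`rpc-password` through `credentialsFile` from an age secret rather than in the Nix store. The `settings` block continues outside the hunk.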
--- a/modules/zerotier/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
- {
- services.zerotierone = {
- enable = true;
- joinNetworks = [ "632ea29085af0cb4" ];
- };
- }
diff --git a/secrets/cloudflare-dyndns-api-token.age b/secrets/cloudflare-dyndns-api-token.age
index eb27ad9..e0ec94d 100644
--- a/secrets/cloudflare-dyndns-api-token.age
+++ b/secrets/cloudflare-dyndns-api-token.age
@@ -1,17 +1,30 @@ age-encryption.org/v1 -> ssh-rsa /AagBw -qbtCO62bJ2e8tUAZHoGTjyrbvp/nkh4XUeLJDeuZNVsUWuvmAyrdb43V4x8cZprl -90ac8YG6xCZ8Jjq8KYV/CtS08HSDLR09om673lrQ5huUYu1kWVUatmH2102mQYyi -tlRNx8MtYWlrEgh2cw1E24DJhzUILvW13yHfLyYH052Xaj+uXFRj/c7AyYSoOgzQ -IrfFU5yncmC6IMiO5/S9TGFLpq8zL983JzeZuYKdYXW+MiWaD15nxzsQQIgXI6YH -K8GYXcugB8O1FisjKw8edYr3bRbHYNNSK1U+v7Wu0ge9f/FXLv2eDKQszcKPxUCJ -XLHi1A6PyHmGlAvYfbj7Dns7KW4DoMmg+Low6VQ6yORbPlN1bbEcjq0qE6f+e6TJ -QQT7617PkmL1KVw2EryIql5Cq7ConTNQaaj1118mjBpW91b64vOXOmWZfOzNo+M1 -Cbsb98Q0VyK2dXDMwPNXW1dKxDb1TGOrPCg9jIwGASco98MTeHFV3/G2F8n7aKYZ -8erixoeKQjyZtNxW2Phq5Wmhjif22qmfJ/+wWvB43CSzLf/79Zcf6Y/qrdqwjzED -fI3NhbAlZVsywBXQnTpuZlN1CE+lR5h0QtJVDy4CWhj/SbucCWL7hmtG3CW8Covq -sa0CJMCtfX71m+h8F3v9oXxlg7Mh8j9c9dHGIbzAYFQ --> ssh-ed25519 +vdRnA 0FOXCOJg0HIZ2yeW3PKHHOQxtJN6d2L1z6qtW74vxXw -6xthzPbBs09E4iTgki8bxSvp/WhnO6AqrfL8ZEfYrBI ---- eH5jp9jn2nUTrUHVdGK6WF+cyms4icim/UjLByNsUOw -2 >eo\jrY3e@q.s%>yz[9/ !B.lK4\* N=OtW]龽Չ6cR^|H+~ԝ<ӸO*T=uM~_JP[ \ No newline at end of file +K5GB/dRGaRFYq0dxuUFPubpdceMq6jOGSWuFuKgtRbtvC+P7qd8g56AZYTyo97jZ +oAsl8bF3wifrPN73SzCoGba1lCmpDZLCPllNd5RZL1bcAGBj9eDAA1zihYnnO7s+ +r8L8JSJ/P76AZ3JRhylU0KjgkX1TnVSIsJ/wCQGbdw+KrTuam/3zjzLXEptn2U26 +oQ4AuzWVGWtyrAKyJfRDWQQUGDwgXMB1h+7XZMm3G1eu6Wm7vuFEQLjaocFE9tO0 +8lnU3IEzXtn1NrutmiIJSoDyGk/PeRdvu2fZWY9oKRxkCA2q0fOca9ArcAP7Wr8a ++/2usaZ/wsc2fzqDQU2XoFutIU0qwvX6DtDmfb8RhMNrkj2HiR2MluYo+NqQqMOJ +7kMS22yE1Z6akvpeHo1GZ15HczQatIXXSr4DFGlF7CG0ASNbjR+2Qzws+EmZ2WGX +Ad8D9aq5DYOr9xvUdZn66NwyFyyo7FRMoXRFNL01sxJUBpu1wVkKECa8DK0GTIzz +u+qRWtD9WxJkAodW1NmE2F08HIy//exP0L/L6laAjIrDZTle12Nrk6n9ke1UUBIo +zU0RdY9HT+DAqScViGdbitv4Z+GYNWWkZfpW8O56S+B/0rmZZ6UQ8VB8GopUecBt +E14rynpvnd2A6+WlUWcft2Uwl1i7jL3IARO1F3LTsS4 +-> ssh-rsa QHr3/A +Kh/yF7CW7lKTsn6JK4vX2SNyiH66JdB+oVYTFdc2efJYTXVLuj7ITK8EMP3dV267 ++D4UM3jcn8wOTeTjXIo8P01IOspGxslfC4J+Yol8K+1JA2BjB0diwzhQbkOEyxJ6 +R0uymJYXjtl8Cjx2mlyNMybG8QZYypPhdKosBRn/KELxInGsWHm4MV3XQ+w2fr9Q 
+xHIKvz/8QabgzodHwFbMjp29B4MJUSIkl+uxyTULQMcoOCJ5Ip5BqA+VZsFRD8zV +4dePanMQHPXIMnm3POZy3hq/M4FcwWkdJLvz3zyVDuW6mWdiOgA0k1AGpGIFTXeM +bKclRUlgL9n7C/dEh5pcKLbEeh5HSf+2izn7PAA90zAQl8++2+iYMHEIQL/Ft6LH +XnAsNR4rwnVdWu8BlyEhIPev1GgSp3wOc9eQ6TA16RO4ND1ItnLVauAmvDN4rUWI +0wc9Utgwxy4MNhypRLnRXKc555pNpsL1aoA+vcbHfxW1MiW7zviIz2z/RXBR77ut +x9kekkP+LEgMHWD4XCGidM2sMrKfKDDblb+YGKxRcdFlELQa0jHH1mcvU5YC4oY2 +IhYhWeEvyQOr21cP885Psu8IvSpaZVA0tOEdrEXNTa5+S495IGplp8YuxdjW6dz1 +trDcKVSXNsjqLtpl0CrPY8pSPRIEvUJgBcHUxB3+E/U +-> ssh-ed25519 +vdRnA lCY+mIpl7nNGi4wD5Z2CJPlIpqTECUyOncW+FuKzqxs +3g0+X5fVGjo+EnETlDlO1VQl83Loi4bEBHshRz1/q0A +--- iUTAy7LeDZTABLGEMw/Bkc/qbujLcdpHdQ/TuodhmaM +Ӥ;{?`t8+t0m 0ܼAӣmx}Z2N2 +x<IV#WLڿ \ No newline at end of file
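Review bot: The re-encrypted token now carries an additional `-> ssh-rsa QHr3/A` recipient stanza next to the existing `ssh-rsa /AagBw` and `ssh-ed25519 +vdRnA` ones, but no change to the agenix recipient rules (the secrets.nix or equivalent) is part of this commit, so the diff gives no way to tell whose key was added. Confirm the new recipient is intended and that the file was produced by rekeying from the rules rather than by hand, since a stray recipient on the Cloudflare token would quietly grant DNS control. The payload changed as well, which is consistent with a rotation; if the token was rotated, this is the moment to scope the new one to the single zone now that the DNS-01 wildcard setup in `modules/nginx-base` no longer needs it.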