From 7717317840fe7b4f69492dbadfe259f4aa11bc35 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Fri, 14 Mar 2025 15:54:48 +0100
Subject: [PATCH 1/4] Enable zerotier
---
 hosts/kirk/default.nix | 1 +
 hosts/picard/default.nix | 1 +
 hosts/sisko/default.nix | 1 +
 modules/zerotier/default.nix | 6 ++++++
 4 files changed, 9 insertions(+)
 create mode 100644 modules/zerotier/default.nix
diff --git a/hosts/kirk/default.nix b/hosts/kirk/default.nix
index 0835424..ec5d0df 100644
--- a/hosts/kirk/default.nix
+++ b/hosts/kirk/default.nix
@@ -35,6 +35,7 @@
 "prometheus-exporters"
 "promtail"
 "syncthing"
+ "zerotier"
 ] ++ [
 ./disko.nix
 ];
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index be6c8b7..a63fd60 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -41,6 +41,7 @@
 "adb"
 "prometheus-exporters"
 "promtail"
+ "zerotier"
 ] ++ [
 ./disko.nix
 ];
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 8bc8e4c..456bfca 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -35,6 +35,7 @@
 "firefly"
 "matrix"
 "radarr"
+ "zerotier"
 ]
 ++ [
 ./disko.nix
diff --git a/modules/zerotier/default.nix b/modules/zerotier/default.nix
new file mode 100644
index 0000000..febcee3
--- /dev/null
+++ b/modules/zerotier/default.nix
@@ -0,0 +1,6 @@
+{
+ services.zerotierone = {
+ enable = true;
+ joinNetworks = [ "632ea29085af0cb4" ];
+ };
+}
From fb87eabdce7f45e5189ff6ff3c0781682797664b Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Fri, 14 Mar 2025 15:55:58 +0100
Subject: [PATCH 2/4] New cloudflare token
---
 secrets/cloudflare-dyndns-api-token.age | 43 +++++++++----------------
 1 file changed, 15 insertions(+), 28 deletions(-)
diff --git a/secrets/cloudflare-dyndns-api-token.age b/secrets/cloudflare-dyndns-api-token.age
index e0ec94d..eb27ad9 100644
--- a/secrets/cloudflare-dyndns-api-token.age
+++ b/secrets/cloudflare-dyndns-api-token.age
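Review bot: The new modules/zerotier/default.nix carries no comment about what network `632ea29085af0cb4` is or where access to it is controlled; a line such as `# Private overlay network; which peers may join is decided by member authorization on the ZeroTier controller, not by anything in this repo` would make that explicit for the next maintainer. Once the three hosts join, every authorized member has a network path to them, so any service bound to all interfaces becomes reachable from that overlay subject only to the host firewall. The host-file hunks only add the module name to the existing import lists.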
@@ -1,30 +1,17 @@ age-encryption.org/v1 -> ssh-rsa /AagBw -K5GB/dRGaRFYq0dxuUFPubpdceMq6jOGSWuFuKgtRbtvC+P7qd8g56AZYTyo97jZ -oAsl8bF3wifrPN73SzCoGba1lCmpDZLCPllNd5RZL1bcAGBj9eDAA1zihYnnO7s+ -r8L8JSJ/P76AZ3JRhylU0KjgkX1TnVSIsJ/wCQGbdw+KrTuam/3zjzLXEptn2U26 -oQ4AuzWVGWtyrAKyJfRDWQQUGDwgXMB1h+7XZMm3G1eu6Wm7vuFEQLjaocFE9tO0 -8lnU3IEzXtn1NrutmiIJSoDyGk/PeRdvu2fZWY9oKRxkCA2q0fOca9ArcAP7Wr8a -+/2usaZ/wsc2fzqDQU2XoFutIU0qwvX6DtDmfb8RhMNrkj2HiR2MluYo+NqQqMOJ -7kMS22yE1Z6akvpeHo1GZ15HczQatIXXSr4DFGlF7CG0ASNbjR+2Qzws+EmZ2WGX -Ad8D9aq5DYOr9xvUdZn66NwyFyyo7FRMoXRFNL01sxJUBpu1wVkKECa8DK0GTIzz -u+qRWtD9WxJkAodW1NmE2F08HIy//exP0L/L6laAjIrDZTle12Nrk6n9ke1UUBIo -zU0RdY9HT+DAqScViGdbitv4Z+GYNWWkZfpW8O56S+B/0rmZZ6UQ8VB8GopUecBt -E14rynpvnd2A6+WlUWcft2Uwl1i7jL3IARO1F3LTsS4 --> ssh-rsa QHr3/A -Kh/yF7CW7lKTsn6JK4vX2SNyiH66JdB+oVYTFdc2efJYTXVLuj7ITK8EMP3dV267 -+D4UM3jcn8wOTeTjXIo8P01IOspGxslfC4J+Yol8K+1JA2BjB0diwzhQbkOEyxJ6 -R0uymJYXjtl8Cjx2mlyNMybG8QZYypPhdKosBRn/KELxInGsWHm4MV3XQ+w2fr9Q -xHIKvz/8QabgzodHwFbMjp29B4MJUSIkl+uxyTULQMcoOCJ5Ip5BqA+VZsFRD8zV -4dePanMQHPXIMnm3POZy3hq/M4FcwWkdJLvz3zyVDuW6mWdiOgA0k1AGpGIFTXeM -bKclRUlgL9n7C/dEh5pcKLbEeh5HSf+2izn7PAA90zAQl8++2+iYMHEIQL/Ft6LH -XnAsNR4rwnVdWu8BlyEhIPev1GgSp3wOc9eQ6TA16RO4ND1ItnLVauAmvDN4rUWI -0wc9Utgwxy4MNhypRLnRXKc555pNpsL1aoA+vcbHfxW1MiW7zviIz2z/RXBR77ut -x9kekkP+LEgMHWD4XCGidM2sMrKfKDDblb+YGKxRcdFlELQa0jHH1mcvU5YC4oY2 -IhYhWeEvyQOr21cP885Psu8IvSpaZVA0tOEdrEXNTa5+S495IGplp8YuxdjW6dz1 -trDcKVSXNsjqLtpl0CrPY8pSPRIEvUJgBcHUxB3+E/U --> ssh-ed25519 +vdRnA lCY+mIpl7nNGi4wD5Z2CJPlIpqTECUyOncW+FuKzqxs -3g0+X5fVGjo+EnETlDlO1VQl83Loi4bEBHshRz1/q0A ---- iUTAy7LeDZTABLGEMw/Bkc/qbujLcdpHdQ/TuodhmaM -Ӥ;{?`t8+t0m 0ܼAӣmx}Z2N2 -x<IV#WLڿ \ No newline at end of file +qbtCO62bJ2e8tUAZHoGTjyrbvp/nkh4XUeLJDeuZNVsUWuvmAyrdb43V4x8cZprl +90ac8YG6xCZ8Jjq8KYV/CtS08HSDLR09om673lrQ5huUYu1kWVUatmH2102mQYyi +tlRNx8MtYWlrEgh2cw1E24DJhzUILvW13yHfLyYH052Xaj+uXFRj/c7AyYSoOgzQ +IrfFU5yncmC6IMiO5/S9TGFLpq8zL983JzeZuYKdYXW+MiWaD15nxzsQQIgXI6YH 
+K8GYXcugB8O1FisjKw8edYr3bRbHYNNSK1U+v7Wu0ge9f/FXLv2eDKQszcKPxUCJ +XLHi1A6PyHmGlAvYfbj7Dns7KW4DoMmg+Low6VQ6yORbPlN1bbEcjq0qE6f+e6TJ +QQT7617PkmL1KVw2EryIql5Cq7ConTNQaaj1118mjBpW91b64vOXOmWZfOzNo+M1 +Cbsb98Q0VyK2dXDMwPNXW1dKxDb1TGOrPCg9jIwGASco98MTeHFV3/G2F8n7aKYZ +8erixoeKQjyZtNxW2Phq5Wmhjif22qmfJ/+wWvB43CSzLf/79Zcf6Y/qrdqwjzED +fI3NhbAlZVsywBXQnTpuZlN1CE+lR5h0QtJVDy4CWhj/SbucCWL7hmtG3CW8Covq +sa0CJMCtfX71m+h8F3v9oXxlg7Mh8j9c9dHGIbzAYFQ +-> ssh-ed25519 +vdRnA 0FOXCOJg0HIZ2yeW3PKHHOQxtJN6d2L1z6qtW74vxXw +6xthzPbBs09E4iTgki8bxSvp/WhnO6AqrfL8ZEfYrBI +--- eH5jp9jn2nUTrUHVdGK6WF+cyms4icim/UjLByNsUOw +2 >eo\jrY3e@q.s%>yz[9/ !B.lK4\* N=OtW]龽Չ6cR^|H+~ԝ<ӸO*T=uM~_JP[ \ No newline at end of file From a8b1fed3842b9e1dcd7a59019f59bc9776d23238 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Fri, 14 Mar 2025 15:56:05 +0100 Subject: [PATCH 3/4] Unused secret --- hosts/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/default.nix b/hosts/default.nix index c17d45f..2ba0e8c 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -116,7 +116,6 @@ owner = "grafana"; group = "forgejo"; }; - "firefly-app-key".owner = "firefly-iii"; "matrix-registration-shared-secret".owner = "matrix-synapse"; }; }; From 9677a6ca777d94fd89b8c0d8f8075a631b435184 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Fri, 14 Mar 2025 15:56:29 +0100 Subject: [PATCH 4/4] Use aciceri.dev domains for VPNs too --- hosts/sisko/default.nix | 4 --- modules/adguard-home/default.nix | 10 +++++++ modules/cloudflare-dyndns/default.nix | 7 ----- modules/grafana/default.nix | 7 ++--- modules/jellyfin/default.nix | 2 +- modules/matrix/default.nix | 38 +-------------------------- modules/nginx-base/default.nix | 17 ++++++++++++ modules/paperless/default.nix | 5 ++-- modules/radarr/default.nix | 9 +++++++ modules/sisko-proxy/default.nix | 25 ++++++------------ modules/transmission/default.nix | 9 +++++++ 11 files changed, 62 insertions(+), 71 deletions(-) 
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 456bfca..3d5293b 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -11,13 +11,10 @@
 "wireguard-server"
 "mediatomb"
 "transmission"
- # "hercules-ci"
 "home-assistant"
 "adguard-home"
 "cloudflare-dyndns"
 "sisko-proxy"
- "invidious"
- "searx"
 "sisko-share"
 "forgejo"
 "prometheus"
@@ -32,7 +29,6 @@
 "syncthing"
 "atticd"
 "jellyfin"
- "firefly"
 "matrix"
 "radarr"
 "zerotier"
diff --git a/modules/adguard-home/default.nix b/modules/adguard-home/default.nix
index a1ec2aa..4020c07 100644
--- a/modules/adguard-home/default.nix
+++ b/modules/adguard-home/default.nix
@@ -1,3 +1,4 @@
+{ config, ... }:
 {
 services.adguardhome = {
 enable = true;
@@ -15,4 +16,13 @@
 environment.persistence."/persist".directories = [
 "/var/lib/AdGuardHome"
 ];
+
+ services.nginx.virtualHosts."adguard.sisko.wg.aciceri.dev" = {
+ forceSSL = true;
+ useACMEHost = "aciceri.dev";
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.adguardhome.port}";
+ };
+ serverAliases = [ "adguard.sisko.zt.aciceri.dev" ];
+ };
 }
diff --git a/modules/cloudflare-dyndns/default.nix b/modules/cloudflare-dyndns/default.nix
index 071a22b..5538150 100644
--- a/modules/cloudflare-dyndns/default.nix
+++ b/modules/cloudflare-dyndns/default.nix
@@ -8,15 +8,8 @@
 "aciceri.dev"
 "git.aciceri.dev"
 "home.aciceri.dev"
- "torrent.aciceri.dev"
- "search.aciceri.dev"
- "invidious.aciceri.dev"
- "vpn.aciceri.dev"
 "photos.aciceri.dev"
- "status.aciceri.dev"
 "jelly.aciceri.dev"
- "firefly.aciceri.dev"
- "import.firefly.aciceri.dev"
 "matrix.aciceri.dev"
 ];
 apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix
index a95e543..5466fd2 100644
--- a/modules/grafana/default.nix
+++ b/modules/grafana/default.nix
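Review bot: The `adguard.sisko.wg.aciceri.dev` virtual host (and its `.zt.` alias) differs from the public vhosts only in server name; nginx still listens on every interface, so any client that can reach port 443 and presents that name as SNI/Host is proxied to AdGuard Home, whether or not a public DNS record for it exists. The grafana (status.*), paperless, radarr and transmission vhosts added later in this commit follow the same pattern. If these are meant to be VPN-only, bind each vhost to the wireguard/zerotier addresses with `listenAddresses`, or add `extraConfig = "allow <wg-subnet>; allow <zt-subnet>; deny all;";`, and note in a comment which proxied services enforce their own login (transmission's RPC, for example, only does so when `rpc-authentication-required` is set).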
@@ -7,7 +7,7 @@ in
 enable = true;
 settings = {
 server = {
- domain = "status.aciceri.dev";
+ domain = "status.sisko.aciceri.dev";
 http_addr = "127.0.0.1";
 http_port = 2342;
 root_url = "https://${config.services.grafana.settings.server.domain}:443/";
@@ -30,10 +30,11 @@ in
 ];
 services.nginx.virtualHosts = {
- "status.aciceri.dev" = {
- enableACME = true;
+ "status.sisko.wg.aciceri.dev" = {
+ useACMEHost = "aciceri.dev";
 forceSSL = true;
 locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.settings.server.http_port}";
+ serverAliases = [ "status.sisko.zt.aciceri.dev" ];
 };
 };
 }
diff --git a/modules/jellyfin/default.nix b/modules/jellyfin/default.nix
index 51e066a..c9cdeaa 100644
--- a/modules/jellyfin/default.nix
+++ b/modules/jellyfin/default.nix
@@ -15,7 +15,7 @@
 "jelly.aciceri.dev" = {
 enableACME = true;
 forceSSL = true;
- locations."/".proxyPass = "http://127.0.0.1:8096";
+ locations."/".proxyPass = "http://127.0.0.1:8096"; # FIXME hardcoded port
 };
 };
 }
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index c7d115b..c7c5917 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -7,7 +7,6 @@ let
 clientConfig = {
 "m.homeserver".base_url = "https://matrix.aciceri.dev";
- # "org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev";
 };
 serverConfig."m.server" = "matrix.aciceri.dev:443";
 mkWellKnown = data: ''
@@ -21,7 +20,7 @@ in
 services.nginx.virtualHosts = {
 "aciceri.dev" = {
- enableACME = true;
+ useACMEHost = "aciceri.dev";
 forceSSL = true;
 locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
 locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
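Review bot: `domain = "status.sisko.aciceri.dev"` does not match the virtual host that now serves Grafana, which is `status.sisko.wg.aciceri.dev` with alias `status.sisko.zt.aciceri.dev`; since `root_url` is built from `domain` three lines below, Grafana will emit redirects and absolute links to a name that is neither served here nor covered by the `*.sisko.wg`/`*.sisko.zt` wildcard certificate. `domain = "status.sisko.wg.aciceri.dev";` (or whichever of the two names users are expected to open) keeps the settings and the vhost consistent. Serving one instance under two names also deserves a look at Grafana's cookie/domain handling, which is outside this hunk.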
@@ -36,17 +35,6 @@ in
 };
 };
- services.postgresql = {
- enable = true;
- # initialScript = pkgs.writeText "synapse-init.sql" ''
- # CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- # CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- # TEMPLATE template0
- # LC_COLLATE = "C"
- # LC_CTYPE = "C";
- # '';
- };
-
 systemd.tmpfiles.rules = [
 "d ${config.services.matrix-synapse.dataDir} 770 matrix-synapse matrix-synapse"
 ];
@@ -79,28 +67,4 @@ in
 };
 extraConfigFiles = [ config.age.secrets.matrix-registration-shared-secret.path ];
 };
-
- # backup.paths = [
- # config.services.matrix-synapse.dataDir
- # "/var/backup/postgresql/matrix-synapse.sql.gz"
- # ];
-
- # services.postgresqlBackup = {
- # enable = true;
- # databases = [ "matrix-synapse" ];
- # };
-
- # services.matrix-sliding-sync = {
- # enable = true;
- # environmentFile = config.age.secrets.matrix-sliding-sync-secret.path;
- # settings = {
- # SYNCV3_SERVER = "http://localhost:8008";
- # };
- # };
-
- # services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = {
- # enableACME = true;
- # forceSSL = true;
- # locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER;
- # };
 }
diff --git a/modules/nginx-base/default.nix b/modules/nginx-base/default.nix
index fa8dd61..f201630 100644
--- a/modules/nginx-base/default.nix
+++ b/modules/nginx-base/default.nix
@@ -1,7 +1,23 @@
+{ config, ... }:
 {
 security.acme = {
 acceptTerms = true;
 defaults.email = "andrea.ciceri@autistici.org";
+ certs = {
+ "aciceri.dev" = {
+ reloadServices = [ "nginx.service" ];
+ domain = "aciceri.dev";
+ extraDomainNames = [
+ "*.sisko.zt.aciceri.dev"
+ "*.sisko.wg.aciceri.dev"
+ ];
+ dnsProvider = "cloudflare";
+ # dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ group = config.services.nginx.group;
+ environmentFile = config.age.secrets.cloudflare-dyndns-api-token.path;
+ };
+ };
 };
 networking.firewall.allowedTCPPorts = [
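Review bot: Removing `services.postgresql = { enable = true; ... }` leaves the synapse configuration in the rest of this module (its `extraConfigFiles` line is visible in the next hunk) without any change to its database backend; unless another module imported on sisko enables PostgreSQL, the database service disappears on the next rebuild. If a shared PostgreSQL instance is enabled elsewhere, a comment at this point such as `# PostgreSQL is enabled by <other module>; synapse's database lives there` would record the dependency. The rest of the matrix module lies outside the hunk.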
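Review bot: The DNS-01 wildcard certificate takes its Cloudflare credential from `config.age.secrets.cloudflare-dyndns-api-token.path`, the same file cloudflare-dyndns consumes via `apiTokenFile`, but lego's cloudflare provider reads the token from `CLOUDFLARE_DNS_API_TOKEN` (alias `CF_DNS_API_TOKEN`), which may not be the variable name cloudflare-dyndns expects; the file re-encrypted in PATCH 2/4 must define whichever names both consumers need, or renewal fails regardless of `dnsPropagationCheck`. Sharing one token also means either service's environment yields a credential able to edit the whole `aciceri.dev` zone, and therefore to obtain certificates for any name under it, so a dedicated token for ACME (revocable independently of dyndns) is the least-privilege choice; at minimum add `# shared with cloudflare-dyndns; grants zone-wide DNS edit rights` next to `environmentFile`. The commented-out `dnsResolver` should be removed or explained, since with AdGuard Home running on this host the propagation check may otherwise go through the local filtering resolver.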
@@ -11,6 +27,7 @@
 services.nginx = {
 enable = true;
+ statusPage = true;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
diff --git a/modules/paperless/default.nix b/modules/paperless/default.nix
index e1e01fb..eea062d 100644
--- a/modules/paperless/default.nix
+++ b/modules/paperless/default.nix
@@ -25,14 +25,15 @@
 imports = [ ../nginx-base ];
- services.nginx.virtualHosts."paper.aciceri.dev" = {
+ services.nginx.virtualHosts."paper.sisko.wg.aciceri.dev" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "aciceri.dev";
 locations."/" = {
 proxyPass = "http://localhost:${builtins.toString config.services.paperless.port}";
 };
 extraConfig = ''
 client_max_body_size 50000M;
 '';
+ serverAliases = [ "paper.sisko.zt.aciceri.dev" ];
 };
 }
diff --git a/modules/radarr/default.nix b/modules/radarr/default.nix
index 321b7a5..77ee804 100644
--- a/modules/radarr/default.nix
+++ b/modules/radarr/default.nix
@@ -2,4 +2,13 @@
 services.radarr = {
 enable = true;
 };
+
+ services.nginx.virtualHosts."radarr.sisko.wg.aciceri.dev" = {
+ forceSSL = true;
+ useACMEHost = "aciceri.dev";
+ locations."/" = {
+ proxyPass = "http://localhost:7878"; # FIXME hardcoded port
+ };
+ serverAliases = [ "radarr.sisko.zt.aciceri.dev" ];
+ };
 }
diff --git a/modules/sisko-proxy/default.nix b/modules/sisko-proxy/default.nix
index 353af1b..f35fcd1 100644
--- a/modules/sisko-proxy/default.nix
+++ b/modules/sisko-proxy/default.nix
@@ -15,26 +15,17 @@
 proxy_set_header Connection $connection_upgrade;
 '';
 };
- "torrent.aciceri.dev" = {
+ "home.sisko.aciceri.dev" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "aciceri.dev";
 locations."/" = {
- proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}";
- };
- };
- "search.aciceri.dev" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:8888";
- };
- };
- "invidious.aciceri.dev" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:${builtins.toString config.services.invidious.port}";
+ proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
+ proxyWebsockets = true;
 };
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
 };
 "photos.aciceri.dev" = {
 extraConfig = ''
diff --git a/modules/transmission/default.nix b/modules/transmission/default.nix
index 0a7b3fd..eda7055 100644
--- a/modules/transmission/default.nix
+++ b/modules/transmission/default.nix
@@ -48,4 +48,13 @@
 environment.persistence."/persist".directories = [
 config.services.transmission.home
 ];
+
+ services.nginx.virtualHosts."torrent.sisko.wg.aciceri.dev" = {
+ forceSSL = true;
+ useACMEHost = "aciceri.dev";
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}";
+ };
+ serverAliases = [ "torrent.sisko.zt.aciceri.dev" ];
+ };
 }
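Review bot: `"home.sisko.aciceri.dev"` is served with `useACMEHost = "aciceri.dev"`, but that certificate covers only `aciceri.dev`, `*.sisko.zt.aciceri.dev` and `*.sisko.wg.aciceri.dev`, so this name is not on it and clients will get a certificate mismatch; the other VPN vhosts in this commit use the `.sisko.wg.`/`.sisko.zt.` pattern, so this one presumably should too: `"home.sisko.wg.aciceri.dev" = {` plus `serverAliases = [ "home.sisko.zt.aciceri.dev" ];`. The `proxy_set_header Upgrade`/`Connection` lines in `extraConfig` duplicate what `proxyWebsockets = true` already emits, so one of the two can go. Home Assistant rejects requests carrying forwarded headers unless its `http.use_x_forwarded_for` and `trusted_proxies` settings name this proxy, which is outside the hunk, and `home.aciceri.dev` is still in the dyndns list, so check that whichever vhost serves it still exists.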