diff --git a/lib/module/default.nix b/lib/module/default.nix index a4ecd7f..cf02a38 100644 --- a/lib/module/default.nix +++ b/lib/module/default.nix @@ -50,15 +50,19 @@ rec { defaultConfig = { # Caddy reverse proxy: when reverseProxy.enable = true, contribute this - # service's virtual host block to the Caddy config. The TLS wildcard - # cert is handled via a (cloudflare_tls) snippet defined in globalConfig. - # services.caddy.virtualHosts.${fqdn} = lib.mkIf cfg.reverseProxy.enable { - # extraConfig = '' - # import cloudflare_tls - # reverse_proxy ${upstreamUrl} - # ${cfg.reverseProxy.extraCaddyConfig} - # ''; - # }; + # service's named-matcher block into the shared wildcard virtual host. + # The TLS block stays in the caddy module itself; all services merge + # their handle blocks into the same "*.${domain}" extraConfig via the + # lines type (which concatenates automatically). + services.caddy.virtualHosts."*.${cfg.reverseProxy.domain}" = lib.mkIf cfg.reverseProxy.enable { + extraConfig = '' + @${name} host ${fqdn} + handle @${name} { + reverse_proxy ${upstreamUrl} + ${cfg.reverseProxy.extraCaddyConfig} + } + ''; + }; # Open firewall networking.firewall = lib.mkIf cfg.openFirewall { @@ -112,11 +116,19 @@ rec { # # "d ${cfg.configDir}/server-files 0775 ${name} ${name} - -" # # "d ${cfg.configDir}/user-files 0775 ${name} ${name} - -" # ]; - } - // moduleConfig; + }; in { lib, ... }: { + imports = [ + # defaultConfig and moduleConfig are kept as separate inline modules so + # the NixOS module system handles all merging (mkIf, mkForce, mkMerge, + # etc.) correctly, rather than merging raw attrsets with // or + # recursiveUpdate which can silently clobber mkIf wrappers. + { config = lib.mkIf cfg.enable defaultConfig; } + { config = lib.mkIf cfg.enable moduleConfig; } + ]; + options.${namespace}.${domain}.${name} = lib.mkOption { type = lib.types.submodule { options = { 
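Review bot: The new vhost key `"*.${cfg.reverseProxy.domain}"` only picks up the wildcard `tls` block if `cfg.reverseProxy.domain` is exactly the domain the caddy module declares for its own virtual host; any other value silently creates a second `*.<domain>` vhost with no TLS configuration, and nothing in the hunk checks or documents this. The template also assumes `${name}` is usable verbatim as a Caddy named matcher and that `${fqdn}` lives under that same domain. I would state the coupling in the comment, e.g. `# reverseProxy.domain must equal the wildcard host the caddy module defines; any other value yields a separate vhost without the tls block.` The enclosing `defaultConfig = {` attrset opens before this hunk and closes after it.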
@@ -167,8 +179,6 @@ rec { }; default = { }; }; - - config = lib.mkIf cfg.enable defaultConfig; }; # container diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/default.nix index 71cd0fd..f56da2e 100644 --- a/modules/nixos/services/caddy/default.nix +++ b/modules/nixos/services/caddy/default.nix 
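Review bot: Merging `defaultConfig` and `moduleConfig` as two inline modules changes override semantics in a way the new comment does not mention: with `// moduleConfig` the service's values silently won, whereas the module system reports a conflicting-definition error when both modules set the same non-mergeable option at equal priority. Defaults in `defaultConfig` that a service is expected to override should therefore be wrapped in `lib.mkDefault`, or the comment should say that service-side overrides need `lib.mkForce`. One added sentence would spare the next maintainer that error, e.g. `# Unlike //, this gives moduleConfig no implicit precedence: shared keys need mkDefault/mkForce priorities.` The module function that owns this `imports` list continues past the hunk.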
@@ -42,78 +42,6 @@ let tls { dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN} } - - @authentik host authentik.mjallen.dev - handle @authentik { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.authentik.port} - } - - @cache host cache.mjallen.dev - handle @cache { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.attic.port} - } - - @cloud host cloud.mjallen.dev - handle @cloud { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.nextcloud.port} { - header_up Host {upstream_hostport} - } - - header { - Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" - X-Robots-Tag "noindex, nofollow" - } - } - - @gitea host gitea.mjallen.dev - handle @gitea { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.gitea.port} - } - - @homeassistant host hass.mjallen.dev - handle @homeassistant { - reverse_proxy http://nuc-nixos.local:8123 - } - - @immich host immich.mjallen.dev - handle @immich { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.immich.port} - } - - @jellyfin host jellyfin.mjallen.dev - handle @jellyfin { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.jellyfin.port} - } - - @jellyseerr host jellyseerr.mjallen.dev - handle @jellyseerr { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.jellyseerr.port} - } - - @lubelogger host lubelogger.mjallen.dev - handle @lubelogger { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.lubelogger.port} - } - - @matrix host matrix.mjallen.dev - handle @matrix { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.matrix.port} - } - - @ntfy host ntfy.mjallen.dev - handle @ntfy { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.ntfy.port} - } - - @office host office.mjallen.dev - handle @office { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.collabora.port} - } - - @termix host 
termix.mjallen.dev - handle @termix { - reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.termix.port} - } ''; }; }; diff --git a/modules/nixos/services/tunarr/default.nix b/modules/nixos/services/tunarr/default.nix index 963abf7..af0c4b9 100644 --- a/modules/nixos/services/tunarr/default.nix +++ b/modules/nixos/services/tunarr/default.nix @@ -21,6 +21,7 @@ let extraOptions = [ "--device=/dev/dri" ]; volumes = [ "${cfg.configDir}/tunarr:/config/tunarr" + "${cfg.configDir}/tunarr:/root/.local/share/tunarr" "${cfg.dataDir}/movies:/libraries/movies" "${cfg.dataDir}/tv:/libraries/tv" "${cfg.configDir}/transcode:/transcode" diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix index 647c6ed..f1a47dc 100755 --- a/systems/x86_64-linux/jallen-nas/default.nix +++ b/systems/x86_64-linux/jallen-nas/default.nix @@ -162,6 +162,7 @@ in 3001 3333 5201 # iperf + 5432 # postgresql 8400 9200 # elasticsearch / attic 9233
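Review bot: The removed `@cloud` block carried a `Strict-Transport-Security` header, an `X-Robots-Tag` header and a `header_up Host {upstream_hostport}` rewrite, and nothing in this diff re-adds them; unless the nextcloud module's `extraCaddyConfig` reinstates them, that host loses its HSTS policy and the upstream stops receiving the rewritten Host header. The per-service template in lib/module emits `reverse_proxy ${upstreamUrl}` as a bare directive with `extraCaddyConfig` placed after it, so a `header_up` inside the `reverse_proxy` sub-block presumably cannot be expressed through that option at all — that likely needs a dedicated option or a sub-block hook. The `@homeassistant` entry proxied to a different host (`nuc-nixos.local:8123`) and likewise has no visible replacement. The `extraConfig` string this hunk trims opens before the hunk.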
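Review bot: The new volume binds the same host directory `${cfg.configDir}/tunarr` to a second container path, `/root/.local/share/tunarr`, alongside the existing `/config/tunarr` mount, with no comment explaining why both are needed. If the image reads and writes the same files through both paths this is harmless aliasing; if it keeps different state under each, both trees end up interleaved in one host directory. A one-line comment would settle it, e.g. `# tunarr also writes state under /root/.local/share/tunarr; alias it to the config dir — TODO confirm which path the image actually uses.` The `volumes` list belongs to a container definition that starts before the hunk.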
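Review bot: Port `5432` is added to what looks like a host-wide allowed-ports list, which exposes PostgreSQL on every interface the firewall covers rather than only to the client that needs it. Unless network-wide access is intended, scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts` for the one interface the client sits on, and keep the server's `listen_addresses` and `pg_hba.conf` equally narrow so the firewall is not the only control. The trailing `# postgresql` matches the list's style, but naming the consumer as the neighbouring `# elasticsearch / attic` entry does would help, e.g. `5432 # postgresql (<client host> — TODO)`. The option this list belongs to is defined before the hunk.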