upd
This commit is contained in:
mjallen18
@@ -20,7 +20,7 @@ let
|
||||
# Setup the native NixOS Nextcloud service
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud32;
|
||||
package = pkgs.nextcloud33;
|
||||
hostName = "cloud.mjallen.dev";
|
||||
home = "${cfg.configDir}/nextcloud";
|
||||
datadir = "${cfg.dataDir}/nextcloud";
|
||||
|
||||
@@ -70,300 +70,300 @@ in
|
||||
allowedUDPPorts = forwardPorts;
|
||||
};
|
||||
|
||||
services.traefik = {
|
||||
enable = true;
|
||||
dataDir = "${configDir}/traefik";
|
||||
group = "jallen-nas"; # group;
|
||||
environmentFiles = [ config.sops.templates."traefik.env".path ];
|
||||
# services.traefik = {
|
||||
# enable = true;
|
||||
# dataDir = "${configDir}/traefik";
|
||||
# group = "jallen-nas"; # group;
|
||||
# environmentFiles = [ config.sops.templates."traefik.env".path ];
|
||||
|
||||
static = {
|
||||
# dir = "${configDir}/traefik";
|
||||
settings = {
|
||||
entryPoints = {
|
||||
web = {
|
||||
address = ":${toString httpPort}";
|
||||
asDefault = true;
|
||||
http.redirections.entrypoint = {
|
||||
to = "websecure";
|
||||
scheme = "https";
|
||||
};
|
||||
};
|
||||
# static = {
|
||||
# # dir = "${configDir}/traefik";
|
||||
# settings = {
|
||||
# entryPoints = {
|
||||
# web = {
|
||||
# address = ":${toString httpPort}";
|
||||
# asDefault = true;
|
||||
# http.redirections.entrypoint = {
|
||||
# to = "websecure";
|
||||
# scheme = "https";
|
||||
# };
|
||||
# };
|
||||
|
||||
websecure = {
|
||||
address = ":${toString httpsPort}";
|
||||
asDefault = true;
|
||||
http.tls.certResolver = "letsencrypt";
|
||||
};
|
||||
# websecure = {
|
||||
# address = ":${toString httpsPort}";
|
||||
# asDefault = true;
|
||||
# http.tls.certResolver = "letsencrypt";
|
||||
# };
|
||||
|
||||
metrics = {
|
||||
address = ":${toString metricsPort}"; # Port for metrics
|
||||
};
|
||||
};
|
||||
# metrics = {
|
||||
# address = ":${toString metricsPort}"; # Port for metrics
|
||||
# };
|
||||
# };
|
||||
|
||||
log = {
|
||||
level = "INFO";
|
||||
};
|
||||
# log = {
|
||||
# level = "INFO";
|
||||
# };
|
||||
|
||||
metrics = {
|
||||
prometheus = {
|
||||
entryPoint = "metrics";
|
||||
addEntryPointsLabels = true;
|
||||
addServicesLabels = true;
|
||||
buckets = [
|
||||
0.1
|
||||
0.3
|
||||
1.2
|
||||
5.0
|
||||
]; # Response time buckets
|
||||
};
|
||||
};
|
||||
# metrics = {
|
||||
# prometheus = {
|
||||
# entryPoint = "metrics";
|
||||
# addEntryPointsLabels = true;
|
||||
# addServicesLabels = true;
|
||||
# buckets = [
|
||||
# 0.1
|
||||
# 0.3
|
||||
# 1.2
|
||||
# 5.0
|
||||
# ]; # Response time buckets
|
||||
# };
|
||||
# };
|
||||
|
||||
certificatesResolvers.letsencrypt.acme = {
|
||||
email = letsEncryptEmail;
|
||||
storage = "${config.services.traefik.dataDir}/acme.json";
|
||||
dnsChallenge = {
|
||||
provider = "cloudflare";
|
||||
resolvers = [
|
||||
"1.1.1.1:53"
|
||||
"8.8.8.8:53"
|
||||
];
|
||||
};
|
||||
};
|
||||
# certificatesResolvers.letsencrypt.acme = {
|
||||
# email = letsEncryptEmail;
|
||||
# storage = "${config.services.traefik.dataDir}/acme.json";
|
||||
# dnsChallenge = {
|
||||
# provider = "cloudflare";
|
||||
# resolvers = [
|
||||
# "1.1.1.1:53"
|
||||
# "8.8.8.8:53"
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
# Access the Traefik dashboard on <Traefik IP>:8080
|
||||
api = {
|
||||
dashboard = true;
|
||||
insecure = true;
|
||||
};
|
||||
# # Access the Traefik dashboard on <Traefik IP>:8080
|
||||
# api = {
|
||||
# dashboard = true;
|
||||
# insecure = true;
|
||||
# };
|
||||
|
||||
experimental = {
|
||||
plugins = traefikPlugins;
|
||||
};
|
||||
};
|
||||
};
|
||||
# experimental = {
|
||||
# plugins = traefikPlugins;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
dynamic = {
|
||||
dir = "/run/traefik";
|
||||
files = {
|
||||
"serversTransports".settings.http = {
|
||||
serversTransports = {
|
||||
internal-https = {
|
||||
insecureSkipVerify = true;
|
||||
};
|
||||
http1 = {
|
||||
serverName = "localhost";
|
||||
disableHTTP2 = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
# dynamic = {
|
||||
# dir = "/run/traefik";
|
||||
# files = {
|
||||
# "serversTransports".settings.http = {
|
||||
# serversTransports = {
|
||||
# internal-https = {
|
||||
# insecureSkipVerify = true;
|
||||
# };
|
||||
# http1 = {
|
||||
# serverName = "localhost";
|
||||
# disableHTTP2 = true;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"middlewares-authentik".settings.http = {
|
||||
middlewares = {
|
||||
authentik = {
|
||||
forwardAuth = {
|
||||
tls.insecureSkipVerify = true;
|
||||
address = "${authUrl}/auth/traefik";
|
||||
trustForwardHeader = true;
|
||||
authResponseHeaders = [
|
||||
"X-authentik-username"
|
||||
"X-authentik-groups"
|
||||
"X-authentik-email"
|
||||
"X-authentik-name"
|
||||
"X-authentik-uid"
|
||||
"X-authentik-jwt"
|
||||
"X-authentik-meta-jwks"
|
||||
"X-authentik-meta-outpost"
|
||||
"X-authentik-meta-provider"
|
||||
"X-authentik-meta-app"
|
||||
"X-authentik-meta-version"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# "middlewares-authentik".settings.http = {
|
||||
# middlewares = {
|
||||
# authentik = {
|
||||
# forwardAuth = {
|
||||
# tls.insecureSkipVerify = true;
|
||||
# address = "${authUrl}/auth/traefik";
|
||||
# trustForwardHeader = true;
|
||||
# authResponseHeaders = [
|
||||
# "X-authentik-username"
|
||||
# "X-authentik-groups"
|
||||
# "X-authentik-email"
|
||||
# "X-authentik-name"
|
||||
# "X-authentik-uid"
|
||||
# "X-authentik-jwt"
|
||||
# "X-authentik-meta-jwks"
|
||||
# "X-authentik-meta-outpost"
|
||||
# "X-authentik-meta-provider"
|
||||
# "X-authentik-meta-app"
|
||||
# "X-authentik-meta-version"
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"middlewares-crowdsec".settings.http = {
|
||||
middlewares = {
|
||||
crowdsec = {
|
||||
plugin = {
|
||||
bouncer = {
|
||||
enabled = true;
|
||||
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec/lapi-key".path;
|
||||
crowdsecLapiScheme = "http";
|
||||
crowdsecLapiHost = "localhost:8181";
|
||||
crowdsecLapiPath = "/";
|
||||
crowdsecLapiTLSInsecureVerify = false;
|
||||
crowdsecCapiMachineIdFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-machine-id".path;
|
||||
crowdsecCapiPasswordFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-password".path;
|
||||
crowdsecCapiScenarios = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# "middlewares-crowdsec".settings.http = {
|
||||
# middlewares = {
|
||||
# crowdsec = {
|
||||
# plugin = {
|
||||
# bouncer = {
|
||||
# enabled = true;
|
||||
# crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec/lapi-key".path;
|
||||
# crowdsecLapiScheme = "http";
|
||||
# crowdsecLapiHost = "localhost:8181";
|
||||
# crowdsecLapiPath = "/";
|
||||
# crowdsecLapiTLSInsecureVerify = false;
|
||||
# crowdsecCapiMachineIdFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-machine-id".path;
|
||||
# crowdsecCapiPasswordFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-password".path;
|
||||
# crowdsecCapiScenarios = [ ];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"middlewares-geoblock".settings.http = {
|
||||
middlewares = {
|
||||
whitelist-geoblock = {
|
||||
plugin = {
|
||||
geoblock = {
|
||||
silentStartUp = false;
|
||||
allowLocalRequests = true;
|
||||
logLocalRequests = false;
|
||||
logAllowedRequests = false;
|
||||
logApiRequests = false;
|
||||
api = "https://get.geojs.io/v1/ip/country/{ip}";
|
||||
apiTimeoutMs = 500;
|
||||
cacheSize = 25;
|
||||
forceMonthlyUpdate = true;
|
||||
allowUnknownCountries = false;
|
||||
unknownCountryApiResponse = "nil";
|
||||
blackListMode = false;
|
||||
countries = [
|
||||
"CA"
|
||||
"US"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# "middlewares-geoblock".settings.http = {
|
||||
# middlewares = {
|
||||
# whitelist-geoblock = {
|
||||
# plugin = {
|
||||
# geoblock = {
|
||||
# silentStartUp = false;
|
||||
# allowLocalRequests = true;
|
||||
# logLocalRequests = false;
|
||||
# logAllowedRequests = false;
|
||||
# logApiRequests = false;
|
||||
# api = "https://get.geojs.io/v1/ip/country/{ip}";
|
||||
# apiTimeoutMs = 500;
|
||||
# cacheSize = 25;
|
||||
# forceMonthlyUpdate = true;
|
||||
# allowUnknownCountries = false;
|
||||
# unknownCountryApiResponse = "nil";
|
||||
# blackListMode = false;
|
||||
# countries = [
|
||||
# "CA"
|
||||
# "US"
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"middlewares-ipallowlist".settings.http = {
|
||||
middlewares = {
|
||||
internal-ipallowlist = {
|
||||
ipAllowList = {
|
||||
sourceRange = [
|
||||
"127.0.0.1/32"
|
||||
"10.0.1.0/24"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# "middlewares-ipallowlist".settings.http = {
|
||||
# middlewares = {
|
||||
# internal-ipallowlist = {
|
||||
# ipAllowList = {
|
||||
# sourceRange = [
|
||||
# "127.0.0.1/32"
|
||||
# "10.0.1.0/24"
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"services-auth".settings.http = {
|
||||
services = {
|
||||
auth.loadBalancer.servers = [
|
||||
{
|
||||
url = authUrl;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
# "services-auth".settings.http = {
|
||||
# services = {
|
||||
# auth.loadBalancer.servers = [
|
||||
# {
|
||||
# url = authUrl;
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
"services-cache".settings.http = {
|
||||
services = {
|
||||
cache.loadBalancer = {
|
||||
servers = [
|
||||
{
|
||||
url = cacheUrl;
|
||||
}
|
||||
];
|
||||
serversTransport = "http1";
|
||||
};
|
||||
};
|
||||
};
|
||||
# "services-cache".settings.http = {
|
||||
# services = {
|
||||
# cache.loadBalancer = {
|
||||
# servers = [
|
||||
# {
|
||||
# url = cacheUrl;
|
||||
# }
|
||||
# ];
|
||||
# serversTransport = "http1";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"services-nginx".settings.http = {
|
||||
services = {
|
||||
nginx.loadBalancer.servers = [
|
||||
{
|
||||
url = "http://localhost:8188";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
# "services-nginx".settings.http = {
|
||||
# services = {
|
||||
# nginx.loadBalancer.servers = [
|
||||
# {
|
||||
# url = "http://localhost:8188";
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
"services-generated".settings.http = reverseProxyServiceConfigs;
|
||||
# "services-generated".settings.http = reverseProxyServiceConfigs;
|
||||
|
||||
"routers-auth".settings.http = {
|
||||
routers = {
|
||||
auth = {
|
||||
entryPoints = [ "websecure" ];
|
||||
rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
|
||||
service = "auth";
|
||||
middlewares = [
|
||||
"crowdsec"
|
||||
"whitelist-geoblock"
|
||||
];
|
||||
priority = 15;
|
||||
tls.certResolver = "letsencrypt";
|
||||
};
|
||||
};
|
||||
};
|
||||
# "routers-auth".settings.http = {
|
||||
# routers = {
|
||||
# auth = {
|
||||
# entryPoints = [ "websecure" ];
|
||||
# rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
|
||||
# service = "auth";
|
||||
# middlewares = [
|
||||
# "crowdsec"
|
||||
# "whitelist-geoblock"
|
||||
# ];
|
||||
# priority = 15;
|
||||
# tls.certResolver = "letsencrypt";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"routers-matrix2".settings.http = {
|
||||
routers = {
|
||||
matrix2 = {
|
||||
entryPoints = [ "websecure" ];
|
||||
rule = "Host(`matrix.mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
|
||||
service = "nginx";
|
||||
middlewares = [
|
||||
"crowdsec"
|
||||
"whitelist-geoblock"
|
||||
];
|
||||
priority = 1;
|
||||
tls.certResolver = "letsencrypt";
|
||||
};
|
||||
};
|
||||
};
|
||||
# "routers-matrix2".settings.http = {
|
||||
# routers = {
|
||||
# matrix2 = {
|
||||
# entryPoints = [ "websecure" ];
|
||||
# rule = "Host(`matrix.mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
|
||||
# service = "nginx";
|
||||
# middlewares = [
|
||||
# "crowdsec"
|
||||
# "whitelist-geoblock"
|
||||
# ];
|
||||
# priority = 1;
|
||||
# tls.certResolver = "letsencrypt";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"routers-matrix3".settings.http = {
|
||||
routers = {
|
||||
matrix3 = {
|
||||
entryPoints = [ "websecure" ];
|
||||
rule = "Host(`mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
|
||||
service = "nginx";
|
||||
middlewares = [
|
||||
"crowdsec"
|
||||
"whitelist-geoblock"
|
||||
];
|
||||
priority = 1;
|
||||
tls.certResolver = "letsencrypt";
|
||||
};
|
||||
};
|
||||
};
|
||||
# "routers-matrix3".settings.http = {
|
||||
# routers = {
|
||||
# matrix3 = {
|
||||
# entryPoints = [ "websecure" ];
|
||||
# rule = "Host(`mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
|
||||
# service = "nginx";
|
||||
# middlewares = [
|
||||
# "crowdsec"
|
||||
# "whitelist-geoblock"
|
||||
# ];
|
||||
# priority = 1;
|
||||
# tls.certResolver = "letsencrypt";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"routers-cache".settings.http = {
|
||||
routers = {
|
||||
cache = {
|
||||
entryPoints = [ "websecure" ];
|
||||
rule = "Host(`cache.${domain}`)";
|
||||
service = "cache";
|
||||
middlewares = [ ];
|
||||
priority = 10;
|
||||
tls.certResolver = "letsencrypt";
|
||||
};
|
||||
};
|
||||
};
|
||||
# "routers-cache".settings.http = {
|
||||
# routers = {
|
||||
# cache = {
|
||||
# entryPoints = [ "websecure" ];
|
||||
# rule = "Host(`cache.${domain}`)";
|
||||
# service = "cache";
|
||||
# middlewares = [ ];
|
||||
# priority = 10;
|
||||
# tls.certResolver = "letsencrypt";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
"home-assistant".settings.http = {
|
||||
services = {
|
||||
hass.loadBalancer.servers = [
|
||||
{
|
||||
url = hassUrl;
|
||||
}
|
||||
];
|
||||
};
|
||||
routers = {
|
||||
hass = {
|
||||
entryPoints = [ "websecure" ];
|
||||
rule = "Host(`hass.${domain}`)";
|
||||
service = "hass";
|
||||
middlewares = [
|
||||
"crowdsec"
|
||||
"whitelist-geoblock"
|
||||
# "authentik"
|
||||
];
|
||||
priority = 10;
|
||||
tls.certResolver = "letsencrypt";
|
||||
};
|
||||
};
|
||||
};
|
||||
"routers-generated".settings.http = reverseProxyRouterConfigs;
|
||||
};
|
||||
};
|
||||
};
|
||||
# "home-assistant".settings.http = {
|
||||
# services = {
|
||||
# hass.loadBalancer.servers = [
|
||||
# {
|
||||
# url = hassUrl;
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
# routers = {
|
||||
# hass = {
|
||||
# entryPoints = [ "websecure" ];
|
||||
# rule = "Host(`hass.${domain}`)";
|
||||
# service = "hass";
|
||||
# middlewares = [
|
||||
# "crowdsec"
|
||||
# "whitelist-geoblock"
|
||||
# # "authentik"
|
||||
# ];
|
||||
# priority = 10;
|
||||
# tls.certResolver = "letsencrypt";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# "routers-generated".settings.http = reverseProxyRouterConfigs;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
};
|
||||
}
|
||||
|
||||
@@ -29,7 +29,6 @@ let
|
||||
services.wyoming = {
|
||||
faster-whisper.servers.hass-whisper = {
|
||||
enable = true;
|
||||
useTransformers = false;
|
||||
device = lib.mkForce "auto";
|
||||
language = "en";
|
||||
model = "distil-large-v3";
|
||||
|
||||
Reference in New Issue
Block a user