mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: mjallen:87fb1c96e57747c235974239eff9a6d6b195a29a
Branches Tags
mjallen:main mjallen:stylix mjallen:bcfs mjallen:snowfall mjallen:macbook-hyprland
..
compare: mjallen:4d4808490b8c5d0819b7f76df5abc74cd9d4a490
Branches Tags
mjallen:main mjallen:stylix mjallen:bcfs mjallen:snowfall mjallen:macbook-hyprland

2 Commits
87fb1c96e5 ... 4d4808490b

Author SHA1 Message Date
mjallen18
4d4808490b fix traefik stuff 2026-02-04 20:02:32 -06:00
mjallen18
1f99318fcd stuffs like bruh wtf 2026-02-04 19:40:00 -06:00
6 changed files with 155 additions and 212 deletions
Expand all files Collapse all files

8
lib/module/default.nix
View File

@@ -154,7 +154,7 @@ rec {
mkOpt (types.attrsOf types.str) { }
"Extra environment variables for code-server";
reverseProxy = mkReverseProxyOpt;
reverseProxy = mkReverseProxyOpt name;
}
// options;
};
@@ -221,12 +221,12 @@ rec {
mkBoolOpt' = mkOpt' types.bool;
mkReverseProxyOpt = {
mkReverseProxyOpt = name: {
enable = mkBoolOpt false "Enable reverse proxy support";
subdomain = mkOpt types.str "" "subdomain of the service";
subdomain = mkOpt types.str name "subdomain of the service";
middlewares = mkOpt (types.listOf types.str) [ ] "List of middlewares to use";
middlewares = mkOpt (types.listOf types.str) [ "crowdsec" "whitelist-geoblock" ] "List of middlewares to use";
};
# Standard enable/disable patterns

128
modules/nixos/services/caddy/default.nix Normal file
View File

@@ -0,0 +1,128 @@
{
config,
lib,
pkgs,
namespace,
...
}:
with lib;
let
name = "caddy";
cfg = config.${namespace}.services.${name};
caddyPackage = pkgs.caddy.withPlugins {
plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ];
hash = "sha256-dnhEjopeA0UiI+XVYHYpsjcEI6Y1Hacbi28hVKYQURg=";
};
caddy = lib.${namespace}.mkModule {
inherit config name;
description = "caddy Service";
options = { };
moduleConfig = {
sops = {
secrets = {
"jallen-nas/traefik/crowdsec/lapi-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
"jallen-nas/traefik/crowdsec/capi-machine-id" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
"jallen-nas/traefik/crowdsec/capi-password" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
"jallen-nas/traefik/cloudflare-dns-api-token" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
"jallen-nas/traefik/cloudflare-zone-api-token" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
"jallen-nas/traefik/cloudflare-api-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
"jallen-nas/traefik/cloudflare-email" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
};
templates = {
"caddy.env" = {
content = ''
CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
'';
owner = config.users.users.caddy.name;
group = config.users.users.caddy.group;
restartUnits = [ "caddy.service" ];
};
};
};
services.caddy = {
enable = true;
package = caddyPackage;
environmentFile = config.sops.templates."caddy.env".path;
email = "jalle008@proton.me";
enableReload = false;
dataDir = "${cfg.configDir}/caddy";
globalConfig = ''
metrics
http_port 80
https_port 443
default_bind 0.0.0.0
''; # b710da1b0182eadcb1e569408de778f9f3c50
virtualHosts = {
"*.mjallen.dev" = {
extraConfig = ''
tls {
dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
}
@gitea host gitea.mjallen.dev
handle @gitea {
reverse_proxy http://10.0.1.3:3000
}
@jellyfin host jellyfin.mjallen.dev
handle @jellyfin {
reverse_proxy http://10.0.1.3:8096
}
@homeassistant host hass.mjallen.dev
handle @homeassistant {
reverse_proxy http://10.0.1.4:8123
}
'';
};
};
};
};
};
in
{
imports = [ caddy ];
}

206
modules/nixos/services/traefik/default.nix
View File

@@ -28,9 +28,16 @@ let
let
makeRouter =
router:
let
hostRule =
if router.subdomain == "" then
"Host(`${domain}`)"
else
"Host(`${router.subdomain}.${domain}`)";
in
nameValuePair router.subdomain {
entryPoints = router.entryPoints;
rule = "Host(`${router.subdomain}.${domain}`)";
rule = hostRule;
service = router.service;
middlewares = router.middlewares ++ [
"crowdsec"
@@ -60,19 +67,9 @@ let
# Forward services
authUrl = "http://${serverIp}:9000/outpost.goauthentik.io";
authentikUrl = "http://${serverIp}:9000";
cacheUrl = "http://${serverIp}:9012";
cloudUrl = "http:/10.0.1.3:9200";
# cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
hassUrl = "http://10.0.1.4:8123";
immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
jellyfinUrl = "http://${serverIp}:8096";
jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}";
lubeloggerUrl = "http://${serverIp}:6754";
# onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
onlyofficeUrl = "http://10.0.1.3:9980";
openWebUIUrl = "http://${serverIp}:8888";
paperlessUrl = "http://${serverIp}:${toString config.services.paperless.port}";
# Plugins
traefikPlugins = {
@@ -260,17 +257,6 @@ in
# };
http = {
serversTransports = {
internal-https = {
insecureSkipVerify = true;
};
attich1 = {
serverName = "localhost";
disableHTTP2 = true;
};
};
middlewares = {
authentik = {
forwardAuth = {
@@ -382,88 +368,18 @@ in
url = authUrl;
}
];
gitea.loadBalancer.servers = [
{
url = "http://10.0.1.3:3000";
}
];
actual.loadBalancer.servers = [
{
url = "http://10.0.1.3:3333";
}
];
matrix.loadBalancer.servers = [
{
url = "http://10.0.1.3:8448";
}
];
authentik.loadBalancer.servers = [
{
url = authentikUrl;
}
];
cache.loadBalancer = {
servers = [
{
url = cacheUrl;
}
];
serversTransport = "attich1";
};
chat.loadBalancer.servers = [
{
url = openWebUIUrl;
}
];
cloud.loadBalancer = {
servers = [
{
url = cloudUrl;
}
];
};
hass.loadBalancer.servers = [
{
url = hassUrl;
}
];
immich.loadBalancer.servers = [
{
url = immichUrl;
}
];
jellyfin.loadBalancer.servers = [
{
url = jellyfinUrl;
}
];
jellyseerr.loadBalancer.servers = [
{
url = jellyseerrUrl;
}
];
lubelogger.loadBalancer.servers = [
{
url = lubeloggerUrl;
}
];
onlyoffice.loadBalancer = {
servers = [
{
url = onlyofficeUrl;
}
];
passHostHeader = true;
};
paperless.loadBalancer.servers = [
{
url = paperlessUrl;
}
];
}
// extraServiceConfigs
// reverseProxyServiceConfigs;
@@ -481,49 +397,6 @@ in
tls.certResolver = "letsencrypt";
};
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
actual = {
entryPoints = [ "websecure" ];
rule = "Host(`actual.${domain}`)";
service = "actual";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
matrix = {
entryPoints = [ "websecure" ];
rule = "Host(`matrix.${domain}`)";
service = "matrix";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
authentik = {
entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)";
service = "authentik";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
cache = {
entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)";
@@ -532,16 +405,7 @@ in
priority = 10;
tls.certResolver = "letsencrypt";
};
cloud = {
entryPoints = [ "websecure" ];
rule = "Host(`cloud.${domain}`)";
service = "cloud";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
hass = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)";
@@ -554,58 +418,6 @@ in
priority = 10;
tls.certResolver = "letsencrypt";
};
immich = {
entryPoints = [ "websecure" ];
rule = "Host(`immich.${domain}`)";
service = "immich";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
jellyfin = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
jellyseerr = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
lubelogger = {
entryPoints = [ "websecure" ];
rule = "Host(`lubelogger.${domain}`)";
service = "lubelogger";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
onlyoffice = {
entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)";
service = "onlyoffice";
middlewares = [
"crowdsec"
"whitelist-geoblock"
# "onlyoffice-headers"
"collabora-headers"
];
tls.certResolver = "letsencrypt";
};
}
// extraRouterConfigs
// reverseProxyRouterConfigs;

22
systems/x86_64-linux/jallen-nas/apps.nix
View File

@@ -14,14 +14,7 @@ in
enable = true;
port = 3333;
createUser = true;
reverseProxy = {
enable = true;
subdomain = "actual";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
};
reverseProxy = enabled;
};
ai = enabled;
arrs = {
@@ -38,6 +31,7 @@ in
enable = false;
configureDb = true;
port = 9000;
reverseProxy = enabled;
environmentFile = "/run/secrets/jallen-nas/authentik-env";
redis = {
enable = true;
@@ -49,6 +43,7 @@ in
port = 4822;
# environmentFile = "/run/secrets/jallen-nas/authentik-env"; # TODO
};
caddy = disabled;
calibre = {
enable = false;
port = 8084;
@@ -88,6 +83,7 @@ in
gitea = {
enable = true;
port = 3000;
reverseProxy = enabled;
};
glance = {
enable = true;
@@ -106,19 +102,23 @@ in
immich = {
enable = true;
port = 2283;
reverseProxy = enabled;
};
jellyfin = {
enable = true;
port = 8096;
reverseProxy = enabled;
};
jellyseerr = {
enable = true;
port = 5055;
createUser = true;
reverseProxy = enabled;
};
lubelogger = {
enable = true;
port = 6754;
reverseProxy = enabled;
};
manyfold = {
enable = true;
@@ -127,7 +127,7 @@ in
matrix = {
enable = false;
port = 8448;
reverseProxy.enable = true;
reverseProxy = enabled;
};
minecraft = disabled;
mongodb = disabled;
@@ -143,7 +143,7 @@ in
enable = true;
port = 2586;
createUser = true;
reverseProxy.enable = true;
reverseProxy = enabled;
};
ocis = disabled;
onlyoffice = {
@@ -153,7 +153,7 @@ in
opencloud = {
enable = false;
port = 9200;
reverseProxy.enable = true;
reverseProxy.enable = false;
};
orca-slicer = {
enable = false;

2
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -143,6 +143,8 @@ in
allowPing = true;
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [
80
443
8008 # restic
9000 # authentik
2342 # grafana

1
systems/x86_64-linux/jallen-nas/vpn.nix
View File

@@ -110,6 +110,7 @@
openvpn = {
servers = {
"us.protonvpn.udp" = lib.mkForce {
autoStart = false;
authUserPass = config.sops.templates."protonvpn".path;
updateResolvConf = lib.mkForce true;
config = ''