feat(servers): only expose public apps to WAN

This commit is contained in:
matt1432 2024-08-11 14:53:45 -04:00
parent a2978995a3
commit c14a7906c8
11 changed files with 142 additions and 149 deletions


@ -4,7 +4,7 @@
config,
...
}: let
inherit (config.vars) mainUser;
inherit (config.vars) hostName mainUser;
inherit (config.sops) secrets;
caddy = caddy-plugins.packages.${pkgs.system}.default;
@ -33,35 +33,68 @@ in {
clusterIP = config.services.pcsd.virtualIps.caddy-vip.ip;
nosIP = "10.0.0.121";
serviviIP = "10.0.0.249";
tlsConf = ''
tls {
dns cloudflare {$CLOUDFLARE_API_TOKEN}
resolvers 1.0.0.1
}
'';
mkPublicReverseProxy = subdomain: ip: extraConf:
{
hostName = "${subdomain}.nelim.org";
reverseProxy = ip;
listenAddresses = [clusterIP];
extraConfig = tlsConf + (extraConf.extraConfig or "");
}
// (builtins.removeAttrs extraConf ["extraConfig"]);
in {
# Public
"Vaultwarden" = mkPublicReverseProxy "vault" "${nosIP}:8781" {};
"Hauk" = mkPublicReverseProxy "hauk" "${nosIP}:3003" {};
"Headscale" = mkPublicReverseProxy "headscale" "${clusterIP}:8085" {};
"Jellyfin" = mkPublicReverseProxy "jelly" "${nosIP}:8096" {
subDirectories.jfa-go = {
subDirName = "accounts";
reverseProxy = "${nosIP}:8056";
};
};
"Jellyseer" = mkPublicReverseProxy "seerr" "${nosIP}:5055" {};
"Gameyfin" = mkPublicReverseProxy "games" "${nosIP}:8074" {};
"Forgejo" = mkPublicReverseProxy "git" "${nosIP}:3000" {};
"Nextcloud" = mkPublicReverseProxy "cloud" "${nosIP}:8042" {
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
'';
};
"OnlyOffice" = mkPublicReverseProxy "office" "http://${nosIP}:8055" {};
"Immich" = mkPublicReverseProxy "photos" "${nosIP}:2283" {};
# Private
"nelim.org" = {
serverAliases = ["*.nelim.org"];
extraConfig = ''
tls {
dns cloudflare {$CLOUDFLARE_API_TOKEN}
resolvers 1.0.0.1
}
'';
extraConfig = tlsConf;
listenAddresses = [
(
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9"
)
];
subDomains = {
# Misc one-liners
vault.reverseProxy = "${nosIP}:8781";
hauk.reverseProxy = "${nosIP}:3003";
headscale.reverseProxy = "${clusterIP}:8085";
pr-tracker.reverseProxy = "${serviviIP}:3000";
jellyfin = {
subDomainName = "jelly";
reverseProxy = "${nosIP}:8096";
subDirectories = {
jfa-go = {
subDirName = "accounts";
reverseProxy = "${nosIP}:8056";
};
};
};
pcsd = {
extraConfig = ''
reverse_proxy https://${clusterIP}:2224 {
@ -72,42 +105,14 @@ in {
'';
};
# Resume builder
resume.reverseProxy = "${nosIP}:3060";
resauth.reverseProxy = "${nosIP}:3100";
# Nextcloud & Co
office.reverseProxy = "http://${nosIP}:8055";
nextcloud = {
subDomainName = "cloud";
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
'';
reverseProxy = "${nosIP}:8042";
};
forgejo = {
subDomainName = "git";
reverseProxy = "${nosIP}:3000";
};
nix-binary-cache = {
subDomainName = "cache";
reverseProxy = "${serviviIP}:5000";
};
calibre = {
subDomainName = "books";
reverseProxy = "${nosIP}:8083";
};
immich = {
subDomainName = "photos";
reverseProxy = "${nosIP}:2283";
};
# Resume builder
resume.reverseProxy = "${nosIP}:3060";
resauth.reverseProxy = "${nosIP}:3100";
# FreshRSS & Co
bridge.reverseProxy = "${nosIP}:3006";
@ -117,16 +122,6 @@ in {
reverseProxy = "${nosIP}:2800";
};
jellyseer = {
subDomainName = "seerr";
reverseProxy = "${nosIP}:5055";
};
gameyfin = {
subDomainName = "games";
reverseProxy = "${nosIP}:8074";
};
wgui.reverseProxy = "${nosIP}:51821";
lan = {
@ -137,12 +132,10 @@ in {
subDirectories = {
bazarr.reverseProxy = "${nosIP}:6767";
prowlarr.reverseProxy = "${nosIP}:9696";
radarr.reverseProxy = "${nosIP}:7878";
sabnzbd.reverseProxy = "${nosIP}:8382";
sonarr.reverseProxy = "${nosIP}:8989";
calibre.reverseProxy = "${nosIP}:8580";
qbittorent = {
subDirName = "qbt";


@ -1,5 +1,24 @@
{config, ...}: let
{
config,
lib,
...
}: let
inherit (lib) foldl isList mapAttrsToList mergeAttrsWithFunc remove unique;
mergeAttrsList = list:
foldl (mergeAttrsWithFunc (a: b:
if isList a && isList b
then unique (a ++ b)
else b)) {}
list;
inherit (config.vars) mainUser hostName;
wanIP = "166.62.180.199";
serviviIP = "100.64.0.7";
caddyIp =
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9";
in {
# https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602
boot.kernel.sysctl."net.core.rmem_max" = 1048576;
@ -12,70 +31,62 @@ in {
resolveLocalQueries = false;
settings = {
server = {
interface = ["127.0.0.1"];
port = 5335;
server = let
mkLocalEntry = domain: ip: {
local-zone = ["${domain} redirect"];
local-data = ["\"${domain} IN A ${ip}\""];
};
# Custom DNS
local-zone = [
"headscale.nelim.org redirect"
"git.nelim.org redirect"
"mc.nelim.org transparent"
"cv.nelim.org transparent"
"mc2.nelim.org transparent"
"ota.nelim.org redirect"
"nelim.org redirect"
];
local-data = let
wanIP = "166.62.180.199";
caddyIp =
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9";
in [
"\"headscale.nelim.org. IN A ${wanIP}\""
mkMinecraftEntry = domain: port: {
local-zone = ["${domain} transparent"];
local-data = [
"\"${domain} IN A ${serviviIP}\""
"\"_minecraft._tcp.${domain}. 180 IN SRV 0 0 ${toString port} ${domain}.\""
];
};
"\"git.nelim.org. IN A ${wanIP}\""
publicApps = remove "nelim.org" (mapAttrsToList (n: v: v.hostName) config.services.caddy.virtualHosts);
in
mergeAttrsList (
(map (x: mkLocalEntry x wanIP) publicApps)
++ [
(mkMinecraftEntry "mc.nelim.org" 25569)
(mkMinecraftEntry "mc2.nelim.org" 25560)
(mkMinecraftEntry "cv.nelim.org" 25566)
"\"mc.nelim.org IN A 100.64.0.7\""
"\"_minecraft._tcp.mc.nelim.org. 180 IN SRV 0 0 25569 mc.nelim.org.\""
(mkLocalEntry "nelim.org" caddyIp)
"\"cv.nelim.org IN A 100.64.0.7\""
"\"_minecraft._tcp.cv.nelim.org. 180 IN SRV 0 0 25566 cv.nelim.org.\""
{
interface = ["127.0.0.1"];
port = 5335;
"\"mc2.nelim.org IN A 100.64.0.7\""
"\"_minecraft._tcp.mc2.nelim.org. 180 IN SRV 0 0 25560 mc2.nelim.org.\""
do-ip4 = true;
do-ip6 = false;
prefer-ip6 = false;
do-udp = true;
do-tcp = true;
"\"ota.nelim.org. IN A 100.64.0.5\""
# Performance
prefetch = true;
num-threads = 1;
"\"nelim.org 0 A ${caddyIp}\""
];
private-address = [
"172.16.0.0/12"
"10.0.0.0/8"
"100.64.0.0/8"
"fd00::/8"
"fe80::/10"
];
do-ip4 = true;
do-ip6 = false;
prefer-ip6 = false;
do-udp = true;
do-tcp = true;
# Performance
prefetch = true;
num-threads = 1;
private-address = [
"172.16.0.0/12"
"10.0.0.0/8"
"100.64.0.0/8"
"fd00::/8"
"fe80::/10"
];
# Default stuff
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
so-rcvbuf = "1m";
};
# Default stuff
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
so-rcvbuf = "1m";
}
]
);
};
};
}
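Review bot: The `ota.nelim.org redirect` zone and its `A 100.64.0.5` record have no counterpart in the new local-zone/local-data set, so unless an `ota.nelim.org` virtualHost now exists in the Caddy config outside this diff, that name falls under the `nelim.org redirect` zone and resolves to caddyIp instead of 100.64.0.5; if the drop is intentional, a short comment saying so would save the next reader a bisect. `publicApps` treats every virtualHost other than "nelim.org" as public, which is the inverse of the property the commit title is about: a vhost later added for the Tailscale side would be handed the WAN IP by default, so deriving the list from the listen address is safer, e.g. `publicApps = mapAttrsToList (_: v: v.hostName) (filterAttrs (_: v: elem config.services.pcsd.virtualIps.caddy-vip.ip v.listenAddresses) config.services.caddy.virtualHosts);` (with `filterAttrs` and `elem` added to the `inherit (lib)` line). Either form also assumes every virtualHost sets hostName — presumably the module defaults it to the attribute name, but that is not visible here and is worth confirming. The hand-rolled `mergeAttrsList` over `mergeAttrsWithFunc` could be `zipAttrsWith` on the list of entries with the same list-union rule, which reads closer to its purpose.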


@ -17,10 +17,6 @@ in {
restart = "always";
ports = ["2800:80"];
extraHosts = [
"drss.nelim.org:10.0.0.130"
"bridge.nelim.org:10.0.0.130"
];
networks = ["proxy_net"];
volumes = let
@ -70,7 +66,7 @@ in {
};
};
"docker-hub-rss" = {
"drss.nelim.org" = {
image = import ./images/docker-hub-rss.nix pkgs;
restart = "always";
ports = ["3007:3000"];
@ -78,7 +74,7 @@ in {
networks = ["proxy_net"];
};
"rss-bridge" = {
"bridge.nelim.org" = {
image = import ./images/rss-bridge.nix pkgs;
restart = "always";


@ -95,74 +95,74 @@
{
"video automation" = [
{
qbit = rec {
qbit = {
href = "https://lan.nelim.org/qbt";
icon = "qbittorrent.png";
description = "torrent client";
widget = {
type = "qbittorrent";
url = href;
url = "http://10.0.0.121:8080";
username = "admin";
password = "{{HOMEPAGE_VAR_QBIT_PASS}}";
};
};
}
{
sabnzbd = rec {
sabnzbd = {
href = "https://lan.nelim.org/sabnzbd";
icon = "sabnzbd.png";
description = "nzb client";
widget = {
type = "sabnzbd";
url = href;
url = "http://10.0.0.121:8382";
key = "{{HOMEPAGE_VAR_SAB_API}}";
};
};
}
{
sonarr = rec {
sonarr = {
href = "https://lan.nelim.org/sonarr";
icon = "sonarr.png";
description = "fetches tv shows";
widget = {
type = "sonarr";
url = href;
url = "http://sonarr:8989";
key = "{{HOMEPAGE_VAR_SONARR_API}}";
};
};
}
{
radarr = rec {
radarr = {
href = "https://lan.nelim.org/radarr";
icon = "radarr.png";
description = "fetches movies";
widget = {
type = "radarr";
url = href;
url = "http://radarr:7878";
key = "{{HOMEPAGE_VAR_RADARR_API}}";
};
};
}
{
bazarr = rec {
bazarr = {
href = "https://lan.nelim.org/bazarr";
icon = "bazarr.png";
description = "fetches subs";
widget = {
type = "bazarr";
url = href;
url = "http://bazarr:6767/bazarr";
key = "{{HOMEPAGE_VAR_BAZARR_API}}";
};
};
}
{
prowlarr = rec {
prowlarr = {
href = "https://lan.nelim.org/prowlarr";
icon = "prowlarr.png";
description = "fetches tracker queries";
widget = {
type = "prowlarr";
url = href;
url = "http://prowlarr:9696";
key = "{{HOMEPAGE_VAR_PROWLARR_API}}";
};
};
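Review bot: The six widget URLs now mix two addressing schemes with no comment explaining why: qbit and sabnzbd go through the host IP and published port (`http://10.0.0.121:8080`, `http://10.0.0.121:8382`) while sonarr, radarr, bazarr and prowlarr use container names on what is presumably the shared proxy_net. If the reason is that the first two containers are not on that network, say so next to them, e.g. `# not on proxy_net: reach via host IP + published port`, so the next change does not "fix" them to match. These widgets now carry the API keys and the qbit password over plain HTTP inside the container network instead of through the TLS-terminated lan.nelim.org path that href still uses; that is acceptable as long as proxy_net stays private to these containers, but nothing here shows that constraint, so a one-line comment stating it is worth adding. Dropping `rec` is a good cleanup now that url no longer refers to href.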


@ -20,7 +20,6 @@ in {
TZ = "America/New_York";
};
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = [
"6767:6767"
];


@ -15,7 +15,6 @@ in {
restart = "always";
volumes = ["${rwPath}/data:/data"];
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["5656:5656"];
cmd = [


@ -22,7 +22,7 @@ in {
};
volumes = ["${rwPath}/data:/config"];
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["9696:9696"];
networks = ["proxy_net"];
};
@ -38,7 +38,6 @@ in {
TZ = "America/New_York";
};
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["8191:8191"];
dependsOn = ["prowlarr"];


@ -14,7 +14,6 @@ in {
image = import ./images/radarr.nix pkgs;
restart = "always";
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["7878:7878"];
environment = {


@ -14,7 +14,6 @@ in {
image = import ./images/sabnzbd.nix pkgs;
restart = "always";
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["8382:8082"];
environment = {


@ -23,7 +23,6 @@ in {
"${rwPath}/data:/app/config"
];
extraHosts = ["lan.nelim.org:10.0.0.130"];
networks = ["proxy_net"];
ports = ["5055:5055"];
};


@ -14,7 +14,6 @@ in {
image = import ./images/sonarr.nix pkgs;
restart = "always";
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["8989:8989"];
environment = {