feat(servers): only expose public apps to WAN

This commit is contained in:
matt1432 2024-08-11 14:53:45 -04:00
parent a2978995a3
commit c14a7906c8
11 changed files with 142 additions and 149 deletions


@ -4,7 +4,7 @@
config, config,
... ...
}: let }: let
inherit (config.vars) mainUser; inherit (config.vars) hostName mainUser;
inherit (config.sops) secrets; inherit (config.sops) secrets;
caddy = caddy-plugins.packages.${pkgs.system}.default; caddy = caddy-plugins.packages.${pkgs.system}.default;
@ -33,35 +33,68 @@ in {
clusterIP = config.services.pcsd.virtualIps.caddy-vip.ip; clusterIP = config.services.pcsd.virtualIps.caddy-vip.ip;
nosIP = "10.0.0.121"; nosIP = "10.0.0.121";
serviviIP = "10.0.0.249"; serviviIP = "10.0.0.249";
tlsConf = ''
tls {
dns cloudflare {$CLOUDFLARE_API_TOKEN}
resolvers 1.0.0.1
}
'';
mkPublicReverseProxy = subdomain: ip: extraConf:
{
hostName = "${subdomain}.nelim.org";
reverseProxy = ip;
listenAddresses = [clusterIP];
extraConfig = tlsConf + (extraConf.extraConfig or "");
}
// (builtins.removeAttrs extraConf ["extraConfig"]);
in { in {
# Public
"Vaultwarden" = mkPublicReverseProxy "vault" "${nosIP}:8781" {};
"Hauk" = mkPublicReverseProxy "hauk" "${nosIP}:3003" {};
"Headscale" = mkPublicReverseProxy "headscale" "${clusterIP}:8085" {};
"Jellyfin" = mkPublicReverseProxy "jelly" "${nosIP}:8096" {
subDirectories.jfa-go = {
subDirName = "accounts";
reverseProxy = "${nosIP}:8056";
};
};
"Jellyseer" = mkPublicReverseProxy "seerr" "${nosIP}:5055" {};
"Gameyfin" = mkPublicReverseProxy "games" "${nosIP}:8074" {};
"Forgejo" = mkPublicReverseProxy "git" "${nosIP}:3000" {};
"Nextcloud" = mkPublicReverseProxy "cloud" "${nosIP}:8042" {
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
'';
};
"OnlyOffice" = mkPublicReverseProxy "office" "http://${nosIP}:8055" {};
"Immich" = mkPublicReverseProxy "photos" "${nosIP}:2283" {};
# Private
"nelim.org" = { "nelim.org" = {
serverAliases = ["*.nelim.org"]; serverAliases = ["*.nelim.org"];
extraConfig = '' extraConfig = tlsConf;
tls { listenAddresses = [
dns cloudflare {$CLOUDFLARE_API_TOKEN} (
resolvers 1.0.0.1 if hostName == "thingone"
} then "100.64.0.8"
''; else "100.64.0.9"
)
];
subDomains = { subDomains = {
# Misc one-liners
vault.reverseProxy = "${nosIP}:8781";
hauk.reverseProxy = "${nosIP}:3003";
headscale.reverseProxy = "${clusterIP}:8085";
pr-tracker.reverseProxy = "${serviviIP}:3000"; pr-tracker.reverseProxy = "${serviviIP}:3000";
jellyfin = {
subDomainName = "jelly";
reverseProxy = "${nosIP}:8096";
subDirectories = {
jfa-go = {
subDirName = "accounts";
reverseProxy = "${nosIP}:8056";
};
};
};
pcsd = { pcsd = {
extraConfig = '' extraConfig = ''
reverse_proxy https://${clusterIP}:2224 { reverse_proxy https://${clusterIP}:2224 {
@ -72,42 +105,14 @@ in {
''; '';
}; };
# Resume builder
resume.reverseProxy = "${nosIP}:3060";
resauth.reverseProxy = "${nosIP}:3100";
# Nextcloud & Co
office.reverseProxy = "http://${nosIP}:8055";
nextcloud = {
subDomainName = "cloud";
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
'';
reverseProxy = "${nosIP}:8042";
};
forgejo = {
subDomainName = "git";
reverseProxy = "${nosIP}:3000";
};
nix-binary-cache = { nix-binary-cache = {
subDomainName = "cache"; subDomainName = "cache";
reverseProxy = "${serviviIP}:5000"; reverseProxy = "${serviviIP}:5000";
}; };
calibre = { # Resume builder
subDomainName = "books"; resume.reverseProxy = "${nosIP}:3060";
reverseProxy = "${nosIP}:8083"; resauth.reverseProxy = "${nosIP}:3100";
};
immich = {
subDomainName = "photos";
reverseProxy = "${nosIP}:2283";
};
# FreshRSS & Co # FreshRSS & Co
bridge.reverseProxy = "${nosIP}:3006"; bridge.reverseProxy = "${nosIP}:3006";
@ -117,16 +122,6 @@ in {
reverseProxy = "${nosIP}:2800"; reverseProxy = "${nosIP}:2800";
}; };
jellyseer = {
subDomainName = "seerr";
reverseProxy = "${nosIP}:5055";
};
gameyfin = {
subDomainName = "games";
reverseProxy = "${nosIP}:8074";
};
wgui.reverseProxy = "${nosIP}:51821"; wgui.reverseProxy = "${nosIP}:51821";
lan = { lan = {
@ -137,12 +132,10 @@ in {
subDirectories = { subDirectories = {
bazarr.reverseProxy = "${nosIP}:6767"; bazarr.reverseProxy = "${nosIP}:6767";
prowlarr.reverseProxy = "${nosIP}:9696"; prowlarr.reverseProxy = "${nosIP}:9696";
radarr.reverseProxy = "${nosIP}:7878"; radarr.reverseProxy = "${nosIP}:7878";
sabnzbd.reverseProxy = "${nosIP}:8382"; sabnzbd.reverseProxy = "${nosIP}:8382";
sonarr.reverseProxy = "${nosIP}:8989"; sonarr.reverseProxy = "${nosIP}:8989";
calibre.reverseProxy = "${nosIP}:8580";
qbittorent = { qbittorent = {
subDirName = "qbt"; subDirName = "qbt";
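Review bot: The `# Public` / `# Private` split introduced around `mkPublicReverseProxy` is also what the Unbound config relies on to decide which names resolve to the WAN address (it publishes every virtualHost except `nelim.org`), but nothing in this file records that dependency; a comment above the helper such as `# WAN-facing vhosts: bound only to the cluster VIP. Unbound's split-horizon publishes every vhost except "nelim.org" with the WAN IP, so do not add a private vhost at this level without updating that exclusion.` would keep the two files in step. `"OnlyOffice"` is also the only public entry whose upstream carries a scheme (`"http://${nosIP}:8055"`) while the others are bare host:port; if that backend needs it, a short comment saying why would help, otherwise dropping it would match the rest. The enclosing attribute set begins before the first hunk.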


@ -1,5 +1,24 @@
{config, ...}: let {
config,
lib,
...
}: let
inherit (lib) foldl isList mapAttrsToList mergeAttrsWithFunc remove unique;
mergeAttrsList = list:
foldl (mergeAttrsWithFunc (a: b:
if isList a && isList b
then unique (a ++ b)
else b)) {}
list;
inherit (config.vars) mainUser hostName; inherit (config.vars) mainUser hostName;
wanIP = "166.62.180.199";
serviviIP = "100.64.0.7";
caddyIp =
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9";
in { in {
# https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602 # https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602
boot.kernel.sysctl."net.core.rmem_max" = 1048576; boot.kernel.sysctl."net.core.rmem_max" = 1048576;
@ -12,70 +31,62 @@ in {
resolveLocalQueries = false; resolveLocalQueries = false;
settings = { settings = {
server = { server = let
interface = ["127.0.0.1"]; mkLocalEntry = domain: ip: {
port = 5335; local-zone = ["${domain} redirect"];
local-data = ["\"${domain} IN A ${ip}\""];
};
# Custom DNS mkMinecraftEntry = domain: port: {
local-zone = [ local-zone = ["${domain} transparent"];
"headscale.nelim.org redirect" local-data = [
"git.nelim.org redirect" "\"${domain} IN A ${serviviIP}\""
"mc.nelim.org transparent" "\"_minecraft._tcp.${domain}. 180 IN SRV 0 0 ${toString port} ${domain}.\""
"cv.nelim.org transparent" ];
"mc2.nelim.org transparent" };
"ota.nelim.org redirect"
"nelim.org redirect"
];
local-data = let
wanIP = "166.62.180.199";
caddyIp =
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9";
in [
"\"headscale.nelim.org. IN A ${wanIP}\""
"\"git.nelim.org. IN A ${wanIP}\"" publicApps = remove "nelim.org" (mapAttrsToList (n: v: v.hostName) config.services.caddy.virtualHosts);
in
mergeAttrsList (
(map (x: mkLocalEntry x wanIP) publicApps)
++ [
(mkMinecraftEntry "mc.nelim.org" 25569)
(mkMinecraftEntry "mc2.nelim.org" 25560)
(mkMinecraftEntry "cv.nelim.org" 25566)
"\"mc.nelim.org IN A 100.64.0.7\"" (mkLocalEntry "nelim.org" caddyIp)
"\"_minecraft._tcp.mc.nelim.org. 180 IN SRV 0 0 25569 mc.nelim.org.\""
"\"cv.nelim.org IN A 100.64.0.7\"" {
"\"_minecraft._tcp.cv.nelim.org. 180 IN SRV 0 0 25566 cv.nelim.org.\"" interface = ["127.0.0.1"];
port = 5335;
"\"mc2.nelim.org IN A 100.64.0.7\"" do-ip4 = true;
"\"_minecraft._tcp.mc2.nelim.org. 180 IN SRV 0 0 25560 mc2.nelim.org.\"" do-ip6 = false;
prefer-ip6 = false;
do-udp = true;
do-tcp = true;
"\"ota.nelim.org. IN A 100.64.0.5\"" # Performance
prefetch = true;
num-threads = 1;
"\"nelim.org 0 A ${caddyIp}\"" private-address = [
]; "172.16.0.0/12"
"10.0.0.0/8"
"100.64.0.0/8"
"fd00::/8"
"fe80::/10"
];
do-ip4 = true; # Default stuff
do-ip6 = false; harden-glue = true;
prefer-ip6 = false; harden-dnssec-stripped = true;
do-udp = true; use-caps-for-id = false;
do-tcp = true; edns-buffer-size = 1232;
so-rcvbuf = "1m";
# Performance }
prefetch = true; ]
num-threads = 1; );
private-address = [
"172.16.0.0/12"
"10.0.0.0/8"
"100.64.0.0/8"
"fd00::/8"
"fe80::/10"
];
# Default stuff
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
so-rcvbuf = "1m";
};
}; };
}; };
} }
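Review bot: `publicApps = remove "nelim.org" (mapAttrsToList (n: v: v.hostName) config.services.caddy.virtualHosts)` treats every Caddy virtualHost other than `nelim.org` as WAN-facing, so the first private vhost added next to `nelim.org` would silently be published with `wanIP`; selecting on the property that actually makes a host public is safer, e.g. `publicApps = mapAttrsToList (n: v: v.hostName) (filterAttrs (n: v: elem config.services.pcsd.virtualIps.caddy-vip.ip (v.listenAddresses or [])) config.services.caddy.virtualHosts);` with `filterAttrs elem` added to the `inherit (lib)` line (this assumes `v.hostName` is set for every vhost, which the Caddy module in use appears to default; confirm). Separately, `private-address` on the new side still lists `"100.64.0.0/8"`; the shared-address range is `100.64.0.0/10`, and the /8 makes Unbound scrub answers for all of 100.0.0.0/8, not just the CGNAT block.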


@ -17,10 +17,6 @@ in {
restart = "always"; restart = "always";
ports = ["2800:80"]; ports = ["2800:80"];
extraHosts = [
"drss.nelim.org:10.0.0.130"
"bridge.nelim.org:10.0.0.130"
];
networks = ["proxy_net"]; networks = ["proxy_net"];
volumes = let volumes = let
@ -70,7 +66,7 @@ in {
}; };
}; };
"docker-hub-rss" = { "drss.nelim.org" = {
image = import ./images/docker-hub-rss.nix pkgs; image = import ./images/docker-hub-rss.nix pkgs;
restart = "always"; restart = "always";
ports = ["3007:3000"]; ports = ["3007:3000"];
@ -78,7 +74,7 @@ in {
networks = ["proxy_net"]; networks = ["proxy_net"];
}; };
"rss-bridge" = { "bridge.nelim.org" = {
image = import ./images/rss-bridge.nix pkgs; image = import ./images/rss-bridge.nix pkgs;
restart = "always"; restart = "always";
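Review bot: Renaming the containers to `"drss.nelim.org"` and `"bridge.nelim.org"` only substitutes for the removed `extraHosts` entries if the consuming container resolves those names through Docker's embedded DNS on `proxy_net`, and nothing in the file says that is the intent; a comment above each such as `# container name doubles as the hostname other proxy_net containers use to reach it; replaces the former extraHosts entry` would make the trick discoverable. Those names previously resolved to 10.0.0.130 (the reverse proxy), so consumers presumably now hit the container's internal port directly instead of Caddy; the scheme and port in their configured URLs are worth re-checking against that.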


@ -95,74 +95,74 @@
{ {
"video automation" = [ "video automation" = [
{ {
qbit = rec { qbit = {
href = "https://lan.nelim.org/qbt"; href = "https://lan.nelim.org/qbt";
icon = "qbittorrent.png"; icon = "qbittorrent.png";
description = "torrent client"; description = "torrent client";
widget = { widget = {
type = "qbittorrent"; type = "qbittorrent";
url = href; url = "http://10.0.0.121:8080";
username = "admin"; username = "admin";
password = "{{HOMEPAGE_VAR_QBIT_PASS}}"; password = "{{HOMEPAGE_VAR_QBIT_PASS}}";
}; };
}; };
} }
{ {
sabnzbd = rec { sabnzbd = {
href = "https://lan.nelim.org/sabnzbd"; href = "https://lan.nelim.org/sabnzbd";
icon = "sabnzbd.png"; icon = "sabnzbd.png";
description = "nzb client"; description = "nzb client";
widget = { widget = {
type = "sabnzbd"; type = "sabnzbd";
url = href; url = "http://10.0.0.121:8382";
key = "{{HOMEPAGE_VAR_SAB_API}}"; key = "{{HOMEPAGE_VAR_SAB_API}}";
}; };
}; };
} }
{ {
sonarr = rec { sonarr = {
href = "https://lan.nelim.org/sonarr"; href = "https://lan.nelim.org/sonarr";
icon = "sonarr.png"; icon = "sonarr.png";
description = "fetches tv shows"; description = "fetches tv shows";
widget = { widget = {
type = "sonarr"; type = "sonarr";
url = href; url = "http://sonarr:8989";
key = "{{HOMEPAGE_VAR_SONARR_API}}"; key = "{{HOMEPAGE_VAR_SONARR_API}}";
}; };
}; };
} }
{ {
radarr = rec { radarr = {
href = "https://lan.nelim.org/radarr"; href = "https://lan.nelim.org/radarr";
icon = "radarr.png"; icon = "radarr.png";
description = "fetches movies"; description = "fetches movies";
widget = { widget = {
type = "radarr"; type = "radarr";
url = href; url = "http://radarr:7878";
key = "{{HOMEPAGE_VAR_RADARR_API}}"; key = "{{HOMEPAGE_VAR_RADARR_API}}";
}; };
}; };
} }
{ {
bazarr = rec { bazarr = {
href = "https://lan.nelim.org/bazarr"; href = "https://lan.nelim.org/bazarr";
icon = "bazarr.png"; icon = "bazarr.png";
description = "fetches subs"; description = "fetches subs";
widget = { widget = {
type = "bazarr"; type = "bazarr";
url = href; url = "http://bazarr:6767/bazarr";
key = "{{HOMEPAGE_VAR_BAZARR_API}}"; key = "{{HOMEPAGE_VAR_BAZARR_API}}";
}; };
}; };
} }
{ {
prowlarr = rec { prowlarr = {
href = "https://lan.nelim.org/prowlarr"; href = "https://lan.nelim.org/prowlarr";
icon = "prowlarr.png"; icon = "prowlarr.png";
description = "fetches tracker queries"; description = "fetches tracker queries";
widget = { widget = {
type = "prowlarr"; type = "prowlarr";
url = href; url = "http://prowlarr:9696";
key = "{{HOMEPAGE_VAR_PROWLARR_API}}"; key = "{{HOMEPAGE_VAR_PROWLARR_API}}";
}; };
}; };
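Review bot: The two widget URLs that use an address (`url = "http://10.0.0.121:8080";` and `url = "http://10.0.0.121:8382";`) send the templated `password`/`key` on the following line over plain HTTP to that host, whereas the other four use container names and stay on the Docker network; if homepage does not run on 10.0.0.121, those credentials now cross the LAN in cleartext, which the previous `https://lan.nelim.org/...` URLs avoided. If qBittorrent and SABnzbd are reachable on the same network, using their container names as the other four do would be consistent and keep the traffic off the LAN; otherwise a comment next to those two lines noting why the IP is needed would help. Dropping `rec` on each block is correct now that `url` no longer references `href`.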


@ -20,7 +20,6 @@ in {
TZ = "America/New_York"; TZ = "America/New_York";
}; };
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = [ ports = [
"6767:6767" "6767:6767"
]; ];


@ -15,7 +15,6 @@ in {
restart = "always"; restart = "always";
volumes = ["${rwPath}/data:/data"]; volumes = ["${rwPath}/data:/data"];
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["5656:5656"]; ports = ["5656:5656"];
cmd = [ cmd = [


@ -22,7 +22,7 @@ in {
}; };
volumes = ["${rwPath}/data:/config"]; volumes = ["${rwPath}/data:/config"];
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["9696:9696"]; ports = ["9696:9696"];
networks = ["proxy_net"]; networks = ["proxy_net"];
}; };
@ -38,7 +38,6 @@ in {
TZ = "America/New_York"; TZ = "America/New_York";
}; };
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["8191:8191"]; ports = ["8191:8191"];
dependsOn = ["prowlarr"]; dependsOn = ["prowlarr"];


@ -14,7 +14,6 @@ in {
image = import ./images/radarr.nix pkgs; image = import ./images/radarr.nix pkgs;
restart = "always"; restart = "always";
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["7878:7878"]; ports = ["7878:7878"];
environment = { environment = {


@ -14,7 +14,6 @@ in {
image = import ./images/sabnzbd.nix pkgs; image = import ./images/sabnzbd.nix pkgs;
restart = "always"; restart = "always";
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["8382:8082"]; ports = ["8382:8082"];
environment = { environment = {


@ -23,7 +23,6 @@ in {
"${rwPath}/data:/app/config" "${rwPath}/data:/app/config"
]; ];
extraHosts = ["lan.nelim.org:10.0.0.130"];
networks = ["proxy_net"]; networks = ["proxy_net"];
ports = ["5055:5055"]; ports = ["5055:5055"];
}; };


@ -14,7 +14,6 @@ in {
image = import ./images/sonarr.nix pkgs; image = import ./images/sonarr.nix pkgs;
restart = "always"; restart = "always";
extraHosts = ["lan.nelim.org:10.0.0.130"];
ports = ["8989:8989"]; ports = ["8989:8989"];
environment = { environment = {