177 lines
4.9 KiB
Nix
177 lines
4.9 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
mainUser,
|
|
pkgs,
|
|
self,
|
|
...
|
|
}: let
|
|
inherit (lib) attrValues head removeAttrs;
|
|
|
|
inherit (config.sops) secrets;
|
|
inherit (config.networking) hostName;
|
|
in {
|
|
imports = [self.nixosModules.caddy-plus];
|
|
|
|
users.users.${mainUser}.extraGroups = ["caddy"];
|
|
|
|
boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;
|
|
|
|
systemd.services.caddy.serviceConfig = {
|
|
EnvironmentFile = secrets.caddy-cloudflare.path;
|
|
};
|
|
|
|
services.caddy = {
|
|
enable = true;
|
|
enableReload = false;
|
|
|
|
package = let
|
|
pluginsInfo = import ./plugins.nix;
|
|
in
|
|
pkgs.caddy.withPlugins {
|
|
plugins = map (x: "${x.url}@${x.version}") (attrValues pluginsInfo.plugins);
|
|
inherit (pluginsInfo) hash;
|
|
};
|
|
|
|
virtualHosts = let
|
|
clusterIP = (head config.services.pcsd.virtualIps).ip;
|
|
nosIP = "10.0.0.121";
|
|
serviviIP = "10.0.0.249";
|
|
homieIP = "100.64.0.10";
|
|
|
|
tlsConf = ''
|
|
tls {
|
|
dns cloudflare {$CLOUDFLARE_API_TOKEN}
|
|
resolvers 1.0.0.1
|
|
}
|
|
'';
|
|
|
|
mkPublicReverseProxy = subdomain: ip: extraConf:
|
|
{
|
|
hostName = "${subdomain}.nelim.org";
|
|
reverseProxy = ip;
|
|
listenAddresses = [clusterIP];
|
|
extraConfig = tlsConf + (extraConf.extraConfig or "");
|
|
}
|
|
// (removeAttrs extraConf ["extraConfig"]);
|
|
in {
|
|
# Public
|
|
"Home-Assistant" = mkPublicReverseProxy "homie" "${homieIP}:8123" {};
|
|
"Vaultwarden" = mkPublicReverseProxy "vault" "${nosIP}:8781" {};
|
|
"Hauk" = mkPublicReverseProxy "hauk" "${nosIP}:3003" {};
|
|
"Headscale" = mkPublicReverseProxy "headscale" "${clusterIP}:8085" {};
|
|
"SearXNG" = mkPublicReverseProxy "search" "${clusterIP}:8080" {};
|
|
|
|
"Jellyfin" = mkPublicReverseProxy "jelly" "${nosIP}:8096" {
|
|
subDirectories.jfa-go = {
|
|
subDirName = "accounts";
|
|
reverseProxy = "${nosIP}:8056";
|
|
};
|
|
};
|
|
|
|
"Jellyseer" = mkPublicReverseProxy "seerr" "${nosIP}:5055" {};
|
|
|
|
"Gameyfin" = mkPublicReverseProxy "games" "${nosIP}:8074" {};
|
|
|
|
"Forgejo" = mkPublicReverseProxy "git" "${nosIP}:3000" {};
|
|
|
|
"Nextcloud" = mkPublicReverseProxy "cloud" "${nosIP}:8042" {
|
|
extraConfig = ''
|
|
redir /.well-known/carddav /remote.php/dav 301
|
|
redir /.well-known/caldav /remote.php/dav 301
|
|
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
|
|
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
|
|
'';
|
|
};
|
|
"OnlyOffice" = mkPublicReverseProxy "office" "http://${nosIP}:8055" {};
|
|
|
|
"Immich" = mkPublicReverseProxy "photos" "${nosIP}:2283" {};
|
|
|
|
"ObsidianLiveSync" = mkPublicReverseProxy "livesync" "${nosIP}:5984" {};
|
|
|
|
"Binary Cache" = mkPublicReverseProxy "cache" "${serviviIP}:5000" {};
|
|
|
|
# Private
|
|
"nelim.org" = {
|
|
serverAliases = ["*.nelim.org"];
|
|
extraConfig = tlsConf;
|
|
listenAddresses = [
|
|
(
|
|
if hostName == "thingone"
|
|
then "100.64.0.8"
|
|
else "100.64.0.9"
|
|
)
|
|
];
|
|
|
|
subDomains = {
|
|
esphome.reverseProxy = "${homieIP}:6052";
|
|
pr-tracker.reverseProxy = "${serviviIP}:3000";
|
|
|
|
pcsd = {
|
|
extraConfig = ''
|
|
reverse_proxy https://${clusterIP}:2224 {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
}
|
|
'';
|
|
};
|
|
|
|
# Resume builder
|
|
resume.reverseProxy = "${nosIP}:3060";
|
|
resauth.reverseProxy = "${nosIP}:3100";
|
|
|
|
# FreshRSS & Co
|
|
bridge.reverseProxy = "${nosIP}:3006";
|
|
drss.reverseProxy = "${nosIP}:3007";
|
|
freshrss = {
|
|
subDomainName = "rss";
|
|
reverseProxy = "${nosIP}:2800";
|
|
};
|
|
|
|
wgui.reverseProxy = "${nosIP}:51821";
|
|
|
|
lan = {
|
|
reverseProxy = "${nosIP}:3020";
|
|
extraConfig = ''
|
|
redir /index.html /
|
|
'';
|
|
|
|
subDirectories = {
|
|
bazarr.reverseProxy = "${nosIP}:6767";
|
|
prowlarr.reverseProxy = "${nosIP}:9696";
|
|
radarr.reverseProxy = "${nosIP}:7878";
|
|
sabnzbd.reverseProxy = "${nosIP}:8382";
|
|
sonarr.reverseProxy = "${nosIP}:8989";
|
|
|
|
qbittorent = {
|
|
subDirName = "qbt";
|
|
experimental = true;
|
|
reverseProxy = "${nosIP}:8080";
|
|
};
|
|
|
|
vaultwarden = {
|
|
subDirName = "vault";
|
|
experimental = true;
|
|
reverseProxy = "${nosIP}:8780";
|
|
};
|
|
};
|
|
};
|
|
|
|
# Top secret Business
|
|
joal.extraConfig = ''
|
|
route {
|
|
rewrite * /joal/ui{uri}
|
|
reverse_proxy * ${nosIP}:5656
|
|
}
|
|
'';
|
|
joalws.extraConfig = ''
|
|
route {
|
|
reverse_proxy ${nosIP}:5656
|
|
}
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|