From a7dacb7edfe5b0b1dd8723fe92d711aba5589105 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Tue, 10 Feb 2026 22:23:34 +0000
Subject: [PATCH] murmur (mumble server) and non-caddy acme client
---
 flake.nix | 1 +
 .../modules/nmasur/presets/services/caddy.nix | 162 +++++++++---------
 .../services/cloudflare/cloudflare.nix | 11 ++
 .../nmasur/presets/services/murmur.nix | 41 +++++
 .../nmasur/profiles/communications.nix | 1 +
 5 files changed, 135 insertions(+), 81 deletions(-)
 create mode 100644 platforms/nixos/modules/nmasur/presets/services/murmur.nix
diff --git a/flake.nix b/flake.nix
index 8904fb1..3ce7bfc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -132,6 +132,7 @@
 mathesar = "mathesar.${baseName}";
 metrics = "metrics.${baseName}";
 minecraft = "minecraft.${baseName}";
+ mumble = "mumble.${baseName}";
 n8n = "n8n.${baseName}";
 navidrome = "music.${baseName}";
 notifications = "ntfy.${baseName}";
diff --git a/platforms/nixos/modules/nmasur/presets/services/caddy.nix b/platforms/nixos/modules/nmasur/presets/services/caddy.nix
index 75a2e3b..23ee8d5 100644
--- a/platforms/nixos/modules/nmasur/presets/services/caddy.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/caddy.nix
@@ -58,6 +58,7 @@ in
 {
 handler = "static_response";
 status_code = "403";
+ body = "IP not allowed";
 }
 ];
 }
@@ -109,96 +110,95 @@ in apps.tls.automation.policies = cfg.tlsPolicies; # Setup logging to journal and files - logging.logs = - { - # System logs and catch-all - # Must be called `default` to override Caddy's built-in default logger - default = { - level = "INFO"; - encoder.format = "console"; - writer = { - output = "stderr"; - }; - exclude = (map (hostname: "http.log.access.${hostname}") (builtins.attrNames hostname_map)) ++ [ - "http.log.access.${default_logger_name}" - ]; + logging.logs = { + # System logs and catch-all + # Must be called `default` to override Caddy's built-in default logger + default = { + level = "INFO"; + encoder.format = "console"; + writer = { + output = "stderr"; }; - # This is for the default access logs (anything not captured by hostname) - other = { - level = "INFO"; - encoder.format = "json"; - writer = { - output = "file"; - filename = "${config.services.caddy.logDir}/other.log"; - roll = true; - inherit roll_size_mb; - }; - include = [ "http.log.access.${default_logger_name}" ]; - }; - # This is for using the Caddy API, which will probably never happen - admin = { - level = "INFO"; - encoder.format = "json"; - writer = { - output = "file"; - filename = "${config.services.caddy.logDir}/admin.log"; - roll = true; - inherit roll_size_mb; - }; - include = [ "admin" ]; - }; - # This is for TLS cert management tracking - tls = { - level = "INFO"; - encoder.format = "json"; - writer = { - output = "file"; - filename = "${config.services.caddy.logDir}/tls.log"; - roll = true; - inherit roll_size_mb; - }; - include = [ "tls" ]; - }; - # This is for debugging - debug = { - level = "DEBUG"; - encoder.format = "json"; - writer = { - output = "file"; - filename = "${config.services.caddy.logDir}/debug.log"; - roll = true; - roll_keep = 1; - inherit roll_size_mb; - }; - }; - } - # These are the access logs for individual hostnames - // (lib.mapAttrs (name: value: { + exclude = (map (hostname: "http.log.access.${hostname}") (builtins.attrNames 
hostname_map)) ++ [ + "http.log.access.${default_logger_name}" + ]; + }; + # This is for the default access logs (anything not captured by hostname) + other = { level = "INFO"; encoder.format = "json"; writer = { output = "file"; - filename = "${config.services.caddy.logDir}/${name}-access.log"; + filename = "${config.services.caddy.logDir}/other.log"; + roll = true; + inherit roll_size_mb; + }; + include = [ "http.log.access.${default_logger_name}" ]; + }; + # This is for using the Caddy API, which will probably never happen + admin = { + level = "INFO"; + encoder.format = "json"; + writer = { + output = "file"; + filename = "${config.services.caddy.logDir}/admin.log"; + roll = true; + inherit roll_size_mb; + }; + include = [ "admin" ]; + }; + # This is for TLS cert management tracking + tls = { + level = "INFO"; + encoder.format = "json"; + writer = { + output = "file"; + filename = "${config.services.caddy.logDir}/tls.log"; + roll = true; + inherit roll_size_mb; + }; + include = [ "tls" ]; + }; + # This is for debugging + debug = { + level = "DEBUG"; + encoder.format = "json"; + writer = { + output = "file"; + filename = "${config.services.caddy.logDir}/debug.log"; + roll = true; + roll_keep = 1; + inherit roll_size_mb; + }; + }; + } + # These are the access logs for individual hostnames + // (lib.mapAttrs (name: value: { + level = "INFO"; + encoder.format = "json"; + writer = { + output = "file"; + filename = "${config.services.caddy.logDir}/${name}-access.log"; + roll = true; + inherit roll_size_mb; + }; + include = [ "http.log.access.${name}" ]; + }) hostname_map) + # We also capture just the errors separately for easy debugging + // (lib.mapAttrs' (name: value: { + name = "${name}-error"; + value = { + level = "ERROR"; + encoder.format = "json"; + writer = { + output = "file"; + filename = "${config.services.caddy.logDir}/${name}-error.log"; roll = true; inherit roll_size_mb; }; include = [ "http.log.access.${name}" ]; - }) hostname_map) - # We also capture 
just the errors separately for easy debugging - // (lib.mapAttrs' (name: value: { - name = "${name}-error"; - value = { - level = "ERROR"; - encoder.format = "json"; - writer = { - output = "file"; - filename = "${config.services.caddy.logDir}/${name}-error.log"; - roll = true; - inherit roll_size_mb; - }; - include = [ "http.log.access.${name}" ]; - }; - }) hostname_map); + }; + }) hostname_map); } ); }; diff --git a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix index 92e86c2..40ceb7c 100644 --- a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix +++ b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix @@ -173,5 +173,16 @@ in # Enable the home-made service that we created for non-proxied records services.cloudflare-dyndns-noproxy.enable = true; + # Create certs when not using proxy + secrets.cloudflare-dns-api-prefixed = { + source = ./cloudflare-api.age; + dest = "${config.secretsDirectory}/cloudflare-dns-api-prefixed"; + prefix = "CLOUDFLARE_DNS_API_TOKEN="; + }; + security.acme = { + acceptTerms = true; + defaults.email = "acme@${config.nmasur.presets.programs.msmtp.domain}"; + }; + }; } diff --git a/platforms/nixos/modules/nmasur/presets/services/murmur.nix b/platforms/nixos/modules/nmasur/presets/services/murmur.nix new file mode 100644 index 0000000..dfce4fc --- /dev/null +++ b/platforms/nixos/modules/nmasur/presets/services/murmur.nix 
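Review bot: The new `secrets.cloudflare-dns-api-prefixed` entry in the cloudflare.nix hunk specifies only `source`, `dest` and `prefix`; nothing visible here says which user or mode the file at `dest` gets, and the NixOS ACME client runs as its own unprivileged `acme` user, so unless the project's `secrets` module defaults to something that user can read, the DNS-01 challenge will fail at renewal time rather than at evaluation. The purpose of `prefix` is also not obvious from the code: `credentialsFile` is loaded as an environment file, so the token must be written as `CLOUDFLARE_DNS_API_TOKEN=<token>`; a comment such as `# credentialsFile is read as KEY=VALUE lines by the ACME client; prefix turns the bare token into the variable the cloudflare DNS provider expects` would save the next reader a trip to the docs. Since this token can edit DNS for the zone, the same comment should state that it is meant to be a zone-scoped DNS-edit token rather than a broader account token. The enclosing `config` attribute set starts outside the hunk.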
@@ -0,0 +1,41 @@
+# murmur is a Mumble server for hosting voice chat
+
+ {
+ config,
+ lib,
+ ...
+ }:
+let
+ inherit (config.nmasur.settings) hostnames;
+ cfg = config.nmasur.presets.services.murmur;
+in
+
+ {
+
+ options.nmasur.presets.services.murmur.enable =
+ lib.mkEnableOption "murmur (mumble) voice chat service";
+
+ config = lib.mkIf cfg.enable {
+
+ services.murmur = {
+ enable = true;
+ users = 50; # Max concurrent users
+ bonjour = false; # Auto-connect LAN
+ registerUrl = "https://${hostnames.mumble}";
+ registerName = "Mumble";
+ environmentFile = null;
+ sslKey = "${config.security.acme.certs."${hostnames.mumble}".directory}/key.pem";
+ sslCert = "${config.security.acme.certs."${hostnames.mumble}".directory}/fullchain.pem";
+ openFirewall = true;
+ };
+
+ # Configure Cloudflare DNS to point to this machine
+ nmasur.presets.services.cloudflare.noProxyDomains = [ hostnames.mumble ];
+
+ security.acme.certs."${hostnames.mumble}" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.secrets.cloudflare-dns-api-prefixed.dest;
+ group = config.services.murmur.group;
+ };
+ };
+}
diff --git a/platforms/nixos/modules/nmasur/profiles/communications.nix b/platforms/nixos/modules/nmasur/profiles/communications.nix
index adb12a7..9e52df6 100644
--- a/platforms/nixos/modules/nmasur/profiles/communications.nix
+++ b/platforms/nixos/modules/nmasur/profiles/communications.nix
@@ -32,6 +32,7 @@ in
 mathesar.enable = lib.mkDefault true;
 mealie.enable = lib.mkDefault true;
 minecraft-server.enable = lib.mkDefault false;
+ murmur.enable = lib.mkDefault true;
 n8n.enable = lib.mkDefault true;
 nix-autoupgrade.enable = lib.mkDefault true; # On by default for communications
 ntfy-sh.enable = lib.mkDefault true;
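Review bot: `services.murmur` in the new murmur.nix is enabled with `openFirewall = true` and `environmentFile = null` and sets no `password`, so as written any client that can reach the Mumble port can join the server; if a public server is the intent, a comment saying so would make that explicit, otherwise the repository's `secrets` mechanism (already used here for `credentialsFile`) could supply a placeholder such as `password = "$MURMURD_PASSWORD";` resolved from `environmentFile` rather than a value in the Nix store. Renewed certificates are not picked up on their own: murmur opens `key.pem`/`fullchain.pem` when it starts, so unless something outside this file restarts it after renewal, the cert entry should carry `reloadServices = [ "murmur.service" ];` or the served certificate will eventually expire while the file on disk is fresh. The comment `# Auto-connect LAN` on `bonjour = false;` misdescribes the option; `# Bonjour/mDNS advertisement on the LAN (off)` is what it actually controls. Setting `group = config.services.murmur.group` on the cert is the correct way to let the service read the private key without widening its permissions.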