noah/dotfiles
1
0
Fork 0
mirror of https://github.com/nmasur/dotfiles synced 2026-02-15 04:39:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

murmur (mumble server) and non-caddy acme client

Browse Source
This commit is contained in:
Noah Masur
2026-02-10 22:23:34 +00:00
parent dfd3b955c0
commit a7dacb7edf
5 changed files with 135 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

162
platforms/nixos/modules/nmasur/presets/services/caddy.nix
View File

@@ -58,6 +58,7 @@ in
{
handler = "static_response";
status_code = "403";
body = "IP not allowed";
}
];
}
@@ -109,96 +110,95 @@ in
apps.tls.automation.policies = cfg.tlsPolicies;
# Setup logging to journal and files
logging.logs =
{
# System logs and catch-all
# Must be called `default` to override Caddy's built-in default logger
default = {
level = "INFO";
encoder.format = "console";
writer = {
output = "stderr";
};
exclude = (map (hostname: "http.log.access.${hostname}") (builtins.attrNames hostname_map)) ++ [
"http.log.access.${default_logger_name}"
];
logging.logs = {
# System logs and catch-all
# Must be called `default` to override Caddy's built-in default logger
default = {
level = "INFO";
encoder.format = "console";
writer = {
output = "stderr";
};
# This is for the default access logs (anything not captured by hostname)
other = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/other.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${default_logger_name}" ];
};
# This is for using the Caddy API, which will probably never happen
admin = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/admin.log";
roll = true;
inherit roll_size_mb;
};
include = [ "admin" ];
};
# This is for TLS cert management tracking
tls = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/tls.log";
roll = true;
inherit roll_size_mb;
};
include = [ "tls" ];
};
# This is for debugging
debug = {
level = "DEBUG";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/debug.log";
roll = true;
roll_keep = 1;
inherit roll_size_mb;
};
};
}
# These are the access logs for individual hostnames
// (lib.mapAttrs (name: value: {
exclude = (map (hostname: "http.log.access.${hostname}") (builtins.attrNames hostname_map)) ++ [
"http.log.access.${default_logger_name}"
];
};
# This is for the default access logs (anything not captured by hostname)
other = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/${name}-access.log";
filename = "${config.services.caddy.logDir}/other.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${default_logger_name}" ];
};
# This is for using the Caddy API, which will probably never happen
admin = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/admin.log";
roll = true;
inherit roll_size_mb;
};
include = [ "admin" ];
};
# This is for TLS cert management tracking
tls = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/tls.log";
roll = true;
inherit roll_size_mb;
};
include = [ "tls" ];
};
# This is for debugging
debug = {
level = "DEBUG";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/debug.log";
roll = true;
roll_keep = 1;
inherit roll_size_mb;
};
};
}
# These are the access logs for individual hostnames
// (lib.mapAttrs (name: value: {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/${name}-access.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${name}" ];
}) hostname_map)
# We also capture just the errors separately for easy debugging
// (lib.mapAttrs' (name: value: {
name = "${name}-error";
value = {
level = "ERROR";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/${name}-error.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${name}" ];
}) hostname_map)
# We also capture just the errors separately for easy debugging
// (lib.mapAttrs' (name: value: {
name = "${name}-error";
value = {
level = "ERROR";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/${name}-error.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${name}" ];
};
}) hostname_map);
};
}) hostname_map);
}
);
};

11
platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
View File

@@ -173,5 +173,16 @@ in
# Enable the home-made service that we created for non-proxied records
services.cloudflare-dyndns-noproxy.enable = true;
# Create certs when not using proxy
secrets.cloudflare-dns-api-prefixed = {
source = ./cloudflare-api.age;
dest = "${config.secretsDirectory}/cloudflare-dns-api-prefixed";
prefix = "CLOUDFLARE_DNS_API_TOKEN=";
};
security.acme = {
acceptTerms = true;
defaults.email = "acme@${config.nmasur.presets.programs.msmtp.domain}";
};
};
}

41
platforms/nixos/modules/nmasur/presets/services/murmur.nix Normal file
View File

@@ -0,0 +1,41 @@
# murmur is a Mumble server for hosting voice chat
{
config,
lib,
...
}:
let
inherit (config.nmasur.settings) hostnames;
cfg = config.nmasur.presets.services.murmur;
in
{
options.nmasur.presets.services.murmur.enable =
lib.mkEnableOption "murmur (mumble) voice chat service";
config = lib.mkIf cfg.enable {
services.murmur = {
enable = true;
users = 50; # Max concurrent users
bonjour = false; # Auto-connect LAN
registerUrl = "https://${hostnames.mumble}";
registerName = "Mumble";
environmentFile = null;
sslKey = "${config.security.acme.certs."${hostnames.mumble}".directory}/key.pem";
sslCert = "${config.security.acme.certs."${hostnames.mumble}".directory}/fullchain.pem";
openFirewall = true;
};
# Configure Cloudflare DNS to point to this machine
nmasur.presets.services.cloudflare.noProxyDomains = [ hostnames.mumble ];
security.acme.certs."${hostnames.mumble}" = {
dnsProvider = "cloudflare";
credentialsFile = config.secrets.cloudflare-dns-api-prefixed.dest;
group = config.services.murmur.group;
};
};
}