mirror of
https://github.com/nmasur/dotfiles
synced 2024-12-24 02:34:52 +00:00
add more services documentation
This commit is contained in:
parent
984a47d3b1
commit
dab40e081a
@ -2,6 +2,7 @@
|
||||
|
||||
let
|
||||
|
||||
# This config specifies ports for Prometheus to scrape information
|
||||
arrConfig = {
|
||||
radarr = {
|
||||
exportarrPort = "9707";
|
||||
@ -41,6 +42,8 @@ in {
|
||||
sabnzbd = {
|
||||
enable = true;
|
||||
group = "media";
|
||||
# The config file must be editable within the application
|
||||
# It contains server configs and credentials
|
||||
configFile = "/data/downloads/sabnzbd/sabnzbd.ini";
|
||||
};
|
||||
sonarr = {
|
||||
@ -53,16 +56,23 @@ in {
|
||||
};
|
||||
};
|
||||
|
||||
# Create a media group to be shared between services
|
||||
users.groups.media = { };
|
||||
|
||||
# Give the human user access to the media group
|
||||
users.users.${config.user}.extraGroups = [ "media" ];
|
||||
|
||||
# Allows media group to read/write the sabnzbd directory
|
||||
users.users.sabnzbd.homeMode = "0770";
|
||||
|
||||
unfreePackages = [ "unrar" ]; # Required for sabnzbd
|
||||
unfreePackages = [ "unrar" ]; # Required as a dependency for sabnzbd
|
||||
|
||||
# Requires updating the base_url config value in each service
|
||||
# If you try to rewrite the URL, the service won't redirect properly
|
||||
caddy.routes = [
|
||||
{
|
||||
# Group means that routes with the same name are mutually exclusive,
|
||||
# so they are split between the appropriate services.
|
||||
group = "download";
|
||||
match = [{
|
||||
host = [ config.hostnames.download ];
|
||||
@ -70,6 +80,7 @@ in {
|
||||
}];
|
||||
handle = [{
|
||||
handler = "reverse_proxy";
|
||||
# We're able to reference the url and port of the service dynamically
|
||||
upstreams = [{ dial = arrConfig.sonarr.url; }];
|
||||
}];
|
||||
}
|
||||
@ -92,6 +103,7 @@ in {
|
||||
}];
|
||||
handle = [{
|
||||
handler = "reverse_proxy";
|
||||
# Prowlarr doesn't offer a dynamic config, so we have to hardcode it
|
||||
upstreams = [{ dial = "localhost:9696"; }];
|
||||
}];
|
||||
}
|
||||
@ -104,6 +116,7 @@ in {
|
||||
handle = [{
|
||||
handler = "reverse_proxy";
|
||||
upstreams = [{
|
||||
# Bazarr only dynamically sets the port, not the host
|
||||
dial = "localhost:${
|
||||
builtins.toString config.services.bazarr.listenPort
|
||||
}";
|
||||
@ -145,10 +158,12 @@ in {
|
||||
Type = "simple";
|
||||
DynamicUser = true;
|
||||
ExecStart = let
|
||||
# Sabnzbd doesn't accept the URI path, unlike the others
|
||||
url = if name != "sabnzbd" then
|
||||
"http://${attrs.url}/${name}"
|
||||
else
|
||||
"http://${attrs.url}";
|
||||
# Exportarr is trained to pull from the arr services
|
||||
in ''
|
||||
${pkgs.exportarr}/bin/exportarr ${name} \
|
||||
--url ${url} \
|
||||
@ -197,7 +212,7 @@ in {
|
||||
prefix = "API_KEY=";
|
||||
};
|
||||
|
||||
# Prometheus scrape targets
|
||||
# Prometheus scrape targets (expose Exportarr to Prometheus)
|
||||
prometheus.scrapeTargets = map (key:
|
||||
"127.0.0.1:${
|
||||
lib.attrsets.getAttrFromPath [ key "exportarrPort" ] arrConfig
|
||||
|
@ -1,3 +1,6 @@
|
||||
# This is my setup for backing up SQlite databases and other systems to S3 or
|
||||
# S3-equivalent services (like Backblaze B2).
|
||||
|
||||
{ config, lib, ... }: {
|
||||
|
||||
options = {
|
||||
|
@ -1,3 +1,10 @@
|
||||
# Bind is a DNS service. This allows me to resolve public domains locally so
|
||||
# when I'm at home, I don't have to travel over the Internet to reach my
|
||||
# server.
|
||||
|
||||
# To set this on all home machines, I point my router's DNS resolver to the
|
||||
# local IP address of the machine running this service (swan).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
@ -16,11 +23,19 @@ in {
|
||||
|
||||
config = lib.mkIf config.services.bind.enable {
|
||||
|
||||
# Normally I block all requests not coming from Cloudflare, so I have to also
|
||||
# allow my local network.
|
||||
caddy.cidrAllowlist = [ "192.168.0.0/16" ];
|
||||
|
||||
services.bind = {
|
||||
|
||||
# Allow requests coming from these IPs. This way I don't somehow get
|
||||
# spammed with DNS requests coming from the Internet.
|
||||
cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
|
||||
|
||||
# When making normal DNS requests, forward them to Cloudflare to resolve.
|
||||
forwarders = [ "1.1.1.1" "1.0.0.1" ];
|
||||
|
||||
ipv4Only = true;
|
||||
|
||||
# Use rpz zone as an override
|
||||
@ -47,6 +62,7 @@ in {
|
||||
|
||||
};
|
||||
|
||||
# We must allow DNS traffic to hit our machine as well
|
||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||
|
||||
|
@ -1,3 +1,14 @@
|
||||
# Caddy is a reverse proxy, like Nginx or Traefik. This creates an ingress
|
||||
# point from my local network or the public (via Cloudflare). Instead of a
|
||||
# Caddyfile, I'm using the more expressive JSON config file format. This means
|
||||
# I can source routes from other areas in my config and build the JSON file
|
||||
# using the result of the expression.
|
||||
|
||||
# Caddy helpfully provides automatic ACME cert generation and management, but
|
||||
# it requires a form of validation. We are using a custom build of Caddy
|
||||
# (compiled with an overlay) to insert a plugin for managing DNS validation
|
||||
# with Cloudflare's DNS API.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options = {
|
||||
@ -42,12 +53,17 @@
|
||||
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
|
||||
apps.http.servers.main = {
|
||||
listen = [ ":443" ];
|
||||
|
||||
# These routes are pulled from the rest of this repo
|
||||
routes = config.caddy.routes;
|
||||
errors.routes = config.caddy.blocks;
|
||||
logs = { }; # Uncomment to collect access logs
|
||||
|
||||
logs = { }; # Uncommenting collects access logs
|
||||
};
|
||||
apps.http.servers.metrics = { }; # Enables Prometheus metrics
|
||||
apps.tls.automation.policies = config.caddy.tlsPolicies;
|
||||
|
||||
# Setup logging to file
|
||||
logging.logs.main = {
|
||||
encoder = { format = "console"; };
|
||||
writer = {
|
||||
@ -58,13 +74,23 @@
|
||||
};
|
||||
level = "INFO";
|
||||
};
|
||||
|
||||
});
|
||||
|
||||
};
|
||||
|
||||
# Allows Caddy to serve lower ports (443, 80)
|
||||
systemd.services.caddy.serviceConfig.AmbientCapabilities =
|
||||
"CAP_NET_BIND_SERVICE";
|
||||
|
||||
# Required for web traffic to reach this machine
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
# HTTP/3 QUIC uses UDP (not sure if being used)
|
||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||
|
||||
# Caddy exposes Prometheus metrics with the admin API
|
||||
# https://caddyserver.com/docs/api
|
||||
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
|
||||
|
||||
};
|
||||
|
@ -1,3 +1,9 @@
|
||||
# Calibre-web is an E-Book library and management tool.
|
||||
|
||||
# - Exposed to the public via Caddy.
|
||||
# - Hostname defined with config.hostnames.books
|
||||
# - File directory backed up to S3 on a cron schedule.
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
@ -26,6 +32,7 @@ in {
|
||||
};
|
||||
};
|
||||
|
||||
# Allow web traffic to Caddy
|
||||
caddy.routes = [{
|
||||
match = [{ host = [ config.hostnames.books ]; }];
|
||||
handle = [{
|
||||
@ -35,6 +42,8 @@ in {
|
||||
builtins.toString config.services.calibre-web.listen.port
|
||||
}";
|
||||
}];
|
||||
# This is required when calibre-web is behind a reverse proxy
|
||||
# https://github.com/janeczku/calibre-web/issues/19
|
||||
headers.request.add."X-Script-Name" = [ "/calibre-web" ];
|
||||
}];
|
||||
}];
|
||||
|
@ -1,3 +1,12 @@
|
||||
# Cloudflare Tunnel is a service for accessing the network even behind a
|
||||
# firewall, through outbound-only requests. It works by installing an agent on
|
||||
# our machines that exposes services through Cloudflare Access (Zero Trust),
|
||||
# similar to something like Tailscale.
|
||||
|
||||
# In this case, we're using Cloudflare Tunnel to enable SSH access over a web
|
||||
# browser even when outside of my network. This is probably not the safest
|
||||
# choice but I feel comfortable enough with it anyway.
|
||||
|
||||
{ config, lib, ... }:
|
||||
|
||||
# First time setup:
|
||||
@ -40,23 +49,28 @@
|
||||
tunnels = {
|
||||
"${config.cloudflareTunnel.id}" = {
|
||||
credentialsFile = config.secrets.cloudflared.dest;
|
||||
# Catch-all if no match (should never happen anyway)
|
||||
default = "http_status:404";
|
||||
# Match from ingress of any valid server name to SSH access
|
||||
ingress = { "*.masu.rs" = "ssh://localhost:22"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Grant Cloudflare access to SSH into this server
|
||||
environment.etc = {
|
||||
"ssh/ca.pub".text = ''
|
||||
${config.cloudflareTunnel.ca}
|
||||
'';
|
||||
|
||||
# Must match the username of the email address in Cloudflare Access
|
||||
# Must match the username portion of the email address in Cloudflare
|
||||
# Access
|
||||
"ssh/authorized_principals".text = ''
|
||||
${config.user}
|
||||
'';
|
||||
};
|
||||
|
||||
# Adjust SSH config to allow access from Cloudflare's certificate
|
||||
services.openssh.extraConfig = ''
|
||||
PubkeyAuthentication yes
|
||||
TrustedUserCAKeys /etc/ssh/ca.pub
|
||||
|
@ -1,5 +1,13 @@
|
||||
# This module is necessary for hosts that are serving through Cloudflare.
|
||||
|
||||
# Cloudflare is a CDN service that is used to serve the domain names and
|
||||
# caching for my websites and services. Since Cloudflare acts as our proxy, we
|
||||
# must allow access over the Internet from Cloudflare's IP ranges.
|
||||
|
||||
# We also want to validate our HTTPS certificates from Caddy. We'll use Caddy's
|
||||
# DNS validation plugin to connect to Cloudflare and automatically create
|
||||
# validation DNS records for our generated certificates.
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
@ -59,10 +67,9 @@ in {
|
||||
};
|
||||
}];
|
||||
}];
|
||||
# Allow Caddy to read Cloudflare API key for DNS validation
|
||||
systemd.services.caddy.serviceConfig.EnvironmentFile =
|
||||
config.secrets.cloudflareApi.dest;
|
||||
systemd.services.caddy.serviceConfig.AmbientCapabilities =
|
||||
"CAP_NET_BIND_SERVICE";
|
||||
|
||||
# API key must have access to modify Cloudflare DNS records
|
||||
secrets.cloudflareApi = {
|
||||
|
@ -1,3 +1,6 @@
|
||||
# This file imports all the other files in this directory for use as modules in
|
||||
# my config.
|
||||
|
||||
{ ... }: {
|
||||
|
||||
imports = [
|
||||
|
@ -1,3 +1,9 @@
|
||||
# Gitea Actions is a CI/CD service for the Gitea source code server, meaning it
|
||||
# allows us to run code operations (such as testing or deploys) when our git
|
||||
# repositories are updated. Any machine can act as a Gitea Action Runner, so
|
||||
# the Runners don't necessarily need to be running Gitea. All we need is an API
|
||||
# key for Gitea to connect to it and register ourselves as a Runner.
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
|
@ -11,11 +11,21 @@ in {
|
||||
actions.ENABLED = true;
|
||||
metrics.ENABLED = true;
|
||||
repository = {
|
||||
# Pushing to a repo that doesn't exist automatically creates one as
|
||||
# private.
|
||||
DEFAULT_PUSH_CREATE_PRIVATE = true;
|
||||
|
||||
# Allow git over HTTP.
|
||||
DISABLE_HTTP_GIT = false;
|
||||
|
||||
# Allow requests hitting the specified hostname.
|
||||
ACCESS_CONTROL_ALLOW_ORIGIN = config.hostnames.git;
|
||||
|
||||
# Automatically create viable users/orgs on push.
|
||||
ENABLE_PUSH_CREATE_USER = true;
|
||||
ENABLE_PUSH_CREATE_ORG = true;
|
||||
|
||||
# Default when creating new repos.
|
||||
DEFAULT_BRANCH = "main";
|
||||
};
|
||||
server = {
|
||||
@ -25,11 +35,15 @@ in {
|
||||
SSH_PORT = 22;
|
||||
START_SSH_SERVER = false; # Use sshd instead
|
||||
DISABLE_SSH = false;
|
||||
# SSH_LISTEN_HOST = "0.0.0.0";
|
||||
# SSH_LISTEN_PORT = 122;
|
||||
};
|
||||
|
||||
# Don't allow public users to register accounts.
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
|
||||
# Force using HTTPS for all session access.
|
||||
session.COOKIE_SECURE = true;
|
||||
|
||||
# Hide users' emails.
|
||||
ui.SHOW_USER_EMAIL = false;
|
||||
};
|
||||
extraConfig = null;
|
||||
@ -39,6 +53,7 @@ in {
|
||||
users.users.${config.user}.extraGroups = [ "gitea" ];
|
||||
|
||||
caddy.routes = [
|
||||
# Prevent public access to Prometheus metrics.
|
||||
{
|
||||
match = [{
|
||||
host = [ config.hostnames.git ];
|
||||
@ -49,6 +64,7 @@ in {
|
||||
status_code = "403";
|
||||
}];
|
||||
}
|
||||
# Allow access to primary server.
|
||||
{
|
||||
match = [{ host = [ config.hostnames.git ]; }];
|
||||
handle = [{
|
||||
@ -63,6 +79,7 @@ in {
|
||||
}
|
||||
];
|
||||
|
||||
# Scrape the metrics endpoint for Prometheus.
|
||||
prometheus.scrapeTargets = [
|
||||
"127.0.0.1:${
|
||||
builtins.toString config.services.gitea.settings.server.HTTP_PORT
|
||||
|
@ -1,3 +1,5 @@
|
||||
# GPG is an encryption tool. This isn't really in use for me at the moment.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options.gpg.enable = lib.mkEnableOption "GnuPG encryption.";
|
||||
|
@ -7,6 +7,7 @@ in {
|
||||
|
||||
config = lib.mkIf config.services.grafana.enable {
|
||||
|
||||
# Allow Grafana to connect to email service
|
||||
secrets.mailpass-grafana = {
|
||||
source = ../../../private/mailpass-grafana.age;
|
||||
dest = "${config.secretsDirectory}/mailpass-grafana";
|
||||
|
@ -1,7 +1,10 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
# This is a tool for blocking IPs of anyone who attempts to scan all of my
|
||||
# ports.
|
||||
|
||||
# Currently has some issues that don't make this viable.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
# Taken from:
|
||||
# https://dataswamp.org/~solene/2022-09-29-iblock-implemented-in-nixos.html
|
||||
|
||||
|
@ -1,3 +1,8 @@
|
||||
# InfluxDB is a timeseries database similar to Prometheus. While
|
||||
# VictoriaMetrics can also act as an InfluxDB, this version of it allows for
|
||||
# infinite retention separate from our other metrics, which can be nice for
|
||||
# recording health information, for example.
|
||||
|
||||
{ config, lib, ... }: {
|
||||
|
||||
config = {
|
||||
|
@ -1,3 +1,6 @@
|
||||
# Jellyfin is a self-hosted video streaming service. This means I can play my
|
||||
# server's videos from a webpage, mobile app, or TV client.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
config = lib.mkIf config.services.jellyfin.enable {
|
||||
@ -6,6 +9,7 @@
|
||||
users.users.jellyfin = { isSystemUser = true; };
|
||||
|
||||
caddy.routes = [
|
||||
# Prevent public access to Prometheus metrics.
|
||||
{
|
||||
match = [{
|
||||
host = [ config.hostnames.stream ];
|
||||
@ -16,6 +20,7 @@
|
||||
status_code = "403";
|
||||
}];
|
||||
}
|
||||
# Allow access to normal route.
|
||||
{
|
||||
match = [{ host = [ config.hostnames.stream ]; }];
|
||||
handle = [{
|
||||
|
@ -1,3 +1,6 @@
|
||||
# Keybase is an encrypted communications tool with a synchronized encrypted
|
||||
# filestore that can be mounted onto a machine's filesystem.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options.keybase.enable = lib.mkEnableOption "Keybase.";
|
||||
|
@ -1,3 +1,5 @@
|
||||
# Mullvad is a VPN service. This isn't currently in use for me at the moment.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options.mullvad.enable = lib.mkEnableOption "Mullvad VPN.";
|
||||
|
@ -1,3 +1,6 @@
|
||||
# n8n is an automation integration tool for connecting data from services
|
||||
# together with triggers.
|
||||
|
||||
{ config, lib, ... }: {
|
||||
|
||||
options = {
|
||||
|
@ -1,3 +1,6 @@
|
||||
# Netdata is an out-of-the-box monitoring tool that exposes many different
|
||||
# metrics. Not currently in use, in favor of VictoriaMetrics and Grafana.
|
||||
|
||||
{ config, lib, ... }: {
|
||||
|
||||
options.netdata.enable = lib.mkEnableOption "Netdata metrics.";
|
||||
|
@ -16,12 +16,14 @@
|
||||
};
|
||||
extraOptions = {
|
||||
default_phone_region = "US";
|
||||
# Allow access when hitting either of these hosts or IPs
|
||||
trusted_domains = [ config.hostnames.content ];
|
||||
trusted_proxies = [ "127.0.0.1" ];
|
||||
};
|
||||
extraAppsEnable = true;
|
||||
extraApps = with config.services.nextcloud.package.packages.apps; {
|
||||
inherit calendar contacts;
|
||||
# These apps are defined and pinned by overlay in flake.
|
||||
news = pkgs.nextcloudApps.news;
|
||||
external = pkgs.nextcloudApps.external;
|
||||
cookbook = pkgs.nextcloudApps.cookbook;
|
||||
|
@ -1,3 +1,5 @@
|
||||
# Paperless-ngx is a document scanning and management solution.
|
||||
|
||||
{ config, lib, ... }: {
|
||||
|
||||
config = lib.mkIf config.services.paperless.enable {
|
||||
|
@ -1,3 +1,9 @@
|
||||
# Prometheus is a timeseries database that exposes system and service metrics
|
||||
# for use in visualizing, monitoring, and alerting (with Grafana).
|
||||
|
||||
# Instead of running traditional Prometheus, I generally run VictoriaMetrics as
|
||||
# a more efficient drop-in replacement.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options.prometheus = {
|
||||
|
@ -1,3 +1,5 @@
|
||||
# Samba is a Windows-compatible file-sharing service.
|
||||
|
||||
{ config, lib, ... }: {
|
||||
|
||||
config = {
|
||||
|
@ -1,3 +1,5 @@
|
||||
# SSHD service for allowing SSH access to my machines.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options = {
|
||||
|
@ -1,3 +1,6 @@
|
||||
# Transmission is a bittorrent client, which can run in the background for
|
||||
# automated downloads with a web GUI.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options = {
|
||||
|
@ -1,3 +1,7 @@
|
||||
# Vaultwarden is an implementation of the Bitwarden password manager backend
|
||||
# service, which allows for self-hosting the synchronization of a Bitwarden
|
||||
# password manager client.
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory
|
||||
|
@ -1,3 +1,6 @@
|
||||
# VictoriaMetrics is a more efficient drop-in replacement for Prometheus and
|
||||
# InfluxDB (timeseries databases built for monitoring system metrics).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
|
@ -1,3 +1,6 @@
|
||||
# Wireguard is a VPN protocol that can be setup to create a mesh network
|
||||
# between machines on different LANs. This is currently not in use in my setup.
|
||||
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options.wireguard.enable = lib.mkEnableOption "Wireguard VPN setup.";
|
||||
|
Loading…
Reference in New Issue
Block a user