New host for Caddy reverse proxy

pazpi 2024-09-10 22:49:17 +02:00
parent e5f47681ae
commit dcac67e097
No known key found for this signature in database
GPG key ID: 0942571C4B9966BE
15 changed files with 222 additions and 132 deletions


@ -1,5 +1,22 @@
# Papzi homelab configurations
L'homelab è suddiviso in vari host configurati come container LXC su una macchina Proxmox 8.2.
## IP
La rete di casa è suddivisa in due parti, la prima gestita in DHCP ha IP fino al `.149` (compreso), mentre gli altri sono riservati per indirizzi statici.
Per comodità una volta assegnato un IP questo deve essere impostato su PiHole con dominio `.internal` per facilitare il routing.
## Hosts
### Caddy
### Arr
### Metrics
### Deadbeef
## How to
### Build


@ -36,15 +36,14 @@
};
outputs =
{
self,
nixpkgs,
nixos-hardware,
lix-module,
agenix,
colmena,
home-manager,
...
{ self
, nixpkgs
, nixos-hardware
, lix-module
, agenix
, colmena
, home-manager
, ...
}@inputs:
let
system = "x86_64-linux";
@ -79,6 +78,14 @@
];
};
caddy.deployment = {
targetHost = "192.168.1.150";
tags = [
"lxc"
"bacco"
];
};
metrics.deployment = {
targetHost = "192.168.1.152";
tags = [

69
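--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -0,0 +1,69 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+let
+tailscaleMagicDNS = "neon-dory.ts.net";
+in
+{
+age.secrets = {
+tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
+};
+my = {
+utils.commons.enable = true;
+services.media-mgr = {
+proxy = {
+enable = true;
+domain = "tegola.pro";
+host = "arr.internal";
+};
+};
+monitoring = {
+prometheus = {
+proxy = {
+domain = "tegola.pro";
+host = "metrics.internal";
+};
+};
+};
+networking = {
+tailscale = {
+enable = true;
+magicDNSDomain = tailscaleMagicDNS;
+authKeyFile = config.age.secrets.tailscale-authKey.path;
+};
+caddy.enable = true;
+};
+virtualisation = {
+proxmox.enable = true;
+};
+};
+time.timeZone = "Europe/Rome";
+# Extra packages
+environment.systemPackages = with pkgs; [ ];
+services = {
+openssh.enable = true;
+prometheus.exporters = {
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+};
+};
+};
+networking.nameservers = [ "192.168.1.2" ];
+system.stateVersion = "24.05";
+}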
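Review bot: `openssh.enable = true;` near the end of this new host carries no explicit authentication settings, and this is the machine that proxies `tegola.pro` and holds the Tailscale auth key, so its SSH posture should be stated here rather than inherited. I would add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";` unless `my.utils.commons` already sets them, which is not visible from this file. The node exporter is enabled with no listen address or firewall rule in view; since only the metrics host scrapes it, limiting the exporter port to that source or to the Tailscale interface would keep host metrics off the rest of the LAN. `environment.systemPackages = with pkgs; [ ];` is an empty list and can be dropped.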


@ -1,10 +1,9 @@
{
nixpkgs,
nixos-hardware,
agenix,
home-manager,
lix-module,
...
{ nixpkgs
, nixos-hardware
, agenix
, home-manager
, lix-module
, ...
}:
let
agenixOverlay = final: prev: { agenix = agenix.packages.${prev.system}.default; };
@ -70,6 +69,17 @@ in
# specialArgs = { };
};
caddy = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux";
modules = [
myModule
proxmoxModule
./caddy
agenix.nixosModules.default
];
# specialArgs = { };
};
metrics = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux";
modules = [


@ -1,8 +1,7 @@
{
config,
pkgs,
lib,
...
{ config
, pkgs
, lib
, ...
}:
let
tailscaleMagicDNS = "neon-dory.ts.net";
@ -18,20 +17,20 @@ in
services.media-mgr = {
exportMetrics.enable = true;
proxy = {
enable = true;
domain = "tegola.pro";
host = "arr.internal";
};
# proxy = {
# enable = true;
# domain = "tegola.pro";
# host = "arr.internal";
# };
};
monitoring = {
prometheus = {
enable = true;
proxy = {
domain = "tegola.pro";
host = "metrics.internal";
};
# proxy = {
# domain = "tegola.pro";
# host = "metrics.internal";
# };
};
};
@ -42,7 +41,7 @@ in
authKeyFile = config.age.secrets.tailscale-authKey.path;
};
caddy.enable = true;
# caddy.enable = true;
};
virtualisation = {
@ -60,11 +59,17 @@ in
prometheus.scrapeConfigs = [
{
job_name = "metrics-host";
job_name = "host-metrics";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
{
job_name = "host-caddy";
static_configs = [
{ targets = [ "caddy.internal:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
prometheus.exporters = {
@ -75,7 +80,7 @@ in
};
};
networking.nameservers = [ "192.168.1.2" ];
# networking.nameservers = [ "192.168.1.2" ];
system.stateVersion = "24.05";
}
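Review bot: The new `host-caddy` scrape job targets `caddy.internal`, while the last hunk of this file appears to comment out `networking.nameservers = [ "192.168.1.2" ];`, presumably the PiHole resolver that the README says serves the `.internal` names. If the container does not receive that resolver from Proxmox or DHCP, the scrape fails on name resolution without any error at deploy time, so either keep the nameserver line or confirm where the resolver now comes from; an alert on `up == 0` for the job would surface the failure. Separately, the proxy and `caddy.enable` settings that moved to the new host are left behind as commented-out blocks, and deleting them would keep it clear which host terminates traffic. Old and new sides are inferred from print order here, because the `+`/`-` markers are lost on this page.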


@ -11,52 +11,21 @@ let
containersDefinition = {
jackett = {
flaresolverr = {
enable = true;
image = "linuxserver/jackett";
image = "ghcr.io/flaresolverr/flaresolverr:v3.3.21";
autoStart = true;
volumes = [
"jackett_config:/config"
"jackett_data:/data"
];
};
radarr = {
enable = true;
image = "linuxserver/radarr";
autoStart = true;
volumes = [
"radarr_config:/config"
"radarr_data:/data"
];
};
sonarr = {
enable = true;
image = "linuxserver/sonarr";
autoStart = true;
volumes = [
"sonarr_config:/config"
"sonarr_data:/data"
];
};
prowlarr = {
enable = true;
image = "linuxserver/prowlarr";
autoStart = true;
volumes = [ "prowlarr_config:/config" ];
# volumes = [
# "jackett_data:/data"
# ];
};
};
# Pod Definition
podDefinition = {
name = "download";
name = "media-manager-extra";
ports = [
"7878:7878" # : Radarr
"8989:8989" # : Sonarr
"9117:9117" # : Jackett
"9696:9696" # : Prowlarr
"8191:8191" # : FlareSolverr
];
containers = containersDefinition;
};
@ -135,15 +104,15 @@ in
};
# my.virtualisation.podmanPods = {
# inherit podDefinition;
# };
my.virtualisation.podmanPods = {
inherit podDefinition;
};
# virtualisation.oci-containers.containers =
# let
# pod = config.helpers.processContainers podDefinition;
# in
# pod.containers;
virtualisation.oci-containers.containers =
let
pod = config.helpers.processContainers podDefinition;
in
pod.containers;
})
@ -228,6 +197,8 @@ in
enable = true;
url = "http://arr.internal:9696";
port = 9701;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.prowlarr-apiKey.path;
};
exportarr-radarr = {
@ -242,18 +213,24 @@ in
enable = true;
url = "http://arr.internal:8989";
port = 9703;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.sonarr-apiKey.path;
};
exportarr-lidarr = {
enable = true;
url = "http://arr.internal:8686";
port = 9704;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.lidarr-apiKey.path;
};
exportarr-readarr = {
enable = true;
url = "http://arr.internal:8787";
port = 9705;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.readarr-apiKey.path;
};
};
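Review bot: The pod now publishes `"8191:8191"` for FlareSolverr, which binds on every interface of the host, and the FlareSolverr API has no authentication, so any machine that can reach this host can have it fetch URLs on its behalf. If only a service on this same host talks to it, publish it as `"127.0.0.1:8191:8191"`; otherwise restrict the port in the host firewall to the hosts that need it. The image is pinned to the tag `v3.3.21`, which is an improvement over the untagged images it replaces; pinning by digest would additionally protect against the tag being re-pushed. Whether Prowlarr still runs on this host is not visible in these hunks.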


@ -2,11 +2,8 @@ let
keys = import ./ssh-keys.nix;
secrets = with keys; {
tailscale-authKey = [
machines.arr
machines.metrics
];
cloudflare-tegola-apiKey = [ machines.metrics ];
tailscale-authKey = keys.tailscale-machine;
cloudflare-tegola-apiKey = [ machines.caddy ];
prowlarr-apiKey = [ machines.metrics ];
radarr-apiKey = [ machines.metrics ];
sonarr-apiKey = [ machines.metrics ];
@ -15,8 +12,10 @@ let
};
in
builtins.listToAttrs (
map (secretName: {
name = "secrets/${secretName}.age";
value.publicKeys = secrets."${secretName}" ++ keys.infra-core;
}) (builtins.attrNames secrets)
map
(secretName: {
name = "secrets/${secretName}.age";
value.publicKeys = secrets."${secretName}" ++ keys.infra-core;
})
(builtins.attrNames secrets)
)
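Review bot: Changing the recipient lists does not revoke access for the keys that were removed: `machines.arr` for `tailscale-authKey` and `machines.metrics` for `cloudflare-tegola-apiKey` can still decrypt the earlier `.age` files from git history. Rotate the Tailscale auth key and the Cloudflare API token and then re-encrypt, so that only the new recipients can read the live values. Also check that the arr host no longer declares `age.secrets.tailscale-authKey`; its configuration is not part of this commit, and agenix would fail to decrypt the secret there after this rekey. As a style point, inside `with keys;` the new line can read `tailscale-authKey = tailscale-machine;`.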

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,12 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ BJu3flcBLis/8Ai4IC1mSoJvJq2BE5WuhjTbDhveVA0
H7fQDKisnuMGitFBqXLE6PqGqiuoDA844t75+M2YIdc
-> ssh-ed25519 Si3UKw 8wDKIo88PCXm1+lXX5LkFblN64OKF1l/yxzGX2g9aRQ
nXdSmcWijyH/P9ZfkfDpJDADV722b9ZE/ib2NPkIIgM
-> ssh-ed25519 3UG3uw 55QOO9ISxtcBgP08ZnvKQ8/LdDU/wEtUflykwUHUXhE
QaXR29k1jQ4qTZEbuET1iLVdp5xzLZQU5wCERSLyAOg
-> ssh-ed25519 JEhtoQ wcrBBJV6GFQu3bX4PB3JaCH/zWlIQEATrr3Y2Wb+hgk
YYZVClBk7KjdIXGj5aY50Uiw3eDoFOsE+Pb69c7U/z4
--- C+snFDF8ihxangd1g9HS5ISHSrEkqUqrO6McAKgGC3c
‰¬©Ï×é£âñg—ìý<C3AC>Ä•€¯x#Š¢¸
—¤"çÑ4ÖÇwOÒ½vüMŸ"b†ce<63>
-> ssh-ed25519 xSWWeQ osQUlwq9RbGSOMeT0CrMrPc873VsQlCPEMIGZWtlXms
JYh0ZOqBorChzHW0EWNXp23XW9LWCcraCrTbAUQ9ZFE
-> ssh-ed25519 Si3UKw evD92WSnq4AUr6yNpickNW8f8Jq4wwbaosPE4C5uVSU
4dhLWbjn5mv7wnZPXNiM8sJQzmgJG6U9O69TfBMq3K0
-> ssh-ed25519 3UG3uw gIR5hsyjAkAc7pJFUaMB8Y1wiorFfU2kIatoAdDghD8
ysVDexwf3ZpXaqOGqdEM1swE53tCNhf6nK6PhrM0xXA
-> ssh-ed25519 JEhtoQ t5H6VaOuBBo1lwpOhf/CBRm+Ko1+LnQmcXUViUzzDTQ
RYmdYN323UQYtEMqaT5edYukUvnnwMXDNsGkv6QkUmE
--- MS+fNLA+DRxLSgpJciC37I1niuVcb9bvOjhOjY5jsZ8
jËI­¨èkY«£Öûí¼ÐrÝ¿“:†}Øtê&þº0:ÖœùãÙ<C3A3>ÑÖ±CìÊÕ%À<>²R÷š§I


@ -1,11 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ NASyXumDFN12xV+kCqRuJJeUKYPMeRuycSJvAiH9/xI
ILiqV1vCYl+CJQQUEcM0a1b2ne1bEmm2c6Q2AYxpO2w
-> ssh-ed25519 Si3UKw HlSnOktOG6W/ZVyqI1UMdk7pxpe+sNclAze/lR03aXU
9MT6At2lR6/Zb3hHiWGNbRrN+EiZ79IJ/XhK5W54dMU
-> ssh-ed25519 3UG3uw lHTvFsN00Cj0eoGucE9RcZvZ6Od7EOlIzbT1Yfc9tig
do3zYm1FboG12QtF/2KN9iOxWK83TowJTNcYWAVc9cc
-> ssh-ed25519 JEhtoQ 8xzv06CE8Dtuzq9Ivirbx+WbYL01XoZKLmf1NIROmks
BYGHnnKMo/k9PrOMPGHvHksPTce5I9uIC3jS7e/Qff8
--- SoO3M/eHTHaTW3OwzIyWn5B8WBIPZ8xelWxkLjOxyNM
üŢ>ç`ađśű©O¨±ĎlÎ0ó0gŢ?tşéŞ´“e`çŚSÁ“†Ď6Ţsş“Ëâ1@ë–Óľű3Ńu)«Ĺ
-> ssh-ed25519 xSWWeQ RI4jxDgN4+uFqa+lHlgk78VdS1cHyxCJTHNeuu+3Lxo
fbv3NihABbrmSLNkC5/zNAaIWW7cOxzrsLNynat/JL0
-> ssh-ed25519 Si3UKw PiSQZUk4oZJxUAhhZ375zlU/RD3v256jzJfBkkfLUxA
uyGDZ+vSiHIg/GF99nPqRrlOUdEUFOc8iLUw9haUiNQ
-> ssh-ed25519 3UG3uw enlt9XUtJDhpYMDUnmhHc5paWWrTGfSgnJIWvlnOExA
3nXzjJHlhUrt35WWm7c7vUCPVEne34lmsggiamKo6BI
-> ssh-ed25519 JEhtoQ 00jccXMXMOX6Z3jw74bn7MUqmpFtmFEIL8UdLmhWlAc
KVGgCb+3eOm088Ru3apqm4unqfyWCCFTwHJv3vac2EU
--- eWDxUZAIvC2rYVZWKnShOQy9ZK9/kTahsNIZFxCn9es
W©”Z¼f0EfWW<EFBFBD>žD@kOrÆoý ­Š3T<33>Vç<>o¬¹P(pkÓû‡^òã”ò¶C%$ªJ󻢻wì÷Ü9—Ç


@ -1,11 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ uLHoKxMTVjvyjMNLyG8MyhMEUQ3rw1nY2no4erJBDX0
NPqgmdLgKc+SeWGW5RRO6HbO1AE55s8BuKEsHjZq5Do
-> ssh-ed25519 Si3UKw P9pMnSKrJhKr+rZkde9wO3GX4GS7yNX2cVUOYd/JMHg
+BALAaGYeJwo1VG4kzsbuYERi4JwrR640TK7p5VEq+g
-> ssh-ed25519 3UG3uw TmIgCfN66iEstmFhIdqOL4rtfM5ZC4SutX6jWLRpxgE
3IobYkFLp9/c1Cta3esmob7EioATUqDan3O34DgLiTo
-> ssh-ed25519 JEhtoQ utDyShWrKbTS54kbYTtNQFuMFfDURYvjmjlDtevOeTI
cqLiVeH1D45q8WGwHDEUIu+VSmdVBBA6U8TVe4TOtXU
--- nG5QAE6zNkan8ISAjM8YWne9LPeE9n5d/oqPyafyC9A
8naŸ„‡×m6>¨Ögζ§'›¥‘{”<>‡y§W%âõläùØßÐWJwD<77>/<1A>ÙMþÈÍ 4–æÒTͽ @‡·¤
-> ssh-ed25519 xSWWeQ SmgOrIZIEkpYmtdE21RkKww0qY78QwcJoU2vrdZ7RVQ
xKmvo127yM9kQfFoipC7NDj6JkZo9vyJs5N1sQ7Szek
-> ssh-ed25519 Si3UKw zoEEt3+X0iIlkLzhPnqFZq4u4fU6srR4SluQLO9Y3T4
E0zYd1pcytVBmRezMwhBXzYLv+fvLs9SIJqnzChDp4M
-> ssh-ed25519 3UG3uw QQjKuxvT0Sca8keACNbHPBfSh1EAyO8ZBdcgkhZyizU
D8XeaeitLD70fcWo1xNZsd7u+e8WVMXmtIxyYMgu3xk
-> ssh-ed25519 JEhtoQ hMKJ71f7Xk0fh2ama/+SUeyPrY5OMAf/hdHkb3sOpUo
SaSrqD/Fel6wu4KQXyuAZA1zEiYkodxNsILxb9M69DE
--- bgC5YtjAfz49d7GrGleT1QDNJDFHpH+YoyCC97Gul7M
£ú çÍð @Ú ŒHŒˆ8~f»¯˜#}zCÖÆÈ˜í<CB9C>ÆÇ<C386>×È-|:yšOÝÌö;nÏåéÏïŒq+1Ãô6^Å


@ -1,14 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 1nWE1Q J7LFA/+OWjALgurxCaCsrNIsiCz6Y/GBnAO8xznDdgI
Z8/shqTX6tepqfrktQLxTn1XYzph0cnhf8bmr53Pl2o
-> ssh-ed25519 xSWWeQ zTbGFK9uT1UmRByKdhsDikj9isQg08k4cxM3+HGXZWE
eWrkdsYiCw6Lk9UMEs0+yby7ZheJmIx04vL7I+8q+LA
-> ssh-ed25519 Si3UKw Jl+O+cygmKLA9IAyNBg9qr0d4H5f9ygnTBI6M/uoZxw
ZaJAhdhn/7Tm/xIw1w0yI5D/4j2e/8K6x7Phlis9AOc
-> ssh-ed25519 3UG3uw boXDEDh2enEx2a/6DczJ/4b6XvaGs2b6rhrkzK5L9Uc
9qPpJ2cr+/7Br8xVROFCbj8F6vkEPkmCNMWi5JbnbBw
-> ssh-ed25519 JEhtoQ 1d7BDdYIJe0IxDLUrZ+Um/R0cusQQzIMy2RWnb+lSCw
Q8eWTIwkw85KvnKinh4YoKQ/PpHLa4ELrdFGMKsGWSo
--- 9Lam+CKmN6dyxPwwJqDjJW7tL/zGTQhkomsKFZohqsI
|Ö¨‰aƒôÔöˆ.Ÿ{<7B>'¸™ªd>|ßšõëh<C3AB>¥Ôšµ\Þ½%«w“
:dxõ²…®W.vš<76>­ËíÆlLjSfÒ[<5B>ðéIøƒwß ¨g°d(]™PÁRd»}ô›%
-> ssh-ed25519 BFt3Fg Lvsryegz6tZoK0xHJtKcGOwCxowPmtgN1GFP41TveXY
Ze9LLPZd9MHXSP4uhVOgwxsiG+ly1PxGLnz+YYQqFsk
-> ssh-ed25519 xSWWeQ Y8AKOq6yfUQIirYnzA642qYrsMti08F+YJVGeWe/ZCk
Z7oddgzRGeeVpQgp8u/XqTrvHi+e7hcV5dWBk+nIbI0
-> ssh-ed25519 Si3UKw eu853w/oZ56Xde+PI4Zfq7JBMzdSgoy9WIXnMTes8D0
8s5MokfSqpYCiiRckWkuHRqUxqpkRPsYNTJaz2RR/yQ
-> ssh-ed25519 3UG3uw A7Dx9d5EVjBieB1kXGF6GIX5m/vEP1VUsSUkGjEg3nE
eHl+og2VBh4MNo6aOWaU3VGqig2XQxi+UhLdSX/f6tg
-> ssh-ed25519 JEhtoQ I2aDrigMNdzuNGqIagnHW5L/6fvpMz/2EC8L5gHs1HI
2O7ZiXEVFSJ7ous94Nk23gF8Y4B6rIDxPH+tZ2Vbta0
--- DvMRu0m59h7lYnevgpEchnxpRxza7WVHgpwiPKUMf/I
¦ľÂů!É<>Žş"Ëpl` S<>„8tňţ°vfěÍĆa¶Öń$Ľő$R ďMÇ^F…Ă]÷Z;ĎôdŻ­«/ľĺj,ZÔo©ÔÔŞź˝¤ý$a<>óŹ˘<E28099>•ü
R


@ -8,6 +8,7 @@ rec {
# The key are found executing `ssh-keyscan <ip-address>`
machines = {
arr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjAFjbSGaeWnImPFBEQ/PeGz7hgpLhUYgZg5Hb/JJ42";
caddy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfgwx+fiwkMAhzdS3WhoeoIGowKgwem8HB/NCyF60Ff";
metrics = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFRY4bpw1gCJAWMtBTSm2/09gcniFkSyCKCKPyGHVbr";
};
@ -17,8 +18,14 @@ rec {
krzo
];
tailscale-machine = [
machines.caddy
machines.metrics
];
infra-machine = [
machines.arr
machines.caddy
machines.metrics
];