New host for Caddy reverse proxy

pazpi 2024-09-10 22:49:17 +02:00
parent e5f47681ae
commit dcac67e097
No known key found for this signature in database
GPG key ID: 0942571C4B9966BE
15 changed files with 222 additions and 132 deletions


@ -1,5 +1,22 @@
# Papzi homelab configurations # Papzi homelab configurations
L'homelab è suddiviso in vari host configurati come container LXC su una macchina Proxmox 8.2.
## IP
La rete di casa è suddivisa in due parti, la prima gestita in DHCP ha IP fino al `.149` (compreso), mentre gli altri sono riservati per indirizzi statici.
Per comodità una volta assegnato un IP questo deve essere impostato su PiHole con dominio `.internal` per facilitare il routing.
## Hosts
### Caddy
### Arr
### Metrics
### Deadbeef
## How to ## How to
### Build ### Build


@ -36,15 +36,14 @@
}; };
outputs = outputs =
{ { self
self, , nixpkgs
nixpkgs, , nixos-hardware
nixos-hardware, , lix-module
lix-module, , agenix
agenix, , colmena
colmena, , home-manager
home-manager, , ...
...
}@inputs: }@inputs:
let let
system = "x86_64-linux"; system = "x86_64-linux";
@ -79,6 +78,14 @@
]; ];
}; };
caddy.deployment = {
targetHost = "192.168.1.150";
tags = [
"lxc"
"bacco"
];
};
metrics.deployment = { metrics.deployment = {
targetHost = "192.168.1.152"; targetHost = "192.168.1.152";
tags = [ tags = [

69
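--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -0,0 +1,69 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+let
+tailscaleMagicDNS = "neon-dory.ts.net";
+in
+{
+age.secrets = {
+tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
+};
+my = {
+utils.commons.enable = true;
+services.media-mgr = {
+proxy = {
+enable = true;
+domain = "tegola.pro";
+host = "arr.internal";
+};
+};
+monitoring = {
+prometheus = {
+proxy = {
+domain = "tegola.pro";
+host = "metrics.internal";
+};
+};
+};
+networking = {
+tailscale = {
+enable = true;
+magicDNSDomain = tailscaleMagicDNS;
+authKeyFile = config.age.secrets.tailscale-authKey.path;
+};
+caddy.enable = true;
+};
+virtualisation = {
+proxmox.enable = true;
+};
+};
+time.timeZone = "Europe/Rome";
+# Extra packages
+environment.systemPackages = with pkgs; [ ];
+services = {
+openssh.enable = true;
+prometheus.exporters = {
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+};
+};
+};
+networking.nameservers = [ "192.168.1.2" ];
+system.stateVersion = "24.05";
+}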
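Review bot: `services.openssh.enable = true` in hosts/caddy/default.nix takes the module defaults on the host that now fronts `tegola.pro`, and nothing in this file turns off password logins. Unless `my.utils.commons` already does so (not visible in this diff), I would set `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` here so the proxy host only accepts key-based logins. The empty `environment.systemPackages = with pkgs; [ ];` under `# Extra packages` does nothing and can be dropped until a package is actually needed.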


@ -1,10 +1,9 @@
{ { nixpkgs
nixpkgs, , nixos-hardware
nixos-hardware, , agenix
agenix, , home-manager
home-manager, , lix-module
lix-module, , ...
...
}: }:
let let
agenixOverlay = final: prev: { agenix = agenix.packages.${prev.system}.default; }; agenixOverlay = final: prev: { agenix = agenix.packages.${prev.system}.default; };
@ -70,6 +69,17 @@ in
# specialArgs = { }; # specialArgs = { };
}; };
caddy = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux";
modules = [
myModule
proxmoxModule
./caddy
agenix.nixosModules.default
];
# specialArgs = { };
};
metrics = nixpkgs.lib.nixosSystem { metrics = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [


@ -1,8 +1,7 @@
{ { config
config, , pkgs
pkgs, , lib
lib, , ...
...
}: }:
let let
tailscaleMagicDNS = "neon-dory.ts.net"; tailscaleMagicDNS = "neon-dory.ts.net";
@ -18,20 +17,20 @@ in
services.media-mgr = { services.media-mgr = {
exportMetrics.enable = true; exportMetrics.enable = true;
proxy = { # proxy = {
enable = true; # enable = true;
domain = "tegola.pro"; # domain = "tegola.pro";
host = "arr.internal"; # host = "arr.internal";
}; # };
}; };
monitoring = { monitoring = {
prometheus = { prometheus = {
enable = true; enable = true;
proxy = { # proxy = {
domain = "tegola.pro"; # domain = "tegola.pro";
host = "metrics.internal"; # host = "metrics.internal";
}; # };
}; };
}; };
@ -42,7 +41,7 @@ in
authKeyFile = config.age.secrets.tailscale-authKey.path; authKeyFile = config.age.secrets.tailscale-authKey.path;
}; };
caddy.enable = true; # caddy.enable = true;
}; };
virtualisation = { virtualisation = {
@ -60,11 +59,17 @@ in
prometheus.scrapeConfigs = [ prometheus.scrapeConfigs = [
{ {
job_name = "metrics-host"; job_name = "host-metrics";
static_configs = [ static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
]; ];
} }
{
job_name = "host-caddy";
static_configs = [
{ targets = [ "caddy.internal:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
]; ];
prometheus.exporters = { prometheus.exporters = {
@ -75,7 +80,7 @@ in
}; };
}; };
networking.nameservers = [ "192.168.1.2" ]; # networking.nameservers = [ "192.168.1.2" ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }
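Review bot: The new `host-caddy` scrape job targets `caddy.internal`, yet the last hunk of this file comments out `networking.nameservers = [ "192.168.1.2" ];`, so resolving `.internal` on this host now depends on whatever resolver the container inherits. The README change in this commit says `.internal` names are registered on PiHole; if 192.168.1.2 is that PiHole (an inference, the diff does not say), keep the line or note where the resolver now comes from, otherwise the target simply shows as down. The target port is read from this host's own `config.services.prometheus.exporters.node.port`, which matches caddy only while both hosts keep the same value; a comment such as `# assumes caddy's node exporter listens on the same port as this host` would make that explicit. The commented-out `proxy` and `caddy.enable` blocks are better deleted than kept, since the same settings now live in hosts/caddy. The surrounding attribute sets start and end outside the visible hunks.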


@ -11,52 +11,21 @@ let
containersDefinition = { containersDefinition = {
jackett = { flaresolverr = {
enable = true; enable = true;
image = "linuxserver/jackett"; image = "ghcr.io/flaresolverr/flaresolverr:v3.3.21";
autoStart = true; autoStart = true;
volumes = [ # volumes = [
"jackett_config:/config" # "jackett_data:/data"
"jackett_data:/data" # ];
];
};
radarr = {
enable = true;
image = "linuxserver/radarr";
autoStart = true;
volumes = [
"radarr_config:/config"
"radarr_data:/data"
];
};
sonarr = {
enable = true;
image = "linuxserver/sonarr";
autoStart = true;
volumes = [
"sonarr_config:/config"
"sonarr_data:/data"
];
};
prowlarr = {
enable = true;
image = "linuxserver/prowlarr";
autoStart = true;
volumes = [ "prowlarr_config:/config" ];
}; };
}; };
# Pod Definition # Pod Definition
podDefinition = { podDefinition = {
name = "download"; name = "media-manager-extra";
ports = [ ports = [
"7878:7878" # : Radarr "8191:8191" # : FlareSolverr
"8989:8989" # : Sonarr
"9117:9117" # : Jackett
"9696:9696" # : Prowlarr
]; ];
containers = containersDefinition; containers = containersDefinition;
}; };
@ -135,15 +104,15 @@ in
}; };
# my.virtualisation.podmanPods = { my.virtualisation.podmanPods = {
# inherit podDefinition; inherit podDefinition;
# }; };
# virtualisation.oci-containers.containers = virtualisation.oci-containers.containers =
# let let
# pod = config.helpers.processContainers podDefinition; pod = config.helpers.processContainers podDefinition;
# in in
# pod.containers; pod.containers;
}) })
@ -228,6 +197,8 @@ in
enable = true; enable = true;
url = "http://arr.internal:9696"; url = "http://arr.internal:9696";
port = 9701; port = 9701;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.prowlarr-apiKey.path; apiKeyFile = config.age.secrets.prowlarr-apiKey.path;
}; };
exportarr-radarr = { exportarr-radarr = {
@ -242,18 +213,24 @@ in
enable = true; enable = true;
url = "http://arr.internal:8989"; url = "http://arr.internal:8989";
port = 9703; port = 9703;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.sonarr-apiKey.path; apiKeyFile = config.age.secrets.sonarr-apiKey.path;
}; };
exportarr-lidarr = { exportarr-lidarr = {
enable = true; enable = true;
url = "http://arr.internal:8686"; url = "http://arr.internal:8686";
port = 9704; port = 9704;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.lidarr-apiKey.path; apiKeyFile = config.age.secrets.lidarr-apiKey.path;
}; };
exportarr-readarr = { exportarr-readarr = {
enable = true; enable = true;
url = "http://arr.internal:8787"; url = "http://arr.internal:8787";
port = 9705; port = 9705;
user = "exportarr";
group = "exportarr";
apiKeyFile = config.age.secrets.readarr-apiKey.path; apiKeyFile = config.age.secrets.readarr-apiKey.path;
}; };
}; };
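Review bot: The pod publishes `"8191:8191"` for FlareSolverr, which binds on every interface, and FlareSolverr's API has no authentication of its own, so any client that can reach the port can have it fetch pages through its headless browser. If only services on this host use it, publish it as `"127.0.0.1:8191:8191"`; otherwise limit the port in the firewall to the hosts that need it. The image is pinned by tag (`v3.3.21`) only; adding the digest would keep a re-pushed tag from changing what runs. The leftover `# volumes = [ # "jackett_data:/data" # ];` comment refers to a container this commit removes and can go. The option definitions these hunks belong to start and end outside the visible lines.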


@ -2,11 +2,8 @@ let
keys = import ./ssh-keys.nix; keys = import ./ssh-keys.nix;
secrets = with keys; { secrets = with keys; {
tailscale-authKey = [ tailscale-authKey = keys.tailscale-machine;
machines.arr cloudflare-tegola-apiKey = [ machines.caddy ];
machines.metrics
];
cloudflare-tegola-apiKey = [ machines.metrics ];
prowlarr-apiKey = [ machines.metrics ]; prowlarr-apiKey = [ machines.metrics ];
radarr-apiKey = [ machines.metrics ]; radarr-apiKey = [ machines.metrics ];
sonarr-apiKey = [ machines.metrics ]; sonarr-apiKey = [ machines.metrics ];
@ -15,8 +12,10 @@ let
}; };
in in
builtins.listToAttrs ( builtins.listToAttrs (
map (secretName: { map
(secretName: {
name = "secrets/${secretName}.age"; name = "secrets/${secretName}.age";
value.publicKeys = secrets."${secretName}" ++ keys.infra-core; value.publicKeys = secrets."${secretName}" ++ keys.infra-core;
}) (builtins.attrNames secrets) })
(builtins.attrNames secrets)
) )
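Review bot: Dropping `machines.arr` from `tailscale-authKey` and `machines.metrics` from `cloudflare-tegola-apiKey` only changes who can decrypt the re-encrypted files; the earlier ciphertexts stay in git history and remain decryptable with those hosts' SSH keys. The diff cannot show whether the secret values themselves changed, so if they were only re-keyed, the Tailscale auth key and the Cloudflare API token should be rotated for the recipient removal to take effect. A comment above `tailscale-authKey = keys.tailscale-machine;` such as `# recipients: hosts that join the tailnet; rotate the key when a host is removed` would record that. The `let` block opens above the first hunk.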

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,12 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xSWWeQ BJu3flcBLis/8Ai4IC1mSoJvJq2BE5WuhjTbDhveVA0 -> ssh-ed25519 xSWWeQ osQUlwq9RbGSOMeT0CrMrPc873VsQlCPEMIGZWtlXms
H7fQDKisnuMGitFBqXLE6PqGqiuoDA844t75+M2YIdc JYh0ZOqBorChzHW0EWNXp23XW9LWCcraCrTbAUQ9ZFE
-> ssh-ed25519 Si3UKw 8wDKIo88PCXm1+lXX5LkFblN64OKF1l/yxzGX2g9aRQ -> ssh-ed25519 Si3UKw evD92WSnq4AUr6yNpickNW8f8Jq4wwbaosPE4C5uVSU
nXdSmcWijyH/P9ZfkfDpJDADV722b9ZE/ib2NPkIIgM 4dhLWbjn5mv7wnZPXNiM8sJQzmgJG6U9O69TfBMq3K0
-> ssh-ed25519 3UG3uw 55QOO9ISxtcBgP08ZnvKQ8/LdDU/wEtUflykwUHUXhE -> ssh-ed25519 3UG3uw gIR5hsyjAkAc7pJFUaMB8Y1wiorFfU2kIatoAdDghD8
QaXR29k1jQ4qTZEbuET1iLVdp5xzLZQU5wCERSLyAOg ysVDexwf3ZpXaqOGqdEM1swE53tCNhf6nK6PhrM0xXA
-> ssh-ed25519 JEhtoQ wcrBBJV6GFQu3bX4PB3JaCH/zWlIQEATrr3Y2Wb+hgk -> ssh-ed25519 JEhtoQ t5H6VaOuBBo1lwpOhf/CBRm+Ko1+LnQmcXUViUzzDTQ
YYZVClBk7KjdIXGj5aY50Uiw3eDoFOsE+Pb69c7U/z4 RYmdYN323UQYtEMqaT5edYukUvnnwMXDNsGkv6QkUmE
--- C+snFDF8ihxangd1g9HS5ISHSrEkqUqrO6McAKgGC3c --- MS+fNLA+DRxLSgpJciC37I1niuVcb9bvOjhOjY5jsZ8
‰¬©Ï×é£âñg—ìý<C3AC>Ä•€¯x#Š¢¸ jËI­¨èkY«£Öûí¼ÐrÝ¿“:†}Øtê&þº0:ÖœùãÙ<C3A3>ÑÖ±CìÊÕ%À<>²R÷š§I
—¤"çÑ4ÖÇwOÒ½vüMŸ"b†ce<63>


@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xSWWeQ NASyXumDFN12xV+kCqRuJJeUKYPMeRuycSJvAiH9/xI -> ssh-ed25519 xSWWeQ RI4jxDgN4+uFqa+lHlgk78VdS1cHyxCJTHNeuu+3Lxo
ILiqV1vCYl+CJQQUEcM0a1b2ne1bEmm2c6Q2AYxpO2w fbv3NihABbrmSLNkC5/zNAaIWW7cOxzrsLNynat/JL0
-> ssh-ed25519 Si3UKw HlSnOktOG6W/ZVyqI1UMdk7pxpe+sNclAze/lR03aXU -> ssh-ed25519 Si3UKw PiSQZUk4oZJxUAhhZ375zlU/RD3v256jzJfBkkfLUxA
9MT6At2lR6/Zb3hHiWGNbRrN+EiZ79IJ/XhK5W54dMU uyGDZ+vSiHIg/GF99nPqRrlOUdEUFOc8iLUw9haUiNQ
-> ssh-ed25519 3UG3uw lHTvFsN00Cj0eoGucE9RcZvZ6Od7EOlIzbT1Yfc9tig -> ssh-ed25519 3UG3uw enlt9XUtJDhpYMDUnmhHc5paWWrTGfSgnJIWvlnOExA
do3zYm1FboG12QtF/2KN9iOxWK83TowJTNcYWAVc9cc 3nXzjJHlhUrt35WWm7c7vUCPVEne34lmsggiamKo6BI
-> ssh-ed25519 JEhtoQ 8xzv06CE8Dtuzq9Ivirbx+WbYL01XoZKLmf1NIROmks -> ssh-ed25519 JEhtoQ 00jccXMXMOX6Z3jw74bn7MUqmpFtmFEIL8UdLmhWlAc
BYGHnnKMo/k9PrOMPGHvHksPTce5I9uIC3jS7e/Qff8 KVGgCb+3eOm088Ru3apqm4unqfyWCCFTwHJv3vac2EU
--- SoO3M/eHTHaTW3OwzIyWn5B8WBIPZ8xelWxkLjOxyNM --- eWDxUZAIvC2rYVZWKnShOQy9ZK9/kTahsNIZFxCn9es
üŢ>ç`ađśű©O¨±ĎlÎ0ó0gŢ?tşéŞ´“e`çŚSÁ“†Ď6Ţsş“Ëâ1@ë–Óľű3Ńu)«Ĺ W©”Z¼f0EfWW<EFBFBD>žD@kOrÆoý ­Š3T<33>Vç<>o¬¹P(pkÓû‡^òã”ò¶C%$ªJ󻢻wì÷Ü9—Ç


@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xSWWeQ uLHoKxMTVjvyjMNLyG8MyhMEUQ3rw1nY2no4erJBDX0 -> ssh-ed25519 xSWWeQ SmgOrIZIEkpYmtdE21RkKww0qY78QwcJoU2vrdZ7RVQ
NPqgmdLgKc+SeWGW5RRO6HbO1AE55s8BuKEsHjZq5Do xKmvo127yM9kQfFoipC7NDj6JkZo9vyJs5N1sQ7Szek
-> ssh-ed25519 Si3UKw P9pMnSKrJhKr+rZkde9wO3GX4GS7yNX2cVUOYd/JMHg -> ssh-ed25519 Si3UKw zoEEt3+X0iIlkLzhPnqFZq4u4fU6srR4SluQLO9Y3T4
+BALAaGYeJwo1VG4kzsbuYERi4JwrR640TK7p5VEq+g E0zYd1pcytVBmRezMwhBXzYLv+fvLs9SIJqnzChDp4M
-> ssh-ed25519 3UG3uw TmIgCfN66iEstmFhIdqOL4rtfM5ZC4SutX6jWLRpxgE -> ssh-ed25519 3UG3uw QQjKuxvT0Sca8keACNbHPBfSh1EAyO8ZBdcgkhZyizU
3IobYkFLp9/c1Cta3esmob7EioATUqDan3O34DgLiTo D8XeaeitLD70fcWo1xNZsd7u+e8WVMXmtIxyYMgu3xk
-> ssh-ed25519 JEhtoQ utDyShWrKbTS54kbYTtNQFuMFfDURYvjmjlDtevOeTI -> ssh-ed25519 JEhtoQ hMKJ71f7Xk0fh2ama/+SUeyPrY5OMAf/hdHkb3sOpUo
cqLiVeH1D45q8WGwHDEUIu+VSmdVBBA6U8TVe4TOtXU SaSrqD/Fel6wu4KQXyuAZA1zEiYkodxNsILxb9M69DE
--- nG5QAE6zNkan8ISAjM8YWne9LPeE9n5d/oqPyafyC9A --- bgC5YtjAfz49d7GrGleT1QDNJDFHpH+YoyCC97Gul7M
8naŸ„‡×m6>¨Ögζ§'›¥‘{”<>‡y§W%âõläùØßÐWJwD<77>/<1A>ÙMþÈÍ 4–æÒTͽ @‡·¤ £ú çÍð @Ú ŒHŒˆ8~f»¯˜#}zCÖÆÈ˜í<CB9C>ÆÇ<C386>×È-|:yšOÝÌö;nÏåéÏïŒq+1Ãô6^Å


@ -1,14 +1,14 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 1nWE1Q J7LFA/+OWjALgurxCaCsrNIsiCz6Y/GBnAO8xznDdgI -> ssh-ed25519 BFt3Fg Lvsryegz6tZoK0xHJtKcGOwCxowPmtgN1GFP41TveXY
Z8/shqTX6tepqfrktQLxTn1XYzph0cnhf8bmr53Pl2o Ze9LLPZd9MHXSP4uhVOgwxsiG+ly1PxGLnz+YYQqFsk
-> ssh-ed25519 xSWWeQ zTbGFK9uT1UmRByKdhsDikj9isQg08k4cxM3+HGXZWE -> ssh-ed25519 xSWWeQ Y8AKOq6yfUQIirYnzA642qYrsMti08F+YJVGeWe/ZCk
eWrkdsYiCw6Lk9UMEs0+yby7ZheJmIx04vL7I+8q+LA Z7oddgzRGeeVpQgp8u/XqTrvHi+e7hcV5dWBk+nIbI0
-> ssh-ed25519 Si3UKw Jl+O+cygmKLA9IAyNBg9qr0d4H5f9ygnTBI6M/uoZxw -> ssh-ed25519 Si3UKw eu853w/oZ56Xde+PI4Zfq7JBMzdSgoy9WIXnMTes8D0
ZaJAhdhn/7Tm/xIw1w0yI5D/4j2e/8K6x7Phlis9AOc 8s5MokfSqpYCiiRckWkuHRqUxqpkRPsYNTJaz2RR/yQ
-> ssh-ed25519 3UG3uw boXDEDh2enEx2a/6DczJ/4b6XvaGs2b6rhrkzK5L9Uc -> ssh-ed25519 3UG3uw A7Dx9d5EVjBieB1kXGF6GIX5m/vEP1VUsSUkGjEg3nE
9qPpJ2cr+/7Br8xVROFCbj8F6vkEPkmCNMWi5JbnbBw eHl+og2VBh4MNo6aOWaU3VGqig2XQxi+UhLdSX/f6tg
-> ssh-ed25519 JEhtoQ 1d7BDdYIJe0IxDLUrZ+Um/R0cusQQzIMy2RWnb+lSCw -> ssh-ed25519 JEhtoQ I2aDrigMNdzuNGqIagnHW5L/6fvpMz/2EC8L5gHs1HI
Q8eWTIwkw85KvnKinh4YoKQ/PpHLa4ELrdFGMKsGWSo 2O7ZiXEVFSJ7ous94Nk23gF8Y4B6rIDxPH+tZ2Vbta0
--- 9Lam+CKmN6dyxPwwJqDjJW7tL/zGTQhkomsKFZohqsI --- DvMRu0m59h7lYnevgpEchnxpRxza7WVHgpwiPKUMf/I
|Ö¨‰aƒôÔöˆ.Ÿ{<7B>'¸™ªd>|ßšõëh<C3AB>¥Ôšµ\Þ½%«w“ ¦ľÂů!É<>Žş"Ëpl` S<>„8tňţ°vfěÍĆa¶Öń$Ľő$R ďMÇ^F…Ă]÷Z;ĎôdŻ­«/ľĺj,ZÔo©ÔÔŞź˝¤ý$a<>óŹ˘<E28099>•ü
:dxõ²…®W.vš<76>­ËíÆlLjSfÒ[<5B>ðéIøƒwß ¨g°d(]™PÁRd»}ô›% R


@ -8,6 +8,7 @@ rec {
# The key are found executing `ssh-keyscan <ip-address>` # The key are found executing `ssh-keyscan <ip-address>`
machines = { machines = {
arr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjAFjbSGaeWnImPFBEQ/PeGz7hgpLhUYgZg5Hb/JJ42"; arr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjAFjbSGaeWnImPFBEQ/PeGz7hgpLhUYgZg5Hb/JJ42";
caddy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfgwx+fiwkMAhzdS3WhoeoIGowKgwem8HB/NCyF60Ff";
metrics = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFRY4bpw1gCJAWMtBTSm2/09gcniFkSyCKCKPyGHVbr"; metrics = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFRY4bpw1gCJAWMtBTSm2/09gcniFkSyCKCKPyGHVbr";
}; };
@ -17,8 +18,14 @@ rec {
krzo krzo
]; ];
tailscale-machine = [
machines.caddy
machines.metrics
];
infra-machine = [ infra-machine = [
machines.arr machines.arr
machines.caddy
machines.metrics machines.metrics
]; ];