feat: bootstrap winters

Swarsel 2024-09-23 22:09:33 +02:00
parent 713af5d722
commit f376490aee
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
8 changed files with 382 additions and 355 deletions


@ -4,7 +4,8 @@
# for a more complex example. # for a more complex example.
keys: keys:
- &admin_swarsel 4BE7925262289B476DBBC17B76FD3810215AE097 - &admin_swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
- &server_nixos age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4 - &server_sandbox age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4
- &server_nixos age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
- &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
- &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0 - &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0
- &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej - &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej
@ -26,6 +27,7 @@ creation_rules:
- *admin_swarsel - *admin_swarsel
age: age:
- *server_nixos - *server_nixos
- *server_sandbox
- *server_surface - *server_surface
- *server_stand - *server_stand
- *server_fourside - *server_fourside
@ -36,10 +38,17 @@ creation_rules:
- *admin_swarsel - *admin_swarsel
age: age:
- *server_nixos - *server_nixos
- *server_sandbox
- *server_surface - *server_surface
- *server_stand - *server_stand
- *server_fourside - *server_fourside
- *server_transmiss - *server_transmiss
- path_regex: secrets/server/winters/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_nixos
- path_regex: secrets/surface/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/surface/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - pgp:
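Review bot: Changing a creation rule's recipient list only affects files encrypted or rekeyed from now on; the files already under `secrets/server/` still carry their old recipient set, so the new `server_nixos` key (and `server_sandbox` where it was added) cannot decrypt them until `sops updatekeys` is run on each file, which is worth stating next to the keys block. The new `winters` rule at the end of the last hunk is keyed to `server_nixos` only; if winters is a separate host with its own age key derived from its SSH host key, it will need its own `&server_winters` anchor here rather than reusing the nixos one. The renamed `server_sandbox` key is also added to both existing server rules, which widens who can read those secrets; confirm that is intended for a sandbox machine.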


@ -6575,36 +6575,39 @@ Also, the system state version is set here. No need to touch it.
**** NGINX **** NGINX
#+begin_src nix :tangle profiles/server/common/nginx.nix #+begin_src nix :tangle profiles/server/common/nginx.nix
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lego lego
]; ];
sops = {
secrets.dnstokenfull = { owner = "acme"; };
templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
'';
};
security.acme = { users.users.acme = {};
acceptTerms = true;
preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com";
defaults.dnsProvider = "cloudflare";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
};
services.nginx = { sops = {
enable = true; secrets.dnstokenfull = { owner = "acme"; };
recommendedProxySettings = true; templates."certs.secret".content = ''
recommendedTlsSettings = true; CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
recommendedOptimisation = true; '';
recommendedGzipSettings = true; };
# virtualHosts are defined in the respective sections
};
} security.acme = {
acceptTerms = true;
preliminarySelfsigned = false;
defaults.email = "mrswarsel@gmail.com";
defaults.dnsProvider = "cloudflare";
defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
# virtualHosts are defined in the respective sections
};
}
#+end_src #+end_src
**** ssh **** ssh
@ -6616,6 +6619,9 @@ Also, the system state version is set here. No need to touch it.
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
users.users.swarsel.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];
@ -6650,7 +6656,7 @@ Also, the system state version is set here. No need to touch it.
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.22:8080"; proxyPass = "http://192.168.1.2:8080";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -6687,7 +6693,7 @@ Also, the system state version is set here. No need to touch it.
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
user = "jellyfin"; user = "jellyfin";
# openFirewall = true; # this works only for the default ports openFirewall = true; # this works only for the default ports
}; };
services.nginx = { services.nginx = {
@ -6698,7 +6704,7 @@ Also, the system state version is set here. No need to touch it.
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.16:8096"; proxyPass = "http://192.168.1.2:8096";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -6715,82 +6721,83 @@ Also, the system state version is set here. No need to touch it.
**** navidrome **** navidrome
#+begin_src nix :tangle profiles/server/common/navidrome.nix #+begin_src nix :tangle profiles/server/common/navidrome.nix
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
{ {
config = lib.mkIf config.swarselsystems.server.navidrome { config = lib.mkIf config.swarselsystems.server.navidrome {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
pciutils pciutils
alsa-utils alsa-utils
mpv mpv
]; ];
users = {
groups = {
navidrome = {
gid = 61593;
};
};
users = { users = {
navidrome = { groups = {
isSystemUser = true; navidrome = {
uid = 61593; gid = 61593;
group = "navidrome"; };
extraGroups = [ "audio" "utmp" ]; };
users = {
navidrome = {
isSystemUser = true;
uid = 61593;
group = "navidrome";
extraGroups = [ "audio" "utmp" ];
};
}; };
}; };
};
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
services.navidrome = { services.navidrome = {
enable = true; enable = true;
settings = { openFirewall = true;
Address = "0.0.0.0"; settings = {
Port = 4040; Address = "0.0.0.0";
MusicFolder = "/media"; Port = 4040;
EnableSharing = true; MusicFolder = "/media";
EnableTranscodingConfig = true; EnableSharing = true;
Scanner.GroupAlbumReleases = true; EnableTranscodingConfig = true;
ScanSchedule = "@every 1d"; Scanner.GroupAlbumReleases = true;
# Insert these values locally as sops-nix does not work for them ScanSchedule = "@every 1d";
# LastFM.ApiKey = TEMPLATE; # Insert these values locally as sops-nix does not work for them
# LastFM.Secret = TEMPLATE; # LastFM.ApiKey = TEMPLATE;
# Spotify.ID = TEMPLATE; # LastFM.Secret = TEMPLATE;
# Spotify.Secret = TEMPLATE; # Spotify.ID = TEMPLATE;
UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; # Spotify.Secret = TEMPLATE;
UIWelcomeMessage = "~SwarselSound~"; UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
UIWelcomeMessage = "~SwarselSound~";
};
}; };
};
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {
"sound.swarsel.win" = { "sound.swarsel.win" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.13:4040"; proxyPass = "http://192.168.1.2:4040";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_read_timeout 600s; proxy_read_timeout 600s;
proxy_send_timeout 600s; proxy_send_timeout 600s;
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
client_max_body_size 0; client_max_body_size 0;
''; '';
};
}; };
}; };
}; };
}; };
}; };
};
} }
#+end_src #+end_src
**** spotifyd **** spotifyd
@ -6886,279 +6893,281 @@ Also, the system state version is set here. No need to touch it.
**** matrix **** matrix
#+begin_src nix :tangle profiles/server/common/matrix.nix #+begin_src nix :tangle profiles/server/common/matrix.nix
{ config, lib, pkgs, modulesPath, sops, ... }: { config, lib, pkgs, modulesPath, sops, ... }:
let let
matrixDomain = "swatrix.swarsel.win"; matrixDomain = "swatrix.swarsel.win";
in in
{ {
config = lib.mkIf config.swarselsystems.server.matrix { config = lib.mkIf config.swarselsystems.server.matrix {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
matrix-synapse matrix-synapse
lottieconverter lottieconverter
ffmpeg ffmpeg
];
sops = {
secrets = {
matrixsharedsecret = { owner = "matrix-synapse"; };
mautrixtelegram_as = { owner = "matrix-synapse"; };
mautrixtelegram_hs = { owner = "matrix-synapse"; };
mautrixtelegram_api_id = { owner = "matrix-synapse"; };
mautrixtelegram_api_hash = { owner = "matrix-synapse"; };
};
templates = {
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
'';
matrixshared = {
owner = "matrix-synapse";
content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
};
mautrixtelegram = {
owner = "matrix-synapse";
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
};
};
};
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse = {
enable = true;
settings = {
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
"/var/lib/matrix-synapse/signal-registration.yaml"
"/var/lib/matrix-synapse/doublepuppet.yaml"
];
server_name = matrixDomain;
public_baseurl = "https://${matrixDomain}";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
extraConfigFiles = [
config.sops.templates.matrixshared.path
]; ];
};
services.mautrix-telegram = { sops = {
enable = true; secrets = {
environmentFile = config.sops.templates.mautrixtelegram.path; matrixsharedsecret = { owner = "matrix-synapse"; };
settings = { mautrixtelegram_as = { owner = "matrix-synapse"; };
homeserver = { mautrixtelegram_hs = { owner = "matrix-synapse"; };
address = "http://localhost:8008"; mautrixtelegram_api_id = { owner = "matrix-synapse"; };
domain = matrixDomain; mautrixtelegram_api_hash = { owner = "matrix-synapse"; };
}; };
appservice = { templates = {
address = "http://localhost:29317"; "matrix_user_register.sh".content = ''
hostname = "0.0.0.0"; register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
port = "29317"; '';
provisioning.enabled = true; matrixshared = {
id = "telegram"; owner = "matrix-synapse";
# ephemeral_events = true; # not needed due to double puppeting content = ''
public = { registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
enabled = false; '';
};
mautrixtelegram = {
owner = "matrix-synapse";
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
'';
}; };
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
}; };
bridge = { };
relaybot.authless_portals = true;
allow_avatar_remove = true; services.postgresql = {
allow_contact_info = true; enable = true;
sync_channel_members = true; initialScript = pkgs.writeText "synapse-init.sql" ''
startup_sync = true; CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
sync_create_limit = 0; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
sync_direct_chats = true; TEMPLATE template0
telegram_link_preview = true; LC_COLLATE = "C"
permissions = { LC_CTYPE = "C";
"*" = "relaybot"; CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
"@swarsel:${matrixDomain}" = "admin"; CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse = {
enable = true;
settings = {
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
"/var/lib/matrix-synapse/signal-registration.yaml"
"/var/lib/matrix-synapse/doublepuppet.yaml"
];
server_name = matrixDomain;
public_baseurl = "https://${matrixDomain}";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
};
services.mautrix-telegram = {
enable = true;
environmentFile = config.sops.templates.mautrixtelegram.path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
}; };
animated_sticker = { appservice = {
target = "gif"; address = "http://localhost:29317";
args = { hostname = "0.0.0.0";
width = 256; port = "29317";
height = 256; provisioning.enabled = true;
fps = 30; # only for webm id = "telegram";
background = "020202"; # only for gif, transparency not supported # ephemeral_events = true; # not needed due to double puppeting
public = {
enabled = false;
};
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
relaybot.authless_portals = true;
allow_avatar_remove = true;
allow_contact_info = true;
sync_channel_members = true;
startup_sync = true;
sync_create_limit = 0;
sync_direct_chats = true;
telegram_link_preview = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
};
};
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services.mautrix-whatsapp = {
enable = true;
registerToSynapse = true;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29318";
hostname = "0.0.0.0";
port = 29318;
database = {
type = "postgres";
uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .FullName .PushName .JID}} (WA)";
history_sync = {
backfill = true;
max_initial_conversations = -1;
message_count = -1;
request_full_sync = true;
full_sync_config = {
days_limit = 900;
size_mb_limit = 5000;
storage_quota_mb = 5000;
};
};
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
parallel_member_sync = true;
url_previews = true;
caption_in_message = true;
extev_polls = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
services.mautrix-signal = {
enable = true;
registerToSynapse = true;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29328";
hostname = "0.0.0.0";
port = 29328;
database = {
type = "postgres";
uri = "postgresql:///mautrix-signal?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
services.nginx = {
virtualHosts = {
"swatrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.2:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
}; };
}; };
}; };
}; };
}; };
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services.mautrix-whatsapp = {
enable = true;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29318";
hostname = "0.0.0.0";
port = 29318;
database = {
type = "postgres";
uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .FullName .PushName .JID}} (WA)";
history_sync = {
backfill = true;
max_initial_conversations = -1;
message_count = -1;
request_full_sync = true;
full_sync_config = {
days_limit = 900;
size_mb_limit = 5000;
storage_quota_mb = 5000;
};
};
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
parallel_member_sync = true;
url_previews = true;
caption_in_message = true;
extev_polls = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
services.mautrix-signal = {
enable = true;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = matrixDomain;
};
appservice = {
address = "http://localhost:29328";
hostname = "0.0.0.0";
port = 29328;
database = {
type = "postgres";
uri = "postgresql:///mautrix-signal?host=/run/postgresql";
};
};
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
};
};
};
};
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
systemd.services."restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
services.nginx = {
virtualHosts = {
"swatrix.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.23:8008";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
};
} }
#+end_src #+end_src
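Review bot: In the mautrix-whatsapp and mautrix-signal blocks, `login_shared_secret_map = { matrixDomain = "as_token:doublepuppet"; };` defines an attribute literally named `matrixDomain`, because Nix does not interpolate bare attribute names; the generated config therefore maps the key `matrixDomain` rather than `swatrix.swarsel.win`, and since the bridge looks the secret up by homeserver domain, double puppeting presumably never matches. Write it as `login_shared_secret_map.${matrixDomain} = "as_token:doublepuppet";` in both bridges. Separately, the Synapse listener binds `0.0.0.0` with `x_forwarded = true`, so anything that can reach port 8008 directly can forge client IPs; if nginx now runs on the same host as the `192.168.1.2` backends, binding to `127.0.0.1` and proxying to localhost closes that. The hunk ends at `#+end_src`, so the whole matrix block is in view.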


@ -19,7 +19,7 @@
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
user = "jellyfin"; user = "jellyfin";
# openFirewall = true; # this works only for the default ports openFirewall = true; # this works only for the default ports
}; };
services.nginx = { services.nginx = {
@ -30,7 +30,7 @@
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.16:8096"; proxyPass = "http://192.168.1.2:8096";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
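Review bot: `openFirewall = true` now exposes Jellyfin's plain-HTTP port 8096 to every host that can reach this machine, in addition to the `forceSSL` vhost in the second hunk that proxies to `192.168.1.2:8096`. If nginx and Jellyfin are on the same host (the new proxyPass target suggests they may be), the firewall hole is unnecessary and the proxy target can be `http://127.0.0.1:8096`; if they are on different hosts, consider limiting 8096 to the proxy-facing interface with `networking.firewall.interfaces.<lan>.allowedTCPPorts` rather than opening it globally. The nginx vhost definition starts above the second hunk.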


@ -22,7 +22,7 @@
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.22:8080"; proxyPass = "http://192.168.1.2:8080";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';


@ -151,6 +151,7 @@ in
services.mautrix-whatsapp = { services.mautrix-whatsapp = {
enable = true; enable = true;
registerToSynapse = true;
settings = { settings = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
@ -197,6 +198,7 @@ in
services.mautrix-signal = { services.mautrix-signal = {
enable = true; enable = true;
registerToSynapse = true;
settings = { settings = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
@ -258,7 +260,7 @@ in
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.23:8008"; proxyPass = "http://192.168.1.2:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
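Review bot: `registerToSynapse = true` makes the mautrix-whatsapp and mautrix-signal modules add their own registration files to Synapse's `app_service_config_files`, while this file (see the same block in the org source) still lists `/var/lib/matrix-synapse/whatsapp-registration.yaml` and `signal-registration.yaml` by hand; I believe Synapse refuses to start if both describe the same appservice id, and if they differ, two registrations with possibly different tokens compete for the same bridge. Drop the manual entries for the two bridges that now use `registerToSynapse`, keeping only the telegram and doublepuppet files, and check `journalctl -u matrix-synapse` after the switch. The `services.matrix-synapse` block is outside this hunk.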


@ -29,6 +29,7 @@
services.navidrome = { services.navidrome = {
enable = true; enable = true;
openFirewall = true;
settings = { settings = {
Address = "0.0.0.0"; Address = "0.0.0.0";
Port = 4040; Port = 4040;
@ -55,7 +56,7 @@
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.13:4040"; proxyPass = "http://192.168.1.2:4040";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;
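Review bot: `openFirewall = true` together with the existing `Address = "0.0.0.0"` makes Navidrome answer plain HTTP on 4040 from any host that can reach this machine, bypassing the `forceSSL` vhost in the second hunk; with `EnableSharing = true` that includes unauthenticated share links over cleartext. If nginx is colocated with Navidrome (the proxyPass now targets `192.168.1.2`, which may be this host), prefer `Address = "127.0.0.1";` with `proxyPass = "http://127.0.0.1:4040";` and no firewall hole; otherwise limit 4040 to the proxy-facing interface instead of opening it globally. The `services.navidrome` block begins above the first hunk.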


@ -3,6 +3,9 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lego lego
]; ];
users.users.acme = { };
sops = { sops = {
secrets.dnstokenfull = { owner = "acme"; }; secrets.dnstokenfull = { owner = "acme"; };
templates."certs.secret".content = '' templates."certs.secret".content = ''


@ -4,6 +4,9 @@ _:
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
users.users.swarsel.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];
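Review bot: The new `swarsel` authorized-keys entry points at the same `authorized_keys` file as root's, so every key that can now log in as `swarsel` can also log in directly as root, and the unchanged `settings.PermitRootLogin = "yes"` above additionally permits password root logins wherever a root password is set. Now that a non-root account carries the same keys, tighten this to `settings.PermitRootLogin = "prohibit-password";` (or `"no"` with sudo) so root is never reachable by password. Note also that a path literal like `../../../secrets/keys/authorized_keys` is copied into the world-readable Nix store, which is fine for public keys but means nothing private may ever land in that file.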