From 7b66f8d725e567c043eb7b31ddc5afa1d444e0b4 Mon Sep 17 00:00:00 2001
From: baduhai
Date: Tue, 20 Dec 2022 13:00:33 -0300
Subject: [PATCH] Migrating to security.acme

---
 flake.lock | 21 +
 hosts/desktops/io.nix | 2 -
 hosts/servers/alexandria/default.nix | 1 +
 hosts/servers/alexandria/hosted-services.nix | 587 +++++++++----------
 hosts/servers/alexandria/security.nix | 18 +
 secrets/cloudflare-dns-api-key.age | Bin 0 -> 292 bytes
 secrets/secret1.age | Bin 489 -> 0 bytes
 secrets/secrets.nix | 2 +-
 8 files changed, 329 insertions(+), 302 deletions(-)
 create mode 100644 hosts/servers/alexandria/security.nix
 create mode 100644 secrets/cloudflare-dns-api-key.age
 delete mode 100644 secrets/secret1.age

diff --git a/flake.lock b/flake.lock
index fcc4f7c..8a62204 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1665870395,
+ "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -153,6 +173,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "deploy-rs": "deploy-rs",
 "home-manager": "home-manager",
 "home-manager-stable": "home-manager-stable",
diff --git a/hosts/desktops/io.nix b/hosts/desktops/io.nix
index f51e2d5..3dea7b1 100644
--- a/hosts/desktops/io.nix
+++ b/hosts/desktops/io.nix
@@ -10,8 +10,6 @@
 ./io
 ];
- age.secrets.secret1.file = ../secrets/secret1.age;
 networking.hostName = "io";
 zramSwap = {
diff --git a/hosts/servers/alexandria/default.nix b/hosts/servers/alexandria/default.nix
index 7ba884b..03c9a84 100644
--- a/hosts/servers/alexandria/default.nix
+++ b/hosts/servers/alexandria/default.nix
@@ -4,5 +4,6 @@
 imports = [
 ./hardware-configuration.nix
 ./hosted-services.nix
+ ./security.nix
 ];
 }
diff --git a/hosts/servers/alexandria/hosted-services.nix b/hosts/servers/alexandria/hosted-services.nix
index b6c5582..0c4d854 100644
--- a/hosts/servers/alexandria/hosted-services.nix
+++ b/hosts/servers/alexandria/hosted-services.nix
@@ -1,311 +1,300 @@ { config, pkgs, libs, ... }: { - - # security.acme = { - # acceptTerms = true; - # defaults = { - # email = "baduhai@baduhai.me"; - # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - # credentialsFile = "/var/secrets/acme"; # Transfer to secret file once I have a proper secrets solution - # extraLegoFlags = [ "--dns" "cloudflare" "--dns.resolvers=100.100.100.100:53" ]; - # }; - # }; -# - # services = { - # nginx = { - # enable = true; - # recommendedGzipSettings = true; - # recommendedOptimisation = true; - # recommendedProxySettings = true; - # recommendedTlsSettings = true; - # virtualHosts = { - # "baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; }; - # "detect.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; }; - # "cinny.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; }; - # "jellyfin.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; }; - # "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; }; - # "paperless.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; }; - # "pyload.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; }; - # "shiori.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; }; - # "sync.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; }; - # "whoogle.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; }; - # "adguard.baduhai.me" 
= { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; }; - # }; - # }; - # }; + services = { + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "baduhai.me" = { useACMEHoost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; }; +# "detect.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; }; +# "cinny.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; }; +# "jellyfin.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; }; +# "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; }; +# "paperless.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; }; +# "pyload.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; }; +# "shiori.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; }; +# "sync.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; }; +# "whoogle.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; }; +# "adguard.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; }; + }; + }; + }; virtualisation = { docker.enable = true; oci-containers = { backend = "docker"; containers = { - "traefik" = { # Reverse proxy - image = "docker.io/traefik:v2.8"; - cmd = [ - "--api" - 
"--providers.docker=true" # Enable the docker traefik provider - "--providers.docker.exposedbydefault=false" - "--api.dashboard=true" # Enable the Trafik dashboard - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge - "--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver - "--entrypoints.web.address=:80" # Listen on port 80 - "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https - "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https - "--entrypoints.websecure.address=:443" # Redirect all http trafic to https - "--entrypoints.websecure.http.tls=true" # Enable tls - "--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls - "--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain - "--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains - "--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data - "--global.checkNewVersion=false" # Don't check for new versions - ]; - environment = { # Transfer to secret environmentFiles once I have a proper secrets solution - CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com"; - CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK"; - }; - volumes = [ - "/var/run/docker.sock:/var/run/docker.sock:ro" - "/data/traefik/certs:/letsencrypt" - ]; - ports = [ - "80:80" - "443:443" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.traefik.service=api@internal" - "--label=traefik.http.routers.traefik.entrypoints=websecure" - 
"--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt" - "--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)" - ]; - }; - "changedetection" = { # Detect changes in webpages - image = "lscr.io/linuxserver/changedetection.io:latest"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - BASE_URL = "detect.baduhai.me"; - }; - volumes = [ - "/data/changedetection:/config" - ]; - ports = [ - "8001:5000" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.detect.entrypoints=websecure" - "--label=traefik.http.routers.detect.tls.certresolver=letsencrypt" - "--label=traefik.http.services.detect.loadbalancer.server.port=5000" - "--label=traefik.http.routers.detect.rule=Host(`detect.baduhai.me`)" - ]; - }; - "homarr" = { # Dashboard - image = "ghcr.io/ajnart/homarr:latest"; - volumes = [ - "/data/homarr/configs:/app/data/configs" - "/var/run/docker.sock:/var/run/docker.sock:ro" - ]; - ports = [ - "8000:7575" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.homarr.entrypoints=websecure" - "--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt" - "--label=traefik.http.services.homarr.loadbalancer.server.port=7575" - "--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)" - ]; - }; - "jellyfin" = { - image = "lscr.io/linuxserver/jellyfin:10.8.4"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - DOCKER_MODS = "linuxserver/mods:jellyfin-opencl-intel"; - }; - volumes = [ - "/data/jellyfin/library:/config" - "/data/jellyfin/tvseries:/data/tvshows" - "/data/jellyfin/movies:/data/movies" - ]; - ports = [ - "8003:8096" - ]; - extraOptions = [ - "--pull=always" - "--device=/dev/dri:/dev/dri" - "--label=traefik.enable=true" - "--label=traefik.http.routers.jellyfin.entrypoints=websecure" - "--label=traefik.http.routers.jellyfin.tls.certresolver=letsencrypt" - 
"--label=traefik.http.services.jellyfin.loadbalancer.server.port=8096" - "--label=traefik.http.routers.jellyfin.rule=Host(`jellyfin.baduhai.me`)" - ]; - }; - "paperless" = { # Digital document manager - image = "lscr.io/linuxserver/paperless-ngx:latest"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - PAPERLESS_URL = "https://paperless.baduhai.me"; - PAPERLESS_OCR_LANGUAGE = "eng+deu+por"; - DOCKER_MODS = "linuxserver/mods:papermerge-multilangocr"; - OCRLANG = "eng,por,deu"; - }; - volumes = [ - "/data/paperless-ngx/config:/config" - "/data/paperless-ngx/data:/data" - ]; - ports = [ - "8005:8000" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.paperless.entrypoints=websecure" - "--label=traefik.http.routers.paperless.tls.certresolver=letsencrypt" - "--label=traefik.http.services.paperless.loadbalancer.server.port=8000" - "--label=traefik.http.routers.paperless.rule=Host(`paperless.baduhai.me`)" - ]; - }; - "pyload" = { # Download manager - image = "lscr.io/linuxserver/pyload-ng:latest"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; - volumes = [ - "/data/pyload/config:/config" - "/data/pyload/downloads:/downloads" - ]; - ports = [ - "8006:8000" - "9666:9666" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.pyload.entrypoints=websecure" - "--label=traefik.http.routers.pyload.tls.certresolver=letsencrypt" - "--label=traefik.http.services.pyload.loadbalancer.server.port=8000" - "--label=traefik.http.routers.pyload.rule=Host(`pyload.baduhai.me`)" - ]; - }; - "shiori" = { # Bookmark manager - image = "docker.io/nicholaswilde/shiori:latest"; - environment = { - TZ = "Europe/Berlin"; - PUID = "1000"; - PGID = "100"; - SHIORI_DIR = "/data"; - }; - volumes = [ - "/data/shiori:/data" - ]; - ports = [ - "8007:8080" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - 
"--label=traefik.http.routers.shiori.entrypoints=websecure" - "--label=traefik.http.routers.shiori.tls.certresolver=letsencrypt" - "--label=traefik.http.services.shiori.loadbalancer.server.port=8080" - "--label=traefik.http.routers.shiori.rule=Host(`shiori.baduhai.me`)" - ]; - }; - "syncthing" = { # P2P file synchronisation - image = "lscr.io/linuxserver/syncthing:1.20.4"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; - volumes = [ - "/data/syncthing/config:/config" - "/data/syncthing/data1:/data1" - "/data/syncthing/data2:/data2" - "/data/syncthing/notes:/sync/notes" - ]; - ports = [ - "8008:8384" - "22000:22000" - "21027:21027/udp" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.syncthing.entrypoints=websecure" - "--label=traefik.http.routers.syncthing.tls.certresolver=letsencrypt" - "--label=traefik.http.services.syncthing.loadbalancer.server.port=8384" - "--label=traefik.http.routers.syncthing.rule=Host(`sync.baduhai.me`)" - ]; - }; - "cinny" = { # Cinny matrix client - image = "ghcr.io/cinnyapp/cinny:latest"; - ports = [ - "8002:80" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.cinny.entrypoints=websecure" - "--label=traefik.http.routers.cinny.tls.certresolver=letsencrypt" - "--label=traefik.http.services.cinny.loadbalancer.server.port=80" - "--label=traefik.http.routers.cinny.rule=Host(`cinny.baduhai.me`)" - ]; - }; - "librespeed" = { # Speedtest - image = "lscr.io/linuxserver/librespeed:latest"; - environment = { - TZ = "Europe/Berlin"; - }; - ports = [ - "8004:80" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.librespeed.entrypoints=websecure" - "--label=traefik.http.routers.librespeed.tls.certresolver=letsencrypt" - "--label=traefik.http.services.librespeed.loadbalancer.server.port=80" - 
"--label=traefik.http.routers.librespeed.rule=Host(`librespeed.baduhai.me`)" - ]; - }; - "whoogle" = { # Anonymised google search - image = "benbusby/whoogle-search:latest"; - environment = { - HTTPS_ONLY = "1"; - WHOOGLE_CONFIG_DISABLE = "1"; - WHOOGLE_CONFIG_LANGUAGE = "lang_en"; - WHOOGLE_CONFIG_SEARCH_LANGUAGE = "lang_en"; - WHOOGLE_CONFIG_THEME = "system"; - WHOOGLE_CONFIG_VIEW_IMAGE = "1"; - WHOOGLE_CONFIG_GET_ONLY = "1"; - }; - ports = [ - "8009:5000" - ]; - extraOptions = [ - "--pull=always" - "--label=traefik.enable=true" - "--label=traefik.http.routers.whoogle.entrypoints=websecure" - "--label=traefik.http.routers.whoogle.tls.certresolver=letsencrypt" - "--label=traefik.http.services.whoogle.loadbalancer.server.port=5000" - "--label=traefik.http.routers.whoogle.rule=Host(`whoogle.baduhai.me`)" - ]; - }; +# "traefik" = { # Reverse proxy +# image = "docker.io/traefik:v2.8"; +# cmd = [ +# "--api" +# "--providers.docker=true" # Enable the docker traefik provider +# "--providers.docker.exposedbydefault=false" +# "--api.dashboard=true" # Enable the Trafik dashboard +# "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge +# "--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email +# "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" +# "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records +# "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver +# "--entrypoints.web.address=:80" # Listen on port 80 +# "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https +# "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https +# "--entrypoints.websecure.address=:443" # Redirect all http trafic to https +# "--entrypoints.websecure.http.tls=true" # Enable tls +# 
"--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls +# "--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain +# "--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains +# "--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data +# "--global.checkNewVersion=false" # Don't check for new versions +# ]; +# environment = { # Transfer to secret environmentFiles once I have a proper secrets solution +# CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com"; +# CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK"; +# }; +# volumes = [ +# "/var/run/docker.sock:/var/run/docker.sock:ro" +# "/data/traefik/certs:/letsencrypt" +# ]; +# ports = [ +# "80:80" +# "443:443" +# ]; +# extraOptions = [ +# "--pull=always" +# "--label=traefik.enable=true" +# "--label=traefik.http.routers.traefik.service=api@internal" +# "--label=traefik.http.routers.traefik.entrypoints=websecure" +# "--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt" +# "--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)" +# ]; +# }; + "homarr" = { # Dashboard + image = "ghcr.io/ajnart/homarr:latest"; + volumes = [ + "/data/homarr/configs:/app/data/configs" + "/var/run/docker.sock:/var/run/docker.sock:ro" + ]; + ports = [ + "8000:7575" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.homarr.entrypoints=websecure" + "--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt" + "--label=traefik.http.services.homarr.loadbalancer.server.port=7575" + "--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)" + ]; + }; + "changedetection" = { # Detect changes in webpages + image = "lscr.io/linuxserver/changedetection.io:latest"; + environment = { + PUID = "1000"; + PGID = "100"; + TZ = "Europe/Berlin"; + BASE_URL = "detect.baduhai.me"; + }; + volumes = [ + "/data/changedetection:/config" + ]; + ports = [ + 
"8001:5000" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.detect.entrypoints=websecure" + "--label=traefik.http.routers.detect.tls.certresolver=letsencrypt" + "--label=traefik.http.services.detect.loadbalancer.server.port=5000" + "--label=traefik.http.routers.detect.rule=Host(`detect.baduhai.me`)" + ]; + }; + "jellyfin" = { + image = "lscr.io/linuxserver/jellyfin:10.8.4"; + environment = { + PUID = "1000"; + PGID = "100"; + TZ = "Europe/Berlin"; + DOCKER_MODS = "linuxserver/mods:jellyfin-opencl-intel"; + }; + volumes = [ + "/data/jellyfin/library:/config" + "/data/jellyfin/tvseries:/data/tvshows" + "/data/jellyfin/movies:/data/movies" + ]; + ports = [ + "8003:8096" + ]; + extraOptions = [ + "--pull=always" + "--device=/dev/dri:/dev/dri" + "--label=traefik.enable=true" + "--label=traefik.http.routers.jellyfin.entrypoints=websecure" + "--label=traefik.http.routers.jellyfin.tls.certresolver=letsencrypt" + "--label=traefik.http.services.jellyfin.loadbalancer.server.port=8096" + "--label=traefik.http.routers.jellyfin.rule=Host(`jellyfin.baduhai.me`)" + ]; + }; + "paperless" = { # Digital document manager + image = "lscr.io/linuxserver/paperless-ngx:latest"; + environment = { + PUID = "1000"; + PGID = "100"; + TZ = "Europe/Berlin"; + PAPERLESS_URL = "https://paperless.baduhai.me"; + PAPERLESS_OCR_LANGUAGE = "eng+deu+por"; + DOCKER_MODS = "linuxserver/mods:papermerge-multilangocr"; + OCRLANG = "eng,por,deu"; + }; + volumes = [ + "/data/paperless-ngx/config:/config" + "/data/paperless-ngx/data:/data" + ]; + ports = [ + "8005:8000" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.paperless.entrypoints=websecure" + "--label=traefik.http.routers.paperless.tls.certresolver=letsencrypt" + "--label=traefik.http.services.paperless.loadbalancer.server.port=8000" + "--label=traefik.http.routers.paperless.rule=Host(`paperless.baduhai.me`)" + ]; + }; + "pyload" = { # 
Download manager + image = "lscr.io/linuxserver/pyload-ng:latest"; + environment = { + PUID = "1000"; + PGID = "100"; + TZ = "Europe/Berlin"; + }; + volumes = [ + "/data/pyload/config:/config" + "/data/pyload/downloads:/downloads" + ]; + ports = [ + "8006:8000" + "9666:9666" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.pyload.entrypoints=websecure" + "--label=traefik.http.routers.pyload.tls.certresolver=letsencrypt" + "--label=traefik.http.services.pyload.loadbalancer.server.port=8000" + "--label=traefik.http.routers.pyload.rule=Host(`pyload.baduhai.me`)" + ]; + }; + "shiori" = { # Bookmark manager + image = "docker.io/nicholaswilde/shiori:latest"; + environment = { + TZ = "Europe/Berlin"; + PUID = "1000"; + PGID = "100"; + SHIORI_DIR = "/data"; + }; + volumes = [ + "/data/shiori:/data" + ]; + ports = [ + "8007:8080" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.shiori.entrypoints=websecure" + "--label=traefik.http.routers.shiori.tls.certresolver=letsencrypt" + "--label=traefik.http.services.shiori.loadbalancer.server.port=8080" + "--label=traefik.http.routers.shiori.rule=Host(`shiori.baduhai.me`)" + ]; + }; + "syncthing" = { # P2P file synchronisation + image = "lscr.io/linuxserver/syncthing:1.20.4"; + environment = { + PUID = "1000"; + PGID = "100"; + TZ = "Europe/Berlin"; + }; + volumes = [ + "/data/syncthing/config:/config" + "/data/syncthing/data1:/data1" + "/data/syncthing/data2:/data2" + "/data/syncthing/notes:/sync/notes" + ]; + ports = [ + "8008:8384" + "22000:22000" + "21027:21027/udp" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.syncthing.entrypoints=websecure" + "--label=traefik.http.routers.syncthing.tls.certresolver=letsencrypt" + "--label=traefik.http.services.syncthing.loadbalancer.server.port=8384" + "--label=traefik.http.routers.syncthing.rule=Host(`sync.baduhai.me`)" 
+ ]; + }; + "cinny" = { # Cinny matrix client + image = "ghcr.io/cinnyapp/cinny:latest"; + ports = [ + "8002:80" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.cinny.entrypoints=websecure" + "--label=traefik.http.routers.cinny.tls.certresolver=letsencrypt" + "--label=traefik.http.services.cinny.loadbalancer.server.port=80" + "--label=traefik.http.routers.cinny.rule=Host(`cinny.baduhai.me`)" + ]; + }; + "librespeed" = { # Speedtest + image = "lscr.io/linuxserver/librespeed:latest"; + environment = { + TZ = "Europe/Berlin"; + }; + ports = [ + "8004:80" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.librespeed.entrypoints=websecure" + "--label=traefik.http.routers.librespeed.tls.certresolver=letsencrypt" + "--label=traefik.http.services.librespeed.loadbalancer.server.port=80" + "--label=traefik.http.routers.librespeed.rule=Host(`librespeed.baduhai.me`)" + ]; + }; + "whoogle" = { # Anonymised google search + image = "benbusby/whoogle-search:latest"; + environment = { + HTTPS_ONLY = "1"; + WHOOGLE_CONFIG_DISABLE = "1"; + WHOOGLE_CONFIG_LANGUAGE = "lang_en"; + WHOOGLE_CONFIG_SEARCH_LANGUAGE = "lang_en"; + WHOOGLE_CONFIG_THEME = "system"; + WHOOGLE_CONFIG_VIEW_IMAGE = "1"; + WHOOGLE_CONFIG_GET_ONLY = "1"; + }; + ports = [ + "8009:5000" + ]; + extraOptions = [ + "--pull=always" + "--label=traefik.enable=true" + "--label=traefik.http.routers.whoogle.entrypoints=websecure" + "--label=traefik.http.routers.whoogle.tls.certresolver=letsencrypt" + "--label=traefik.http.services.whoogle.loadbalancer.server.port=5000" + "--label=traefik.http.routers.whoogle.rule=Host(`whoogle.baduhai.me`)" + ]; + }; }; }; }; diff --git a/hosts/servers/alexandria/security.nix b/hosts/servers/alexandria/security.nix new file mode 100644 index 0000000..972867b --- /dev/null +++ b/hosts/servers/alexandria/security.nix 
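Review bot: The real Cloudflare API token survives this commit on the new side, inside the commented-out `traefik` block (`+# CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGY…";`), and the removed lines show it was already committed in plaintext before, so encrypting a copy with agenix does not retire it; revoke that token in Cloudflare, issue a fresh one for `cloudflare-dns-api-key.age`, and delete the dead `traefik` block rather than commenting it out. The new `"baduhai.me"` virtual host also sets `useACMEHoost`, which is not a NixOS option (it should be `useACMEHost`), so the configuration will fail to evaluate as written. With traefik gone, `ports` entries such as `"8001:5000"` still publish every upstream on all host interfaces (Docker normally installs its own iptables rules ahead of the NixOS firewall), although nginx only reaches them via 127.0.0.1; binding them as `"127.0.0.1:8001:5000"` keeps the container ports off the network. The `traefik.*` labels left on each container are now inert and are worth removing for the same reason.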
@@ -0,0 +1,18 @@ +{ config, pkgs, libs, ... }: + +{ + age.secrets.cloudflare-dns-api-key.file = ../../../secrets/cloudflare-dns-api-key.age; + + security.acme = { + acceptTerms = true; + defaults = { + email = "baduhai@proton.me"; + dnsResolver = "1.1.1.1:53"; + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets.cloudflare-dns-api-key.path; + }; + certs."baduhai.me" = { + extraDomainNames = "*.baduhai.me"; + }; + }; +} diff --git a/secrets/cloudflare-dns-api-key.age b/secrets/cloudflare-dns-api-key.age new file mode 100644 index 0000000000000000000000000000000000000000..b1238d2e5001d0a4c659a7649626a321b2d7833a GIT binary patch literal 292 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlGAjuSaa3?L&dCTW z2yzXrbk7a*ag1^^$q2}d3O7y3GYBcmOv-W3$*Qt2DA!J^4CPA7@N^7_Ovx=OaW0H7 z3^oh$2rH5=N`nGwjPtE;PE5bmX&9cU01mS<34o|&4Lo8%GTlk=UwR+9GcJ7SG{*bV#)7Tfl7{=&jH1auEJa13Vu|dp)+%Jr)sB?UgPJwhF4Mv o1uswh@>aHgILpp!x_D8cxc2GX3sTB^?0N5a>NfQ;6tw;T03iTqy8r+H literal 0 HcmV?d00001 diff --git a/secrets/secret1.age b/secrets/secret1.age deleted file mode 100644 index cf6213ed938c2e1b968dada64774aef382c842f4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 489 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+4zNr!b5zK74NLaW zPAm(KEC?)hEzT@0Np~tV%yn_IEO9MLO!Q51HH^qFGITO^bL6Th49zXfad%Agtgtk6 zOb*IO%quq3&&rA_4)%0Q%PP$=j7*HuHgfcE3I*9#QIzRxo1>dvl$uzas$gB9pq*>s z;isHt%ViX06j4wW>Yn1978sBc;i#SM7*LU0Q4(yK>1LeHrK_u}P*P~_;*u2@l2Tll zk)NI8Zil4@93X6fdU6{4S#l^apcl^(OEl;x#WAiwea50kR;xf0$~ zK6v#k`?Pai8naBEPhBdXL&&wnq_(2y!;|&g`%}e!-}&$VZN^rMmt5PsFTRgGlC<-b z^&;^lFWRLUu1xrx{r=gWq9VntZTVc;g-u%@#8=2oTeN(+@wMlg%ipNA#
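Review bot: `extraDomainNames = "*.baduhai.me"` passes a string where `security.acme.certs.<name>.extraDomainNames` takes a list, so this file will not evaluate; it should read `extraDomainNames = [ "*.baduhai.me" ];`. `credentialsFile` is handed to the acme service as an environment file, so the decrypted `cloudflare-dns-api-key.age` must contain `CLOUDFLARE_DNS_API_TOKEN=<token>` (the same lego variable the old traefik config set) rather than the bare token — presumably it does, but the secret's contents are not visible here. Nothing in this file makes the issued certificate readable by nginx for the `useACMEHost = "baduhai.me"` virtual host in hosted-services.nix; if the nginx module does not already add its user to the acme group in that case, add `group = "nginx";` to the `certs."baduhai.me"` entry. A short comment on that entry noting it is a wildcard issued via DNS-01 and that `1.1.1.1:53` is only used to confirm the `_acme-challenge` TXT record has propagated would help the next reader.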