Migrating to security.acme

baduhai 2022-12-20 13:00:33 -03:00
parent 36195dee41
commit 7b66f8d725
8 changed files with 329 additions and 302 deletions

21
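--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+"agenix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1665870395,
+"narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+"owner": "ryantm",
+"repo": "agenix",
+"rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+"type": "github"
+},
+"original": {
+"owner": "ryantm",
+"repo": "agenix",
+"type": "github"
+}
+},
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -153,6 +173,7 @@
 },
 "root": {
 "inputs": {
+"agenix": "agenix",
 "deploy-rs": "deploy-rs",
 "home-manager": "home-manager",
 "home-manager-stable": "home-manager-stable",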


@ -10,8 +10,6 @@
./io ./io
]; ];
age.secrets.secret1.file = ../secrets/secret1.age;
networking.hostName = "io"; networking.hostName = "io";
zramSwap = { zramSwap = {


@ -4,5 +4,6 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./hosted-services.nix ./hosted-services.nix
./security.nix
]; ];
} }


@ -1,311 +1,300 @@
{ config, pkgs, libs, ... }: { config, pkgs, libs, ... }:
{ {
services = {
# security.acme = { nginx = {
# acceptTerms = true; enable = true;
# defaults = { recommendedGzipSettings = true;
# email = "baduhai@baduhai.me"; recommendedOptimisation = true;
# server = "https://acme-staging-v02.api.letsencrypt.org/directory"; recommendedProxySettings = true;
# credentialsFile = "/var/secrets/acme"; # Transfer to secret file once I have a proper secrets solution recommendedTlsSettings = true;
# extraLegoFlags = [ "--dns" "cloudflare" "--dns.resolvers=100.100.100.100:53" ]; virtualHosts = {
# }; "baduhai.me" = { useACMEHoost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; };
# }; # "detect.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; };
# # "cinny.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; };
# services = { # "jellyfin.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; };
# nginx = { # "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; };
# enable = true; # "paperless.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; };
# recommendedGzipSettings = true; # "pyload.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; };
# recommendedOptimisation = true; # "shiori.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; };
# recommendedProxySettings = true; # "sync.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; };
# recommendedTlsSettings = true; # "whoogle.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; };
# virtualHosts = { # "adguard.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; };
# "baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; }; };
# "detect.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; }; };
# "cinny.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; }; };
# "jellyfin.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; };
# "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; };
# "paperless.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; };
# "pyload.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; };
# "shiori.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; };
# "sync.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; };
# "whoogle.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; };
# "adguard.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; };
# };
# };
# };
virtualisation = { virtualisation = {
docker.enable = true; docker.enable = true;
oci-containers = { oci-containers = {
backend = "docker"; backend = "docker";
containers = { containers = {
"traefik" = { # Reverse proxy # "traefik" = { # Reverse proxy
image = "docker.io/traefik:v2.8"; # image = "docker.io/traefik:v2.8";
cmd = [ # cmd = [
"--api" # "--api"
"--providers.docker=true" # Enable the docker traefik provider # "--providers.docker=true" # Enable the docker traefik provider
"--providers.docker.exposedbydefault=false" # "--providers.docker.exposedbydefault=false"
"--api.dashboard=true" # Enable the Trafik dashboard # "--api.dashboard=true" # Enable the Trafik dashboard
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge # "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge
"--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email # "--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" # "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records # "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records
"--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver # "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver
"--entrypoints.web.address=:80" # Listen on port 80 # "--entrypoints.web.address=:80" # Listen on port 80
"--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https # "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https
"--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https # "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https
"--entrypoints.websecure.address=:443" # Redirect all http trafic to https # "--entrypoints.websecure.address=:443" # Redirect all http trafic to https
"--entrypoints.websecure.http.tls=true" # Enable tls # "--entrypoints.websecure.http.tls=true" # Enable tls
"--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls # "--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls
"--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain # "--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain
"--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains # "--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains
"--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data # "--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data
"--global.checkNewVersion=false" # Don't check for new versions # "--global.checkNewVersion=false" # Don't check for new versions
]; # ];
environment = { # Transfer to secret environmentFiles once I have a proper secrets solution # environment = { # Transfer to secret environmentFiles once I have a proper secrets solution
CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com"; # CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com";
CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK"; # CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK";
}; # };
volumes = [ # volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro" # "/var/run/docker.sock:/var/run/docker.sock:ro"
"/data/traefik/certs:/letsencrypt" # "/data/traefik/certs:/letsencrypt"
]; # ];
ports = [ # ports = [
"80:80" # "80:80"
"443:443" # "443:443"
]; # ];
extraOptions = [ # extraOptions = [
"--pull=always" # "--pull=always"
"--label=traefik.enable=true" # "--label=traefik.enable=true"
"--label=traefik.http.routers.traefik.service=api@internal" # "--label=traefik.http.routers.traefik.service=api@internal"
"--label=traefik.http.routers.traefik.entrypoints=websecure" # "--label=traefik.http.routers.traefik.entrypoints=websecure"
"--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt" # "--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt"
"--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)" # "--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)"
]; # ];
}; # };
"changedetection" = { # Detect changes in webpages "homarr" = { # Dashboard
image = "lscr.io/linuxserver/changedetection.io:latest"; image = "ghcr.io/ajnart/homarr:latest";
environment = { volumes = [
PUID = "1000"; "/data/homarr/configs:/app/data/configs"
PGID = "100"; "/var/run/docker.sock:/var/run/docker.sock:ro"
TZ = "Europe/Berlin"; ];
BASE_URL = "detect.baduhai.me"; ports = [
}; "8000:7575"
volumes = [ ];
"/data/changedetection:/config" extraOptions = [
]; "--pull=always"
ports = [ "--label=traefik.enable=true"
"8001:5000" "--label=traefik.http.routers.homarr.entrypoints=websecure"
]; "--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt"
extraOptions = [ "--label=traefik.http.services.homarr.loadbalancer.server.port=7575"
"--pull=always" "--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)"
"--label=traefik.enable=true" ];
"--label=traefik.http.routers.detect.entrypoints=websecure" };
"--label=traefik.http.routers.detect.tls.certresolver=letsencrypt" "changedetection" = { # Detect changes in webpages
"--label=traefik.http.services.detect.loadbalancer.server.port=5000" image = "lscr.io/linuxserver/changedetection.io:latest";
"--label=traefik.http.routers.detect.rule=Host(`detect.baduhai.me`)" environment = {
]; PUID = "1000";
}; PGID = "100";
"homarr" = { # Dashboard TZ = "Europe/Berlin";
image = "ghcr.io/ajnart/homarr:latest"; BASE_URL = "detect.baduhai.me";
volumes = [ };
"/data/homarr/configs:/app/data/configs" volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro" "/data/changedetection:/config"
]; ];
ports = [ ports = [
"8000:7575" "8001:5000"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.homarr.entrypoints=websecure" "--label=traefik.http.routers.detect.entrypoints=websecure"
"--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt" "--label=traefik.http.routers.detect.tls.certresolver=letsencrypt"
"--label=traefik.http.services.homarr.loadbalancer.server.port=7575" "--label=traefik.http.services.detect.loadbalancer.server.port=5000"
"--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)" "--label=traefik.http.routers.detect.rule=Host(`detect.baduhai.me`)"
]; ];
}; };
"jellyfin" = { "jellyfin" = {
image = "lscr.io/linuxserver/jellyfin:10.8.4"; image = "lscr.io/linuxserver/jellyfin:10.8.4";
environment = { environment = {
PUID = "1000"; PUID = "1000";
PGID = "100"; PGID = "100";
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
DOCKER_MODS = "linuxserver/mods:jellyfin-opencl-intel"; DOCKER_MODS = "linuxserver/mods:jellyfin-opencl-intel";
}; };
volumes = [ volumes = [
"/data/jellyfin/library:/config" "/data/jellyfin/library:/config"
"/data/jellyfin/tvseries:/data/tvshows" "/data/jellyfin/tvseries:/data/tvshows"
"/data/jellyfin/movies:/data/movies" "/data/jellyfin/movies:/data/movies"
]; ];
ports = [ ports = [
"8003:8096" "8003:8096"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--device=/dev/dri:/dev/dri" "--device=/dev/dri:/dev/dri"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.jellyfin.entrypoints=websecure" "--label=traefik.http.routers.jellyfin.entrypoints=websecure"
"--label=traefik.http.routers.jellyfin.tls.certresolver=letsencrypt" "--label=traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
"--label=traefik.http.services.jellyfin.loadbalancer.server.port=8096" "--label=traefik.http.services.jellyfin.loadbalancer.server.port=8096"
"--label=traefik.http.routers.jellyfin.rule=Host(`jellyfin.baduhai.me`)" "--label=traefik.http.routers.jellyfin.rule=Host(`jellyfin.baduhai.me`)"
]; ];
}; };
"paperless" = { # Digital document manager "paperless" = { # Digital document manager
image = "lscr.io/linuxserver/paperless-ngx:latest"; image = "lscr.io/linuxserver/paperless-ngx:latest";
environment = { environment = {
PUID = "1000"; PUID = "1000";
PGID = "100"; PGID = "100";
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
PAPERLESS_URL = "https://paperless.baduhai.me"; PAPERLESS_URL = "https://paperless.baduhai.me";
PAPERLESS_OCR_LANGUAGE = "eng+deu+por"; PAPERLESS_OCR_LANGUAGE = "eng+deu+por";
DOCKER_MODS = "linuxserver/mods:papermerge-multilangocr"; DOCKER_MODS = "linuxserver/mods:papermerge-multilangocr";
OCRLANG = "eng,por,deu"; OCRLANG = "eng,por,deu";
}; };
volumes = [ volumes = [
"/data/paperless-ngx/config:/config" "/data/paperless-ngx/config:/config"
"/data/paperless-ngx/data:/data" "/data/paperless-ngx/data:/data"
]; ];
ports = [ ports = [
"8005:8000" "8005:8000"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.paperless.entrypoints=websecure" "--label=traefik.http.routers.paperless.entrypoints=websecure"
"--label=traefik.http.routers.paperless.tls.certresolver=letsencrypt" "--label=traefik.http.routers.paperless.tls.certresolver=letsencrypt"
"--label=traefik.http.services.paperless.loadbalancer.server.port=8000" "--label=traefik.http.services.paperless.loadbalancer.server.port=8000"
"--label=traefik.http.routers.paperless.rule=Host(`paperless.baduhai.me`)" "--label=traefik.http.routers.paperless.rule=Host(`paperless.baduhai.me`)"
]; ];
}; };
"pyload" = { # Download manager "pyload" = { # Download manager
image = "lscr.io/linuxserver/pyload-ng:latest"; image = "lscr.io/linuxserver/pyload-ng:latest";
environment = { environment = {
PUID = "1000"; PUID = "1000";
PGID = "100"; PGID = "100";
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
}; };
volumes = [ volumes = [
"/data/pyload/config:/config" "/data/pyload/config:/config"
"/data/pyload/downloads:/downloads" "/data/pyload/downloads:/downloads"
]; ];
ports = [ ports = [
"8006:8000" "8006:8000"
"9666:9666" "9666:9666"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.pyload.entrypoints=websecure" "--label=traefik.http.routers.pyload.entrypoints=websecure"
"--label=traefik.http.routers.pyload.tls.certresolver=letsencrypt" "--label=traefik.http.routers.pyload.tls.certresolver=letsencrypt"
"--label=traefik.http.services.pyload.loadbalancer.server.port=8000" "--label=traefik.http.services.pyload.loadbalancer.server.port=8000"
"--label=traefik.http.routers.pyload.rule=Host(`pyload.baduhai.me`)" "--label=traefik.http.routers.pyload.rule=Host(`pyload.baduhai.me`)"
]; ];
}; };
"shiori" = { # Bookmark manager "shiori" = { # Bookmark manager
image = "docker.io/nicholaswilde/shiori:latest"; image = "docker.io/nicholaswilde/shiori:latest";
environment = { environment = {
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
PUID = "1000"; PUID = "1000";
PGID = "100"; PGID = "100";
SHIORI_DIR = "/data"; SHIORI_DIR = "/data";
}; };
volumes = [ volumes = [
"/data/shiori:/data" "/data/shiori:/data"
]; ];
ports = [ ports = [
"8007:8080" "8007:8080"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.shiori.entrypoints=websecure" "--label=traefik.http.routers.shiori.entrypoints=websecure"
"--label=traefik.http.routers.shiori.tls.certresolver=letsencrypt" "--label=traefik.http.routers.shiori.tls.certresolver=letsencrypt"
"--label=traefik.http.services.shiori.loadbalancer.server.port=8080" "--label=traefik.http.services.shiori.loadbalancer.server.port=8080"
"--label=traefik.http.routers.shiori.rule=Host(`shiori.baduhai.me`)" "--label=traefik.http.routers.shiori.rule=Host(`shiori.baduhai.me`)"
]; ];
}; };
"syncthing" = { # P2P file synchronisation "syncthing" = { # P2P file synchronisation
image = "lscr.io/linuxserver/syncthing:1.20.4"; image = "lscr.io/linuxserver/syncthing:1.20.4";
environment = { environment = {
PUID = "1000"; PUID = "1000";
PGID = "100"; PGID = "100";
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
}; };
volumes = [ volumes = [
"/data/syncthing/config:/config" "/data/syncthing/config:/config"
"/data/syncthing/data1:/data1" "/data/syncthing/data1:/data1"
"/data/syncthing/data2:/data2" "/data/syncthing/data2:/data2"
"/data/syncthing/notes:/sync/notes" "/data/syncthing/notes:/sync/notes"
]; ];
ports = [ ports = [
"8008:8384" "8008:8384"
"22000:22000" "22000:22000"
"21027:21027/udp" "21027:21027/udp"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.syncthing.entrypoints=websecure" "--label=traefik.http.routers.syncthing.entrypoints=websecure"
"--label=traefik.http.routers.syncthing.tls.certresolver=letsencrypt" "--label=traefik.http.routers.syncthing.tls.certresolver=letsencrypt"
"--label=traefik.http.services.syncthing.loadbalancer.server.port=8384" "--label=traefik.http.services.syncthing.loadbalancer.server.port=8384"
"--label=traefik.http.routers.syncthing.rule=Host(`sync.baduhai.me`)" "--label=traefik.http.routers.syncthing.rule=Host(`sync.baduhai.me`)"
]; ];
}; };
"cinny" = { # Cinny matrix client "cinny" = { # Cinny matrix client
image = "ghcr.io/cinnyapp/cinny:latest"; image = "ghcr.io/cinnyapp/cinny:latest";
ports = [ ports = [
"8002:80" "8002:80"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.cinny.entrypoints=websecure" "--label=traefik.http.routers.cinny.entrypoints=websecure"
"--label=traefik.http.routers.cinny.tls.certresolver=letsencrypt" "--label=traefik.http.routers.cinny.tls.certresolver=letsencrypt"
"--label=traefik.http.services.cinny.loadbalancer.server.port=80" "--label=traefik.http.services.cinny.loadbalancer.server.port=80"
"--label=traefik.http.routers.cinny.rule=Host(`cinny.baduhai.me`)" "--label=traefik.http.routers.cinny.rule=Host(`cinny.baduhai.me`)"
]; ];
}; };
"librespeed" = { # Speedtest "librespeed" = { # Speedtest
image = "lscr.io/linuxserver/librespeed:latest"; image = "lscr.io/linuxserver/librespeed:latest";
environment = { environment = {
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
}; };
ports = [ ports = [
"8004:80" "8004:80"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.librespeed.entrypoints=websecure" "--label=traefik.http.routers.librespeed.entrypoints=websecure"
"--label=traefik.http.routers.librespeed.tls.certresolver=letsencrypt" "--label=traefik.http.routers.librespeed.tls.certresolver=letsencrypt"
"--label=traefik.http.services.librespeed.loadbalancer.server.port=80" "--label=traefik.http.services.librespeed.loadbalancer.server.port=80"
"--label=traefik.http.routers.librespeed.rule=Host(`librespeed.baduhai.me`)" "--label=traefik.http.routers.librespeed.rule=Host(`librespeed.baduhai.me`)"
]; ];
}; };
"whoogle" = { # Anonymised google search "whoogle" = { # Anonymised google search
image = "benbusby/whoogle-search:latest"; image = "benbusby/whoogle-search:latest";
environment = { environment = {
HTTPS_ONLY = "1"; HTTPS_ONLY = "1";
WHOOGLE_CONFIG_DISABLE = "1"; WHOOGLE_CONFIG_DISABLE = "1";
WHOOGLE_CONFIG_LANGUAGE = "lang_en"; WHOOGLE_CONFIG_LANGUAGE = "lang_en";
WHOOGLE_CONFIG_SEARCH_LANGUAGE = "lang_en"; WHOOGLE_CONFIG_SEARCH_LANGUAGE = "lang_en";
WHOOGLE_CONFIG_THEME = "system"; WHOOGLE_CONFIG_THEME = "system";
WHOOGLE_CONFIG_VIEW_IMAGE = "1"; WHOOGLE_CONFIG_VIEW_IMAGE = "1";
WHOOGLE_CONFIG_GET_ONLY = "1"; WHOOGLE_CONFIG_GET_ONLY = "1";
}; };
ports = [ ports = [
"8009:5000" "8009:5000"
]; ];
extraOptions = [ extraOptions = [
"--pull=always" "--pull=always"
"--label=traefik.enable=true" "--label=traefik.enable=true"
"--label=traefik.http.routers.whoogle.entrypoints=websecure" "--label=traefik.http.routers.whoogle.entrypoints=websecure"
"--label=traefik.http.routers.whoogle.tls.certresolver=letsencrypt" "--label=traefik.http.routers.whoogle.tls.certresolver=letsencrypt"
"--label=traefik.http.services.whoogle.loadbalancer.server.port=5000" "--label=traefik.http.services.whoogle.loadbalancer.server.port=5000"
"--label=traefik.http.routers.whoogle.rule=Host(`whoogle.baduhai.me`)" "--label=traefik.http.routers.whoogle.rule=Host(`whoogle.baduhai.me`)"
]; ];
}; };
}; };
}; };
}; };
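Review bot: The Cloudflare DNS API token is still in this file in plaintext: on the new side the disabled `traefik` container keeps its `environment` block as comments, including the `CLOUDFLARE_DNS_API_TOKEN` line, so the value remains readable in the repository, in its history and in any store copy of the flake. Delete the commented-out block rather than keeping it, and revoke the token at Cloudflare and issue a new one for the agenix secret, because a value that has been committed has to be treated as disclosed. In the new nginx block, `useACMEHoost` on the `"baduhai.me"` virtual host looks like a typo for `useACMEHost = "baduhai.me";`, and as written the option would most likely be rejected at evaluation. The containers also still publish their web ports as e.g. `"8000:7575"`, which Docker binds on every interface, so the backends stay reachable without TLS beside the proxy; `"127.0.0.1:8000:7575"` would keep them behind nginx.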


@ -0,0 +1,18 @@
{ config, pkgs, libs, ... }:
{
age.secrets.cloudflare-dns-api-key.file = ../../../secrets/cloudflare-dns-api-key.age;
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare-dns-api-key.path;
};
certs."baduhai.me" = {
extraDomainNames = "*.baduhai.me";
};
};
}
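Review bot: `extraDomainNames = "*.baduhai.me";` assigns a bare string where the ACME module expects a list of strings, so this should read `extraDomainNames = [ "*.baduhai.me" ];`. It would also help to add a comment above `credentialsFile` such as `# environment file read by lego, e.g. CLOUDFLARE_DNS_API_TOKEN=<token>`, since the expected format cannot be seen from the encrypted `.age` file. The nginx user presumably needs read access to the issued certificate for the virtual host that uses it, for example through `group = "nginx";` on `certs."baduhai.me"`; nothing in this commit shows that being set.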

Binary file not shown.

Binary file not shown.


@ -6,5 +6,5 @@ let
servers = [ alexandria ]; servers = [ alexandria ];
in in
{ {
"secret1.age".publicKeys = desktops; "cloudflare-dns-api-key.age".publicKeys = [ alexandria ];
} }
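Review bot: The only recipient listed for `"cloudflare-dns-api-key.age"` is the host key `alexandria`, so the secret can be decrypted, edited or re-keyed only with that machine's private SSH host key. If the host is reinstalled or its key is lost, the encrypted file cannot be recovered, and every edit has to happen on the server itself. Consider adding an administrator's user key next to it and reusing the existing binding, e.g. `publicKeys = servers ++ [ <admin key> ];`. The `let` block starts outside this hunk, so whether a suitable user key is already defined there is not visible.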