genebean/dots
1
0
Fork 0
mirror of https://github.com/genebean/dots.git synced 2026-03-27 01:17:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

OwnTracks works now

Browse source
This commit is contained in:
Gene Liverman 2024-06-16 07:31:27 -04:00
parent c68680eff4
commit 158397df0c
5 changed files with 108 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

9
modules/hosts/nixos/hetznix01/default.nix
View file

@ -1,8 +1,7 @@
{ username, ... }: {
{ pkgs, username, ... }: {
imports = [
./hardware-configuration.nix
./disk-config.nix
./owntracks.nix
./post-install-general.nix
./post-install-nginx.nix
];
@ -17,6 +16,11 @@
efiInstallAsRemovable = true;
};
environment.systemPackages = with pkgs; [
podman-tui # status of containers in the terminal
podman-compose
];
networking = {
# Open ports in the firewall.
firewall.allowedTCPPorts = [
@ -74,6 +78,7 @@
isNormalUser = true;
description = "Gene Liverman";
extraGroups = [ "networkmanager" "wheel" ];
linger = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
];

53
modules/hosts/nixos/hetznix01/owntracks.nix
View file

@ -1,9 +1,42 @@
{ config, pkgs, ... }: let
frontend_port = "8082";
in {
environment.systemPackages = with pkgs; [
owntracks-recorder
];
environment = {
etc = {
"default/ot-recorder".text = ''
OTR_USER="recorder"
OTR_PASS="toenail-madmen-nazareth-fum"
OTR_GEOKEY="opencage:b85db97221cc4239b34e0ca07e71471e"
OTR_TOPICS="owntracks/#"
OTR_HTTPHOST="127.0.0.1"
OTR_HTTPPREFIX="owntracks"
'';
};
};
services.mosquitto = {
enable = true;
persistence = true;
listeners = [
{
address = "127.0.0.1";
port = 1883;
users = {
recorder.passwordFile = config.sops.secrets.mqtt_recorder_pass.path;
};
}
];
};
users = {
groups.owntracks.gid = config.users.users.owntracks.uid;
users.owntracks = {
isSystemUser = true;
description = "OwnTracks";
group = "owntracks";
home = "/home/owntracks";
};
};
virtualisation.oci-containers.containers = {
"owntracks-frontend" = {
@ -11,10 +44,18 @@ in {
image = "docker.io/owntracks/frontend:2.15.3";
environment = {
LISTEN = frontend_port;
SERVER_HOST = config.networking.hostName;
SERVER_PORT = "8083";
SERVER_HOST = "ot-recorder";
};
ports = [ "${frontend_port}:${frontend_port}" ];
ports = [ "127.0.0.1:${frontend_port}:80" ];
};
"ot-recorder" = {
autoStart = true;
image = "docker.io/owntracks/frontend:2.15.3";
ports = [ "127.0.0.1:8083:8083" ];
volumes = [
"/etc/default/config:/config"
"/var/spool/owntracks/recorder/store:/store"
];
};
};
}

21
modules/hosts/nixos/hetznix01/post-install-general.nix
View file

@ -32,9 +32,28 @@
owner = "${username}";
path = "/home/${username}/.private-env";
};
mqtt_recorder_pass.restartUnits = ["mosquitto.service"];
owntracks_basic_auth = {
owner = config.users.users.nginx.name;
restartUnits = ["nginx.service"];
};
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
};
};
};
}
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
};
}

50
modules/hosts/nixos/hetznix01/post-install-nginx.nix
View file

@ -3,6 +3,7 @@
http_port = 80;
https_port = 443;
in {
imports = [
../../../system/common/linux/lets-encrypt.nix
];
@ -38,7 +39,7 @@ in {
'';
};
};
"ot.${domain}}" = {
"ot.${domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
@ -47,34 +48,43 @@ in {
locations = {
# OwnTracks Frontend container
"/" = {
proxypass = "http://127.0.0.1:8082";
recommendedproxysettings = true;
proxyPass = "http://127.0.0.1:8082";
recommendedProxySettings = true;
};
};
};
"recorder.${domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
locations = {
# OwnTracks Recorder
"/owntracks/" = {
proxypass = "http://127.0.0.1:8083";
recommendedproxysettings = true;
"/" = {
proxyPass = "http://127.0.0.1:8083";
recommendedProxySettings = true;
};
"/owntracks/pub" = { # Client apps need to point to this path
"/pub" = { # Client apps need to point to this path
extraConfig = "proxy_set_header X-Limit-U $remote_user;";
proxypass = "http://127.0.0.1:8083/pub";
recommendedproxysettings = true;
proxyPass = "http://127.0.0.1:8083/pub";
recommendedProxySettings = true;
};
"/owntracks/static/" = {
proxypass = "http://127.0.0.1:8083/static/";
recommendedproxysettings = true;
"/static/" = {
proxyPass = "http://127.0.0.1:8083/static/";
recommendedProxySettings = true;
};
"/owntracks/utils/" = {
proxypass = "http://127.0.0.1:8083/utils/";
recommendedproxysettings = true;
"/utils/" = {
proxyPass = "http://127.0.0.1:8083/utils/";
recommendedProxySettings = true;
};
"/owntracks/view/" = {
"/view/" = {
extraConfig = "proxy_buffering off;";
proxypass = "http://127.0.0.1:8083/view/";
recommendedproxysettings = true;
proxyPass = "http://127.0.0.1:8083/view/";
recommendedProxySettings = true;
};
"/owntracks/ws" = {
extraConfig = "rewrite ^/owntracks/(.*) /$1 break;";
"/ws" = {
extraConfig = "rewrite ^/(.*) /$1 break;";
proxyPass = "http://127.0.0.1:8083";
recommendedProxySettings = true;
};

6
modules/hosts/nixos/hetznix01/secrets.yaml
View file

@ -1,5 +1,7 @@
local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str]
local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str]
mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str]
owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str]
tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str]
sops:
kms: []
@ -16,8 +18,8 @@ sops:
WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV
W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-15T20:49:45Z"
mac: ENC[AES256_GCM,data:TPY25QfdBEoQbOMoF0kDIv9P3uwqY5pq2HyFIckhidaKvUNog5OVHmXsycpEZ+JC6NOPHWpd0wrYB8XYJI4R3ND/w3Gjl/NGEnDjX7FihkhQZOlTUap+/7UBL3gTQKR/jd0enWn1FIQuOrXmNsJ3RhPStQNpHRmgSPR5FVecJFI=,iv:dIQmQjKK7VFnxOYxkDSRDZNFpsv1+6YU9tpOr8XsTtw=,tag:FDlGiuJR2mwuci+z2Pa5rg==,type:str]
lastmodified: "2024-06-16T03:36:06Z"
mac: ENC[AES256_GCM,data:KkJ7awR2HwH8MBHrDzOifwD6ePACWsGFaNg8/eixKvb+/V4k2NkOxZPzdemcqMaCPCzhX9bGlE76MGy9y6JWvln+yKkBx7uilSdfGu5bVnMQY0JT8r2nW4tCfJ1VpLOxdvcw8pUjeK/oizvUolk7DJ1PecrPQuSmhGkOAL6h6dA=,iv:nd0F7sU9hYOu3qb0kXSstRt8M3QDmciSs5ArtiXI6XQ=,tag:gGG8NnO690UrTq6y4NnK9w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1