Merge pull request #396 from genebean/nixnuc-fixing

Fixing a random breakage on nixnuc
Gene Liverman 2024-06-29 20:07:11 -04:00 committed by GitHub
commit 8e8f092221
2 changed files with 155 additions and 49 deletions


@ -54,6 +54,9 @@ in {
localAddress = "192.168.23.21/24"; localAddress = "192.168.23.21/24";
config = { config, pkgs, lib, ... }: { config = { config, pkgs, lib, ... }: {
system.stateVersion = "23.11"; system.stateVersion = "23.11";
programs.traceroute.enable = true;
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;


@ -1,9 +1,15 @@
{ compose2nix, config, pkgs, username, ... }: { { compose2nix, config, pkgs, username, ... }: let
http_port = 80;
https_port = 443;
home_domain = "home.technicalissues.us";
backend_ip = "127.0.0.1";
mini_watcher = "192.168.23.20";
in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./containers/audiobookshelf.nix ./containers/audiobookshelf.nix
./containers/psitransfer.nix ./containers/psitransfer.nix
./containers/nginx-proxy.nix ../../../system/common/linux/lets-encrypt.nix
../../../system/common/linux/restic.nix ../../../system/common/linux/restic.nix
]; ];
@ -52,6 +58,7 @@
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [
22 # ssh 22 # ssh
80 # http to local Nginx 80 # http to local Nginx
443 # https to local Nginx
3000 # PsiTransfer in oci-container 3000 # PsiTransfer in oci-container
8080 # Tandoor in docker compose 8080 # Tandoor in docker compose
8090 # Wallabag in docker compose 8090 # Wallabag in docker compose
@ -64,20 +71,14 @@
hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4 hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4
useDHCP = false; useDHCP = false;
networkmanager.enable = true; networkmanager.enable = false;
useNetworkd = true;
vlans = { vlans = {
vlan23 = { id = 23; interface = "eno1"; }; vlan23 = { id = 23; interface = "eno1"; };
}; };
bridges = {
br1-23 = { interfaces = [ "vlan23" ]; };
};
interfaces = { interfaces = {
eno1.useDHCP = true; eno1.useDHCP = true;
br1-23 = { vlan23.ipv4.addresses = [{ address = "192.168.23.21"; prefixLength = 24; }];
useDHCP = false;
# This enables the container attached to the bridge to be reachable
ipv4.routes = [{ address = "192.168.23.21"; prefixLength = 32; }];
};
}; };
}; };
@ -107,6 +108,30 @@
# List services that you want to enable: # List services that you want to enable:
services = { services = {
##
## Gandi (gandi.net)
##
## Single host update
# protocol=gandi
# zone=example.com
# password=my-gandi-access-token
# use-personal-access-token=yes
# ttl=10800 # optional
# myhost.example.com
ddclient = {
enable = true;
protocol = "gandi";
zone = "technicalissues.us";
domains = [ home_domain ];
username = "unused";
extraConfig = ''
usev4=webv4
#usev6=webv6
#use-personal-access-token=yes
ttl=300
'';
passwordFile = "${config.sops.secrets.gandi_api.path}";
};
fwupd.enable = true; fwupd.enable = true;
jellyfin = { jellyfin = {
enable = true; enable = true;
@ -115,33 +140,125 @@
lldpd.enable = true; lldpd.enable = true;
nginx = { nginx = {
enable = true; enable = true;
virtualHosts."jellyfin" = { recommendedGzipSettings = true;
default = true; recommendedOptimisation = true;
listen = [ recommendedProxySettings = true;
{ recommendedTlsSettings = true;
addr = "0.0.0.0"; appendHttpConfig = ''
port = 80; # Add HSTS header with preloading to HTTPS requests.
} # Adding this header to HTTP requests is discouraged
]; map $scheme $hsts_header {
locations = { https "max-age=31536000 always;";
"= /" = { }
return = "302 http://$host/web/"; add_header Strict-Transport-Security $hsts_header;
'';
virtualHosts = {
"jellyfin" = {
listen = [
{
addr = "0.0.0.0";
port = 8099;
}
];
locations = {
"= /" = {
return = "302 http://$host/web/";
};
"/" = {
proxyPass = "http://127.0.0.1:8096";
recommendedProxySettings = true;
extraConfig = "proxy_buffering off;";
};
"= /web/" = {
proxyPass = "http://127.0.0.1:8096/web/index.html";
recommendedProxySettings = true;
};
"/socket" = {
proxyPass = "http://127.0.0.1:8096";
recommendedProxySettings = true;
proxyWebsockets = true;
};
}; };
"/" = { };
proxyPass = "http://127.0.0.1:8096";
recommendedProxySettings = true; "${home_domain}" = {
extraConfig = "proxy_buffering off;"; default = true;
}; serverAliases = [ "nix-tester.${home_domain}" ];
"= /web/" = { listen = [
proxyPass = "http://127.0.0.1:8096/web/index.html"; { port = http_port; addr = "0.0.0.0"; }
recommendedProxySettings = true; { port = https_port; addr = "0.0.0.0"; ssl = true; }
}; ];
"/socket" = { enableACME = true;
proxyPass = "http://127.0.0.1:8096"; acmeRoot = null;
recommendedProxySettings = true; addSSL = true;
proxyWebsockets = true; forceSSL = false;
locations."/" = {
return = "200 '<h1>Hello world ;)</h1>'";
extraConfig = ''
add_header Content-Type text/html;
'';
}; };
}; };
"ab.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://${backend_ip}:13378";
extraConfig = ''
client_max_body_size 0;
'';
};
"atuin.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${mini_watcher}:9999";
};
"nc.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
extraConfig = ''
client_max_body_size 0;
underscores_in_headers on;
'';
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://${mini_watcher}:8081";
locations."/".extraConfig = ''
# these are added per https://www.nicemicro.com/tutorials/debian-snap-nextcloud.html
add_header Front-End-Https on;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
proxy_buffering off;
proxy_max_temp_file_size 0;
'';
};
"onlyoffice.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://${mini_watcher}:8888";
};
"readit.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:8090";
};
"tandoor.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:8080";
};
}; };
}; };
resolved.enable = true; resolved.enable = true;
@ -151,17 +268,6 @@
"${config.users.users.${username}.home}/compose-files/tandoor" "${config.users.users.${username}.home}/compose-files/tandoor"
"${config.users.users.${username}.home}/compose-files/wallabag" "${config.users.users.${username}.home}/compose-files/wallabag"
]; ];
tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tailscale_key.path;
extraUpFlags = [
"--advertise-exit-node"
"--operator=${username}"
"--ssh"
"--advertise-routes=192.168.20.0/22"
];
useRoutingFeatures = "both";
};
zfs.autoScrub.enable = true; zfs.autoScrub.enable = true;
}; };
@ -177,9 +283,6 @@
owner = "${username}"; owner = "${username}";
path = "/home/${username}/.private-env"; path = "/home/${username}/.private-env";
}; };
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
};
}; };
}; };
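Review bot: The HSTS map added to appendHttpConfig (the hunk starting at line 97) puts `always;` inside the header value, so HTTPS responses are sent `Strict-Transport-Security: max-age=31536000 always;`, which is not a valid directive list and browsers will discard it rather than enable HSTS; `always` is an argument of add_header, not part of the value. Change the two lines to `https "max-age=31536000";` and `add_header Strict-Transport-Security $hsts_header always;`. Separately, the jellyfin vhost now listens on 0.0.0.0:8099 while the allowedTCPPorts hunk at line 40 shows 80 and 443 but no 8099; if it is not opened elsewhere the vhost is only reachable locally, and if it is, it is plain HTTP on all interfaces, so a comment next to the listen block stating which is intended would help. The networking hunk replaces the bridge route for 192.168.23.21/32 by assigning 192.168.23.21 directly to vlan23, which collides with the container localAddress 192.168.23.21/24 shown in the first file if that container is still declared on this host — worth confirming before merge.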