genebean/dots
1
0
Fork 0
mirror of https://github.com/genebean/dots.git synced 2026-05-31 23:55:20 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: genebean:859a573954ad91a42b70cce488e9c8162974fcf8
Branches Tags
genebean:main
genebean:cups-update
genebean:genebean-module
genebean:hm-puppet
genebean:remote_builds
genebean:fix-htts-redirects
genebean:commit-signing
genebean:create-host-smarthome
genebean:owntracks
..
compare: genebean:84a5c695b09c7c1d309eb09dac4b0e8589ebbf6d
Branches Tags
genebean:main
genebean:cups-update
genebean:genebean-module
genebean:hm-puppet
genebean:remote_builds
genebean:fix-htts-redirects
genebean:commit-signing
genebean:create-host-smarthome
genebean:owntracks

No commits in common. "859a573954ad91a42b70cce488e9c8162974fcf8" and "84a5c695b09c7c1d309eb09dac4b0e8589ebbf6d" have entirely different histories.
859a573954 ... 84a5c695b0

15 changed files with 135 additions and 353 deletions
Download patch file Download diff file Expand all files Collapse all files

37
modules/hosts/nixos/hetznix01/default.nix
View file

@ -1,6 +1,4 @@
{ {
config,
lib,
pkgs, pkgs,
username, username,
... ...
@ -8,10 +6,8 @@
{ {
imports = [ imports = [
../../../shared/nixos/nixroutes.nix ../../../shared/nixos/nixroutes.nix
../../../shared/nixos/ports.nix
./disk-config.nix ./disk-config.nix
./hardware-configuration.nix ./hardware-configuration.nix
./ports.nix
./post-install ./post-install
]; ];
@ -31,18 +27,27 @@
]; ];
networking = { networking = {
firewall = { # Open ports in the firewall.
allowedTCPPorts = lib.pipe config.dots.ports [ firewall.allowedTCPPorts = [
builtins.attrValues 22 # ssh
(builtins.filter (e: e.openFirewall && e.protocol == "tcp")) 25 # SMTP (unencrypted)
(map (e: e.port)) 80 # http to local Nginx
]; 143 # imap
allowedUDPPorts = lib.pipe config.dots.ports [ 443 # https to local Nginx
builtins.attrValues 465 # SMTP with TLS
(builtins.filter (e: e.openFirewall && e.protocol == "udp")) 587 # SMTP with STARTTLS
(map (e: e.port)) 993 # imaps
]; 1883 # mqtt
}; 8333 # Bitcoin Core
8448 # Matrix Synapse
8883 # mqtt over tls
9001 # mqtt websockets over tls
9333 # Bitcoin Knots
9735 # LND
];
# firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# firewall.enable = false;
hostId = "85d0e6cb"; # head -c4 /dev/urandom | od -A none -t x4 hostId = "85d0e6cb"; # head -c4 /dev/urandom | od -A none -t x4

82
modules/hosts/nixos/hetznix01/ports.nix
View file

@ -1,82 +0,0 @@
{
config.dots.ports = {
# Firewalled TCP services (email)
smtp = {
port = 25;
openFirewall = true;
};
imap = {
port = 143;
openFirewall = true;
};
smtp-tls = {
port = 465;
openFirewall = true;
};
smtp-starttls = {
port = 587;
openFirewall = true;
};
imaps = {
port = 993;
openFirewall = true;
};
# MQTT (via EMQX container)
mqtt = {
port = 1883;
openFirewall = true;
};
mqtt-tls = {
port = 8883;
openFirewall = true;
};
mqtt-ws = {
port = 9001;
openFirewall = true;
};
# Bitcoin / Lightning (proxied to umbrel on tailnet)
bitcoin-core = {
port = 8333;
openFirewall = true;
};
bitcoin-knots = {
port = 9333;
openFirewall = true;
};
lnd = {
port = 9735;
openFirewall = true;
};
# Matrix federation listener (nginx terminates, proxies to matrix-synapse)
matrix-federation = {
port = 8448;
openFirewall = true;
};
# Internal-only TCP services (proxied via nginx, not firewalled)
matrix-synapse = {
port = 8008;
};
owntracks-frontend = {
port = 8082;
};
owntracks-recorder = {
port = 8083;
};
plausible = {
port = 8001;
};
uptime-kuma = {
port = 3001;
};
collabora = {
port = 9980;
};
emqx-admin = {
port = 18083;
};
};
}

4
modules/hosts/nixos/hetznix01/post-install/containers/emqx.nix
View file

@ -16,10 +16,10 @@ in
]; ];
hostname = "emqx1.hetznix01.technicalissues.us"; hostname = "emqx1.hetznix01.technicalissues.us";
ports = [ ports = [
"${toString config.dots.ports.mqtt.port}:1883" "1883:1883"
#"8083:8083" #"8083:8083"
#"8084:8084" #"8084:8084"
"${toString config.dots.ports.emqx-admin.port}:18083" "18083:18083"
]; ];
volumes = [ volumes = [
"${volume_base}/data:/opt/emqx/data" "${volume_base}/data:/opt/emqx/data"

6
modules/hosts/nixos/hetznix01/post-install/default.nix
View file

@ -23,7 +23,7 @@ in
services = { services = {
collabora-online = { collabora-online = {
enable = true; enable = true;
inherit (config.dots.ports.collabora) port; port = 9980; # default
settings = { settings = {
# Rely on reverse proxy for SSL # Rely on reverse proxy for SSL
ssl = { ssl = {
@ -51,7 +51,7 @@ in
enable = true; enable = true;
configureNginx = true; configureNginx = true;
environment = { environment = {
PHOTON_API_HOST = "nixnuc.${config.private-flake.tailnetDomain}:${toString config.dots.ports.photon.port}"; PHOTON_API_HOST = "nixnuc.${config.private-flake.tailnetDomain}:2322";
PHOTON_API_USE_HTTPS = "false"; PHOTON_API_USE_HTTPS = "false";
}; };
extraEnvFiles = [ extraEnvFiles = [
@ -122,7 +122,7 @@ in
server = { server = {
baseUrl = "https://stats.${domain}"; baseUrl = "https://stats.${domain}";
disableRegistration = true; disableRegistration = true;
inherit (config.dots.ports.plausible) port; port = 8001;
# secretKeybaseFile is a path to the file which contains the secret generated # secretKeybaseFile is a path to the file which contains the secret generated
# with openssl as described above. # with openssl as described above.
secretKeybaseFile = config.sops.secrets.plausible_secret_key_base.path; secretKeybaseFile = config.sops.secrets.plausible_secret_key_base.path;

2
modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix
View file

@ -13,7 +13,7 @@
signing_key_path = config.sops.secrets.matrix_homeserver_signing_key.path; signing_key_path = config.sops.secrets.matrix_homeserver_signing_key.path;
listeners = [ listeners = [
{ {
inherit (config.dots.ports.matrix-synapse) port; port = 8008;
tls = false; tls = false;
type = "http"; type = "http";
x_forwarded = true; x_forwarded = true;

8
modules/hosts/nixos/hetznix01/post-install/monitoring.nix
View file

@ -16,7 +16,7 @@ in
{ {
job_name = "node"; job_name = "node";
static_configs = [ static_configs = [
{ targets = [ "127.0.0.1:${toString config.dots.ports.node-exporter.port}" ]; } { targets = [ "127.0.0.1:9100" ]; }
]; ];
metric_relabel_configs = [ metric_relabel_configs = [
{ {
@ -37,7 +37,7 @@ in
{ {
job_name = "nginx"; job_name = "nginx";
static_configs = [ static_configs = [
{ targets = [ "127.0.0.1:${toString config.dots.ports.nginx-exporter.port}" ]; } { targets = [ "127.0.0.1:9113" ]; }
]; ];
metric_relabel_configs = [ metric_relabel_configs = [
{ {
@ -84,7 +84,7 @@ in
prometheus.exporters.node = { prometheus.exporters.node = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
inherit (config.dots.ports.node-exporter) port; port = 9100;
enabledCollectors = [ enabledCollectors = [
"systemd" "systemd"
]; ];
@ -98,7 +98,7 @@ in
prometheus.exporters.nginx = { prometheus.exporters.nginx = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
inherit (config.dots.ports.nginx-exporter) port; port = 9113;
scrapeUri = "https://127.0.0.1/server_status"; scrapeUri = "https://127.0.0.1/server_status";
sslVerify = false; sslVerify = false;
}; };

56
modules/hosts/nixos/hetznix01/post-install/nginx.nix
View file

@ -1,6 +1,8 @@
{ config, ... }: { config, ... }:
let let
domain = "technicalissues.us"; domain = "technicalissues.us";
http_port = 80;
https_port = 443;
private_btc = "umbrel.${config.private-flake.tailnetDomain}"; private_btc = "umbrel.${config.private-flake.tailnetDomain}";
in in
{ {
@ -23,13 +25,13 @@ in
streamConfig = '' streamConfig = ''
server { server {
# https://docs.emqx.com/en/emqx/latest/deploy/cluster/lb-nginx.html # https://docs.emqx.com/en/emqx/latest/deploy/cluster/lb-nginx.html
listen ${toString config.dots.ports.mqtt-tls.port} ssl; listen 8883 ssl;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_certificate ${config.security.acme.certs."mqtt.${domain}".directory}/fullchain.pem; ssl_certificate ${config.security.acme.certs."mqtt.${domain}".directory}/fullchain.pem;
ssl_certificate_key ${config.security.acme.certs."mqtt.${domain}".directory}/key.pem; ssl_certificate_key ${config.security.acme.certs."mqtt.${domain}".directory}/key.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
proxy_pass 127.0.0.0:${toString config.dots.ports.mqtt.port}; proxy_pass 127.0.0.0:1883;
proxy_protocol on; proxy_protocol on;
proxy_connect_timeout 10s; proxy_connect_timeout 10s;
# Default keep-alive time is 10 minutes # Default keep-alive time is 10 minutes
@ -39,17 +41,17 @@ in
} }
server { server {
listen 0.0.0.0:${toString config.dots.ports.bitcoin-core.port}; listen 0.0.0.0:8333;
listen 0.0.0.0:${toString config.dots.ports.bitcoin-knots.port}; listen 0.0.0.0:9333;
listen [::]:${toString config.dots.ports.bitcoin-core.port}; listen [::]:8333;
listen [::]:${toString config.dots.ports.bitcoin-knots.port}; listen [::]:9333;
proxy_pass ${private_btc}:${toString config.dots.ports.bitcoin-core.port}; proxy_pass ${private_btc}:8333;
} }
server { server {
listen 0.0.0.0:${toString config.dots.ports.lnd.port}; listen 0.0.0.0:9735;
listen [::]:${toString config.dots.ports.lnd.port}; listen [::]:9735;
proxy_pass ${private_btc}:${toString config.dots.ports.lnd.port}; proxy_pass ${private_btc}:9735;
} }
''; '';
virtualHosts = { virtualHosts = {
@ -135,32 +137,32 @@ in
"matrix.${domain}" = { "matrix.${domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.http) port; port = http_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
} }
{ {
inherit (config.dots.ports.http) port; port = http_port;
addr = "[::]"; addr = "[::]";
} }
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "[::]"; addr = "[::]";
ssl = true; ssl = true;
} }
{ {
inherit (config.dots.ports.matrix-federation) port; port = 8448;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
{ {
inherit (config.dots.ports.matrix-federation) port; port = 8448;
addr = "[::]"; addr = "[::]";
ssl = true; ssl = true;
} }
@ -180,9 +182,9 @@ in
}; };
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here. # *must not* be used here.
"/_matrix".proxyPass = "http://[::1]:${toString config.dots.ports.matrix-synapse.port}"; "/_matrix".proxyPass = "http://[::1]:8008";
# Forward requests for e.g. SSO and password-resets. # Forward requests for e.g. SSO and password-resets.
"/_synapse/client".proxyPass = "http://[::1]:${toString config.dots.ports.matrix-synapse.port}"; "/_synapse/client".proxyPass = "http://[::1]:8008";
}; };
}; };
"mqtt.${domain}" = { "mqtt.${domain}" = {
@ -197,7 +199,7 @@ in
forceSSL = true; forceSSL = true;
basicAuthFile = config.sops.secrets.owntracks_basic_auth.path; basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
# OwnTracks Frontend container # OwnTracks Frontend container
locations."/".proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-frontend.port}"; locations."/".proxyPass = "http://127.0.0.1:8082";
}; };
"pack1828.org" = { "pack1828.org" = {
enableACME = true; enableACME = true;
@ -215,26 +217,26 @@ in
locations = { locations = {
# OwnTracks Recorder # OwnTracks Recorder
"/" = { "/" = {
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}"; proxyPass = "http://127.0.0.1:8083";
}; };
"/pub" = { "/pub" = {
# Client apps need to point to this path # Client apps need to point to this path
extraConfig = "proxy_set_header X-Limit-U $remote_user;"; extraConfig = "proxy_set_header X-Limit-U $remote_user;";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/pub"; proxyPass = "http://127.0.0.1:8083/pub";
}; };
"/static/" = { "/static/" = {
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/static/"; proxyPass = "http://127.0.0.1:8083/static/";
}; };
"/utils/" = { "/utils/" = {
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/utils/"; proxyPass = "http://127.0.0.1:8083/utils/";
}; };
"/view/" = { "/view/" = {
extraConfig = "proxy_buffering off;"; extraConfig = "proxy_buffering off;";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}/view/"; proxyPass = "http://127.0.0.1:8083/view/";
}; };
"/ws" = { "/ws" = {
extraConfig = "rewrite ^/(.*) /$1 break;"; extraConfig = "rewrite ^/(.*) /$1 break;";
proxyPass = "http://127.0.0.1:${toString config.dots.ports.owntracks-recorder.port}"; proxyPass = "http://127.0.0.1:8083";
}; };
}; };
}; };
@ -242,7 +244,7 @@ in
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.dots.ports.plausible.port}"; locations."/".proxyPass = "http://127.0.0.1:8001";
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
extraConfig = '' extraConfig = ''
access_log /var/log/nginx/stats.${domain}.log; access_log /var/log/nginx/stats.${domain}.log;
@ -257,7 +259,7 @@ in
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.dots.ports.uptime-kuma.port}"; locations."/".proxyPass = "http://127.0.0.1:3001";
}; };
}; # end virtualHosts }; # end virtualHosts
}; # end nginx }; # end nginx

5
modules/hosts/nixos/nixnuc/containers/audiobookshelf.nix
View file

@ -1,6 +1,7 @@
{ config, ... }: _:
let let
volume_base = "/var/lib/audiobookshelf"; volume_base = "/var/lib/audiobookshelf";
http_port = "13378";
in in
{ {
# Audiobookshelf # Audiobookshelf
@ -13,7 +14,7 @@ in
AUDIOBOOKSHELF_UID = "99"; AUDIOBOOKSHELF_UID = "99";
AUDIOBOOKSHELF_GID = "100"; AUDIOBOOKSHELF_GID = "100";
}; };
ports = [ "${toString config.dots.ports.audiobookshelf.port}:80" ]; ports = [ "${http_port}:80" ];
volumes = [ volumes = [
"${volume_base}/audiobooks:/audiobooks" "${volume_base}/audiobooks:/audiobooks"
"${volume_base}/podcasts:/podcasts" "${volume_base}/podcasts:/podcasts"

3
modules/hosts/nixos/nixnuc/containers/photon.nix
View file

@ -1,6 +1,7 @@
{ config, ... }: { config, ... }:
let let
volume_base = "/orico/photon"; volume_base = "/orico/photon";
http_port = "2322";
in in
{ {
systemd.services."${config.virtualisation.oci-containers.containers.photon.serviceName}" = { systemd.services."${config.virtualisation.oci-containers.containers.photon.serviceName}" = {
@ -18,7 +19,7 @@ in
UPDATE_STRATEGY = "PARALLEL"; UPDATE_STRATEGY = "PARALLEL";
UPDATE_INTERVAL = "30d"; UPDATE_INTERVAL = "30d";
}; };
ports = [ "${toString config.dots.ports.photon.port}:2322" ]; ports = [ "${http_port}:2322" ];
volumes = [ volumes = [
"${volume_base}:/photon/data" "${volume_base}:/photon/data"
]; ];

3
modules/hosts/nixos/nixnuc/containers/psitransfer.nix
View file

@ -1,6 +1,7 @@
{ config, ... }: { config, ... }:
let let
volume_base = "/orico/psitransfer"; volume_base = "/orico/psitransfer";
http_port = "3000";
psitransfer_dot_env = "${config.sops.secrets.psitransfer_dot_env.path}"; psitransfer_dot_env = "${config.sops.secrets.psitransfer_dot_env.path}";
in in
{ {
@ -23,7 +24,7 @@ in
autoStart = true; autoStart = true;
image = "psitrax/psitransfer"; image = "psitrax/psitransfer";
environmentFiles = [ psitransfer_dot_env ]; environmentFiles = [ psitransfer_dot_env ];
ports = [ "${toString config.dots.ports.psitransfer.port}:3000" ]; ports = [ "${http_port}:3000" ];
volumes = [ volumes = [
"${volume_base}/data:/data" "${volume_base}/data:/data"
]; ];

4
modules/hosts/nixos/nixnuc/cup-collector.nix
View file

@ -22,9 +22,9 @@ in
]; ];
migrationsDir = inputs.cup-collector.packages.${pkgs.stdenv.hostPlatform.system}.migrations; migrationsDir = inputs.cup-collector.packages.${pkgs.stdenv.hostPlatform.system}.migrations;
pbBindIp = "0.0.0.0"; pbBindIp = "0.0.0.0";
pbPort = config.dots.ports.pocketbase.port; # override default due to conflict pbPort = 8091; # override default due to conflict
pocketidIssuerUrl = config.services.pocket-id.settings.APP_URL; pocketidIssuerUrl = config.services.pocket-id.settings.APP_URL;
inherit (config.dots.ports.cup-collector) port; # override default due to conflict port = 3010; # override default due to conflict
}; };
restic.backups.daily = { restic.backups.daily = {

94
modules/hosts/nixos/nixnuc/default.nix
View file

@ -1,12 +1,12 @@
{ {
inputs, inputs,
config, config,
lib,
pkgs, pkgs,
username, username,
... ...
}: }:
let let
https_port = 443;
home_domain = "home.technicalissues.us"; home_domain = "home.technicalissues.us";
backend_ip = "127.0.0.1"; backend_ip = "127.0.0.1";
restic_backup_time = "02:00"; restic_backup_time = "02:00";
@ -20,10 +20,8 @@ in
./containers/psitransfer.nix ./containers/psitransfer.nix
./cup-collector.nix ./cup-collector.nix
./monitoring-stack.nix ./monitoring-stack.nix
./ports.nix
./zfs-datasets.nix ./zfs-datasets.nix
../../../shared/nixos/lets-encrypt.nix ../../../shared/nixos/lets-encrypt.nix
../../../shared/nixos/ports.nix
../../../shared/nixos/restic.nix ../../../shared/nixos/restic.nix
]; ];
@ -73,18 +71,36 @@ in
}; };
networking = { networking = {
# Open ports in the firewall.
firewall = { firewall = {
allowedTCPPorts = lib.pipe config.dots.ports [ allowedTCPPorts = [
builtins.attrValues 22 # ssh
(builtins.filter (e: e.openFirewall && e.protocol == "tcp")) 80 # http to local Nginx
(map (e: e.port)) 443 # https to local Nginx
2322 # Photon geocoder in oci-container
3000 # PsiTransfer in oci-container
3001 # immich-kiosk in compose
3002 # grafana
3005 # Firefly III
3006 # Firefly III Data Importer
3010 # Cup Collector
3030 # Forgejo
3087 # Youtarr in docker compose
8001 # Tube Archivist
8384 # Syncthing gui
8888 # Atuin
8090 # Wallabag in docker compose
8091 # PocketBase
8945 # Pinchflat
13378 # Audiobookshelf in oci-container
]; ];
allowedUDPPorts = lib.pipe config.dots.ports [ allowedUDPPorts = [
builtins.attrValues 1900 # Jellyfin service auto-discovery
(builtins.filter (e: e.openFirewall && e.protocol == "udp")) 7359 # Jellyfin auto-discovery
(map (e: e.port))
]; ];
}; };
# Or disable the firewall altogether.
# firewall.enable = false;
hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4 hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4
@ -161,7 +177,7 @@ in
enable = true; enable = true;
enableNginx = true; enableNginx = true;
settings = { settings = {
FIREFLY_III_URL = "http://localhost:${toString config.dots.ports.fireflyiii.port}"; FIREFLY_III_URL = "http://localhost:3005";
VANITY_URL_FILE = "${config.sops.secrets.firefly_vanity_url.path}"; VANITY_URL_FILE = "${config.sops.secrets.firefly_vanity_url.path}";
FIREFLY_III_ACCESS_TOKEN_FILE = "${config.sops.secrets.firefly_pat_data_import.path}"; FIREFLY_III_ACCESS_TOKEN_FILE = "${config.sops.secrets.firefly_pat_data_import.path}";
SIMPLEFIN_TOKEN_FILE = "${config.sops.secrets.firefly_simplefin_token.path}"; SIMPLEFIN_TOKEN_FILE = "${config.sops.secrets.firefly_simplefin_token.path}";
@ -187,7 +203,7 @@ in
}; };
server = { server = {
DOMAIN = "git.${home_domain}"; DOMAIN = "git.${home_domain}";
HTTP_PORT = config.dots.ports.forgejo.port; HTTP_PORT = 3030;
LANDING_PAGE = "explore"; LANDING_PAGE = "explore";
ROOT_URL = "https://git.${home_domain}/"; ROOT_URL = "https://git.${home_domain}/";
}; };
@ -206,7 +222,7 @@ in
enable = true; enable = true;
credentialsFile = config.sops.secrets.mealie.path; credentialsFile = config.sops.secrets.mealie.path;
listenAddress = "0.0.0.0"; listenAddress = "0.0.0.0";
inherit (config.dots.ports.mealie) port; port = 9000;
settings = { settings = {
ALLOW_SIGNUP = "false"; ALLOW_SIGNUP = "false";
BASE_URL = "https://mealie.${home_domain}"; BASE_URL = "https://mealie.${home_domain}";
@ -298,7 +314,7 @@ in
]; ];
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -323,7 +339,7 @@ in
"ab.${home_domain}" = { "ab.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -332,7 +348,7 @@ in
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.audiobookshelf.port}"; locations."/".proxyPass = "http://${backend_ip}:13378";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -340,7 +356,7 @@ in
"atuin.${home_domain}" = { "atuin.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -348,19 +364,19 @@ in
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.atuin.port}"; locations."/".proxyPass = "http://${backend_ip}:8888";
}; };
# budget.${home_domain} # budget.${home_domain}
"${config.services.firefly-iii.virtualHost}".listen = [ "${config.services.firefly-iii.virtualHost}".listen = [
{ {
inherit (config.dots.ports.fireflyiii) port; port = 3005;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = false; ssl = false;
} }
]; ];
"${config.services.firefly-iii-data-importer.virtualHost}".listen = [ "${config.services.firefly-iii-data-importer.virtualHost}".listen = [
{ {
inherit (config.dots.ports.fireflyiii-importer) port; port = 3006;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = false; ssl = false;
} }
@ -368,7 +384,7 @@ in
"git.${home_domain}" = { "git.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -376,7 +392,7 @@ in
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.forgejo.port}"; locations."/".proxyPass = "http://${backend_ip}:3030";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -384,7 +400,7 @@ in
"id.${home_domain}" = { "id.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -392,7 +408,7 @@ in
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.pocket-id.port}"; locations."/".proxyPass = "http://${backend_ip}:1411";
extraConfig = '' extraConfig = ''
proxy_busy_buffers_size 512k; proxy_busy_buffers_size 512k;
proxy_buffers 4 512k; proxy_buffers 4 512k;
@ -402,7 +418,7 @@ in
"immich.${home_domain}" = { "immich.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -410,7 +426,7 @@ in
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.immich.port}"; locations."/".proxyPass = "http://${backend_ip}:2283";
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
@ -422,7 +438,7 @@ in
"immich-kiosk.${home_domain}" = { "immich-kiosk.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -431,7 +447,7 @@ in
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
basicAuthFile = config.sops.secrets.immich_kiosk_basic_auth.path; basicAuthFile = config.sops.secrets.immich_kiosk_basic_auth.path;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.immich-kiosk.port}"; locations."/".proxyPass = "http://${backend_ip}:3001";
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
@ -443,7 +459,7 @@ in
"jellyfin.${home_domain}" = { "jellyfin.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -453,14 +469,14 @@ in
forceSSL = true; forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${backend_ip}:${toString config.dots.ports.jellyfin.port}"; proxyPass = "http://${backend_ip}:8096";
extraConfig = '' extraConfig = ''
proxy_buffering off; proxy_buffering off;
proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Protocol $scheme;
''; '';
}; };
"/socket" = { "/socket" = {
proxyPass = "http://${backend_ip}:${toString config.dots.ports.jellyfin.port}"; proxyPass = "http://${backend_ip}:8096";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Protocol $scheme;
@ -474,7 +490,7 @@ in
"mealie.${home_domain}" = { "mealie.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -482,7 +498,7 @@ in
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.mealie.port}"; locations."/".proxyPass = "http://${backend_ip}:9000";
extraConfig = '' extraConfig = ''
client_max_body_size 10M; client_max_body_size 10M;
''; '';
@ -490,7 +506,7 @@ in
"monitoring.${home_domain}" = { "monitoring.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -499,10 +515,10 @@ in
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations = { locations = {
"/grafana/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.grafana.port}/grafana/"; "/grafana/".proxyPass = "http://${backend_ip}:3002/grafana/";
"/remotewrite" = { "/remotewrite" = {
basicAuthFile = config.sops.secrets.nginx_basic_auth.path; basicAuthFile = config.sops.secrets.nginx_basic_auth.path;
proxyPass = "http://127.0.0.1:${toString config.dots.ports.victoriametrics.port}/api/v1/write"; proxyPass = "http://127.0.0.1:8428/api/v1/write";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -515,7 +531,7 @@ in
"readit.${home_domain}" = { "readit.${home_domain}" = {
listen = [ listen = [
{ {
inherit (config.dots.ports.https) port; port = https_port;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
} }
@ -523,7 +539,7 @@ in
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:${toString config.dots.ports.wallabag.port}"; locations."/".proxyPass = "http://${backend_ip}:8090";
}; };
}; };
}; };

22
modules/hosts/nixos/nixnuc/monitoring-stack.nix
View file

@ -49,9 +49,9 @@ in
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"127.0.0.1:${toString config.dots.ports.node-exporter.port}" # nixnuc "127.0.0.1:9100" # nixnuc
"192.168.22.22:${toString config.dots.ports.node-exporter.port}" # home assistant "192.168.22.22:9100" # home assistant
"umbrel:${toString config.dots.ports.node-exporter.port}" "umbrel:9100"
]; ];
} }
]; ];
@ -89,7 +89,7 @@ in
{ {
job_name = "cadvisor"; job_name = "cadvisor";
static_configs = [ static_configs = [
{ targets = [ "127.0.0.1:${toString config.dots.ports.cadvisor.port}" ]; } { targets = [ "127.0.0.1:8081" ]; }
]; ];
metric_relabel_configs = [ metric_relabel_configs = [
{ {
@ -110,7 +110,7 @@ in
{ {
job_name = "nginx"; job_name = "nginx";
static_configs = [ static_configs = [
{ targets = [ "127.0.0.1:${toString config.dots.ports.nginx-exporter.port}" ]; } { targets = [ "127.0.0.1:9113" ]; }
]; ];
metric_relabel_configs = [ metric_relabel_configs = [
{ {
@ -181,7 +181,7 @@ in
}; };
# Remote write to VictoriaMetrics # Remote write to VictoriaMetrics
remoteWrite.url = "http://127.0.0.1:${toString config.dots.ports.victoriametrics.port}/api/v1/write"; remoteWrite.url = "http://127.0.0.1:8428/api/v1/write";
extraArgs = [ extraArgs = [
# Pass other remote write flags the module does not expose natively: # Pass other remote write flags the module does not expose natively:
@ -219,7 +219,7 @@ in
name = "VictoriaMetrics"; name = "VictoriaMetrics";
type = "victoriametrics-metrics-datasource"; type = "victoriametrics-metrics-datasource";
access = "proxy"; access = "proxy";
url = "http://127.0.0.1:${toString config.dots.ports.victoriametrics.port}"; url = "http://127.0.0.1:8428";
isDefault = true; isDefault = true;
uid = "VictoriaMetrics"; # Set explicit UID for use in alert rules uid = "VictoriaMetrics"; # Set explicit UID for use in alert rules
} }
@ -272,7 +272,7 @@ in
server = { server = {
domain = "monitoring.${home_domain}"; domain = "monitoring.${home_domain}";
http_addr = "0.0.0.0"; http_addr = "0.0.0.0";
http_port = config.dots.ports.grafana.port; http_port = 3002;
root_url = "https://monitoring.${home_domain}/grafana/"; root_url = "https://monitoring.${home_domain}/grafana/";
serve_from_sub_path = true; serve_from_sub_path = true;
}; };
@ -295,7 +295,7 @@ in
prometheus.exporters.node = { prometheus.exporters.node = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
inherit (config.dots.ports.node-exporter) port; port = 9100;
enabledCollectors = [ enabledCollectors = [
"zfs" "zfs"
"systemd" "systemd"
@ -310,7 +310,7 @@ in
prometheus.exporters.nginx = { prometheus.exporters.nginx = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
inherit (config.dots.ports.nginx-exporter) port; port = 9113;
scrapeUri = "https://127.0.0.1/server_status"; scrapeUri = "https://127.0.0.1/server_status";
sslVerify = false; sslVerify = false;
}; };
@ -319,7 +319,7 @@ in
cadvisor = { cadvisor = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
inherit (config.dots.ports.cadvisor) port; port = 8081;
extraOptions = [ extraOptions = [
"--docker_only=true" "--docker_only=true"
"--housekeeping_interval=30s" "--housekeeping_interval=30s"

102
modules/hosts/nixos/nixnuc/ports.nix
View file

@ -1,102 +0,0 @@
{
config.dots.ports = {
# Override global photon default: open the firewall on this host
photon = {
openFirewall = true;
};
# Firewalled TCP services
psitransfer = {
port = 3000;
openFirewall = true;
};
immich-kiosk = {
port = 3001;
openFirewall = true;
};
grafana = {
port = 3002;
openFirewall = true;
};
fireflyiii = {
port = 3005;
openFirewall = true;
};
fireflyiii-importer = {
port = 3006;
openFirewall = true;
};
cup-collector = {
port = 3010;
openFirewall = true;
};
forgejo = {
port = 3030;
openFirewall = true;
};
youtarr = {
port = 3087;
openFirewall = true;
};
tube-archivist = {
port = 8001;
openFirewall = true;
};
syncthing-gui = {
port = 8384;
openFirewall = true;
};
atuin = {
port = 8888;
openFirewall = true;
};
wallabag = {
port = 8090;
openFirewall = true;
};
pocketbase = {
port = 8091;
openFirewall = true;
};
pinchflat = {
port = 8945;
openFirewall = true;
};
audiobookshelf = {
port = 13378;
openFirewall = true;
};
# Internal-only TCP services (proxied via nginx, not firewalled)
pocket-id = {
port = 1411;
};
immich = {
port = 2283;
};
cadvisor = {
port = 8081;
};
victoriametrics = {
port = 8428;
};
jellyfin = {
port = 8096;
};
mealie = {
port = 9000;
};
# UDP services
jellyfin-ssdp = {
port = 1900;
protocol = "udp";
openFirewall = true;
};
jellyfin-discovery = {
port = 7359;
protocol = "udp";
openFirewall = true;
};
};
}

60
modules/shared/nixos/ports.nix
View file

@ -1,60 +0,0 @@
{ lib, ... }:
{
options.dots.ports = lib.mkOption {
description = "Fleet-wide service port registry";
default = { };
type = lib.types.attrsOf (
lib.types.submodule {
options = {
port = lib.mkOption {
type = lib.types.port;
description = "Port number";
};
protocol = lib.mkOption {
type = lib.types.enum [
"tcp"
"udp"
];
default = "tcp";
description = "Transport protocol";
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Open this port in the host firewall";
};
};
}
);
};
# Ports known fleet-wide: either universal (ssh/http/https) or referenced
# by multiple hosts (e.g. hetznix01 references photon to configure Dawarich).
# openFirewall is false by default; each host's ports.nix sets it to true
# for the ports that host actually exposes.
config.dots.ports = {
ssh = {
port = 22;
openFirewall = true;
};
http = {
port = 80;
openFirewall = true;
};
https = {
port = 443;
openFirewall = true;
};
# nixnuc service; hetznix01 references this port for Dawarich's PHOTON_API_HOST.
photon = {
port = 2322;
};
# Standard defaults for prometheus exporters, used on all monitored hosts.
node-exporter = {
port = 9100;
};
nginx-exporter = {
port = 9113;
};
};
}