blake/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

removed nginx and altered caddy (build script changes too)

Browse Source
This commit is contained in:
blake
2025-10-12 13:57:35 -05:00
parent d58262a043
commit 5168f5fc3e
24 changed files with 63 additions and 557 deletions
Download Patch File Download Diff File Expand all files Collapse all files

173
bin/backup_browse.sh.bak
View File

@@ -1,173 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# --- SUDO CHECK ---
if [ "$EUID" -ne 0 ]; then
echo "This script requires root privileges. Re-running with sudo..."
exec sudo "$0" "$@"
fi
# --- HANDLE -k OPTION FOR KEY FILE ---
BORG_PASSPHRASE=""
while getopts "k:" opt; do
case "$opt" in
k)
BORG_PASSPHRASE=$(<"$OPTARG")
if [ -z "$BORG_PASSPHRASE" ]; then
echo "Error: The key file is empty."
exit 1
fi
echo "Using passphrase from key file: $OPTARG"
;;
*)
echo "Usage: $0 [-k passphrase_file] <repo>"
exit 1
;;
esac
done
shift $((OPTIND - 1))
# --- FALLBACK TO /run/secrets/borg_passwd IF NO KEY FILE ---
if [ -z "$BORG_PASSPHRASE" ]; then
if [ -f "/run/secrets/borg_passwd" ]; then
BORG_PASSPHRASE=$(<"/run/secrets/borg_passwd")
echo "Using passphrase from /run/secrets/borg_passwd"
else
# Prompt user for passphrase if neither -k nor /run/secrets/borg_passwd is available
read -s -p "Enter Borg repository passphrase: " BORG_PASSPHRASE
echo
fi
fi
export BORG_PASSPHRASE
# --- DEFAULT REPO ---
REPO="${1:-/holocron/backups}"
# --- CHECK REQUIRED COMMANDS ---
for cmd in borg fzf find tree cp mkdir; do
command -v "$cmd" >/dev/null || { echo "Error: '$cmd' is required but not installed."; exit 1; }
done
# --- LIST ARCHIVES (sorted, newest last) ---
mapfile -t archives < <(borg list --format="{archive}{NL}" "$REPO" | sort)
if [ ${#archives[@]} -eq 0 ]; then
echo "No archives found in $REPO"
exit 1
fi
# --- FZF ARCHIVE SELECT ---
selected=$(printf '%s\n' "${archives[@]}" | fzf --prompt="Select archive: " --height=40% --border --reverse)
if [ -z "$selected" ]; then
echo "No archive selected."
exit 1
fi
echo "Selected archive: $selected"
# --- GENERATE A UNIQUE, SHORTER MOUNT POINT ---
MOUNT_POINT="/tmp/borg-mount-${selected}-$(uuidgen | sha256sum | head -c 6)"
mkdir -p "$MOUNT_POINT"
# --- MOUNT ARCHIVE ---
echo "Mounting '$selected' to $MOUNT_POINT..."
borg mount "$REPO::$selected" "$MOUNT_POINT"
if [ ! -d "$MOUNT_POINT" ]; then
echo "Error: mount failed."
exit 1
fi
# --- LIST FILES AND DIRECTORIES ---
echo "Scanning files and directories..."
if command -v fd >/dev/null 2>&1; then
# List files and directories using fd (can handle both files and dirs)
files=$(fd --type f --type d . "$MOUNT_POINT" | sort)
else
# Fall back to find if fd is not available
files=$(find "$MOUNT_POINT" -type f -o -type d | sort)
fi
if [ -z "$files" ]; then
echo "No files or directories found in archive."
borg umount "$MOUNT_POINT"
rm -rf "$MOUNT_POINT"
exit 1
fi
# --- HIERARCHICAL FZF FILE/DIRECTORY SELECTION (REVERSED) ---
# We reverse the order of files to display the latest (newest) files/folders at the top.
selected_files=$(printf '%s\n' "$files" | sed "s|$MOUNT_POINT/||" | tac | fzf \
--multi \
--height=50% \
--border \
--prompt="Select files or directories to restore: " \
--preview "tree -C -L 5 $MOUNT_POINT/$(dirname {})" \
--preview-window=right:50% \
--delimiter='/' \
--with-nth=1..)
if [ -z "$selected_files" ]; then
echo "No files or directories selected. Exiting."
borg umount "$MOUNT_POINT"
rm -rf "$MOUNT_POINT"
exit 0
fi
# --- SUMMARY OF SELECTED FILES/DIRECTORIES ---
echo "Selected files and directories:"
for file in $selected_files; do
echo " $file"
done
# --- OPTIONS MENU (concise) ---
# Default to option 1 if no input is given
echo "Select restore destination: 1) Restore to ./${selected}_restore 2) Restore to original dirs 3) Quit"
read -p "Enter your choice (1/2/3) [default: 1]: " choice
# Default to option 1 if user presses Enter without providing input
choice="${choice:-1}"
# --- SET RESTORE DESTINATION BASED ON USER CHOICE ---
case "$choice" in
1)
DEST="./${selected}_restore"
;;
2)
DEST="$MOUNT_POINT"
;;
3)
echo "Quitting. No files restored."
borg umount "$MOUNT_POINT"
rm -rf "$MOUNT_POINT"
exit 0
;;
*)
echo "Invalid choice. Exiting."
borg umount "$MOUNT_POINT"
rm -rf "$MOUNT_POINT"
exit 1
;;
esac
mkdir -p "$DEST"
# --- RESTORE FILES AND DIRECTORIES ---
echo "Restoring selected files and directories..."
while IFS= read -r file; do
# Path is already stripped of /tmp, so no need for further modification
dest_path="$DEST/$file"
mkdir -p "$(dirname "$dest_path")"
# If it's a directory, we use cp -r to ensure the directory structure is restored
if [ -d "$MOUNT_POINT/$file" ]; then
cp -r "$MOUNT_POINT/$file" "$dest_path"
else
cp -a "$MOUNT_POINT/$file" "$dest_path"
fi
echo "Restored: $file"
done <<< "$selected_files"
# --- CLEANUP ---
borg umount "$MOUNT_POINT"
rm -rf "$MOUNT_POINT"
echo "Restore complete."

64
bin/backup_browse_fzf.sh
View File

@@ -1,64 +0,0 @@
#!/usr/bin/env bash
# borg-browser.sh — fzf-based Borg archive browser with passphrase prompt
[ "$EUID" -ne 0 ] && { echo "Please run as root."; exec sudo "$0" "$@"; }
REPO="/holocron/backups"
# Prompt once for Borg passphrase
read -rs -p "Borg passphrase: " BORG_PASSPHRASE
echo
export BORG_PASSPHRASE
# Pick an archive
ARCHIVE=$(borg list --short "$REPO" | fzf --prompt="Select archive: ") || {
unset BORG_PASSPHRASE
exit
}
[ -z "$ARCHIVE" ] && { unset BORG_PASSPHRASE; exit; }
# Function to browse directories hierarchically
browse_borg_dir() {
local prefix="$1"
while true; do
# Get immediate children of the current path
ITEMS=$(borg list --format='{path}{NL}' "$REPO::$ARCHIVE" \
| awk -v p="$prefix" -F/ '
BEGIN{n=split(p,a,"/")}
index($0,p)==1 && NF>n {
if (NF==n+1) print $NF;
else print $(n+1)"/";
}' \
| sort -u)
[ -z "$ITEMS" ] && { echo "No items found in $prefix"; return; }
SELECTION=$(echo -e "../\n$ITEMS" | fzf --prompt="${prefix:-/}> ")
case "$SELECTION" in
"../")
prefix="${prefix%/*}"
prefix="${prefix%/}"
;;
"")
return
;;
*/)
prefix="${prefix:+$prefix/}${SELECTION%/}"
;;
*)
local fullpath="${prefix:+$prefix/}$SELECTION"
echo "Selected file: $fullpath"
read -rp "Extract it here? [y/N]: " yn
if [[ $yn =~ ^[Yy]$ ]]; then
borg extract "$REPO::$ARCHIVE" "$fullpath"
fi
return
;;
esac
done
}
browse_borg_dir ""
unset BORG_PASSPHRASE

47
bin/rebuild.sh
View File

@@ -1,26 +1,37 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -euo pipefail
pushd ~/.nix # your hostname (flake target)
# nvim flake.nix hostname="$(hostname)"
# alejandra . &>/dev/null old_gen=$(nixos-rebuild list-generations | grep current | awk '{print $1}')
# git diff -U0 *.nix gen=$((old_gen + 1))
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
nix_dir="$HOME/.nix"
logfile="$nix_dir/.nixos-switch-log"
# add generation comment to flake.nix pushd "$nix_dir" >/dev/null
gen=$(nixos-rebuild list-generations | grep current)
# function to get current nixos generation
get_current_generation() {
nixos-rebuild list-generations
}
echo "diffs:"
git diff
git status --short
read -rp "commit message: " commit_msg
echo "rebuilding nixos with flake.nix..."
if ! sudo nixos-rebuild switch --flake .#"$hostname" 2>&1 | tee "$logfile"; then
echo "rebuild failed; exited with no commit"
exit 1
fi
if sed -n '3p' flake.nix | grep -q '^# generation:'; then if sed -n '3p' flake.nix | grep -q '^# generation:'; then
# replace the comment on line 3 # replace the comment on line 3
sed -i "3s/^# generation:.*/# generation: $gen/" flake.nix sed -i "3s|^# generation:.*|# generation: $gen, timestamp: $timestamp|" flake.nix
else else
# insert comment on line 3 # insert comment on line 3
sed -i "3i# generation: $gen" flake.nix sed -i "3i# generation: $gen, timestamp: $timestamp" flake.nix
fi fi
echo "committing..."
git commit -m "$commit_msg"
echo "flake rebuild and commit fin"
git diff -U0 $(find . -name '*.nix')
echo "nixos rebuilding..."
#sudo nixos-rebuild switch --flake ~/.nix#snowbelle &>.nixos-switch-log || (
# cat .nixos-switch-log | grep --color error && false)
sudo nixos-rebuild switch --flake ~/.nix#snowbelle 2>&1 | tee .nixos-switch-log | grep --color=always -E "error|$" && true
git commit -am "$gen"
popd

26
bin/rebuild_legacy.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/usr/bin/env bash
set -e
pushd ~/.nix
# nvim flake.nix
# alejandra . &>/dev/null
# git diff -U0 *.nix
# add generation comment to flake.nix
gen=$(nixos-rebuild list-generations | grep current)
if sed -n '3p' flake.nix | grep -q '^# generation:'; then
# replace the comment on line 3
sed -i "3s/^# generation:.*/# generation: $gen/" flake.nix
else
# insert comment on line 3
sed -i "3i# generation: $gen" flake.nix
fi
git diff -U0 $(find . -name '*.nix')
echo "nixos rebuilding..."
#sudo nixos-rebuild switch --flake ~/.nix#snowbelle &>.nixos-switch-log || (
# cat .nixos-switch-log | grep --color error && false)
sudo nixos-rebuild switch --flake ~/.nix#snowbelle 2>&1 | tee .nixos-switch-log | grep --color=always -E "error|$" && true
git commit -am "$gen"
popd

2
flake.nix
View File

@@ -1,6 +1,6 @@
# flake for blakes nixos config # flake for blakes nixos config
# define new devices in outputs # define new devices in outputs
# generation: 355 current 2025-10-12 12:06:38 25.05.20251006.20c4598 6.12.50 * # generation: 359, timestamp: 2025-10-12 13:43:47
{ {
description = "blakes nix config"; description = "blakes nix config";
inputs = { inputs = {

1
hosts/snowbelle/configuration.nix
View File

@@ -30,7 +30,6 @@ in
zfs.enable = true; zfs.enable = true;
smb.enable = true; smb.enable = true;
nfs.enable = true; nfs.enable = true;
nginx-proxy.enable = false;
}; };
services = { services = {
caddy.enable = true; caddy.enable = true;

0
modules/homelab/services/default_temp.nix → modules/homelab/services/.default.nix.template
View File

10
modules/homelab/services/arr/bazarr/default.nix
View File

@@ -71,16 +71,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''

10
modules/homelab/services/arr/flaresolverr/default.nix
View File

@@ -67,16 +67,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''

10
modules/homelab/services/arr/prowlarr/default.nix
View File

@@ -73,16 +73,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''

10
modules/homelab/services/arr/radarr/default.nix
View File

@@ -76,16 +76,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''

11
modules/homelab/services/arr/sonarr/default.nix
View File

@@ -74,16 +74,7 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry # add to caddy for reverse proxy
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}

29
modules/homelab/services/audiobookshelf/default.nix
View File

@@ -75,35 +75,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
client_max_body_size 10240M;
'';
};
};
# external reverse proxy entry
services.nginx.virtualHosts."$abs.blakedheld.xyz" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "abs.${homelab.public_domain}" ]; serverAliases = [ "abs.${homelab.public_domain}" ];

2
modules/homelab/services/caddy/default.nix
View File

@@ -46,7 +46,7 @@ in
dataDir = cfg.data_dir; dataDir = cfg.data_dir;
email = "me@blakedheld.xyz"; email = "me@blakedheld.xyz";
globalConfig = '' globalConfig = ''
auto_https ignore_loaded_certs # auto_https ignore_loaded_certs
''; '';
}; };

1
modules/homelab/services/default.nix
View File

@@ -17,7 +17,6 @@
./audiobookshelf ./audiobookshelf
./qbittorrent ./qbittorrent
./jellyfin ./jellyfin
./nginx-proxy
./caddy ./caddy
./arr/flaresolverr ./arr/flaresolverr
./home/mosquitto ./home/mosquitto

39
modules/homelab/services/gitea/default.nix
View File

@@ -91,47 +91,11 @@ in
# open firewall # open firewall
networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ]; networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig = ''
client_max_body_size 512M;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
# external reverse proxy entry
services.nginx.virtualHosts."git.blakedheld.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig = ''
client_max_body_size 512M;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "git.${homelab.public_domain}" ]; serverAliases = [ "git.${homelab.public_domain}" ];
extraConfig = '' extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} # tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy http://127.0.0.1:${toString cfg.port} reverse_proxy http://127.0.0.1:${toString cfg.port}
''; '';
}; };
@@ -144,6 +108,7 @@ in
check-url = "http://${homelab.host_ip}:${toString cfg.port}"; check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }]; icon = "di:${service}"; }];
# manage secrets with sops
sops.secrets = { sops.secrets = {
"${service}_database_password" = { "${service}_database_password" = {
owner = "${service}"; owner = "${service}";

19
modules/homelab/services/glance/default.nix
View File

@@ -223,25 +223,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# # external reverse proxy entry
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
# forceSSL = true;
# sslCertificate = sec."ssl_blakedheld_crt".path;
# sslCertificateKey = sec."ssl_blakedheld_key".path;
# locations."/" = {
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
# };
# };
#
# sops.secrets = { # sops.secrets = {
# "${service}_" = { # "${service}_" = {
# owner = "${service}"; # owner = "${service}";

37
modules/homelab/services/home/homeassistant/default.nix
View File

@@ -87,40 +87,6 @@ in
# open firewall # open firewall
networking.firewall.allowedTCPPorts = [ cfg.port 8123 ]; networking.firewall.allowedTCPPorts = [ cfg.port 8123 ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
extraConfig = ''
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig =
"proxy_set_header Upgrade $http_upgrade;" +
"proxy_set_header Connection upgrade;"
;
};
};
# external reverse proxy entry
services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
extraConfig = ''
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig =
"proxy_set_header Upgrade $http_upgrade;" +
"proxy_set_header Connection upgrade;"
;
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "${service}.${homelab.public_domain}" ]; serverAliases = [ "${service}.${homelab.public_domain}" ];
@@ -147,9 +113,6 @@ in
# here lies my tough, and I mean fucking tough, swing at # here lies my tough, and I mean fucking tough, swing at
# getting this to work bare metal, ggs ill see you again # getting this to work bare metal, ggs ill see you again
# - didnt take long # - didnt take long

27
modules/homelab/services/home/zigbee2mqtt/default.nix
View File

@@ -94,33 +94,6 @@ in
# # open firewall # # open firewall
networking.firewall.allowedTCPPorts = [ cfg.port ]; networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
extraConfig = ''
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
locations."/api" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}/api";
extraConfig = ''
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
'';
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "z2m.${homelab.public_domain}" ]; serverAliases = [ "z2m.${homelab.public_domain}" ];

21
modules/homelab/services/immich/default.nix
View File

@@ -75,27 +75,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
proxyWebsockets = true;
};
};
# external reverse proxy entry
services.nginx.virtualHosts."photos.blakedheld.xyz" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
proxyWebsockets = true;
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "photos.${homelab.public_domain}" ]; serverAliases = [ "photos.${homelab.public_domain}" ];

19
modules/homelab/services/jellyfin/default.nix
View File

@@ -71,25 +71,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# external reverse proxy entry
services.nginx.virtualHosts."media.blakedheld.xyz" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "media.${homelab.public_domain}" ]; serverAliases = [ "media.${homelab.public_domain}" ];

10
modules/homelab/services/qbittorrent/default.nix
View File

@@ -109,16 +109,6 @@ in
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''

32
modules/homelab/services/uptime-kuma/default.nix
View File

@@ -67,32 +67,11 @@ in
# override umask to make permissions work out # override umask to make permissions work out
systemd.services.${service}.serviceConfig = { systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
# User = "${service}";
# Group = "${service}";
}; };
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# # external reverse proxy entry
# services.nginx.virtualHosts."up.blakedheld.xyz" = {
# forceSSL = true;
# sslCertificate = sec."ssl_blakedheld_crt".path;
# sslCertificateKey = sec."ssl_blakedheld_key".path;
# locations."/" = {
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
# };
# };
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = '' extraConfig = ''
@@ -109,14 +88,9 @@ in
check-url = "http://${homelab.host_ip}:${toString cfg.port}"; check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }]; icon = "di:${service}"; }];
# sops.secrets = {
# "${service}_" = {
# owner = "${service}";
# group = "${service}";
# };
# };
# add to backups # add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
}; };
} }

20
modules/homelab/services/vaultwarden/default.nix
View File

@@ -84,25 +84,6 @@ in
# open firewall # open firewall
networking.firewall.allowedTCPPorts = [ cfg.port ]; networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# external reverse proxy entry
services.nginx.virtualHosts."pass.blakedheld.xyz" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to caddy for reverse proxy # add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = { services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "pass.${homelab.public_domain}" ]; serverAliases = [ "pass.${homelab.public_domain}" ];
@@ -111,7 +92,6 @@ in
reverse_proxy http://127.0.0.1:${toString cfg.port} reverse_proxy http://127.0.0.1:${toString cfg.port}
''; '';
}; };
# tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
# add to glance # add to glance
modules.services.glance.links.services = [{ modules.services.glance.links.services = [{