From 4344fa207a70df1d19c327c9ebf9a23bb579e1e9 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 19:19:12 -0500 Subject: [PATCH 01/21] feat: removed some bunk services --- modules/config/instances/config/podgrab.nix | 35 ---------- modules/nixos/services/acme/default.nix | 1 - modules/nixos/services/podgrab/default.nix | 77 --------------------- 3 files changed, 113 deletions(-) delete mode 100755 modules/config/instances/config/podgrab.nix delete mode 100755 modules/nixos/services/podgrab/default.nix diff --git a/modules/config/instances/config/podgrab.nix b/modules/config/instances/config/podgrab.nix deleted file mode 100755 index 3635de6..0000000 --- a/modules/config/instances/config/podgrab.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ moduleFunctions }: -let - inherit (moduleFunctions.instancesFunctions) - domain0 - servicePath - sslPath - sopsPath - ; - - label = "Podgrab"; - name = "podgrab"; - subdomain = "podcasts"; - domain = "${subdomain}.${domain0}"; -in -{ - label = label; - name = name; - sops = { - path0 = "${sopsPath}/${name}"; - }; - domains = { - url0 = domain; - }; - subdomain = name; - paths = { - path0 = "${servicePath}/${label}"; - }; - ports = { - port0 = 4242; - }; - ssl = { - cert = "${sslPath}/${name}.${domain0}/fullchain.pem"; - key = "${sslPath}/${name}.${domain0}/key.pem"; - }; -} diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix index 659eff6..1cbec44 100755 --- a/modules/nixos/services/acme/default.nix +++ b/modules/nixos/services/acme/default.nix @@ -38,7 +38,6 @@ in "nextcloud" "syncthing" "searx" - "podgrab" "vaultwarden" "audiobookshelf" ] diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix deleted file mode 100755 index 82a5b95..0000000 --- a/modules/nixos/services/podgrab/default.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{ config, flake, ... }: -let - inherit (flake.config.services.instances) podgrab web; - inherit (flake.config.machines.devices) ceres; - service = podgrab; - localhost = web.localhost.address0; - host = service.domains.url0; -in -{ - services = { - podgrab = { - enable = true; - port = service.ports.port0; - passwordFile = config.sops.secrets."${service.name}-pass".path; - dataDirectory = service.paths.path0; - }; - caddy = { - virtualHosts = { - "${host}" = { - extraConfig = '' - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - - reverse_proxy ${localhost}:${toString service.ports.port0} - - tls ${service.ssl.cert} ${service.ssl.key} - ''; - }; - }; - }; - }; - - sops = - let - sopsPath = secret: { - path = "${service.sops.path0}/password.env"; - owner = service.name; - mode = "600"; - }; - in - { - secrets = builtins.listToAttrs ( - map - (secret: { - name = "${service.name}-${secret}"; - value = sopsPath secret; - }) - [ - "pass" - ] - ); - }; - - fileSystems."/var/lib/${service.name}" = { - device = service.paths.path0; - fsType = "none"; - options = [ - "bind" - ]; - depends = [ - ceres.storage0.mount - ]; - }; - - systemd.tmpfiles.rules = [ - "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -" - "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -" - ]; - - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 - ]; - }; - }; -} From 44865ba36c017084c10a10327a90847f1f55fd51 Mon Sep 17 00:00:00 2001 
From: Nick Date: Thu, 3 Jul 2025 19:40:32 -0500 Subject: [PATCH 02/21] feat: wireguard test --- modules/config/devices/config/deimos.nix | 3 ++ modules/home/cli/utilities/dig/default.nix | 0 .../home/cli/utilities/ipTables/default.nix | 0 secrets/secrets.yaml | 6 ++- systems/ceres/config/wireguard.nix | 9 +++- systems/deimos/config/wireguard.nix | 53 +++++++++++++++++++ 6 files changed, 68 insertions(+), 3 deletions(-) mode change 100644 => 100755 modules/home/cli/utilities/dig/default.nix mode change 100644 => 100755 modules/home/cli/utilities/ipTables/default.nix create mode 100755 systems/deimos/config/wireguard.nix diff --git a/modules/config/devices/config/deimos.nix b/modules/config/devices/config/deimos.nix index dfb252c..f7c7f9e 100755 --- a/modules/config/devices/config/deimos.nix +++ b/modules/config/devices/config/deimos.nix @@ -14,6 +14,9 @@ in ip = { address0 = deimosIP; }; + wireguard = { + ip0 = "10.100.0.3"; + }; boot = { options = ownerWriteOthersReadMask; }; diff --git a/modules/home/cli/utilities/dig/default.nix b/modules/home/cli/utilities/dig/default.nix old mode 100644 new mode 100755 diff --git a/modules/home/cli/utilities/ipTables/default.nix b/modules/home/cli/utilities/ipTables/default.nix old mode 100644 new mode 100755 diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 34a8a1c..a682cf8 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
@@ -40,6 +40,8 @@ wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhda wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str] wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str] wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str] +wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0TIFr8/zn2l7AD7NfmpgZXuPII=,iv:tK9Iyll/GXPXNsMXJKpNKSxMqeHLqSgCfQTSM8+NOVU=,tag:yfJP9hjR/6DXgKtFKqR5Zw==,type:str] +wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str] glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str] kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str] podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str] 
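Review bot: The new `wireguard-deimos-public` entry encrypts a value that is not secret and that this same series also commits in plain text as the peer `publicKey` in systems/ceres/config/wireguard.nix (`@@ -32,10 +32,17 @@`), so one key now has two copies to keep in sync. Public keys belong in ordinary config: keep one plaintext copy next to `wireguard.ip0` in modules/config/devices/config/deimos.nix (e.g. a `publicKey = "<deimos public key>";` attribute, name to taste) and reference it from the ceres peer list, then drop this sops entry and the matching `deimos-public` declaration on deimos. Separately, `podgrab-pass` is still present as a context line here although 01/21 deleted the podgrab service and its `sops.secrets` declaration; remove the stale entry rather than carrying an unused credential in the repository.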
@@ -56,7 +58,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-01T08:55:49Z" - mac: ENC[AES256_GCM,data:2m5iKDV7yIkYIL2bq9+7sFD2Nf8K1Z7mB6EKE3U+nFurOTxgUE0W10kV3BJoPoD78t5xjdbbmIt+NpmH9D41oE4lSPlOdTZujEpT0EcuNBVwz4MDBR/N7GRk74Etq1kJQ2f/NInhh8eH4xZDCQHR8BKxSX1RCd/0yWqrEbpfWrk=,iv:7gI48Urn0xFJwx3l3IzBT7KLTf4FlIf5p5Y/6Pms3ZA=,tag:QdA9cuKvFbXfT7kMbth5hQ==,type:str] + lastmodified: "2025-07-04T00:40:18Z" + mac: ENC[AES256_GCM,data:N2BwAzga2/Ig96p49rqNhhZ2udYWt7mQ9JD8DFXuxa3HOh3gtx7FWeWpGjvLnLWCgGcT4R61RKmgZQZRADNxYPE3vtdpPOFz0XvgcYSDlwslzBdSsVc08sh77P0LDgZsCzE1MxYynQ6nzFcc6gW5sorInLarsHoCCBC+Z5YpOVg=,iv:H6d3VrERM02/1zI5boFemEpMYD3greYZRqlSpBqROzM=,tag:TEakUvOlKoZYo/XPS6HVnA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix index 466ebf5..998cd7e 100755 --- a/systems/ceres/config/wireguard.nix +++ b/systems/ceres/config/wireguard.nix @@ -1,7 +1,7 @@ { config, flake, ... }: let inherit (flake.config.services.instances) wireGuard searx; - inherit (flake.config.machines.devices) mars ceres; + inherit (flake.config.machines.devices) mars deimos ceres; service = wireGuard; in { @@ -32,10 +32,17 @@ in listenPort = service.ports.port1; privateKeyFile = config.sops.secrets."${service.name}-private".path; peers = [ + # if you need to create a new key pair + # wg genkey | save --raw --force privatekey + # open privatekey | wg pubkey | save --raw --force publickey { publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ="; allowedIPs = [ "${mars.wireguard.ip0}/32" ]; } + { + publicKey = "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I="; + allowedIPs = [ "${deimos.wireguard.ip0}/32" ]; + } ]; }; }; diff --git a/systems/deimos/config/wireguard.nix b/systems/deimos/config/wireguard.nix new file mode 100755 index 0000000..6a88979 --- /dev/null 
+++ b/systems/deimos/config/wireguard.nix @@ -0,0 +1,53 @@ +{ config, flake, ... }: +let + inherit (flake.config.services.instances) wireGuard web; + inherit (flake.config.services) instances; + inherit (flake.config.machines.devices) ceres deimos; + service = wireGuard; +in +{ + networking = { + hosts = { + ${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ]; + }; + wireguard.interfaces = { + wg0 = { + ips = [ "${deimos.wireguard.ip0}/32" ]; + privateKeyFile = config.sops.secrets."${service.name}-deimos-private".path; + peers = [ + { + publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw="; + allowedIPs = [ + "${ceres.wireguard.ip0}/32" + "${web.localhost.address4}/24" + ]; + endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + + sops = + let + sopsPath = secret: { + path = "${service.sops.path0}/${service.name}-${secret}-pass"; + owner = "root"; + mode = "600"; + }; + in + { + secrets = builtins.listToAttrs ( + map + (secret: { + name = "${service.name}-${secret}"; + value = sopsPath secret; + }) + [ + "deimos-private" + "deimos-public" + ] + ); + }; +} From d306321c8a447d9063c564085d81aa70ee114f6e Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 19:43:04 -0500 Subject: [PATCH 03/21] feat: wireguard test --- modules/nixos/services/searx/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix index 2f2cbeb..6c7e949 100755 --- a/modules/nixos/services/searx/default.nix +++ b/modules/nixos/services/searx/default.nix @@ -5,7 +5,7 @@ ... }: let - inherit (flake.config.machines.devices) ceres mars; + inherit (flake.config.machines.devices) ceres mars deimos; inherit (flake.config.services.instances) searx web; configHelpers = { service = searx; 
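Review bot: The `deimos-public` secret declared in the sops block is installed at `${service.sops.path0}/wireguard-deimos-public-pass` but nothing in this file reads it; only `deimos-private` is consumed via `privateKeyFile`, so drop `"deimos-public"` from the list, and since these are key files rather than passwords the `-pass` suffix in `sopsPath` mislabels them (`path = "${service.sops.path0}/${service.name}-${secret}";` would do). The `allowedIPs` entry `"${web.localhost.address4}/24"` reads as a host address with a /24 prefix; presumably WireGuard masks it to the network, but writing the network address (e.g. `"<lan network>/24"`) makes the routed range explicit and avoids depending on that normalisation. The `hosts` entry that pins the searx domain to `ceres.wireguard.ip0` is what makes the Caddy `remote_ip` allow-list on ceres see the WireGuard source address, so it is worth a one-line comment saying so.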
@@ -47,7 +47,7 @@ in "${configHelpers.host}" = { extraConfig = '' @allowed_ips { - remote_ip ${mars.wireguard.ip0} + remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0} } handle @allowed_ips { From 187e067118f334fb5d14805d22f60af83d3657ef Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 19:49:48 -0500 Subject: [PATCH 04/21] feat: added glance to caddy --- modules/nixos/services/acme/default.nix | 1 + modules/nixos/services/glance/default.nix | 39 +++++++++++++++++++---- 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix index 1cbec44..931dafb 100755 --- a/modules/nixos/services/acme/default.nix +++ b/modules/nixos/services/acme/default.nix @@ -40,6 +40,7 @@ in "searx" "vaultwarden" "audiobookshelf" + "glance" ] ) ++ (map diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix index c600215..5bb77f3 100755 --- a/modules/nixos/services/glance/default.nix +++ b/modules/nixos/services/glance/default.nix @@ -1,6 +1,17 @@ { config, flake, ... }: let - inherit (flake.config.services.instances) glance jellyfin; + inherit (flake.config.services.instances) + glance + jellyfin + web + ; + inherit (flake.config.machines.devices) ceres mars deimos; + configHelpers = { + service = glance; + hostname = config.networking.hostName; + localhost = web.localhost.address0; + host = configHelpers.service.domains.url0; + }; service = glance; configPath = ./config; configImports = { 
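Review bot: `configHelpers.hostname` (`config.networking.hostName`) is not referenced in either hunk of this commit, and `service = glance;` is kept alongside the new `configHelpers.service`, so the same value now has two live bindings. Drop the unused helper, and either remove `service` or migrate the remaining `service.` references to `configHelpers.service` in the same commit instead of leaving both alive; 06/21 later does that migration, which is where the duplicate should have been resolved.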
@@ -17,6 +28,27 @@ in settings = configImports; }; }; + caddy = { + virtualHosts = { + "${configHelpers.host}" = { + extraConfig = '' + @allowed_ips { + remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0} + } + + handle @allowed_ips { + redir /.well-known/carddav /remote.php/dav/ 301 + redir /.well-known/caldav /remote.php/dav/ 301 + reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0} + } + handle { + respond "Access Denied" 403 + } + tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key} + ''; + }; + }; + }; sops = let sopsPath = secret: { @@ -41,11 +73,6 @@ in ); }; - systemd.tmpfiles.rules = [ - # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" - # "Z ${service.sops.path0} 755 root root -" - ]; - networking = { firewall = { allowedTCPPorts = [ From 2205231563960628e9380f578e0fad7dd8b066dd Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:03:37 -0500 Subject: [PATCH 05/21] feat: added glance to caddy --- modules/nixos/default.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 9f10bcb..2eb4236 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -10,7 +10,6 @@ in mullvad syncthing ollama - glance plasma sddm hypr @@ -32,7 +31,6 @@ in sddm flatpak espanso - glance ; }; }; @@ -52,17 +50,18 @@ in acme audiobookshelf caddy + forgejo + glance jellyfin logrotate mastodon minecraft ollama - website postgresql samba searx vaultwarden - forgejo + website ; }; }; From 021eda06aaac0a72a10de7168719f5f2cc5f806e Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:11:18 -0500 Subject: [PATCH 06/21] feat: added glance to caddy --- modules/nixos/services/glance/config/server.nix | 5 +++-- modules/nixos/services/glance/default.nix | 9 ++++----- 2 files changed, 7 insertions(+), 7 deletions(-) 
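Review bot: The two `redir /.well-known/carddav /remote.php/dav/ 301` and `redir /.well-known/caldav /remote.php/dav/ 301` lines inside `handle @allowed_ips` are Nextcloud's DAV discovery redirects; Glance serves nothing at `/remote.php/dav/`, so they only bounce such requests into a 404 and look copied from another vhost. Drop them here and in the same block re-added by 18/21 (modules/nixos/services/glance/default.nix, `@@ -30,8 +30,18 @@`), leaving the `reverse_proxy` line and the `respond "Access Denied" 403` fallback. The allow-list matching only the two WireGuard peer addresses is consistent with the proxy target being `ceres.wireguard.ip0`, and deserves a short comment stating that the vhost is intended to be reachable over wg0 only.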
diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index cefc788..156a54d 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix @@ -1,10 +1,11 @@ -{ flake, service, ... }: +{ flake, configHelpers, ... }: let inherit (flake.config.people) user0; in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - port = service.ports.port0; + host = configHelpers.service.domains.url0; + port = configHelpers.service.ports.port0; # auth = { # secret-key = config.sops.secrets."${service.name}-key".path; # users.${user0}.password = config.sops.secrets."${service.name}-${user0}-pass".path; diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix index 5bb77f3..f78357e 100755 --- a/modules/nixos/services/glance/default.nix +++ b/modules/nixos/services/glance/default.nix @@ -12,10 +12,9 @@ let localhost = web.localhost.address0; host = configHelpers.service.domains.url0; }; - service = glance; configPath = ./config; configImports = { - server = import (configPath + /server.nix) { inherit flake service; }; + server = import (configPath + /server.nix) { inherit flake configHelpers; }; branding = import (configPath + /branding.nix); theme = import (configPath + /theme.nix); pages = import (configPath + /pages.nix) { inherit config flake; }; @@ -52,7 +51,7 @@ in sops = let sopsPath = secret: { - path = "/run/secrets/${service.name}-${secret}"; + path = "/run/secrets/${configHelpers.service.name}-${secret}"; owner = "root"; group = "root"; mode = "644"; @@ -62,7 +61,7 @@ in secrets = builtins.listToAttrs ( map (secret: { - name = "${service.name}-${secret}"; + name = "${configHelpers.service.name}-${secret}"; value = sopsPath secret; }) [ @@ -76,7 +75,7 @@ in networking = { firewall = { allowedTCPPorts = [ - service.ports.port0 + configHelpers.service.ports.port0 ]; }; }; 
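Review bot: The commented-out `auth` block still references `service.name`, but this hunk removes `service` from the module's argument set in favour of `configHelpers`, so uncommenting it later will fail with an undefined variable. Update the dormant lines now, e.g. `# secret-key = config.sops.secrets."${configHelpers.service.name}-key".path;`, or delete the block. Note also that `config` is not in the `{ flake, configHelpers, ... }` parameters and default.nix imports this file with `{ inherit flake configHelpers; }`, so the block would additionally need `config` passed through before it can work.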
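Review bot: The sops secrets declared in this block are installed with `owner = "root"; group = "root"; mode = "644";` (context lines of the `@@ -52,7 +51,7 @@` hunk), which makes every glance secret under `/run/secrets/` readable by any local user; only the path interpolation changes here, but the rename is the moment to tighten it. If the glance service runs as its own user, set `owner` to that user and `mode = "0400"`; if it must stay root-owned, `mode = "0400"` is still the sensible default for secret material unless there is a documented reason the files have to be world-readable.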
From c667b34f37ce239c55c40ec9b56f90d2d8d8adc8 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:12:21 -0500 Subject: [PATCH 07/21] feat: glance test --- modules/nixos/services/glance/config/server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index 156a54d..1eeb542 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix @@ -4,7 +4,7 @@ let in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - host = configHelpers.service.domains.url0; + host = configHelpers.host; port = configHelpers.service.ports.port0; # auth = { # secret-key = config.sops.secrets."${service.name}-key".path; From d2550deac31a213ff664b689465b81ccb6a46f20 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:16:56 -0500 Subject: [PATCH 08/21] feat: glance test --- systems/ceres/config/wireguard.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix index 998cd7e..b4d30bb 100755 --- a/systems/ceres/config/wireguard.nix +++ b/systems/ceres/config/wireguard.nix @@ -1,8 +1,10 @@ { config, flake, ... }: let - inherit (flake.config.services.instances) wireGuard searx; + inherit (flake.config.services) instances; inherit (flake.config.machines.devices) mars deimos ceres; - service = wireGuard; + service = instances.wireGuard; + searx = instances.searx; + glance = instances.glance; in { networking = { @@ -16,6 +18,7 @@ in ]; interfaces.wg0.allowedTCPPorts = [ searx.ports.port0 + glance.ports.port0 ]; }; From 8118b90e5596ead267992094d9f222e4c6463570 Mon Sep 17 00:00:00 2001 
From: Nick Date: Thu, 3 Jul 2025 20:21:14 -0500 Subject: [PATCH 09/21] feat: glance test --- modules/nixos/services/glance/default.nix | 36 +++++++++++------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix index f78357e..90872de 100755 --- a/modules/nixos/services/glance/default.nix +++ b/modules/nixos/services/glance/default.nix @@ -26,25 +26,25 @@ in enable = true; settings = configImports; }; - }; - caddy = { - virtualHosts = { - "${configHelpers.host}" = { - extraConfig = '' - @allowed_ips { - remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0} - } + caddy = { + virtualHosts = { + "${configHelpers.host}" = { + extraConfig = '' + @allowed_ips { + remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0} + } - handle @allowed_ips { - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0} - } - handle { - respond "Access Denied" 403 - } - tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key} - ''; + handle @allowed_ips { + redir /.well-known/carddav /remote.php/dav/ 301 + redir /.well-known/caldav /remote.php/dav/ 301 + reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0} + } + handle { + respond "Access Denied" 403 + } + tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key} + ''; + }; }; }; }; From edadd32d3a12a31be3302d5057813f1cec8643d0 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:25:06 -0500 Subject: [PATCH 10/21] feat: glance test --- modules/nixos/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 2eb4236..4f690f2 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix 
@@ -51,7 +51,7 @@ in audiobookshelf caddy forgejo - glance + # glance jellyfin logrotate mastodon From 4b255e7f2637daab4f19c97fb192871bead8eed6 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:25:51 -0500 Subject: [PATCH 11/21] feat: glance test --- modules/nixos/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 4f690f2..2eb4236 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -51,7 +51,7 @@ in audiobookshelf caddy forgejo - # glance + glance jellyfin logrotate mastodon From 547bc9d43e3706b55074f64d9a444b461bc73808 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:28:42 -0500 Subject: [PATCH 12/21] feat: glance test --- modules/nixos/services/glance/config/server.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index 1eeb542..6c27604 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix @@ -4,7 +4,8 @@ let in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - host = configHelpers.host; + # host = configHelpers.host; + host = "0.0.0.0"; port = configHelpers.service.ports.port0; # auth = { # secret-key = config.sops.secrets."${service.name}-key".path; From 6e7ef9901cdb73d2550d11a88298a2a23b76ddf3 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:30:31 -0500 Subject: [PATCH 13/21] feat: glance test --- modules/nixos/services/glance/config/server.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index 6c27604..ba56785 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix 
@@ -4,8 +4,8 @@ let in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - # host = configHelpers.host; - host = "0.0.0.0"; + host = "https://${configHelpers.host}"; + # host = "0.0.0.0"; port = configHelpers.service.ports.port0; # auth = { # secret-key = config.sops.secrets."${service.name}-key".path; From 0e431fe4b199ae0ae06a6ddb547e198b002e5c24 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:35:35 -0500 Subject: [PATCH 14/21] feat: glance test --- modules/nixos/services/glance/config/server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index ba56785..8c3b9cc 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix @@ -4,7 +4,7 @@ let in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - host = "https://${configHelpers.host}"; + host = configHelpers.host; # host = "0.0.0.0"; port = configHelpers.service.ports.port0; # auth = { From 008a38b808d1d99dc4c6248a3d2524513bfbb8f3 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:41:40 -0500 Subject: [PATCH 15/21] feat: glance test --- modules/nixos/services/glance/default.nix | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix index 90872de..37b28d2 100755 --- a/modules/nixos/services/glance/default.nix +++ b/modules/nixos/services/glance/default.nix 
@@ -30,18 +30,8 @@ in virtualHosts = { "${configHelpers.host}" = { extraConfig = '' - @allowed_ips { - remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0} - } + reverse_proxy ${configHelpers.localhost}:${toString configHelpers.service.ports.port0} - handle @allowed_ips { - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0} - } - handle { - respond "Access Denied" 403 - } tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key} ''; }; From f21952ba0576bf78bea92cce54e2fa326372d0f9 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:42:37 -0500 Subject: [PATCH 16/21] feat: glance test --- modules/nixos/services/glance/config/server.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index 8c3b9cc..0fbd8e3 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix @@ -4,8 +4,8 @@ let in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - host = configHelpers.host; - # host = "0.0.0.0"; + # host = configHelpers.host; + host = configHelpers.localhost; port = configHelpers.service.ports.port0; # auth = { # secret-key = config.sops.secrets."${service.name}-key".path; From 10fa322a830bd8be415ac8eb4aad9cef9047ef57 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:49:41 -0500 Subject: [PATCH 17/21] feat: glance test --- systems/mars/config/wireguard.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix index 74df4bc..bc07a81 100755 --- a/systems/mars/config/wireguard.nix +++ b/systems/mars/config/wireguard.nix 
@@ -8,7 +8,10 @@ in { networking = { hosts = { - ${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ]; + ${ceres.wireguard.ip0} = [ + instances.searx.domains.url0 + instances.glance.domains.url0 + ]; }; wireguard.interfaces = { wg0 = { From 76aa17f2fb7e1cadb7731ba14a97efda5cde082b Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 20:56:06 -0500 Subject: [PATCH 18/21] feat: glance test --- modules/nixos/services/glance/default.nix | 14 ++++++++++++-- systems/ceres/config/wireguard.nix | 4 ---- systems/deimos/config/wireguard.nix | 5 ++++- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix index 37b28d2..eb08189 100755 --- a/modules/nixos/services/glance/default.nix +++ b/modules/nixos/services/glance/default.nix @@ -30,8 +30,18 @@ in virtualHosts = { "${configHelpers.host}" = { extraConfig = '' - reverse_proxy ${configHelpers.localhost}:${toString configHelpers.service.ports.port0} + @allowed_ips { + remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0} + } + handle @allowed_ips { + redir /.well-known/carddav /remote.php/dav/ 301 + redir /.well-known/caldav /remote.php/dav/ 301 + reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0} + } + handle { + respond "Access Denied" 403 + } tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key} ''; }; @@ -64,7 +74,7 @@ in networking = { firewall = { - allowedTCPPorts = [ + interfaces.wg0.allowedTCPPorts = [ configHelpers.service.ports.port0 ]; }; diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix index b4d30bb..c435e8c 100755 --- a/systems/ceres/config/wireguard.nix +++ b/systems/ceres/config/wireguard.nix @@ -16,10 +16,6 @@ in service.ports.port0 service.ports.port1 ]; - interfaces.wg0.allowedTCPPorts = [ - searx.ports.port0 - glance.ports.port0 - ]; }; nat = { 
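Review bot: Removing `interfaces.wg0.allowedTCPPorts` from systems/ceres/config/wireguard.nix (`@@ -16,10 +16,6 @@`) drops `searx.ports.port0` together with `glance.ports.port0`, but only the glance module is given its own `networking.firewall.interfaces.wg0.allowedTCPPorts` in this patch; unless modules/nixos/services/searx opens its port itself (not visible in this series), searx stops being reachable over wg0 after this change. Either keep `searx.ports.port0` in this list or move it into the searx module the same way glance was moved. The `searx` and `glance` let-bindings that fed this list become dead here and are only cleaned up in 21/21.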
diff --git a/systems/deimos/config/wireguard.nix b/systems/deimos/config/wireguard.nix index 6a88979..72fb149 100755 --- a/systems/deimos/config/wireguard.nix +++ b/systems/deimos/config/wireguard.nix @@ -8,7 +8,10 @@ in { networking = { hosts = { - ${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ]; + ${ceres.wireguard.ip0} = [ + instances.searx.domains.url0 + instances.glance.domains.url0 + ]; }; wireguard.interfaces = { wg0 = { From 1fdf9e3d5e9e3bae99e82fc1e3c7f22916668cd0 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 21:01:55 -0500 Subject: [PATCH 19/21] feat: glance test --- modules/nixos/services/acme/default.nix | 16 ++++++++-------- modules/nixos/services/glance/default.nix | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix index 931dafb..06fd49c 100755 --- a/modules/nixos/services/acme/default.nix +++ b/modules/nixos/services/acme/default.nix @@ -32,15 +32,15 @@ in value = dnsConfig; }) [ - "jellyfin" - "minecraft" - "ollama" - "nextcloud" - "syncthing" - "searx" - "vaultwarden" "audiobookshelf" "glance" + "jellyfin" + "minecraft" + "nextcloud" + "ollama" + "searx" + "syncthing" + "vaultwarden" ] ) ++ (map @@ -49,9 +49,9 @@ in value = dnsConfig; }) [ - "peertube" "forgejo" "mastodon" + "peertube" ] ) ++ (map diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix index eb08189..1afdc33 100755 --- a/modules/nixos/services/glance/default.nix +++ b/modules/nixos/services/glance/default.nix @@ -9,7 +9,7 @@ let configHelpers = { service = glance; hostname = config.networking.hostName; - localhost = web.localhost.address0; + localhost = web.localhost.address1; host = configHelpers.service.domains.url0; }; configPath = ./config; From 50644ccbd4bbb3ab65c79a23c819e431270b12a4 Mon Sep 17 00:00:00 2001 
From: Nick Date: Thu, 3 Jul 2025 21:06:18 -0500 Subject: [PATCH 20/21] feat: glance test --- modules/nixos/services/glance/config/server.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index 0fbd8e3..9fffbff 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix @@ -4,8 +4,8 @@ let in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - # host = configHelpers.host; - host = configHelpers.localhost; + host = configHelpers.host; + # host = configHelpers.localhost; port = configHelpers.service.ports.port0; # auth = { # secret-key = config.sops.secrets."${service.name}-key".path; From 5c1d3e635673069becf784e376704d2941295120 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 3 Jul 2025 21:25:03 -0500 Subject: [PATCH 21/21] feat: glance test --- modules/nixos/services/glance/config/server.nix | 4 +++- systems/ceres/config/wireguard.nix | 2 -- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix index 9fffbff..12cf8ec 100755 --- a/modules/nixos/services/glance/config/server.nix +++ b/modules/nixos/services/glance/config/server.nix @@ -1,11 +1,13 @@ { flake, configHelpers, ... }: let inherit (flake.config.people) user0; + inherit (flake.config.machines.devices) ceres; in { assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; - host = configHelpers.host; + # host = configHelpers.host; # host = configHelpers.localhost; + host = ceres.wireguard.ip0; port = configHelpers.service.ports.port0; # auth = { # secret-key = config.sops.secrets."${service.name}-key".path; diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix index c435e8c..3a178f0 100755 
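Review bot: `host = ceres.wireguard.ip0;` in modules/nixos/services/glance/config/server.nix hard-wires the listener of a shared module to one machine's WireGuard address, so deploying this module on any host other than ceres would bind Glance to an address that host does not own. Keeping Glance off the public interface is the right goal and matches Caddy proxying to `ceres.wireguard.ip0` over wg0, but it should be expressed per host, for example by passing the bind address in from the importing system config through `configHelpers` (a field such as `configHelpers.bindAddress`, name to taste) rather than importing `ceres` here. The two commented alternatives `# host = configHelpers.host;` and `# host = configHelpers.localhost;` are leftovers from the trial commits 12–20; replace them with a one-line comment stating why the WireGuard address is chosen.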
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -3,8 +3,6 @@ let
 inherit (flake.config.services) instances;
 inherit (flake.config.machines.devices) mars deimos ceres;
 service = instances.wireGuard;
- searx = instances.searx;
- glance = instances.glance;
 in
 {
 networking = {