···

       
49
       
49
       
 
       
host = "marvin"

     

       
50
       
50
       
 
       
extUrl = "media.pyrox.dev"

     

       
51
       
51
       
 
       
anubis = 8404

     

       
52
       
52
       
+
       
exporter = 30103

     

       
52
       
53
       
 
       


     

       
53
       
54
       
 
       
[matrix-server]

     

       
54
       
55
       
 
       
port = 6922

     

···

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  pkgs,

     

       
3
       
3
       
+
       
  lib,

     

       
4
       
4
       
+
       
  config,

     

       
5
       
5
       
+
       
  ...

     

       
6
       
6
       
+
       
}:

     

       
1
       
7
       
 
       
{

     

       
2
       
8
       
 
       
  services.jellyfin = {

     

       
3
       
9
       
 
       
    enable = true;

     
···

       
16
       
22
       
 
       
      job_name = "jellyfin_server";

     

       
17
       
23
       
 
       
      static_configs = [ { targets = [ "127.0.0.1:8096" ]; } ];

     

       
18
       
24
       
 
       
    }

     

       
25
       
25
       
+
       
    {

     

       
26
       
26
       
+
       
      job_name = "jellyfin";

     

       
27
       
27
       
+
       
      static_configs = [ { targets = [ "127.0.0.1:30103" ]; } ];

     

       
28
       
28
       
+
       
    }

     

       
19
       
29
       
 
       
  ];

     

       
30
       
30
       
+
       
  systemd.services.jellyfin-exporter = lib.mkIf config.services.jellyfin.enable {

     

       
31
       
31
       
+
       
    enable = true;

     

       
32
       
32
       
+
       
    wantedBy = [ "multi-user.target" ];

     

       
33
       
33
       
+
       
    after = [

     

       
34
       
34
       
+
       
      "network.target"

     

       
35
       
35
       
+
       
      "jellyfin.service"

     

       
36
       
36
       
+
       
    ];

     

       
37
       
37
       
+
       
    description = "Jellyfin Metrics Exporter for Prometheus";

     

       
38
       
38
       
+
       
    serviceConfig = {

     

       
39
       
39
       
+
       
      ExecStart = "${lib.getExe pkgs.py.jellyfin-exporter} @${config.age.secrets.jellyfin-exporter-config.path}";

     

       
40
       
40
       
+
       
      ReadOnlyPaths = [ config.age.secrets.jellyfin-exporter-config.path ];

     

       
41
       
41
       
+
       
      Restart = "always";

     

       
42
       
42
       
+
       
      DynamicUser = true;

     

       
43
       
43
       
+
       
      User = "jellyfin-exporter";

     

       
44
       
44
       
+
       
      Group = "jellyfin-exporter";

     

       
45
       
45
       
+
       
      StateDirectory = "jellyfin-exporter";

     

       
46
       
46
       
+
       
      CacheDirectory = "stalwart-mail";

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
      # Hardening

     

       
49
       
49
       
+
       
      MemoryDenyWriteExecute = true;

     

       
50
       
50
       
+
       
      PrivateDevices = true;

     

       
51
       
51
       
+
       
      PrivateTmp = true;

     

       
52
       
52
       
+
       
      ProtectClock = true;

     

       
53
       
53
       
+
       
      ProtectControlGroups = true;

     

       
54
       
54
       
+
       
      ProtectHome = true;

     

       
55
       
55
       
+
       
      ProtectHostname = true;

     

       
56
       
56
       
+
       
      ProtectKernelLogs = true;

     

       
57
       
57
       
+
       
      ProtectKernelModules = true;

     

       
58
       
58
       
+
       
      ProtectKernelTunables = true;

     

       
59
       
59
       
+
       
      RestrictNamespaces = true;

     

       
60
       
60
       
+
       
      RestrictRealtime = true;

     

       
61
       
61
       
+
       
      RestrictSUIDSGID = true;

     

       
62
       
62
       
+
       
    };

     

       
63
       
63
       
+
       
  };

     

       
64
       
64
       
+
       
  age.secrets.jellyfin-exporter-config = {

     

       
65
       
65
       
+
       
    file = ./secrets/jellyfin-exporter-config.age;

     

       
66
       
66
       
+
       
    mode = "444";

     

       
67
       
67
       
+
       
  };

     

       
20
       
68
       
 
       
}

     

···

       
1
       
1
       
+
       
age-encryption.org/v1

     

       
2
       
2
       
+
       
-> ssh-ed25519 iqBxIA TYkyDIP1q7bJrSI0YsLBg1F78NF0AnWGTDBL5EdkexI

     

       
3
       
3
       
+
       
wPDeCC6nUE2Y0xzepEc3p5DM4W5VmXgoUQ7Lxe7pEf4

     

       
4
       
4
       
+
       
-> ssh-rsa fFaiTA

     

       
5
       
5
       
+
       
OAT8CyT8DHsr5gkiqhaP5eg//9BAiIGFbiYtr3Wyj3gRv91qsjtRh+MKggqysSPk

     

       
6
       
6
       
+
       
EN0z7NeoVujFe1mF3/dIFrQD5rcyVSomOnGytmL6R1aSDP677S0JoXUi1RaYfyYq

     

       
7
       
7
       
+
       
NE59VXK27kCTwsnsD3F2Aish+xmYvBTmUSHDXU/DtKGRB7vgqRSBlMUC9nHCKYvn

     

       
8
       
8
       
+
       
9dBC7gzikMRBNJ7ciOLfB1m7cR3A31gw+4OpUYqlLXCvfdCuh5QPhToy4VDPFZOq

     

       
9
       
9
       
+
       
5C4upvtK1qcyy8ZBLL1mwfLpP79t9NIHZnbg0q5fNwSqUkmGfV+mAJHKH5bZMbxB

     

       
10
       
10
       
+
       
5soPF9yV3mXqXbhl4xEhOMVd50LJwE8t/CyWqkLmZ8CmQ1UovsI4qIDEXP3tLSmC

     

       
11
       
11
       
+
       
PAT/RYqw84Pzb7Yd8RYELWnbWR/4BbzjkR5rbj7sklSo55be+A0N5YoWuU1ApBR8

     

       
12
       
12
       
+
       
8LKCKJMzaWnfHS6WNeMNHHP+j7SlBlKnqJWjbjfURJG1HyRx8TIJZ40jZUzfeFG1

     

       
13
       
13
       
+
       
W4U0RFQZ83d6vz4MBLa9Fk0ms6NyJoO+Rgh0Wl45tritHtkkwYWyxxPL2yPivQ/w

     

       
14
       
14
       
+
       
NDtBn08eliJzxhAGz0pAHETU8aHgNkLAXbMGku9U/hDaQ4XjGH3np6WOjwnCxJ0W

     

       
15
       
15
       
+
       
W7ChuMLXcD7CopjGkJSwTUQB3W1McVLQ34yfD7ZroJM

     

       
16
       
16
       
+
       
-> ssh-ed25519 wpmdHA JpxYf1dtrdlZEx4E8Su0scbGteAREMlKJ3OHfqDWyRc

     

       
17
       
17
       
+
       
/ZVDz4HSKPT6OyeryIEkfplDLN2XIWm0b4ncg/xezfs

     

       
18
       
18
       
+
       
--- oY4WmthKy5Ytp1j3hd81DRGFW1A2818Wr9pYmc14hRU

     

       
19
       
19
       
+
       
�;�2����}�O3h�u5����缻�N��s}oVU���@��嬝��L�at��8�x��P�R��d�Rx{3�b��?o����x8`��V ܬ�"*����e��
#NV��?���aP��N��Iɥ�j��S��y3�i����hgп\�D�b��1;��\A<d��f9����A�g�J4؞��R����'תs�COCs�	���ŒN�v�"��vk>8,�DR���
     

···

       
29
       
29
       
 
       
  "grafana-smtp-password.age".publicKeys = marvinDefault;

     

       
30
       
30
       
 
       
  "iceshrimp-secret-config.age".publicKeys = marvinDefault;

     

       
31
       
31
       
 
       
  "iceshrimp-db-password.age".publicKeys = marvinDefault;

     

       
32
       
32
       
+
       
  "jellyfin-exporter-config.age".publicKeys = marvinDefault;

     

       
32
       
33
       
 
       
  "minio-root.age".publicKeys = marvinDefault;

     

       
33
       
34
       
 
       
  "miniflux-admin.age".publicKeys = marvinDefault;

     

       
34
       
35
       
 
       
  "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;

     

···

       
1
       
1
       
 
       
{ pkgs, lib, ... }:

     

       
2
       
2
       
 
       
let

     

       
3
       
3
       
 
       
  pns = lib.py.data.services;

     

       
4
       
4
       
+
       
  mail = lib.py.data.mail;

     

       
4
       
5
       
 
       
  marvin = "http://${lib.py.data.hosts.marvin.ts.ip4}";

     

       
6
       
6
       
+
       
  marvinIP = lib.py.data.hosts.marvin.ts.ip4;

     

       
5
       
7
       
 
       
  tsNet = lib.py.data.tsNet;

     

       
6
       
8
       
 
       
in

     

       
7
       
9
       
 
       
{

     
···

       
12
       
14
       
 
       
        "github.com/caddy-dns/desec@v1.0.1"

     

       
13
       
15
       
 
       
        "github.com/greenpau/caddy-security@v1.1.31"

     

       
14
       
16
       
 
       
        "github.com/tailscale/caddy-tailscale@v0.0.0-20250207163903-69a970c84556"

     

       
17
       
17
       
+
       
        "github.com/mholt/caddy-l4@v0.0.0-20250428144642-57989befb7e6"

     

       
18
       
18
       
+
       
        "github.com/mohammed90/caddy-git-fs@v0.0.0-20240805164056-529acecd1830"

     

       
15
       
19
       
 
       
      ];

     

       
16
       
16
       
-
       
      hash = "sha256-lsceZXoTPJCDjl84OQTZUTBRuVAxo8KMWjTXzCFwA6U=";

     

       
20
       
20
       
+
       
      hash = "sha256-NPMrt7hARdnXP3xh4TRsc+TMpuXZzwY6zdrTw6E3nSM=";

     

       
17
       
21
       
 
       
    };

     

       
18
       
22
       
 
       
    email = "pyrox@pyrox.dev";

     

       
19
       
23
       
 
       
    virtualHosts = {

     

       
20
       
20
       
-
       
      # Just get TLS certs for mailserver

     

       
21
       
21
       
-
       
      "mail.pyrox.dev" = { };

     

       
22
       
24
       
 
       
      # Redirect old domains -> pyrox.dev

     

       
23
       
25
       
 
       
      "blog.pyrox.dev" = {

     

       
24
       
26
       
 
       
        serverAliases = [

     
···

       
53
       
55
       
 
       
              -Server

     

       
54
       
56
       
 
       
            }

     

       
55
       
57
       
 
       
            file_server {

     

       
56
       
56
       
-
       
              root /var/www/blog

     

       
58
       
58
       
+
       
              fs blog-repo

     

       
57
       
59
       
 
       
              hide .git

     

       
58
       
60
       
 
       
              precompressed br gzip

     

       
59
       
61
       
 
       
            }

     
···

       
160
       
162
       
 
       
          header Access-Control-Allow-Origin *

     

       
161
       
163
       
 
       
          header /.well-known/openpgpkey/{labels.1}.{labels.0}/hu/* Content-Type application/octet-stream

     

       
162
       
164
       
 
       
          file_server {

     

       
163
       
163
       
-
       
            root /var/www/blog/

     

       
165
       
165
       
+
       
            fs blog-repo

     

       
164
       
166
       
 
       
          }

     

       
165
       
167
       
 
       
        '';

     

       
166
       
168
       
 
       
      };

     
···

       
251
       
253
       
 
       
          reverse_proxy ${marvin}:${toString pns.pinchflat.port}

     

       
252
       
254
       
 
       
        '';

     

       
253
       
255
       
 
       
      };

     

       
254
       
254
       
-
       


     

       
256
       
256
       
+
       
      "mail.pyrox.dev:80" = {

     

       
257
       
257
       
+
       
        extraConfig = ''

     

       
258
       
258
       
+
       
          reverse_proxy ${marvin}:${mail.intHTTP}

     

       
259
       
259
       
+
       
        '';

     

       
260
       
260
       
+
       
      };

     

       
255
       
261
       
 
       
    };

     

       
262
       
262
       
+
       
    # Mail Config

     

       
263
       
263
       
+
       
    extraConfig = ''

     

       
264
       
264
       
+
       
      filesystem blog-repo git ${marvin}:${pns.git.port}/pyrox/new-blog {

     

       
265
       
265
       
+
       
        ref pages

     

       
266
       
266
       
+
       
        refresh_period 10m

     

       
267
       
267
       
+
       
      }

     

       
268
       
268
       
+
       
      layer4 {

     

       
269
       
269
       
+
       
        0.0.0.0:465 {

     

       
270
       
270
       
+
       
          route {

     

       
271
       
271
       
+
       
            proxy {

     

       
272
       
272
       
+
       
              proxy_protocol v2

     

       
273
       
273
       
+
       
              upstream ${marvinIP}:${mail.intSMTPS}

     

       
274
       
274
       
+
       
            }

     

       
275
       
275
       
+
       
          }

     

       
276
       
276
       
+
       
        }

     

       
277
       
277
       
+
       
        0.0.0.0:993 {

     

       
278
       
278
       
+
       
          route {

     

       
279
       
279
       
+
       
            proxy {

     

       
280
       
280
       
+
       
              proxy_protocol v2

     

       
281
       
281
       
+
       
              upstream ${marvinIP}:${mail.intIMAPS}

     

       
282
       
282
       
+
       
            }

     

       
283
       
283
       
+
       
          }

     

       
284
       
284
       
+
       
        }

     

       
285
       
285
       
+
       
        0.0.0.0:4190 {

     

       
286
       
286
       
+
       
          route {

     

       
287
       
287
       
+
       
            proxy {

     

       
288
       
288
       
+
       
              proxy_protocol v2

     

       
289
       
289
       
+
       
              upstream ${marvinIP}:${mail.intManageSieve}

     

       
290
       
290
       
+
       
            }

     

       
291
       
291
       
+
       
          }

     

       
292
       
292
       
+
       
        }

     

       
293
       
293
       
+
       
      }

     

       
294
       
294
       
+
       
    '';

     

       
256
       
295
       
 
       
  };

     

       
257
       
296
       
 
       
  systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       
258
       
297
       
 
       
  systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";