commit 73351a9f6d53e840b38f70d6bb9e99c672d7ea7b · ryan.freumh.org/nixos

+43 -3

hosts/elephant/services.nix

···

       9
        
       {

     

       10
        
         custom.nix-cache.enable = true;

     

       11
        
       

     

       12
       -
         age.secrets."eon-vpn.freumh.org.cap" = {

     

       13
       -
           file = ../../secrets/eon-vpn.freumh.org.cap.age;

     

       14
        
           mode = "770";

     

       15
        
           owner = "acme-eon";

     

       16
        
           group = "acme-eon";

     
···

       18
        
         security.acme-eon = {

     

       19
        
           acceptTerms = true;

     

       20
        
           defaults.email = "${config.custom.username}@${config.networking.domain}";

     

       21
       -
           defaults.capFile = config.age.secrets."eon-vpn.freumh.org.cap".path;

     

       22
        
           nginxCerts = [

     

       23
        
             "nix-cache.vpn.freumh.org"

     

       24
        
             "jellyfin.vpn.freumh.org"

     

       0
        
       
     

       25
        
             "transmission.vpn.freumh.org"

     

       26
        
             "nextcloud.vpn.freumh.org"

     

       27
        
             "owntracks.vpn.freumh.org"

     
···

       40
        
               onlySSL = true;

     

       41
        
               listenAddresses = [ "100.64.0.9" ];

     

       42
        
               locations."/" = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       43
        
                 proxyPass = ''

     

       44
        
                   http://localhost:8096

     

       45
        
                 '';

     
···

       210
        
           openFirewall = true;

     

       211
        
           host = "100.64.0.9";

     

       212
        
           mediaLocation = "/tank/immich";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       213
        
         };

     

       214
        
       }

···

       9
        
       {

     

       10
        
         custom.nix-cache.enable = true;

     

       11
        
       

     

       12
       +
         age.secrets."eon-freumh.org.cap" = {

     

       13
       +
           file = ../../secrets/eon-freumh.org.cap.age;

     

       14
        
           mode = "770";

     

       15
        
           owner = "acme-eon";

     

       16
        
           group = "acme-eon";

     
···

       18
        
         security.acme-eon = {

     

       19
        
           acceptTerms = true;

     

       20
        
           defaults.email = "${config.custom.username}@${config.networking.domain}";

     

       21
       +
           defaults.capFile = config.age.secrets."eon-freumh.org.cap".path;

     

       22
        
           nginxCerts = [

     

       23
        
             "nix-cache.vpn.freumh.org"

     

       24
        
             "jellyfin.vpn.freumh.org"

     

       25
       +
             "jellyfin.freumh.org"

     

       26
        
             "transmission.vpn.freumh.org"

     

       27
        
             "nextcloud.vpn.freumh.org"

     

       28
        
             "owntracks.vpn.freumh.org"

     
···

       41
        
               onlySSL = true;

     

       42
        
               listenAddresses = [ "100.64.0.9" ];

     

       43
        
               locations."/" = {

     

       44
       +
                 proxyPass = ''

     

       45
       +
                   http://localhost:8096

     

       46
       +
                 '';

     

       47
       +
                 proxyWebsockets = true;

     

       48
       +
               };

     

       49
       +
             };

     

       50
       +
             "jellyfin.freumh.org" = {

     

       51
       +
               onlySSL = true;

     

       52
       +
               locations."/" = {

     

       53
       +
                 recommendedProxySettings = true;

     

       54
        
                 proxyPass = ''

     

       55
        
                   http://localhost:8096

     

       56
        
                 '';

     
···

       221
        
           openFirewall = true;

     

       222
        
           host = "100.64.0.9";

     

       223
        
           mediaLocation = "/tank/immich";

     

       224
       +
         };

     

       225
       +
       

     

       226
       +
         services.fail2ban = {

     

       227
       +
           enable = true;

     

       228
       +
           bantime = "24h";

     

       229
       +
           bantime-increment = {

     

       230
       +
             enable = true;

     

       231
       +
             multipliers = "1 2 4 8 16 32 64";

     

       232
       +
             maxtime = "168h";

     

       233
       +
             overalljails = true;

     

       234
       +
           };

     

       235
       +
           jails."jellyfin".settings = {

     

       236
       +
             backend = "auto";

     

       237
       +
             port = "80,443";

     

       238
       +
             protocol = "tcp";

     

       239
       +
             filter = "jellyfin";

     

       240
       +
             maxRetry = 3;

     

       241
       +
             bantime = "86400";

     

       242
       +
             findTime = "43200";

     

       243
       +
             logPath = "/var/lib/jellyfin/log/*.log";

     

       244
       +
           };

     

       245
       +
         };

     

       246
       +
         environment.etc = {

     

       247
       +
           "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (

     

       248
       +
             pkgs.lib.mkAfter ''

     

       249
       +
               [Definition]

     

       250
       +
               failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.

     

       251
       +
             ''

     

       252
       +
           );

     

       253
        
         };

     

       254
        
       }

+7

hosts/owl/default.nix

···

       328
        
                 type = "CNAME";

     

       329
        
                 value = "fn06.org.";

     

       330
        
               }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       331
        
             ];

     

       332
        
           };

     

       333
        
         };

···

       328
        
                 type = "CNAME";

     

       329
        
                 value = "fn06.org.";

     

       330
        
               }

     

       331
       +
       

     

       332
       +
               {

     

       333
       +
                 name = "jellyfin.${config.networking.domain}.";

     

       334
       +
                 type = "A";

     

       335
       +
                 # TODO dynamic update

     

       336
       +
                 value = "86.188.33.97";

     

       337
       +
               }

     

       338
        
             ];

     

       339
        
           };

     

       340
        
         };

+9

secrets/eon-freumh.org.cap.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 2wDnOw 8i6ugC0nU4RD64L6fug7Hyv2WSoc1zwOTrEOwNNipRg

     

       3
       +
       z5gIWRaBHzI5olr2njsY6A0v6Ho+n/OBuo+mRjhAe/4

     

       4
       +
       -> ssh-ed25519 hFxbYA CCgzTnyIvNkl2+Y8Dn4Tg2LZvEIYZBYGqsjRfwP47Cg

     

       5
       +
       +SOkoh/AFMVZMMusXLu30Hi+IEA+b0hLetQznRcwsxY

     

       6
       +
       -> ssh-ed25519 suwb0g /W+mvbXhymbq+p2YGujdVU5ubJKuFa5w0zfzw9dvuT4

     

       7
       +
       Nb3YXUHlqsoL/8zkgxAQUmv1hA5Gt+Wxz4EtkbqfQrY

     

       8
       +
       --- wXVnE9m9+5Cp930toZvlbh+/ELxyIx5zTGEmy5geN9w

     

       9
       +
       ��qT^�fƔ�W�����/Y��'�.�a�ބ}&��HUZ���ݿ�#y�<���4O �*����Z$6L5Z9-"軾�Ls����j�Ա��vOc�}��&�$�,�T&u7Z�55>g��rI�nv�odC�t��*Κ���͐�����u"�

-8

secrets/eon-vpn.freumh.org.cap.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 2wDnOw km9DxOjSHC/qjKTjQ4tLa4FQ71HZu+e44BAqcnvdon8

     

       3
       -
       2IPauPpl5Rdc2ab7kiFa2Dw3Wo4uyNbJvgtNpdzRQos

     

       4
       -
       -> ssh-ed25519 hFxbYA fSaGdqdM9Kv3RuEy/B2eqb1FwFMwxZsl9jM/5lXZxQI

     

       5
       -
       jhu22pyF2kAhlt0ix9Tcjo2ddWSct4AOb2nIYYYqBjo

     

       6
       -
       --- p+RhBa8i2Z8+hhdOfvMdzuUuQIPd50eMatMGk7PbiPg

     

       7
       -
       �>(�:b}%�:�Z�
_��k�n�w#�m2�U�X�s�ci&}���t�0�'qy�`b�/t�v
LeX�J��~�B�M�ȹ��ʘc�c/�1��U*y<j�	̟~�	�V�u���G

     

       8
       -
       )�	xU��jZ��ܺptsE��.��"z��

+4 -1

secrets/secrets.nix

···

       42
        
         "nextcloud.age".publicKeys = user ++ [ elephant ];

     

       43
        
         "headscale.age".publicKeys = user ++ [ owl ];

     

       44
        
         "eon-capnp.age".publicKeys = user ++ [ owl ];

     

       45
       -
         "eon-vpn.freumh.org.cap.age".publicKeys = user ++ [ elephant ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       46
        
         "eon-sirref-primary.cap.age".publicKeys = user ++ [ owl ];

     

       47
        
       }

···

       42
        
         "nextcloud.age".publicKeys = user ++ [ elephant ];

     

       43
        
         "headscale.age".publicKeys = user ++ [ owl ];

     

       44
        
         "eon-capnp.age".publicKeys = user ++ [ owl ];

     

       45
       +
         "eon-freumh.org.cap.age".publicKeys = user ++ [

     

       46
       +
           elephant

     

       47
       +
           owl

     

       48
       +
         ];

     

       49
        
         "eon-sirref-primary.cap.age".publicKeys = user ++ [ owl ];

     

       50
        
       }