nixos/caddy: caddyfile -> rfc42

hosts: blacksteel -> pek0
pek0: qbittorrent-nox -> transmission
2024-08-31 10:19:01 +08:00 · 2024-08-31 08:00:40 +08:00 · 2024-08-31 07:51:49 +08:00
32 changed files with 449 additions and 277 deletions
--- a/flake.nix
+++ b/flake.nix
@ -151,8 +151,8 @@
          deployment.targetHost = "tyo0.ny4.dev";
        };
-        "blacksteel" = {
+        "pek0" = {
-          imports = [ ./hosts/blacksteel ];
+          imports = [ ./hosts/pek0 ];
          deployment.targetHost = "blacksteel"; # thru tailscale
        };
      };
--- a/home/applications/ssh/default.nix
+++ b/home/applications/ssh/default.nix
@ -11,8 +11,10 @@
        };
      in
      {
        "blacksteel" = serverConfig;
        "tyo0.ny4.dev" = serverConfig;
        "pek0.ny4.dev" = serverConfig // {
          hostname = "blacksteel";
        };
      };
  };
 }
--- a/hosts/blacksteel/Caddyfile
+++ b/hosts/blacksteel/Caddyfile
@ -1,67 +0,0 @@
 {
 	servers {
 		trusted_proxies static private_ranges
 		trusted_proxies_strict
 	}
 }
 (default) {
 	encode zstd gzip
 	handle_path /robots.txt {
 		file_server * {
 			root @robots@
 		}
 	}
 }
 http://pek0.ny4.dev:80 {
 	import default
 	basicauth {
 		prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
 	}
 	reverse_proxy localhost:9091
 }
 http://mastodon.ny4.dev:80 {
 	import default
 	handle_path /system/* {
 		file_server * {
 			root /var/lib/mastodon/public-system
 		}
 	}
 	handle /api/v1/streaming/* {
 		reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
 			header_up X-Forwarded-Proto "https"
 		}
 	}
 	route * {
 		file_server * {
 			root @mastodon@/public
 			pass_thru
 		}
 		reverse_proxy * unix//run/mastodon-web/web.socket {
 			header_up X-Forwarded-Proto "https"
 		}
 	}
 	handle_errors {
 		root * @mastodon@/public
 		rewrite 500.html
 		file_server
 	}
 }
 http://matrix.ny4.dev:80 {
 	import default
 	reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock {
 		header_up X-Forwarded-Proto "https"
 	}
 	reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock {
 		header_up X-Forwarded-Proto "https"
 	}
 	reverse_proxy /health unix//run/matrix-synapse/synapse.sock {
 		header_up X-Forwarded-Proto "https"
 	}
 }
--- a/hosts/blacksteel/services/mastodon.nix
+++ b/hosts/blacksteel/services/mastodon.nix
@ -1,38 +0,0 @@
 { config, ... }:
 {
  services.mastodon = {
    enable = true;
    localDomain = "ny4.dev";
    streamingProcesses = 1;
    mediaAutoRemove.olderThanDays = 14;
    # FIXME: this doesn't exist
    smtp = {
      createLocally = false;
      fromAddress = "mastodon@ny4.dev";
    };
    extraConfig = rec {
      SINGLE_USER_MODE = "true";
      WEB_DOMAIN = "mastodon.ny4.dev";
      # keycloak
      OMNIAUTH_ONLY = "true";
      OIDC_ENABLED = "true";
      OIDC_CLIENT_ID = "mastodon";
      # OIDC_CLIENT_SECRET # EnvironmentFile
      OIDC_DISCOVERY = "true";
      OIDC_DISPLAY_NAME = "id.ny4.dev";
      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
      OIDC_SCOPE = "openid,profile,email";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      OIDC_UID_FIELD = "preferred_username";
    };
  };
  systemd.services.mastodon-web = {
    environment = config.networking.proxy.envVars;
    serviceConfig.EnvironmentFile = [ config.sops.secrets."mastodon/environment".path ];
  };
  systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
 }
--- a/hosts/blacksteel/services/qbittorrent.nix
+++ b/hosts/blacksteel/services/qbittorrent.nix
@ -1,8 +0,0 @@
 { pkgs, ... }:
 {
  # TODO: https://github.com/NixOS/nixpkgs/pull/287923
  # currently running qbittorrent-nox with tmux :c
  environment.systemPackages = with pkgs; [
    qbittorrent-nox
  ];
 }
--- a/hosts/blacksteel/anti-feature.nix
+++ b/hosts/blacksteel/anti-feature.nix
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@ -18,13 +18,13 @@
    ./services/mastodon.nix
    ./services/matrix.nix
    ./services/minecraft.nix
    ./services/qbittorrent.nix
    ./services/samba.nix
    ./services/transmission.nix
  ];
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.systemd-boot.enable = true;
-  networking.hostName = "blacksteel";
+  networking.hostName = "pek0";
  system.stateVersion = "24.05";
  ######## Secrets
@ -67,12 +67,21 @@
    };
  };
-  services.caddy = {
+  services.caddy.enable = true;
-    enable = true;
+  services.caddy.settings.apps.http.servers.srv0 = {
-    configFile = pkgs.replaceVars ./Caddyfile {
+    listen = [ ":80" ];
-      robots = toString ../tyo0/robots.txt;
+    trusted_proxies = {
-      inherit (pkgs) mastodon;
+      ranges = [
        "192.168.0.0/16"
        "172.16.0.0/12"
        "10.0.0.0/8"
        "127.0.0.1/8"
        "fd00::/8"
        "::1"
      ];
      source = "static";
    };
    trusted_proxies_strict = 1;
  };
  systemd.services.caddy.serviceConfig = {
--- a/hosts/blacksteel/hardware-configuration.nix
+++ b/hosts/blacksteel/hardware-configuration.nix
--- a/hosts/blacksteel/secrets.yaml
+++ b/hosts/blacksteel/secrets.yaml
--- a/hosts/blacksteel/services/jellyfin.nix
+++ b/hosts/blacksteel/services/jellyfin.nix
--- a/hosts/pek0/services/mastodon.nix
+++ b/hosts/pek0/services/mastodon.nix
@ -0,0 +1,121 @@
 {
  lib,
  pkgs,
  config,
  ...
 }:
 {
  services.mastodon = {
    enable = true;
    localDomain = "ny4.dev";
    streamingProcesses = 1;
    mediaAutoRemove.olderThanDays = 14;
    # FIXME: this doesn't exist
    smtp = {
      createLocally = false;
      fromAddress = "mastodon@ny4.dev";
    };
    extraConfig = rec {
      SINGLE_USER_MODE = "true";
      WEB_DOMAIN = "mastodon.ny4.dev";
      # keycloak
      OMNIAUTH_ONLY = "true";
      OIDC_ENABLED = "true";
      OIDC_CLIENT_ID = "mastodon";
      # OIDC_CLIENT_SECRET # EnvironmentFile
      OIDC_DISCOVERY = "true";
      OIDC_DISPLAY_NAME = "id.ny4.dev";
      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
      OIDC_SCOPE = "openid,profile,email";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      OIDC_UID_FIELD = "preferred_username";
    };
  };
  systemd.services.mastodon-web = {
    environment = config.networking.proxy.envVars;
    serviceConfig.EnvironmentFile = [ config.sops.secrets."mastodon/environment".path ];
  };
  systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "mastodon.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "subroute";
      routes = [
        {
          match = lib.singleton {
            path = [ "/api/v1/streaming/*" ];
          };
          handle = lib.singleton {
            handler = "reverse_proxy";
            headers.request.set."X-Forwarded-Proto" = [ "https" ];
            upstreams = lib.singleton {
              dial = "unix//run/mastodon-streaming/streaming-1.socket";
            };
          };
        }
        {
          match = lib.singleton {
            path = [ "/system/*" ];
          };
          handle = [
            {
              handler = "rewrite";
              strip_path_prefix = "/system";
            }
            {
              handler = "file_server";
              root = "/var/lib/mastodon/public-system";
            }
          ];
        }
        {
          handle = [
            {
              handler = "file_server";
              root = "${pkgs.mastodon}/public";
              pass_thru = true;
            }
            {
              handler = "reverse_proxy";
              headers.request.set."X-Forwarded-Proto" = [ "https" ];
              upstreams = lib.singleton {
                dial = "unix//run/mastodon-web/web.socket";
              };
            }
          ];
        }
      ];
    };
  };
  services.caddy.settings.apps.http.servers.srv0.errors.routes = lib.singleton {
    match = lib.singleton {
      host = [ "mastodon.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "subroute";
      routes = [
        {
          handle = lib.singleton {
            handler = "rewrite";
            uri = "500.html";
          };
        }
        {
          handle = lib.singleton {
            handler = "file_server";
            root = "${pkgs.mastodon}/public";
          };
        }
      ];
    };
  };
 }
--- a/hosts/blacksteel/services/matrix.nix
+++ b/hosts/blacksteel/services/matrix.nix
@ -54,4 +54,29 @@
    environment = config.networking.proxy.envVars;
    serviceConfig.RuntimeDirectory = [ "matrix-synapse" ];
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "matrix.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "subroute";
      routes = lib.singleton {
        match = lib.singleton {
          path = [
            "/_matrix/*"
            "/_synapse/*"
            "/health"
          ];
        };
        handle = lib.singleton {
          handler = "reverse_proxy";
          headers.request.set."X-Forwarded-Proto" = [ "https" ];
          upstreams = lib.singleton {
            dial = "unix//run/matrix-synapse/synapse.sock";
          };
        };
      };
    };
  };
 }
--- a/hosts/blacksteel/services/minecraft.nix
+++ b/hosts/blacksteel/services/minecraft.nix
--- a/hosts/blacksteel/services/samba.nix
+++ b/hosts/blacksteel/services/samba.nix
@ -1,3 +1,4 @@
 { config, ... }:
 {
  services.samba = {
    enable = true;
@ -12,4 +13,12 @@
    enable = true;
    openFirewall = true;
  };
  users.users."guanranwang" = {
    uid = 1000;
    isNormalUser = true;
    createHome = false;
    useDefaultShell = false;
    hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
  };
 }
--- a/hosts/pek0/services/transmission.nix
+++ b/hosts/pek0/services/transmission.nix
@ -0,0 +1,27 @@
 { pkgs, ... }:
 {
  services.transmission = {
    enable = true;
    openRPCPort = true;
    webHome = pkgs.flood-for-transmission;
    settings = {
      rpc-bind-address = "0.0.0.0";
      rpc-port = 9080;
      # tailscale
      rpc-whitelist = "100.*.*.*";
      rpc-host-whitelist = "blacksteel";
      incomplete-dir = "/mnt/torrent/downloading";
      download-dir = "/mnt/torrent";
      speed-limit-up-enabled = true;
      speed-limit-up = 1000;
      speed-limit-down-enabled = true;
      speed-limit-down = 4000;
      ratio-limit-enabled = true;
      ratio-limit = 2;
    };
  };
 }
--- a/hosts/tyo0/Caddyfile
+++ b/hosts/tyo0/Caddyfile
@ -1,115 +0,0 @@
 (default) {
 	encode zstd gzip
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
 		}
 	}
 }
 www.ny4.dev {
 	import default
 	redir https://blog.ny4.dev
 }
 # get the certificate for hysteria
 tyo0.ny4.dev {
 	import default
 	basicauth {
 		prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
 	}
 	reverse_proxy localhost:9091
 }
 ny4.dev {
 	import default
 	# Synapse
 	header /.well-known/matrix/* Content-Type application/json
 	header /.well-known/matrix/* Access-Control-Allow-Origin *
 	handle_path /.well-known/matrix/* {
 		file_server * {
 			root /var/www/matrix
 		}
 	}
 	# Mastodon
 	header /.well-known/webfinger Access-Control-Allow-Origin *
 	redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent
 	# TODO: Build Hugo blog with Nix
 	# How do I use hugo modules without using FOD?
 	route * {
 		redir https://blog.ny4.dev
 	}
 }
 pb.ny4.dev {
 	import default
 	reverse_proxy localhost:8200
 }
 ntfy.ny4.dev {
 	import default
 	reverse_proxy unix//run/ntfy-sh/ntfy.sock
 }
 id.ny4.dev {
 	import default
 	reverse_proxy localhost:8800
 }
 element.ny4.dev {
 	import default
 	root * @element@
 	header X-Frame-Options SAMEORIGIN;
 	header X-Content-Type-Options nosniff;
 	header X-XSS-Protection "1; mode=block";
 	header Content-Security-Policy "frame-ancestors 'self'";
 	file_server
 }
 cinny.ny4.dev {
 	import default
 	@index {
 		not path /index.html
 		not path /public/*
 		not path /assets/*
 		not path /config.json
 		not path /manifest.json
 		not path /pdf.worker.min.js
 		not path /olm.wasm
 		path /*
 	}
 	root * @cinny@
 	rewrite /*/olm.wasm /olm.wasm
 	rewrite @index /index.html
 	file_server
 }
 git.ny4.dev {
 	import default
 	reverse_proxy unix//run/forgejo/forgejo.sock
 }
 rss.ny4.dev {
 	import default
 	reverse_proxy localhost:9300
 }
 reddit.ny4.dev {
 	import default
 	reverse_proxy localhost:9400
 }
 vault.ny4.dev {
 	import default
 	reverse_proxy localhost:9500
 }
 prom.ny4.dev {
 	import default
 	reverse_proxy localhost:9090
 }
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@ -23,6 +23,7 @@
  ];
  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
  networking.hostName = "tyo0";
  system.stateVersion = "24.05";
  swapDevices = lib.singleton {
@ -57,32 +58,146 @@
    443
  ];
-  systemd.tmpfiles.settings = {
+  services.caddy.enable = true;
-    "10-www" = {
+  services.caddy.settings.apps.http.servers.srv0 = {
-      "/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
+    listen = [ ":443" ];
      "/var/www/matrix/client".C.argument = toString ./matrix-client.json;
      "/var/www/matrix/server".C.argument = toString ./matrix-server.json;
    };
  };
-  services.caddy = {
+  services.caddy.settings.apps.http.servers.srv0.routes = [
-    enable = true;
+    {
-    configFile = pkgs.replaceVars ./Caddyfile {
+      match = lib.singleton {
-      "element" = pkgs.element-web.override {
+        host = [ "ny4.dev" ];
-        conf.default_server_config."m.homeserver" = {
+        path = [ "/.well-known/matrix/server" ];
-          base_url = "https://matrix.ny4.dev";
+      };
-          server_name = "ny4.dev";
+      handle = lib.singleton {
        handler = "static_response";
        status_code = 200;
        headers = {
          Access-Control-Allow-Origin = [ "*" ];
          Content-Type = [ "application/json" ];
        };
        body = builtins.toJSON {
          "m.server" = "matrix.ny4.dev:443";
        };
      };
-
+    }
-      "cinny" = pkgs.cinny.override {
+    {
-        conf = {
+      match = lib.singleton {
-          defaultHomeserver = 0;
+        host = [ "ny4.dev" ];
-          homeserverList = [ "ny4.dev" ];
+        path = [ "/.well-known/matrix/client" ];
      };
      handle = lib.singleton {
        handler = "static_response";
        status_code = 200;
        headers = {
          Access-Control-Allow-Origin = [ "*" ];
          Content-Type = [ "application/json" ];
        };
        body = builtins.toJSON {
          "m.homeserver" = {
            "base_url" = "https://matrix.ny4.dev";
          };
        };
      };
-    };
+    }
-  };
+    {
      match = lib.singleton {
        host = [ "ny4.dev" ];
        path = [ "/.well-known/webfinger" ];
      };
      handle = lib.singleton {
        handler = "static_response";
        status_code = 301;
        headers = {
          Access-Control-Allow-Origin = [ "*" ];
          Location = [ "https://mastodon.ny4.dev{http.request.uri}" ];
        };
      };
    }
    {
      match = lib.singleton {
        host = [ "ny4.dev" ];
      };
      handle = lib.singleton {
        handler = "static_response";
        status_code = 302;
        headers = {
          Location = [ "https://blog.ny4.dev" ];
        };
      };
    }
    {
      match = lib.singleton {
        host = [ "element.ny4.dev" ];
      };
      handle = [
        {
          handler = "headers";
          response.set = {
            X-Frame-Options = [ "SAMEORIGIN" ];
            X-Content-Type-Options = [ "nosniff" ];
            X-XSS-Protection = [ "1; mode=block" ];
            Content-Security-Policy = [ "frame-ancestors 'self'" ];
          };
        }
        {
          handler = "file_server";
          root = pkgs.element-web.override {
            conf.default_server_config."m.homeserver" = {
              base_url = "https://matrix.ny4.dev";
              server_name = "ny4.dev";
            };
          };
        }
      ];
    }
    {
      match = lib.singleton {
        host = [ "cinny.ny4.dev" ];
      };
      handle = lib.singleton {
        handler = "subroute";
        routes = [
          {
            match = [ { "path" = [ "/*/olm.wasm" ]; } ];
            handle = lib.singleton {
              handler = "rewrite";
              uri = "/olm.wasm";
            };
          }
          {
            match = lib.singleton {
              not = [
                { path = [ "/index.html" ]; }
                { path = [ "/public/*" ]; }
                { path = [ "/assets/*" ]; }
                { path = [ "/config.json" ]; }
                { path = [ "/manifest.json" ]; }
                { path = [ "/pdf.worker.min.js" ]; }
                { path = [ "/olm.wasm" ]; }
              ];
              path = [ "/*" ];
            };
            handle = lib.singleton {
              handler = "rewrite";
              uri = "/index.html";
            };
          }
          {
            handle = lib.singleton {
              handler = "file_server";
              root = pkgs.cinny.override {
                conf = {
                  defaultHomeserver = 0;
                  homeserverList = [ "ny4.dev" ];
                };
              };
            };
          }
        ];
      };
    }
  ];
  services.postgresql = {
    package = pkgs.postgresql_16;
--- a/hosts/tyo0/matrix-client.json
+++ b/hosts/tyo0/matrix-client.json
@ -1,5 +0,0 @@
 {
  "m.homeserver": {
    "base_url": "https://matrix.ny4.dev"
  }
 }
--- a/hosts/tyo0/matrix-server.json
+++ b/hosts/tyo0/matrix-server.json
@ -1,3 +0,0 @@
 {
  "m.server": "matrix.ny4.dev:443"
 }
--- a/hosts/tyo0/robots.txt
+++ b/hosts/tyo0/robots.txt
@ -1,4 +0,0 @@
 User-Agent: *
 Disallow: /harming/humans
 Disallow: /ignoring/human/orders
 Disallow: /harm/to/self
--- a/hosts/tyo0/services/forgejo.nix
+++ b/hosts/tyo0/services/forgejo.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
  services.forgejo = {
    enable = true;
@ -26,4 +26,14 @@
      };
    };
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "git.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "unix//run/forgejo/forgejo.sock"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/keycloak.nix
+++ b/hosts/tyo0/services/keycloak.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
  services.keycloak = {
    enable = true;
@ -8,8 +8,17 @@
      http-host = "127.0.0.1";
      http-port = 8800;
      proxy = "edge";
      # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
    };
    database.passwordFile = toString (pkgs.writeText "password" "keycloak");
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "id.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "localhost:8800"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/miniflux.nix
+++ b/hosts/tyo0/services/miniflux.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ lib, config, ... }:
 {
  services.miniflux = {
    enable = true;
@ -14,4 +14,14 @@
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
    };
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "rss.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "localhost:9300"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/ntfy.nix
+++ b/hosts/tyo0/services/ntfy.nix
@ -1,3 +1,4 @@
 { lib, ... }:
 {
  services.ntfy-sh = {
    enable = true;
@ -11,4 +12,14 @@
  };
  systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = [ "ntfy-sh" ];
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "ntfy.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "unix//run/ntfy-sh/ntfy.sock"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/prometheus.nix
+++ b/hosts/tyo0/services/prometheus.nix
@ -139,4 +139,14 @@
      };
    };
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "prom.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "127.0.0.1:9090"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/redlib.nix
+++ b/hosts/tyo0/services/redlib.nix
@ -1,7 +1,18 @@
 { lib, ... }:
 {
  services.redlib = {
    enable = true;
    address = "127.0.0.1";
    port = 9400;
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "reddit.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "localhost:9400"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/vaultwarden.nix
+++ b/hosts/tyo0/services/vaultwarden.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ lib, config, ... }:
 {
  services.vaultwarden = {
    enable = true;
@ -15,4 +15,14 @@
      ORG_CREATION_USERS = "none";
    };
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "vault.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "localhost:9500"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/wastebin.nix
+++ b/hosts/tyo0/services/wastebin.nix
@ -1,6 +1,17 @@
 { lib, ... }:
 {
  services.wastebin = {
    enable = true;
    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "pb.ny4.dev" ];
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
      upstreams = [ { dial = "localhost:8200"; } ];
    };
  };
 }
--- a/nixos/profiles/core/default.nix
+++ b/nixos/profiles/core/default.nix
@ -1,5 +1,4 @@
 {
  lib,
  inputs,
  pkgs,
  ...
--- a/nixos/profiles/prometheus/default.nix
+++ b/nixos/profiles/prometheus/default.nix
@ -1,3 +1,4 @@
 { config, lib, ... }:
 {
  services.prometheus.exporters.node = {
    enable = true;
@ -5,4 +6,24 @@
    port = 9091;
    enabledCollectors = [ "systemd" ];
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ config.networking.fqdn ];
      path = [ "/metrics" ];
    };
    handle = [
      {
        handler = "authentication";
        providers.http_basic.accounts = lib.singleton {
          username = "prometheus";
          password = "$2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.";
        };
      }
      {
        handler = "reverse_proxy";
        upstreams = lib.singleton { dial = "127.0.0.1:9091"; };
      }
    ];
  };
 }
--- a/nixos/profiles/server/default.nix
+++ b/nixos/profiles/server/default.nix
@ -19,4 +19,6 @@
  ];
  time.timeZone = "UTC";
  networking.domain = "ny4.dev";
 }
--- a/treefmt.nix
+++ b/treefmt.nix
@ -9,7 +9,7 @@
  ### misc
  programs.prettier.enable = true;
  settings.formatter.prettier.excludes = [
-    "hosts/blacksteel/secrets.yaml"
+    "hosts/pek0/secrets.yaml"
    "hosts/tyo0/secrets.yaml"
    "nixos/profiles/sing-box/secrets.yaml"
    "nixos/profiles/wireless/secrets.yaml"
Author	SHA1	Message	Date
Guanran Wang	602995c205	nixos/caddy: caddyfile -> rfc42	2024-08-31 10:19:01 +08:00
Guanran Wang	5bf6e5f576	hosts: blacksteel -> pek0	2024-08-31 08:00:40 +08:00
Guanran Wang	7c0764a270	pek0: qbittorrent-nox -> transmission	2024-08-31 07:51:49 +08:00