diff --git a/flake.nix b/flake.nix
index 9e7a36c..7807522 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,6 +23,7 @@
 ./modules/nix/linux.nix
 ./modules/shell.nix
+ ./modules/services/caddy.nix
 ./modules/services/miniflux.nix
 ./modules/services/media/arr.nix
 ./modules/services/media/jellyfin.nix
diff --git a/modules/services/caddy.nix b/modules/services/caddy.nix
new file mode 100644
index 0000000..2c0bf1b
--- /dev/null
+++ b/modules/services/caddy.nix
@@ -0,0 +1,34 @@
+{ pkgs, config, lib, ... }:
+
+{
+ options = {
+ homelab.domain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ homelab.domain = "nyanyanya.myaddr.io";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.caddy = {
+ enable = true;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nicocute@proton.me";
+
+ certs."${config.homelab.domain}" = {
+ group = config.services.caddy.group;
+
+ domain = "${config.homelab.domain}";
+ extraDomainNames = [ "*.${config.homelab.domain}" ];
+ dnsProvider = "myaddr";
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ environmentFile = /var/lib/caddy/secret;
+ };
+ };
+ };
+}
diff --git a/modules/services/glance.nix b/modules/services/glance.nix
index db03733..ed000bb 100644
--- a/modules/services/glance.nix
+++ b/modules/services/glance.nix
@@ -3,9 +3,9 @@
 {
 services.glance = {
 enable = true;
- settings.server.port = 80;
+ settings.server.port = 8888;
 settings.server.host = "0.0.0.0";
- openFirewall = true;
+ openFirewall = false;
 settings = {
 pages = [
 {
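Review bot: In modules/services/caddy.nix, `environmentFile = /var/lib/caddy/secret;` is a bare Nix path literal, and path literals can be copied into the world-readable Nix store when they are coerced to a string (absolute paths are also rejected under pure flake evaluation). Writing it as a string, `environmentFile = "/var/lib/caddy/secret";`, keeps the DNS API credential a runtime-only reference. The file also sits in what is presumably Caddy's own state directory, so the network-facing proxy user can likely read or replace it; a root-owned, mode 0400 file outside `/var/lib/caddy` would leave the credential with the ACME client alone. Separately, `homelab.domain` has no `description`, and a one-line one would tell other modules what the option is for.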
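Review bot: In the first glance.nix hunk the listener stays on `settings.server.host = "0.0.0.0";` although Caddy now reaches it at `localhost:8888`, so the closed firewall is the only thing keeping the plain-HTTP port off the network. Binding to loopback, `settings.server.host = "127.0.0.1";`, removes that dependency. The same applies to `LISTEN_ADDR = "0.0.0.0:8021";` in modules/services/miniflux.nix, which stays as context while its firewall rules are removed. The `services.glance` block continues past the end of this hunk.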
@@ -57,35 +57,35 @@
 links = [
 {
 title = "Jellyfin";
- url = "http://${config.networking.hostName}:8096";
+ url = "https://watch.${config.homelab.domain}";
 }
 {
 title = "Jellyseer";
- url = "http://${config.networking.hostName}:5055";
+ url = "https://jellyseer.${config.homelab.domain}";
 }
 {
 title = "Radarr";
- url = "http://${config.networking.hostName}:7878";
+ url = "https://radarr.${config.homelab.domain}";
 }
 {
 title = "Sonarr";
- url = "http://${config.networking.hostName}:8989";
+ url = "https://sonarr.${config.homelab.domain}";
 }
 {
 title = "Lidarr";
- url = "http://${config.networking.hostName}:8686";
+ url = "https://lidarr.${config.homelab.domain}";
 }
 {
 title = "Prowlarr";
- url = "http://${config.networking.hostName}:9696";
+ url = "https://prowlarr.${config.homelab.domain}";
 }
 {
 title = "Bazarr";
- url = "http://${config.networking.hostName}:6767";
+ url = "https://bazarr.${config.homelab.domain}";
 }
 {
 title = "Deluge";
- url = "http://${config.networking.hostName}:8112";
+ url = "https://deluge.${config.homelab.domain}";
 }
 ];
 }
@@ -95,7 +95,7 @@
 links = [
 {
 title = "Miniflux";
- url = "http://${config.networking.hostName}:8021";
+ url = "https://rss.${config.homelab.domain}";
 }
 ];
 }
@@ -109,6 +109,10 @@
 };
 };
- # allow services to bind to port 80
- boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
+ services.caddy.virtualHosts."${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:8888
+ '';
+ };
 }
diff --git a/modules/services/media/arr.nix b/modules/services/media/arr.nix
index c51dbac..027dab2 100644
--- a/modules/services/media/arr.nix
+++ b/modules/services/media/arr.nix
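Review bot: The `services.caddy.virtualHosts."${config.homelab.domain}"` block added in the last glance.nix hunk contains only `reverse_proxy`, so with ports 80 and 443 opened in caddy.nix anyone who can reach the host gets the dashboard. The same holds for the vhosts added in arr.nix, jellyfin.nix and miniflux.nix, where each application's own login is the only gate. If these names are meant for LAN use, a matcher in `extraConfig` such as `@outside not remote_ip private_ranges` followed by `respond @outside 403` would enforce that at the proxy. The enclosing attribute set starts outside this hunk.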
@@ -6,33 +6,33 @@
 # Finding/Requesting downloading
 services.radarr = {
 enable = true;
- openFirewall = true;
+ openFirewall = false;
 dataDir = "/var/lib/radarr";
 group = "media";
 };
 services.sonarr = {
 enable = true;
- openFirewall = true;
+ openFirewall = false;
 dataDir = "/var/lib/sonarr";
 group = "media";
 };
 services.lidarr = {
 enable = true;
- openFirewall = true;
+ openFirewall = false;
 dataDir = "/var/lib/lidarr";
 group = "media";
 };
 services.prowlarr = {
 enable = true;
- openFirewall = true;
+ openFirewall = false;
 };
 services.bazarr = {
 enable = true;
- openFirewall = true;
+ openFirewall = false;
 group = "media";
 };
@@ -40,7 +40,7 @@
 services.deluge = {
 enable = true;
 web.enable = true;
- web.openFirewall = true;
+ web.openFirewall = false;
 group = "media";
 };
@@ -49,7 +49,50 @@
 services.jellyseerr = {
 enable = true;
 port = 5055;
- openFirewall = true;
+ openFirewall = false;
 package = pkgs.jellyseerr;
 };
+
+ services.caddy.virtualHosts."radarr.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:7878
+ '';
+ };
+ services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:8989
+ '';
+ };
+ services.caddy.virtualHosts."lidarr.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:8686
+ '';
+ };
+ services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:9696
+ '';
+ };
+ services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:6767
+ '';
+ };
+ services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:8112
+ '';
+ };
+ services.caddy.virtualHosts."jellyseer.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:5055
+ '';
+ };
 }
diff --git a/modules/services/media/jellyfin.nix b/modules/services/media/jellyfin.nix
index 16e5fdc..1d847ce 100644
--- a/modules/services/media/jellyfin.nix
+++ b/modules/services/media/jellyfin.nix
@@ -1,10 +1,17 @@
-{ ... }:
+{ config, ... }:
 {
 # Streaming frontend
 services.jellyfin = {
 enable = true;
- openFirewall = true;
+ openFirewall = false;
 group = "media";
 };
+
+ services.caddy.virtualHosts."watch.${config.homelab.domain}" = {
+# useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:8096
+ '';
+ };
 }
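Review bot: Every vhost added at the end of arr.nix proxies to `http://localhost:<port>`, so Radarr, Sonarr, Lidarr, Prowlarr, Bazarr, Deluge and Jellyseerr now see their connections arriving from a local address. If any of them is configured to skip authentication for local addresses, confirm that it still treats proxied requests as remote, or require the login for all clients; those settings are not visible in this diff. The seven blocks also differ only in subdomain and port, so generating them from one attribute set of name-to-port pairs would make a missing `useACMEHost` or a wrong port easier to spot.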
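Review bot: In jellyfin.nix the `watch.${config.homelab.domain}` vhost is added with `# useACMEHost = config.homelab.domain;` commented out, unlike every other vhost in this commit. Caddy will then presumably request its own certificate for that name instead of using the wildcard issued through `security.acme`, which gives this one host a different issuance path. If that is intended, replace the dead line with a comment that says why; otherwise restore `useACMEHost = config.homelab.domain;`.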
diff --git a/modules/services/miniflux.nix b/modules/services/miniflux.nix
index bb5ebc0..a39f50d 100644
--- a/modules/services/miniflux.nix
+++ b/modules/services/miniflux.nix
@@ -11,7 +11,7 @@
 config = {
 LISTEN_ADDR = "0.0.0.0:8021";
- BASE_URL = "http://${config.networking.hostName}";
+ BASE_URL = "http://rss.${config.homelab.domain}";
 CLEANUP_FREQUENCY = 48;
 CREATE_ADMIN = 1;
@@ -34,6 +34,10 @@
 };
 };
- networking.firewall.allowedTCPPorts = [ 8021 ];
- networking.firewall.allowedUDPPorts = [ 8021 ];
+ services.caddy.virtualHosts."rss.${config.homelab.domain}" = {
+ useACMEHost = config.homelab.domain;
+ extraConfig = ''
+ reverse_proxy http://localhost:8021
+ '';
+ };
 }
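Review bot: `BASE_URL = "http://rss.${config.homelab.domain}";` in the first miniflux.nix hunk keeps the `http` scheme, while the vhost added in the second hunk serves the site through Caddy and the Glance link changed in this commit points at `https://rss.…`. Miniflux uses this value when it builds absolute URLs, so I'd set `BASE_URL = "https://rss.${config.homelab.domain}";` to match what users actually reach. The `config` block continues outside the hunk, so any other scheme-dependent setting there should be checked as well.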