From 3e32cad35f0083b41bd0185d917e72084424acb2 Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Thu, 11 Jan 2024 14:51:49 -0800 Subject: [PATCH] Potentially broken commit to sync across machines --- .sops.yaml | 7 +++++ meta.nix | 6 ++++ nixos/acme.nix | 8 +++++ nixos/bazarr.nix | 13 ++++++++ nixos/deluge.nix | 8 +++-- nixos/jackett.nix | 12 ++++++++ nixos/ombi.nix | 12 ++++++++ nixos/plex.nix | 29 ++++++++++++++++++ nixos/postgres.nix | 18 +++++++---- nixos/radarr.nix | 13 ++++++++ nixos/sonarr.nix | 14 +++++++++ nixos/tautuli.nix | 13 ++++++++ systems/mediabox/nixos.nix | 31 +++++++++++++++++++ systems/mediabox/secrets.yaml | 57 +++++++++++++++++++++++++++++++++++ systems/tei/nixos.nix | 11 +++---- 15 files changed, 238 insertions(+), 14 deletions(-) create mode 100644 nixos/acme.nix create mode 100644 nixos/bazarr.nix create mode 100644 nixos/jackett.nix create mode 100644 nixos/ombi.nix create mode 100644 nixos/plex.nix create mode 100644 nixos/radarr.nix create mode 100644 nixos/sonarr.nix create mode 100644 nixos/tautuli.nix create mode 100644 systems/mediabox/nixos.nix create mode 100644 systems/mediabox/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 87b45314..58810a85 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr +- &mediabox_osh age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 creation_rules: - path_regex: 'systems/tewi/secrets\.yaml$' shamir_threshold: 1 @@ -20,6 +21,12 @@ creation_rules: - pgp: *pgp_common age: - *tei_osh +- path_regex: 'systems/mediabox/secrets\.yaml$' + shamir_threshold: 1 + key_groups: + - pgp: *pgp_common + age: + - *mediabox_osh - path_regex: 'systems/[^/]+/secrets\.yaml$' shamir_threshold: 1 key_groups: diff --git a/meta.nix b/meta.nix index e0906970..21b3406e 100644 
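Review bot: The new `systems/mediabox/secrets\.yaml$` creation rule only does what is intended because it is inserted above the generic `systems/[^/]+/secrets\.yaml$` rule at the end of the second hunk; sops applies the first creation rule whose path_regex matches, so a later reorder would silently change which recipients the mediabox file is re-encrypted for. A one-line comment above the host-specific rules would make that constraint visible, e.g. `# host rules must stay above the systems/[^/]+ catch-all: sops uses the first matching rule`. The catch-all's key_groups are outside this hunk, so I cannot tell whether it would grant a wider or narrower recipient set.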
--- a/meta.nix +++ b/meta.nix @@ -31,6 +31,12 @@ nixfiles.nixos.base ]; }; + network.nodes.mediabox = { + imports = [ + ./systems/mediabox/nixos.nix + nixfiles.nixos.base + ]; + }; network.nodes.reisen-ct = { imports = [ ./systems/ct/nixos.nix diff --git a/nixos/acme.nix b/nixos/acme.nix new file mode 100644 index 00000000..300c9856 --- /dev/null +++ b/nixos/acme.nix @@ -0,0 +1,8 @@ +_: { + security.acme = { + acceptTerms = true; + defaults = { + email = "acme@gensokyo.zone"; + }; + }; +} diff --git a/nixos/bazarr.nix b/nixos/bazarr.nix new file mode 100644 index 00000000..bc7409ec --- /dev/null +++ b/nixos/bazarr.nix @@ -0,0 +1,13 @@ +{config, ...}: { + services = { + bazarr = { + enable = true; + listenPort = 6767; + }; + + nginx.virtualHosts."bazarr.gensokyo.zone" = { + enableACME = true; + locations."/".proxyPass = "http://localhost:${toString config.services.bazarr.listenPort}"; + }; + }; +} diff --git a/nixos/deluge.nix b/nixos/deluge.nix index dc2bf554..d5f30319 100644 --- a/nixos/deluge.nix +++ b/nixos/deluge.nix @@ -1,4 +1,8 @@ -{ config, lib, ... }: let +{ + config, + lib, + ... +}: let inherit (lib) mkDefault; cfg = config.services.deluge; in { @@ -24,7 +28,7 @@ in { max_active_seeding = 1; allow_remote = true; daemon_port = 58846; - listen_ports = [ 6881 6889 ]; + listen_ports = [6881 6889]; random_port = false; }; authFile = config.sops.secrets.deluge-auth.path; diff --git a/nixos/jackett.nix b/nixos/jackett.nix new file mode 100644 index 00000000..a5f7c944 --- /dev/null +++ b/nixos/jackett.nix @@ -0,0 +1,12 @@ +_: { + services = { + jackett = { + enable = true; + }; + nginx.virtualHosts."jackett.gensokyo.zone" = { + enableACME = true; + locations."/".proxyPass = "http://localhost:9117/"; + }; + }; + # Port 9117 +} diff --git a/nixos/ombi.nix b/nixos/ombi.nix new file mode 100644 index 00000000..eac36e56 --- /dev/null +++ b/nixos/ombi.nix 
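Review bot: The `bazarr.gensokyo.zone` virtualHost sets `enableACME = true` but neither `forceSSL` nor `addSSL`, and as far as I recall the NixOS nginx module then requests the certificate yet emits no 443 listener or `ssl_certificate` for the host, leaving the vhost plain HTTP only; unless the repo's own nginx module (outside this patch) applies an SSL default to every vhost, Bazarr's login form and API key travel in the clear on a public name. The same pattern appears in the jackett, ombi, plex, radarr, sonarr and tautuli hunks. The fix is one line next to `enableACME = true;` in each vhost: `forceSSL = true;`.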
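Review bot: `proxyPass = "http://localhost:9117/"` carries a URI part (the trailing slash) while every other new vhost in this patch uses the bare `http://localhost:PORT` form; with a URI part nginx forwards a normalised, re-encoded request path, whereas the bare form passes the original request URI through untouched, which can matter for percent-encoded path segments. Dropping the slash keeps the common case identical for `location "/"` and consistent with the sibling modules: `locations."/".proxyPass = "http://localhost:9117";`. The trailing `# Port 9117` comment would also be easier to find placed directly beside the literal it documents.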
@@ -0,0 +1,12 @@ +{config, ...}: { + services = { + ombi = { + enable = true; + port = 5000; + }; + nginx.virtualHosts."ombi.gensokyo.zone" = { + enableACME = true; + locations."/".proxyPass = "http://localhost:${toString config.services.ombi.port}"; + }; + }; +} diff --git a/nixos/plex.nix b/nixos/plex.nix new file mode 100644 index 00000000..0d28b1b5 --- /dev/null +++ b/nixos/plex.nix @@ -0,0 +1,29 @@ +_: { + services = { + plex = { + enable = true; + }; + nginx.virtualHosts."plex.gensokyo.zone" = { + enableACME = true; + locations."/".proxyPass = "http://localhost:32400"; + }; + }; + + # Plex Media Server: + # + # TCP: + # * 32400 - direct HTTP access - we don't want to open this considering we're reverse proxying + # * 8324 - Roku via Plex Companion + # * 32469 - Plex DLNA Server + # UDP: + # * 1900 - DLNA + # * 5353 - Bonjour / Avahi + # * 32410, 32412, 32413, 32414 - GDM Network Discovery + + # Tautulli and Ombi will also be reverse proxied, presumably + + networking.firewall = { + allowedTCPPorts = [8324 32469]; + allowedUDPPorts = [1900 5353 32410 32412 32413 32414]; + }; +} diff --git a/nixos/postgres.nix b/nixos/postgres.nix index 3a44093c..a8130276 100644 --- a/nixos/postgres.nix +++ b/nixos/postgres.nix @@ -1,11 +1,17 @@ -{ config, pkgs, ... }: { +{ + config, + pkgs, + ... +}: { services.postgresql = { enable = true; package = pkgs.postgresql_14; - ensureDatabases = [ "hass" ]; - ensureUsers = [{ - name = "hass"; - ensureDBOwnership = true; - }]; + ensureDatabases = ["hass"]; + ensureUsers = [ + { + name = "hass"; + ensureDBOwnership = true; + } + ]; }; } diff --git a/nixos/radarr.nix b/nixos/radarr.nix new file mode 100644 index 00000000..68218ed4 --- /dev/null +++ b/nixos/radarr.nix @@ -0,0 +1,13 @@ +_: { + services = { + radarr = { + enable = true; + }; + nginx.virtualHosts."radarr.gensokyo.zone" = { + enableACME = true; + locations."/".proxyPass = "http://localhost:7878"; + }; + }; + + # Port 7878 +} 
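Review bot: The `plex.gensokyo.zone` location proxies to 32400 without `proxyWebsockets = true`, and the Plex web client relies on a websocket to the server for playback progress and notifications; a plain `proxy_pass` does not forward the Upgrade handshake, so those features are likely to break behind this proxy (which clients will be used is not visible in the hunk). Adding `proxyWebsockets = true;` under `locations."/"` is the usual fix. The firewall block is consistent with the port comment above it: 32400 is deliberately left closed and `allowedTCPPorts = [8324 32469]` matches the documented list, which is worth keeping as-is rather than switching to the module's `openFirewall`.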
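Review bot: The proxy targets `http://localhost:7878`, but as far as I know Radarr's upstream default is to bind on all interfaces, so the reverse proxy only narrows exposure while 7878 stays closed at the host firewall; `services.radarr.openFirewall` defaults to false and nothing in this hunk sets it, which is the right state, but the intent is not recorded anywhere. The same applies to the sonarr hunk (8989) and the jackett hunk (9117). A comment beside the `# Port 7878` line such as `# reached only through nginx; keep services.radarr.openFirewall off so 7878 stays host-local` would stop a later "fix" from opening it.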
diff --git a/nixos/sonarr.nix b/nixos/sonarr.nix new file mode 100644 index 00000000..1c8830a1 --- /dev/null +++ b/nixos/sonarr.nix @@ -0,0 +1,14 @@ +_: { + services = { + sonarr = { + enable = true; + }; + + nginx.virtualHosts."sonarr.gensokyo.zone" = { + enableACME = true; + locations."/".proxyPass = "http://localhost:8989"; + }; + }; + + # Port 8989 +} diff --git a/nixos/tautuli.nix b/nixos/tautuli.nix new file mode 100644 index 00000000..f87935fe --- /dev/null +++ b/nixos/tautuli.nix @@ -0,0 +1,13 @@ +{config, ...}: { + services = { + tautulli = { + enable = true; + port = 8181; + }; + + nginx.virtualHosts."tautuli.gensokyo.zone" = { + enableACME = true; + locations."/".proxyPass = "http://localhost:${toString config.services.tautulli.port}"; + }; + }; +} diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix new file mode 100644 index 00000000..ac80f0e5 --- /dev/null +++ b/systems/mediabox/nixos.nix @@ -0,0 +1,31 @@ +{ + meta, + lib, + ... +}: { + imports = with meta; [ + nixos.reisen-ct + nixos.sops + nixos.tailscale + nixos.nginx + nixos.acme + nixos.cloudflared + + /* + # media + nixos.plex + nixos.tautuli + nixos.ombi + + # yarr harr fiddle dee dee >w< + nixos.radarr + nixos.sonarr + nixos.bazarr + nixos.jackett + */ + ]; + + sops.defaultSopsFile = ./secrets.yaml; + + system.stateVersion = "21.05"; +} diff --git a/systems/mediabox/secrets.yaml b/systems/mediabox/secrets.yaml new file mode 100644 index 00000000..f33b5544 --- /dev/null +++ b/systems/mediabox/secrets.yaml 
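Review bot: The file name `nixos/tautuli.nix` and the host `tautuli.gensokyo.zone` drop one "l" relative to the service name `services.tautulli` and the `config.services.tautulli.port` reference in the same hunk; if the intended DNS record is `tautulli.gensokyo.zone`, the HTTP-01 challenge for this vhost will fail and nginx will serve the proxy on a name nothing resolves. If the short spelling is deliberate, a comment saying so would keep the next reader from "correcting" it; otherwise rename the vhost to `nginx.virtualHosts."tautulli.gensokyo.zone"` (the `nixos.tautuli` import in systems/mediabox/nixos.nix would need to follow).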
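Review bot: `system.stateVersion = "21.05"` in a freshly created host file is suspect: stateVersion pins stateful defaults (database layouts, service data directories) to the release the machine was first installed with, and a new install that copies another host's value picks up old defaults it has no state for. If mediabox really was installed from 21.05 media this is fine and a comment saying so would help; otherwise set it to the release it was installed with. Note also that the media imports (plex, tautuli, ombi, radarr, sonarr, bazarr, jackett) sit inside a `/* … */` block, so none of the new modules in this patch are active on the host yet — consistent with the commit title, but a `# TODO: enable once the media services are verified` next to the `/*` would make that explicit.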
@@ -0,0 +1,57 @@ +tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYVd6VExuZG1oWGNMbWlF + MVZaNnRXSmJlSG5jT1pZa3M5Zk9uN2lYSENNCm1hZ0NqMXNJcjY4Y1MxblNaWm9z + VE5SNVBZNG1RZU9EZ1RwVFFhNnFJN0kKLS0tIHJJM3ZNZEp5NC9lckpEYm9qaFdh + aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM + ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-11T22:46:33Z" + mac: ENC[AES256_GCM,data:lfx0h0sXAM7o5ig7NoqLUNY62B9vxZj2cWMHtfXbCfDIXUt72ybfbjuT0RE9YPnVyzKtVcLzbJwq1ls3LoPLohAAYsqH2C2Qpi3M5sf3vaVHheXAAdcn2ivk9i/PyfiXX8NBkVun2VJp6t7EZs76Xxwznt6vHzjXOZbMeV9wpC8=,iv:wd68KvHD8p2Qe+qfXlQmoIB+wW6GQErKKlsCxt9UflI=,tag:bBkX/j3NE5HQ/J/Yc/FrtA==,type:str] + pgp: + - created_at: "2024-01-11T22:30:58Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ/+No0QH0UAsfEg6M/yLbUhS/HjfjrY9R7LsExUTUFDIaMw + 7rX6bGFgiEgiz3RAzAGQlZLZ6+/K3DmHPooyPZ8Az1U24ShWE06rgk7OFcdzVcDE + FvWbli5C/h1hnVn7ZPMPsdqnT+1TfiLU4s5+d+Zf8gHXra/MFjvobWQQqcKruWWF + 0RirORKHsYIXcfuWlB8xchc+L2sHBJCpacsOKAVf9K7nRAoa/BLowKhd22ao24+6 + V7kENJJgR+ipWG9PL5XxVCQ/vgY7BX+VAZs4eCG3K5AMP53xp6E9wnhvtQdGHZ/g + PCrZNEUiGDYsZJeS2xrV15xBVxuag3lBN+ibuFJPH7q/sd0Me0BYdgtOAFHuyZUW + J4czHN9PQaK4B1pEwePKWVXIpl3/os6+x7C76IzDvxkNGpcJhbktXcNuqZ+koUWI + obTleAzfV/Pm6v1II1J/2DWHuPymYUQmIi0v5JLsGqnx8+0k/Om68cxUsggxkIKp + bQxV9C2fH5DTwBpV7ZrntXZVulfWXRUfRZYmoqeDwvGn42VrXvZRb908kZbefYsL + jUOsXmCddYHR3wlA/PHi2t1+C5X730X0weAuaQ+WJftHSDqk6dvnBVgM0piqjvQC + 1svaYup1KZJeKsmnsmV7fUlQrIUKPNRCYySvx/2+ZeMANfdLs6h1jVZ3rfdHso3S + XgG5+oGkXvWMvQ1ng85pUPURi/BzGKBiJ5xgDmpzjX3Yu4uhkIJsXfakIH4WQf0Z + 
/a3Uc6G9CJf+KEjjPMW8PC2+EB3iqGrJb1D6OmtZK5HliCvV6rr3QxbfHvKVGOE= + =cz4W + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-01-11T22:30:58Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf/RRUXU3qJRsa5SXHIvmYrkO+gO7Gp/DpyXOVqoYbzFFhL + VMt3R8S6nnktxBvvTRcWQUT7/Ceg3f3ic2THOpWmgC26kDIHfEaCpcCFj0Oz4Plb + Y8ZjA59snO1siMmIQaiPl2N0iomrlpS8O1ls1y8457+iejSSOWwodYTYssDJVVy9 + IM0R2PFc0VVJ4kmX08nFDTDhrvmNZWYKZs7LZlU9aJ39U4Ppp4AWnsgPeoyUleIy + /2WJ0q66WjEAgC/6tBXb4kiOwrptJoGjytiTI4SmmoVCwl081FbMzrqw7ncI0eA1 + ahPKQ6YLtYnhCBbKT7zoK1n/PmycdabasbN8R8SY+dJeAUOjdysynp5wJLnj4KgJ + Tu3ISQ5RWKn0UCEkBjmsOe9nryUoWQ0ZHPbLMYLrgOCHyMS1cDhmd6f6NgdURgC4 + 3UcHXy5yJkW2p8MOX/4IJ46j1XeoPSGrFowGzkPK6A== + =2qKs + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix index 63c6aa06..0a235f0f 100644 --- a/systems/tei/nixos.nix +++ b/systems/tei/nixos.nix @@ -3,12 +3,11 @@ lib, ... }: { - imports = with meta; - [ - nixos.reisen-ct - nixos.sops - nixos.tailscale - ]; + imports = with meta; [ + nixos.reisen-ct + nixos.sops + nixos.tailscale + ]; sops.defaultSopsFile = ./secrets.yaml;