Potentially broken commit to sync across machines

Kat Inskip 2024-01-11 14:51:49 -08:00
parent ee0d52cd8c
commit 3e32cad35f
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
15 changed files with 238 additions and 14 deletions


@ -4,6 +4,7 @@ keys:
- &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
- &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
- &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
- &mediabox_osh age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
creation_rules:
- path_regex: 'systems/tewi/secrets\.yaml$'
shamir_threshold: 1
@ -20,6 +21,12 @@ creation_rules:
- pgp: *pgp_common
age:
- *tei_osh
- path_regex: 'systems/mediabox/secrets\.yaml$'
shamir_threshold: 1
key_groups:
- pgp: *pgp_common
age:
- *mediabox_osh
- path_regex: 'systems/[^/]+/secrets\.yaml$'
shamir_threshold: 1
key_groups:


@ -31,6 +31,12 @@
nixfiles.nixos.base
];
};
network.nodes.mediabox = {
imports = [
./systems/mediabox/nixos.nix
nixfiles.nixos.base
];
};
network.nodes.reisen-ct = {
imports = [
./systems/ct/nixos.nix

8
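--- a/nixos/acme.nix
+++ b/nixos/acme.nix
@@ -0,0 +1,8 @@
+_: {
+security.acme = {
+acceptTerms = true;
+defaults = {
+email = "acme@gensokyo.zone";
+};
+};
+}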

13
nixos/bazarr.nix Normal file

@ -0,0 +1,13 @@
{config, ...}: {
services = {
bazarr = {
enable = true;
listenPort = 6767;
};
nginx.virtualHosts."bazarr.gensokyo.zone" = {
enableACME = true;
locations."/".proxyPass = "http://localhost:${toString config.services.bazarr.listenPort}";
};
};
}
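Review bot: The `bazarr.gensokyo.zone` vhost sets `enableACME = true` but none of `forceSSL`, `addSSL` or `onlySSL`, so as far as this file shows nginx will obtain a certificate and still serve the proxied UI over plain HTTP. Adding `forceSSL = true;` next to `enableACME` makes the vhost listen on 443 and redirect port 80, unless the shared `nixos.nginx` module (not visible here) already arranges that. The same applies to the vhosts added in nixos/jackett.nix, nixos/ombi.nix, nixos/plex.nix, nixos/radarr.nix, nixos/sonarr.nix and nixos/tautuli.nix.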


@ -1,4 +1,8 @@
{ config, lib, ... }: let
{
config,
lib,
...
}: let
inherit (lib) mkDefault;
cfg = config.services.deluge;
in {

12
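--- a/nixos/jackett.nix
+++ b/nixos/jackett.nix
@@ -0,0 +1,12 @@
+_: {
+services = {
+jackett = {
+enable = true;
+};
+nginx.virtualHosts."jackett.gensokyo.zone" = {
+enableACME = true;
+locations."/".proxyPass = "http://localhost:9117/";
+};
+};
+# Port 9117
+}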
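Review bot: The `jackett.gensokyo.zone` vhost forwards every request to the Jackett UI with no access control at the proxy, and Jackett's own admin password is optional, so anyone who can reach the vhost may reach the indexer configuration. If the name resolves beyond the tailnet, put `basicAuthFile` on the vhost, pointing at a sops-managed htpasswd file, or restrict client addresses in `extraConfig`. This is inferred, since the nginx and cloudflared modules are outside the visible lines. The radarr, sonarr and bazarr vhosts have the same shape. The trailing `# Port 9117` comment only repeats the literal in `proxyPass` and could be dropped.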

12
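--- a/nixos/ombi.nix
+++ b/nixos/ombi.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+services = {
+ombi = {
+enable = true;
+port = 5000;
+};
+nginx.virtualHosts."ombi.gensokyo.zone" = {
+enableACME = true;
+locations."/".proxyPass = "http://localhost:${toString config.services.ombi.port}";
+};
+};
+}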

29
nixos/plex.nix Normal file

@ -0,0 +1,29 @@
_: {
services = {
plex = {
enable = true;
};
nginx.virtualHosts."plex.gensokyo.zone" = {
enableACME = true;
locations."/".proxyPass = "http://localhost:32400";
};
};
# Plex Media Server:
#
# TCP:
# * 32400 - direct HTTP access - we don't want to open this considering we're reverse proxying
# * 8324 - Roku via Plex Companion
# * 32469 - Plex DLNA Server
# UDP:
# * 1900 - DLNA
# * 5353 - Bonjour / Avahi
# * 32410, 32412, 32413, 32414 - GDM Network Discovery
# Tautulli and Ombi will also be reverse proxied, presumably
networking.firewall = {
allowedTCPPorts = [8324 32469];
allowedUDPPorts = [1900 5353 32410 32412 32413 32414];
};
}
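Review bot: `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` open 8324, 32469, 1900, 5353 and the GDM ports on every interface, although DLNA, SSDP and GDM are LAN discovery protocols and the Plex DLNA server does not authenticate clients. If the host has any interface besides the home LAN, scope the rule per interface with `networking.firewall.interfaces.<lan-if>.allowedTCPPorts = [8324 32469];` and the matching `allowedUDPPorts`, where `<lan-if>` is a placeholder for the LAN interface name. The port comment would also read better directly above the firewall block it explains, with the sentence about Tautulli and Ombi moved out, since it is not about ports.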


@ -1,11 +1,17 @@
{ config, pkgs, ... }: {
{
config,
pkgs,
...
}: {
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
ensureDatabases = ["hass"];
ensureUsers = [{
ensureUsers = [
{
name = "hass";
ensureDBOwnership = true;
}];
}
];
};
}

13
nixos/radarr.nix Normal file

@ -0,0 +1,13 @@
_: {
services = {
radarr = {
enable = true;
};
nginx.virtualHosts."radarr.gensokyo.zone" = {
enableACME = true;
locations."/".proxyPass = "http://localhost:7878";
};
};
# Port 7878
}

14
nixos/sonarr.nix Normal file

@ -0,0 +1,14 @@
_: {
services = {
sonarr = {
enable = true;
};
nginx.virtualHosts."sonarr.gensokyo.zone" = {
enableACME = true;
locations."/".proxyPass = "http://localhost:8989";
};
};
# Port 8989
}

13
nixos/tautuli.nix Normal file

@ -0,0 +1,13 @@
{config, ...}: {
services = {
tautulli = {
enable = true;
port = 8181;
};
nginx.virtualHosts."tautuli.gensokyo.zone" = {
enableACME = true;
locations."/".proxyPass = "http://localhost:${toString config.services.tautulli.port}";
};
};
}
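Review bot: The vhost name `tautuli.gensokyo.zone` is spelled with one `l` while the service option on the line above is `services.tautulli`. If the DNS record uses the product's spelling, the ACME order for this name will fail and requests for the real hostname will not match this vhost. Either confirm the record really is `tautuli` or rename the vhost to `nginx.virtualHosts."tautulli.gensokyo.zone"`. The file name nixos/tautuli.nix and the `nixos.tautuli` import use the same spelling, so they would be renamed together.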


@ -0,0 +1,31 @@
{
meta,
lib,
...
}: {
imports = with meta; [
nixos.reisen-ct
nixos.sops
nixos.tailscale
nixos.nginx
nixos.acme
nixos.cloudflared
/*
# media
nixos.plex
nixos.tautuli
nixos.ombi
# yarr harr fiddle dee dee >w<
nixos.radarr
nixos.sonarr
nixos.bazarr
nixos.jackett
*/
];
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "21.05";
}
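Review bot: `system.stateVersion = "21.05"` on a host that this commit first introduces looks copied from an older system. The value should be the NixOS release the machine was first installed with, because modules use it to pick defaults for stateful services. If mediabox was installed from a current release, set it to that release (`system.stateVersion = "<install-release>";`, placeholder) before the commented-out media modules are enabled. `lib` is bound in the argument set but unused in the visible lines.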


@ -0,0 +1,57 @@
tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYVd6VExuZG1oWGNMbWlF
MVZaNnRXSmJlSG5jT1pZa3M5Zk9uN2lYSENNCm1hZ0NqMXNJcjY4Y1MxblNaWm9z
VE5SNVBZNG1RZU9EZ1RwVFFhNnFJN0kKLS0tIHJJM3ZNZEp5NC9lckpEYm9qaFdh
aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM
ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-11T22:46:33Z"
mac: ENC[AES256_GCM,data:lfx0h0sXAM7o5ig7NoqLUNY62B9vxZj2cWMHtfXbCfDIXUt72ybfbjuT0RE9YPnVyzKtVcLzbJwq1ls3LoPLohAAYsqH2C2Qpi3M5sf3vaVHheXAAdcn2ivk9i/PyfiXX8NBkVun2VJp6t7EZs76Xxwznt6vHzjXOZbMeV9wpC8=,iv:wd68KvHD8p2Qe+qfXlQmoIB+wW6GQErKKlsCxt9UflI=,tag:bBkX/j3NE5HQ/J/Yc/FrtA==,type:str]
pgp:
- created_at: "2024-01-11T22:30:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ/+No0QH0UAsfEg6M/yLbUhS/HjfjrY9R7LsExUTUFDIaMw
7rX6bGFgiEgiz3RAzAGQlZLZ6+/K3DmHPooyPZ8Az1U24ShWE06rgk7OFcdzVcDE
FvWbli5C/h1hnVn7ZPMPsdqnT+1TfiLU4s5+d+Zf8gHXra/MFjvobWQQqcKruWWF
0RirORKHsYIXcfuWlB8xchc+L2sHBJCpacsOKAVf9K7nRAoa/BLowKhd22ao24+6
V7kENJJgR+ipWG9PL5XxVCQ/vgY7BX+VAZs4eCG3K5AMP53xp6E9wnhvtQdGHZ/g
PCrZNEUiGDYsZJeS2xrV15xBVxuag3lBN+ibuFJPH7q/sd0Me0BYdgtOAFHuyZUW
J4czHN9PQaK4B1pEwePKWVXIpl3/os6+x7C76IzDvxkNGpcJhbktXcNuqZ+koUWI
obTleAzfV/Pm6v1II1J/2DWHuPymYUQmIi0v5JLsGqnx8+0k/Om68cxUsggxkIKp
bQxV9C2fH5DTwBpV7ZrntXZVulfWXRUfRZYmoqeDwvGn42VrXvZRb908kZbefYsL
jUOsXmCddYHR3wlA/PHi2t1+C5X730X0weAuaQ+WJftHSDqk6dvnBVgM0piqjvQC
1svaYup1KZJeKsmnsmV7fUlQrIUKPNRCYySvx/2+ZeMANfdLs6h1jVZ3rfdHso3S
XgG5+oGkXvWMvQ1ng85pUPURi/BzGKBiJ5xgDmpzjX3Yu4uhkIJsXfakIH4WQf0Z
/a3Uc6G9CJf+KEjjPMW8PC2+EB3iqGrJb1D6OmtZK5HliCvV6rr3QxbfHvKVGOE=
=cz4W
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-01-11T22:30:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQf/RRUXU3qJRsa5SXHIvmYrkO+gO7Gp/DpyXOVqoYbzFFhL
VMt3R8S6nnktxBvvTRcWQUT7/Ceg3f3ic2THOpWmgC26kDIHfEaCpcCFj0Oz4Plb
Y8ZjA59snO1siMmIQaiPl2N0iomrlpS8O1ls1y8457+iejSSOWwodYTYssDJVVy9
IM0R2PFc0VVJ4kmX08nFDTDhrvmNZWYKZs7LZlU9aJ39U4Ppp4AWnsgPeoyUleIy
/2WJ0q66WjEAgC/6tBXb4kiOwrptJoGjytiTI4SmmoVCwl081FbMzrqw7ncI0eA1
ahPKQ6YLtYnhCBbKT7zoK1n/PmycdabasbN8R8SY+dJeAUOjdysynp5wJLnj4KgJ
Tu3ISQ5RWKn0UCEkBjmsOe9nryUoWQ0ZHPbLMYLrgOCHyMS1cDhmd6f6NgdURgC4
3UcHXy5yJkW2p8MOX/4IJ46j1XeoPSGrFowGzkPK6A==
=2qKs
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -3,8 +3,7 @@
lib,
...
}: {
imports = with meta;
[
imports = with meta; [
nixos.reisen-ct
nixos.sops
nixos.tailscale