From cd7518be45a583ea1ed2d783127465cb71288ee8 Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Thu, 11 Jan 2024 22:01:18 -0800 Subject: [PATCH] Finished setup --- nixos/acme.nix | 8 ------- nixos/bazarr.nix | 1 - nixos/cloudflared.nix | 6 ++++- nixos/jackett.nix | 1 - nixos/ombi.nix | 1 - nixos/plex.nix | 23 +++++++++++++++++-- nixos/radarr.nix | 1 - nixos/sonarr.nix | 1 - nixos/tailscale.nix | 35 +++++++++++++++-------------- nixos/{tautuli.nix => tautulli.nix} | 3 +-- systems/mediabox/nixos.nix | 31 ++++++++++++++++++++----- systems/mediabox/secrets.yaml | 5 +++-- systems/tewi/cloudflared.nix | 6 ++++- 13 files changed, 78 insertions(+), 44 deletions(-) delete mode 100644 nixos/acme.nix rename nixos/{tautuli.nix => tautulli.nix} (72%) diff --git a/nixos/acme.nix b/nixos/acme.nix deleted file mode 100644 index 300c9856..00000000 --- a/nixos/acme.nix +++ /dev/null @@ -1,8 +0,0 @@ -_: { - security.acme = { - acceptTerms = true; - defaults = { - email = "acme@gensokyo.zone"; - }; - }; -} diff --git a/nixos/bazarr.nix b/nixos/bazarr.nix index bc7409ec..97a9528b 100644 --- a/nixos/bazarr.nix +++ b/nixos/bazarr.nix @@ -6,7 +6,6 @@ }; nginx.virtualHosts."bazarr.gensokyo.zone" = { - enableACME = true; locations."/".proxyPass = "http://localhost:${toString config.services.bazarr.listenPort}"; }; }; diff --git a/nixos/cloudflared.nix b/nixos/cloudflared.nix index daf5e06a..db03d599 100644 --- a/nixos/cloudflared.nix +++ b/nixos/cloudflared.nix @@ -1,4 +1,8 @@ -{ config, lib, ... }: let +{ + config, + lib, + ... +}: let inherit (lib.modules) mkDefault; in { config.services.cloudflared.enable = mkDefault true; diff --git a/nixos/jackett.nix b/nixos/jackett.nix index a5f7c944..ddc1ebb7 100644 --- a/nixos/jackett.nix +++ b/nixos/jackett.nix @@ -4,7 +4,6 @@ _: { enable = true; }; nginx.virtualHosts."jackett.gensokyo.zone" = { - enableACME = true; locations."/".proxyPass = "http://localhost:9117/"; }; }; diff --git a/nixos/ombi.nix b/nixos/ombi.nix index eac36e56..09b6d8bf 100644 
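Review bot: Dropping `enableACME = true` here (and in the jackett, ombi, radarr, sonarr and tautulli hunks) leaves each nginx vhost serving plain HTTP with no `forceSSL`, and nothing in the commit takes over the TLS termination that the deleted nixos/acme.nix provided. If the intent is that the cloudflared tunnel now terminates TLS, note that the ingress added in systems/mediabox/nixos.nix targets the application ports directly, so these nginx vhosts are no longer on the request path at all. Either point the tunnel ingress at nginx so the per-service proxy settings still apply, or leave a comment on the vhost stating why it stays, e.g. `# TLS is terminated by the cloudflared tunnel; this vhost is reached only over the local network`. The enclosing module attribute set starts before this hunk.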
--- a/nixos/ombi.nix +++ b/nixos/ombi.nix @@ -5,7 +5,6 @@ port = 5000; }; nginx.virtualHosts."ombi.gensokyo.zone" = { - enableACME = true; locations."/".proxyPass = "http://localhost:${toString config.services.ombi.port}"; }; }; diff --git a/nixos/plex.nix b/nixos/plex.nix index 0d28b1b5..83a4cc9b 100644 --- a/nixos/plex.nix +++ b/nixos/plex.nix @@ -4,7 +4,26 @@ _: { enable = true; }; nginx.virtualHosts."plex.gensokyo.zone" = { - enableACME = true; + extraConfig = '' + # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause + send_timeout 100m; + # Plex headers + proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; + proxy_set_header X-Plex-Device $http_x_plex_device; + proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; + proxy_set_header X-Plex-Platform $http_x_plex_platform; + proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; + proxy_set_header X-Plex-Product $http_x_plex_product; + proxy_set_header X-Plex-Token $http_x_plex_token; + proxy_set_header X-Plex-Version $http_x_plex_version; + proxy_set_header X-Plex-Nocache $http_x_plex_nocache; + proxy_set_header X-Plex-Provides $http_x_plex_provides; + proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; + proxy_set_header X-Plex-Model $http_x_plex_model; + # Buffering off send to the client as soon as the data is received from Plex. + proxy_redirect off; + proxy_buffering off; + ''; locations."/".proxyPass = "http://localhost:32400"; }; }; @@ -23,7 +42,7 @@ _: { # Tautulli and Ombi will also be reverse proxied, presumably networking.firewall = { - allowedTCPPorts = [8324 32469]; + allowedTCPPorts = [32400 8324 32469 8181 5000]; allowedUDPPorts = [1900 5353 32410 32412 32413 32414]; }; } diff --git a/nixos/radarr.nix b/nixos/radarr.nix index 68218ed4..a5eda25d 100644 --- a/nixos/radarr.nix +++ b/nixos/radarr.nix 
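Review bot: The new `extraConfig` carries the Plex headers and timeouts but the location still lacks the websocket upgrade that the Plex web client uses, so `/:/websockets/notifications` requests will not upgrade through nginx; replace `locations."/".proxyPass = "http://localhost:32400";` with `locations."/" = { proxyPass = "http://localhost:32400"; proxyWebsockets = true; };`. The comment `# Buffering off send to the client as soon as the data is received from Plex.` reads better as `# Buffering off: send to the client as soon as data is received from Plex.`. Forwarding `X-Plex-Token` is required for Plex to authenticate the client, so it is correct to keep it. The enclosing `nginx.virtualHosts` attribute set starts before this hunk.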
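Review bot: `allowedTCPPorts = [32400 8324 32469 8181 5000];` now opens Tautulli (8181) and Ombi (5000) on every interface, which contradicts the comment two lines above saying they will be reverse proxied, and with the cloudflared tunnel reaching the services over localhost none of the added ports is needed for the tunnel. If LAN access to Plex itself is required, keep only 32400 and leave 8181/5000 closed. These two ports also belong to other modules; if they must be opened, do it in tautulli.nix and ombi.nix as `config.services.tautulli.port` and `config.services.ombi.port` so the firewall cannot drift from the service configuration.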
@@ -4,7 +4,6 @@ _: { enable = true; }; nginx.virtualHosts."radarr.gensokyo.zone" = { - enableACME = true; locations."/".proxyPass = "http://localhost:7878"; }; }; diff --git a/nixos/sonarr.nix b/nixos/sonarr.nix index 1c8830a1..2db3f4a4 100644 --- a/nixos/sonarr.nix +++ b/nixos/sonarr.nix @@ -5,7 +5,6 @@ _: { }; nginx.virtualHosts."sonarr.gensokyo.zone" = { - enableACME = true; locations."/".proxyPass = "http://localhost:8989"; }; }; diff --git a/nixos/tailscale.nix b/nixos/tailscale.nix index 401df743..94a0af61 100644 --- a/nixos/tailscale.nix +++ b/nixos/tailscale.nix @@ -27,14 +27,14 @@ in { services.tailscale.enable = mkDefault true; - sops.secrets.tailscale-key = mkIf config.services.tailscale.enable { }; + sops.secrets.tailscale-key = mkIf config.services.tailscale.enable {}; systemd.services.tailscale-autoconnect = mkIf config.services.tailscale.enable rec { description = "Automatic connection to Tailscale"; # make sure tailscale is running before trying to connect to tailscale after = wants ++ wantedBy; - wants = [ "network-pre.target" ]; - wantedBy = [ "tailscaled.service" ]; + wants = ["network-pre.target"]; + wantedBy = ["tailscaled.service"]; # set this service as a oneshot job serviceConfig = { 
@@ -44,25 +44,26 @@ in { # have the job run this shell script script = let fixResolved = optionalString config.services.resolved.enable '' - resolvectl revert ${config.services.tailscale.interfaceName} || false + resolvectl revert ${config.services.tailscale.interfaceName} || true ''; advertiseExitNode = optionalString cfg.advertiseExitNode " --advertise-exit-node"; - in with pkgs; '' - # wait for tailscaled to settle - sleep 5 + in + with pkgs; '' + # wait for tailscaled to settle + sleep 5 - ${fixResolved} + ${fixResolved} - # check if we are already authenticated to tailscale - status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)" - if [[ $status = Running ]]; then - # if so, then do nothing - exit 0 - fi + # check if we are already authenticated to tailscale + status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)" + if [[ $status = Running ]]; then + # if so, then do nothing + exit 0 + fi - # otherwise authenticate with tailscale - ${getExe tailscale} up${advertiseExitNode} -authkey $(cat ${config.sops.secrets.tailscale-key.path}) - ''; + # otherwise authenticate with tailscale + ${getExe tailscale} up${advertiseExitNode} -authkey $(cat ${config.sops.secrets.tailscale-key.path}) + ''; }; }; } diff --git a/nixos/tautuli.nix b/nixos/tautulli.nix similarity index 72% rename from nixos/tautuli.nix rename to nixos/tautulli.nix index f87935fe..423e1485 100644 --- a/nixos/tautuli.nix +++ b/nixos/tautulli.nix @@ -5,8 +5,7 @@ port = 8181; }; - nginx.virtualHosts."tautuli.gensokyo.zone" = { - enableACME = true; + nginx.virtualHosts."tautulli.gensokyo.zone" = { locations."/".proxyPass = "http://localhost:${toString config.services.tautulli.port}"; }; }; diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix index ac80f0e5..556abde9 100644 --- a/systems/mediabox/nixos.nix +++ b/systems/mediabox/nixos.nix @@ -1,4 +1,5 @@ { + config, meta, lib, ... 
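Review bot: The auth key is still handed to `tailscale up` as a command-line argument via `-authkey $(cat ${config.sops.secrets.tailscale-key.path})`, which exposes the secret in the process list for the duration of the call even though it is carefully stored via sops. Tailscale accepts a file reference instead, so the line can become `${getExe tailscale} up${advertiseExitNode} --auth-key=file:${config.sops.secrets.tailscale-key.path}`, and the secret never leaves the sops-managed path; the unquoted command substitution also goes away. The `|| true` change on the `resolvectl revert` line is a good fix, since a failed revert previously aborted the whole script under `set -e`. The enclosing `systemd.services.tailscale-autoconnect` definition starts before this hunk.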
@@ -6,15 +7,12 @@ imports = with meta; [ nixos.reisen-ct nixos.sops - nixos.tailscale nixos.nginx - nixos.acme nixos.cloudflared - /* - # media + # media nixos.plex - nixos.tautuli + nixos.tautulli nixos.ombi # yarr harr fiddle dee dee >w< @@ -22,9 +20,30 @@ nixos.sonarr nixos.bazarr nixos.jackett - */ ]; + sops.secrets.cloudflare_mediabox_tunnel = { + owner = config.services.cloudflared.user; + }; + + services.cloudflared = let + tunnelId = "9295ed6e-4743-45c1-83b1-6c252ae5580a"; + in { + tunnels.${tunnelId} = { + default = "http_status:404"; + credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path; + ingress = { + "plex.gensokyo.zone".service = "http://localhost:32400"; + "tautuli.gensokyo.zone".service = "http://localhost:8181"; + "ombi.gensokyo.zone".service = "http://localhost:3579"; + "sonarr.gensokyo.zone".service = "http://localhost:8989"; + "radarr.gensokyo.zone".service = "http://localhost:7878"; + "bazarr.gensokyo.zone".service = "http://localhost:6767"; + "jackett.gensokyo.zone".service = "http://localhost:9117"; + }; + }; + }; + sops.defaultSopsFile = ./secrets.yaml; system.stateVersion = "21.05"; diff --git a/systems/mediabox/secrets.yaml b/systems/mediabox/secrets.yaml index f33b5544..55c3a6a6 100644 --- a/systems/mediabox/secrets.yaml +++ b/systems/mediabox/secrets.yaml @@ -1,4 +1,5 @@ tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str] +cloudflare_mediabox_tunnel: ENC[AES256_GCM,data:8evCY9lil+SYHTfaHOj8ULYFAX9Q5HHj/caZtfEsG30UiLZCThLWAXUA0FmKgIr8TNAz1tt9ySAaoUyDUFs6leV+FNqUv6fsJGKXQ039+s5YiGZzbKpG6EltDjJ8DYLl8JXuxMxOCsbbAsuhCmzUC8T2jbduxrb1f+nu7e7W6c+j8/5+ujH+Bk3mcd65s5/29Z6bwRhHjCwLDqNwnsI84FOIf8O9JrVXbfWmL33/plxo/xVwo7muffHFPFah8zIMNglg+teM,iv:YBRiJ2WzXsntH13Jv9o8XaNe12hS+VyKjAsbBc3o0EQ=,tag:hLywh0v+SfPkE7p+PLQItw==,type:str] sops: shamir_threshold: 1 kms: [] 
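Review bot: `nixos.tailscale` is removed from the imports while `tailscale-key` stays in systems/mediabox/secrets.yaml in the same commit, so that secret is now declared by no module and is stale on this host; either drop it from secrets.yaml or add a comment recording that it is kept for a later re-enable. If Tailscale was the administrative path to this machine, confirm that another one exists before this lands, since the tunnel only exposes the ingress hostnames.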
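Review bot: The Ombi ingress does not match the service it proxies: ombi.nix sets `port = 5000;` (visible as context in the ombi hunk) while this hunk sends `"ombi.gensokyo.zone".service = "http://localhost:3579";`, so that hostname will fail to connect; it should be `"ombi.gensokyo.zone".service = "http://localhost:${toString config.services.ombi.port}";`. Likewise `"tautuli.gensokyo.zone"` keeps the misspelling the rest of the commit renames to `tautulli`, so the tunnel hostname and the nginx vhost now disagree. Because every ingress entry targets the application port directly, the nginx vhosts (including the Plex headers and timeouts added in plex.nix) never see tunnel traffic; pointing the ingress at nginx instead would keep one proxy configuration. Unless a Cloudflare Access policy outside this repository guards these hostnames, the sonarr, radarr, bazarr and jackett admin UIs are published to the internet with only their own application login, which is worth recording in a comment next to `ingress`.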
@@ -15,8 +16,8 @@ sops: aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-11T22:46:33Z" - mac: ENC[AES256_GCM,data:lfx0h0sXAM7o5ig7NoqLUNY62B9vxZj2cWMHtfXbCfDIXUt72ybfbjuT0RE9YPnVyzKtVcLzbJwq1ls3LoPLohAAYsqH2C2Qpi3M5sf3vaVHheXAAdcn2ivk9i/PyfiXX8NBkVun2VJp6t7EZs76Xxwznt6vHzjXOZbMeV9wpC8=,iv:wd68KvHD8p2Qe+qfXlQmoIB+wW6GQErKKlsCxt9UflI=,tag:bBkX/j3NE5HQ/J/Yc/FrtA==,type:str] + lastmodified: "2024-01-12T05:09:30Z" + mac: ENC[AES256_GCM,data:WBT09CBeXUGOPP7OeJHPOEXVjP39jY+XyvDBniHlWOUFsHQn8N9wCRQ9OfJflw5CHmpxRlQvlzROhEoXvx4dgrEzDB0s6tkoTPkXAsMvTZAJVPl99XcOtmAodzAtn6ejsVnKp5f5EGKEubENsK1RvgzKS4oUoA18l8cAgvnq3kQ=,iv:XM54p8iSKzUNUSUbvanhYtjVrfTTWO3Wjyxnw8UFQ+k=,tag:2kPmBVFBoowqfymQCHAFvQ==,type:str] pgp: - created_at: "2024-01-11T22:30:58Z" enc: |- diff --git a/systems/tewi/cloudflared.nix b/systems/tewi/cloudflared.nix index 2951240f..00b3a32f 100644 --- a/systems/tewi/cloudflared.nix +++ b/systems/tewi/cloudflared.nix @@ -1,4 +1,8 @@ -{ config, lib, ... }: let +{ + config, + lib, + ... +}: let inherit (config) services; apartment = "131222b0-9db0-4168-96f5-7d45ec51c3be"; in {