diff --git a/hosts/architect/calibre.nix b/hosts/architect/calibre.nix
deleted file mode 100644
index bd5fdd5..0000000
--- a/hosts/architect/calibre.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ config, lib, ... }:
-
-let
- domain = "books.giugl.io";
- auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
-
- utilities = import ./utilities.nix { inherit lib config; };
- inherit (utilities) architectInterfaceAddress;
-in
-{
- services = {
- calibre-web = {
- enable = true;
- group = "media";
- options = {
- enableBookConversion = true;
- enableBookUploading = true;
- };
- };
-
- nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:8083";
- extraConfig = ''
- client_max_body_size 500M;
- '' + auth_block { access_role = "calibre"; };
- };
- };
- };
-
- networking.extraHosts = ''
- ${architectInterfaceAddress "lan"} ${domain}
- ${architectInterfaceAddress "tailscale"} ${domain}
- '';
-
- users.groups.media.members = [ "calibre-web" ];
-}
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 1a755bc..e2d9f49 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -19,7 +19,6 @@ in
 ./tailscale.nix
 ./sunshine.nix
 ./postgres.nix
- ./netdata.nix
 ./searx.nix
 ];
diff --git a/hosts/architect/librephotos.nix b/hosts/architect/librephotos.nix
deleted file mode 100644
index 82d933e..0000000
--- a/hosts/architect/librephotos.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ config, lib, ... }:
-
-let
- domain = "photos.giugl.io";
- backendPort = 8001;
- frontendPort = 3000;
-in
-{
- architect.vhost.${domain} = {
- dnsInterfaces = [ "tailscale" ];
-
- locations."/" = {
- host = "172.17.0.1";
- port = frontendPort;
- # allowLan = true;
- # allow = [ config.architect.networks."tailscale".net ];
- };
-
- locations."~ ^/(api|media)/" = {
- host = "172.17.0.1";
- port = backendPort;
- # allowLan = true;
- # allow = [ config.architect.networks."tailscale".net ];
- };
-
- locations."/ws" = {
- host = "172.17.0.1";
- port = backendPort;
- proxyWebsockets = true;
- # allowLan = true;
- # allow = [ config.architect.networks."tailscale".net ];
- };
- };
-
- services.redis.servers."librephotos" = {
- enable = true;
- port = 1233;
- bind = "172.17.0.1";
- extraParams = [ "--protected-mode no" ];
- };
-
- virtualisation.oci-containers = {
- containers = {
- librephotos-front = {
- image = "reallibrephotos/librephotos-frontend:latest";
- autoStart = true;
- ports = [
- "172.17.0.1:${toString frontendPort}:${toString frontendPort}"
- ];
- };
-
- librephotos-back = {
- image = "reallibrephotos/librephotos:latest";
- autoStart = true;
-
- ports = [
- "172.17.0.1:${toString backendPort}:${toString backendPort}"
- ];
-
- environment = {
- SECRET_KEY = "LOLOL";
- BACKEND_HOST = domain;
- ADMIN_EMAIL = "me@giugl.io";
- ADMIN_USERNAME = "giulio";
- ADMIN_PASSWORD = "giulio";
- ALLOWED_HOSTS = domain;
- DB_BACKEND = "mysql";
- DB_NAME = "librephotos";
- DB_USER = "librephotos";
- DB_PASS = "librephotos";
- DB_HOST = "172.17.0.1";
- DB_PORT = toString config.services.mysql.settings.mysqld.port;
- REDIS_HOST = "172.17.0.1";
- REDIS_PORT = toString config.services.redis.servers."librephotos".port;
- MAPBOX_API_KEY = "SOME_KEY";
- WEB_CONCURRENCY = "24";
- DEBUG = "0";
- };
- };
- };
- };
-}
diff --git a/hosts/architect/netdata.nix b/hosts/architect/netdata.nix
deleted file mode 100644
index abf2d25..0000000
--- a/hosts/architect/netdata.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- domain = "monitor.giugl.io";
-in
-{
- services.netdata = {
- enable = true;
- package = pkgs.unstablePkgs.netdata;
- config = {
- db.mode = "dbengine";
- };
- };
-
- architect.vhost.${domain} = with config.architect.networks; {
- dnsInterfaces = [ "tailscale" "lan" ];
-
- locations."/" = {
- port = 19999;
- allowLan = true;
- allow = [
- tailscale.net
- ];
- };
- };
-}
diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix
deleted file mode 100644
index 4c6326b..0000000
--- a/hosts/architect/openid.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ lib }:
-
-{
- openresty_oidc_block =
- { access_role ? "", whitelisted_ips ? [ ] }: ''
-
- '';
- # access_by_lua_block {
- # local opts = {
- # discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
- # client_id = "nginx",
- # client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
- # logout_path = "/logout",
- # redirect_after_logout_uri = "/",
- # redirect_uri = "/redirect_uri",
- # keepalive = "yes",
- # accept_none_alg = true,
- # revoke_tokens_on_logout = true,
- # -- access token valid for a day
- # access_token_expires_in = 86400
- # }
-
- # ${lib.optionalString (whitelisted_ips != []) ''
- # local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
-
- # if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
- # return
- # end
- # ''}
-
- # -- call introspect for OAuth 2.0 Bearer Access Token validation
- # local res, err = require("resty.openidc").authenticate(opts)
-
- # if err then
- # ngx.status = 403
- # ngx.say(err)
- # ngx.exit(ngx.HTTP_FORBIDDEN)
- # end
-
- # ${lib.optionalString (access_role != "") ''
- # if not check_role(res, "${access_role}") then
- # ngx.status = 401
- # ngx.header.content_type = 'text/html';
- # ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
- # ngx.exit(ngx.HTTP_UNAUTHORIZED)
- # end
- # ''}
- # }
- # '';
-}
diff --git a/hosts/architect/photoprism.nix b/hosts/architect/photoprism.nix
deleted file mode 100644
index 0737bc4..0000000
--- a/hosts/architect/photoprism.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- domain = "photos.giugl.io";
-in
-{
- services.photoprism = {
- enable = true;
- package = pkgs.unstablePkgs.photoprism;
- originalsPath = "/var/lib/private/photoprism/originals";
- address = "0.0.0.0";
- settings = {
- PHOTOPRISM_DEFAULT_LOCALE = "en";
- PHOTOPRISM_DATABASE_DRIVER = "mysql";
- PHOTOPRISM_DATABASE_NAME = "photoprism";
- PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
- PHOTOPRISM_DATABASE_USER = "photoprism";
- PHOTOPRISM_SITE_URL = "https://${domain}";
- PHOTOPRISM_SITE_TITLE = "PePrism";
- PHOTOPRISM_FFMPEG_ENCODER = "nvidia";
- PHOTOPRISM_INIT = "tensorflow";
- NVIDIA_VISIBLE_DEVICES = "all";
- NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility";
- PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg";
- };
- };
-
- architect.vhost.${domain} = {
- dnsInterfaces = [ "tailscale" "lan" ];
- locations."/" = {
- port = config.services.photoprism.port;
- allowLan = true;
- allow = [ config.architect.networks."tailscale".net ];
- proxyWebsockets = true;
- };
- };
-}
diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix
deleted file mode 100644
index ce6068a..0000000
--- a/hosts/architect/prosody.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, config, ... }:
-
-let
- domain = "xmpp.giugl.io";
- conference_domain = "conference.${domain}";
- upload_domain = "uploads.${domain}";
-
- utilities = import ./utilities.nix { inherit lib config; };
- inherit (utilities) architectInterfaceAddress;
-in
-{
- architect.firewall = {
- openTCP = [ 5222 5269 ];
- };
-
- services = {
- prosody = {
- enable = true;
- virtualHosts.${domain} = {
- inherit domain;
-
- enabled = true;
- ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
- ssl.cert =
- "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
- };
-
- muc = [{ domain = conference_domain; }];
- uploadHttp = { domain = upload_domain; };
-
- admins = [ "giulio@${domain}" ];
- #httpInterfaces = [ "wg0" ];
- #httpsInterfaces = [ "wg0" ];
- };
-
- nginx.virtualHosts = {
- "${domain}" = {
- enableACME = true;
- forceSSL = true;
- };
- # "${conference_domain}".enableACME = true;
- # "${upload_domain}".enableACME = true;
- };
- };
-
- networking.extraHosts = ''
- ${architectInterfaceAddress "lan"} ${domain}
- ${architectInterfaceAddress "tailscale"} ${domain}
- '';
-
- users.groups = {
- acme.members = [ "prosody" ];
- nginx.members = [ "prosody" ];
- };
-}
diff --git a/hosts/architect/runas.nix b/hosts/architect/runas.nix
deleted file mode 100644
index 4070ec4..0000000
--- a/hosts/architect/runas.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- domain = "runas.rocks";
- runas_root = "/var/lib/runas.rocks/dist";
- service_name = "runas.rocks-pull";
- mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
- set -euo pipefail
- cd ${runas_root}
- git pull origin main --rebase
- '';
-
- utilities = import ./utilities.nix { inherit lib config; };
- inherit (utilities) architectInterfaceAddress;
-in
-{
- services.nginx.virtualHosts.${domain} = {
- enableACME = true;
- forceSSL = true;
-
- locations."/".root = runas_root;
-
- locations."/.git" = { return = "404"; };
- };
-
- systemd = {
- services.${service_name} = {
- path = [ pkgs.git ];
- enable = true;
- serviceConfig = {
- Type = "oneshot";
- ExecStart = mkStartScript "${service_name}";
- };
- };
- timers.${service_name} = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "hourly";
- Unit = "${service_name}.service";
- };
- };
- };
-
- networking.extraHosts = ''
- ${architectInterfaceAddress "lan"} ${domain}
- ${architectInterfaceAddress "tailscale"} ${domain}
- '';
-}
diff --git a/hosts/architect/teslamate.nix b/hosts/architect/teslamate.nix
deleted file mode 100644
index 684b746..0000000
--- a/hosts/architect/teslamate.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ config, ... }:
-
-let
- domain = "tesla.giugl.io";
- teslamatePort = 11234;
- grafanaPort = 11334;
- allowLan = true;
- allowWAN = false;
-in
-{
- age.secrets.teslamate = {
- file = ../../secrets/teslamate.age;
- owner = "teslamate";
- };
-
- architect.vhost.${domain} = with config.architect.networks; {
- dnsInterfaces = [ "lan" "tailscale" ];
- locations = {
- "/" = {
- inherit allowLan allowWAN;
- port = teslamatePort;
- proxyWebsockets = true;
- allow = [
- tailscale.net
- ];
- };
- "/live/websocket" = {
- inherit allowLan allowWAN;
- port = teslamatePort;
- proxyWebsockets = true;
- allow = [
- tailscale.net
- ];
- };
- "/grafana" = {
- inherit allowLan allowWAN;
- port = grafanaPort;
- proxyWebsockets = true;
- allow = [
- tailscale.net
- ];
- };
- };
- };
-
- services.teslamate = {
- enable = true;
- port = teslamatePort;
-
- listenAddress = "127.0.0.1";
- secretsFile = config.age.secrets.teslamate.path;
- virtualHost = domain;
- postgres.enable_server = true;
- grafana = {
- enable = true;
- port = grafanaPort;
- listenAddress = "127.0.0.1";
- urlPath = "/grafana";
- };
- mqtt = {
- enable = true;
- };
- };
-}