From 7f512583e092dbe541d1fbcff8e1bff76b38b708 Mon Sep 17 00:00:00 2001
From: Jimbo
Date: Tue, 29 Oct 2024 01:07:07 -0400
Subject: [PATCH] Separate some more files and extrapolate more non-secrets

---
 .../networking/wireguard/pc/default.nix | 4 +-
 .../networking/wireguard/server/default.nix | 12 +--
 .../fileserver/public/nextcloud/default.nix | 64 ++++++-------
 .../public/nextcloud/nginx/default.nix | 18 ++++
 .../fileserver/public/photoprism/default.nix | 4 +
 .../public/photoprism/nginx/default.nix | 11 +++
 .../services/server/icecast/default.nix | 82 ++++++------
 .../server/icecast/liquidsoap/default.nix | 30 +++++++
 variables/secrets/default.nix | Bin 2237 -> 2039 bytes
 9 files changed, 122 insertions(+), 103 deletions(-)
 create mode 100644 modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix
 create mode 100644 modules/system/services/server/fileserver/public/photoprism/nginx/default.nix
 create mode 100644 modules/system/services/server/icecast/liquidsoap/default.nix

diff --git a/modules/system/devices/networking/wireguard/pc/default.nix b/modules/system/devices/networking/wireguard/pc/default.nix
index 5a4e5310..f120f77c 100644
--- a/modules/system/devices/networking/wireguard/pc/default.nix
+++ b/modules/system/devices/networking/wireguard/pc/default.nix
@@ -11,9 +11,9 @@
 privateKey = config.secrets.wgClientPriv;
 peers = [
 {
- publicKey = config.secrets.wgServerPub;
+ publicKey = "qnOT/lXOJMaQgDUdXpyfGZB2IEyUouRje2m/bCe9ux8=";
 allowedIPs = [ "${config.ips.wgSpan}.0/24" ];
- endpoint = "sv.${config.secrets.jimDomain}:51820";
+ endpoint = "sv.${config.domains.jim1}:51820";
 persistentKeepalive = 25;
 }
 ];
diff --git a/modules/system/devices/networking/wireguard/server/default.nix b/modules/system/devices/networking/wireguard/server/default.nix
index 89ac7462..ec016054 100644
--- a/modules/system/devices/networking/wireguard/server/default.nix
+++ b/modules/system/devices/networking/wireguard/server/default.nix
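Review bot: The server public key on the `+ publicKey` line is now an inline literal, while the rest of this commit moves non-secret values into shared sets such as `config.domains` and `config.ips`; defining it once beside those (a new option along the lines of `config.wireguard.serverPub`, name illustrative) and writing `publicKey = config.wireguard.serverPub;` here keeps a future key rotation to a single edit and keeps this module free of magic strings. Committing a WireGuard public key in clear is fine; the private key still comes from `config.secrets.wgClientPriv`. The enclosing interface definition starts and ends outside this hunk.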
@@ -17,14 +17,14 @@
 listenPort = 51820;
 privateKey = config.secrets.wgServerPriv;
 peers = [
- { # Jimbo Pixel 9
- publicKey = config.secrets.wgPixel9Pub;
- allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
- }
- { # General Nix
- publicKey = config.secrets.wgClientPub;
+ { # NixOS
+ publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
 allowedIPs = [ "${config.ips.wgSpan}.16/28" ];
 }
+ { # Pixel 9
+ publicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
+ allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
+ }
 ];
 };
 };
diff --git a/modules/system/services/server/fileserver/public/nextcloud/default.nix b/modules/system/services/server/fileserver/public/nextcloud/default.nix
index 7c2129ea..c50d2f92 100644
--- a/modules/system/services/server/fileserver/public/nextcloud/default.nix
+++ b/modules/system/services/server/fileserver/public/nextcloud/default.nix
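Review bot: The `NixOS` peer is given `${config.ips.wgSpan}.16/28` for a single public key, and the pc module in this commit reads one `config.secrets.wgClientPriv`, which suggests several hosts share one key pair; if so, WireGuard keeps one endpoint per peer key, so two such hosts connected at once will keep displacing each other, and a key leaked from one host cannot be revoked without cutting off all of them. One peer block per device, each with its own key and a `/32` in `allowedIPs`, avoids both problems, with the `/28` becoming a pool you assign from. The hard-coded key literals would also sit better in the non-secret variables set next to `config.ips`, as noted on the pc hunk. The enclosing interface definition continues outside this hunk.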
@@ -1,45 +1,31 @@
 { pkgs, config, ... }:
 {
- services = {
- nextcloud = {
- enable = true;
- package = pkgs.nextcloud29;
- hostName = "cloud.${config.domains.jim1}";
- datadir = "/mnt/nextcloud";
- https = true;
- config = {
- adminuser = "jimbo";
- adminpassFile = "/mnt/nextcloud/password.txt";
- };
- settings = {
- trusted_proxies = [ "127.0.0.1" ];
- trusted_domains = [ "cloud.${config.domains.jim1}" ];
- overwriteprotocol = "https";
- mail_smtphost = "mx.${config.domains.jim1}";
- mail_domain = "${config.domains.jim1}";
- mail_from_address = "noreply";
- mail_smtpauth = "true";
- mail_smtpname = "noreply@${config.domains.jim1}";
- mail_smtppassword = config.secrets.noreplyPassword;
- mail_smtpmode = "smtp";
- mail_smtpport = 587;
- };
- };
+ imports = [
+ ./nginx
+ ];
 
- nginx.virtualHosts."cloud.${config.domains.jim1}" = {
- enableACME = true;
- addSSL = true;
- locations."/" = {
- proxyWebsockets = true;
- extraConfig = "
- location /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
- ";
- };
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud29;
+ hostName = "cloud.${config.domains.jim1}";
+ datadir = "/mnt/nextcloud";
+ https = true;
+ config = {
+ adminuser = "jimbo";
+ adminpassFile = "/mnt/nextcloud/password.txt";
+ };
+ settings = {
+ trusted_proxies = [ "127.0.0.1" ];
+ trusted_domains = [ "cloud.${config.domains.jim1}" ];
+ overwriteprotocol = "https";
+ mail_smtphost = "mx.${config.domains.jim1}";
+ mail_domain = "${config.domains.jim1}";
+ mail_from_address = "noreply";
+ mail_smtpauth = "true";
+ mail_smtpname = "noreply@${config.domains.jim1}";
+ mail_smtppassword = config.secrets.noreplyPassword;
+ mail_smtpmode = "smtp";
+ mail_smtpport = 587;
 };
 };
 }
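Review bot: `mail_smtppassword = config.secrets.noreplyPassword;` is interpolated into `services.nextcloud.settings`, which the NixOS module renders into a config file in the Nix store, so the SMTP password ends up world-readable on the host and in every copy of the closure; move it to `services.nextcloud.secretFile` (a root-readable JSON file outside the store, e.g. `secretFile = "<path-outside-store>/nextcloud-secrets.json";` containing `{"mail_smtppassword": "..."}`) and drop the setting here, which also matches the out-of-store pattern `adminpassFile` already follows. `mail_smtpauth = "true";` is a string where Nextcloud's config.php expects a boolean; `mail_smtpauth = true;` is the value the PHP side actually tests.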
diff --git a/modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix b/modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix
new file mode 100644
index 00000000..4350dfdd
--- /dev/null
+++ b/modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, config, ... }:
+{
+ services.nginx.virtualHosts."cloud.${config.domains.jim1}" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = "
+ location /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ ";
+ };
+ };
+}
diff --git a/modules/system/services/server/fileserver/public/photoprism/default.nix b/modules/system/services/server/fileserver/public/photoprism/default.nix
index 59b01efa..73683394 100644
--- a/modules/system/services/server/fileserver/public/photoprism/default.nix
+++ b/modules/system/services/server/fileserver/public/photoprism/default.nix
@@ -1,5 +1,9 @@
 { config, ... }:
 {
+ imports = [
+ ./nginx
+ ];
+
 services = {
 photoprism = {
 enable = true;
diff --git a/modules/system/services/server/fileserver/public/photoprism/nginx/default.nix b/modules/system/services/server/fileserver/public/photoprism/nginx/default.nix
new file mode 100644
index 00000000..169d9539
--- /dev/null
+++ b/modules/system/services/server/fileserver/public/photoprism/nginx/default.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ services.nginx.virtualHosts."gallery.${config.domains.jim1}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:2342";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/modules/system/services/server/icecast/default.nix b/modules/system/services/server/icecast/default.nix
index f2aff00d..61c64cc5 100644
--- a/modules/system/services/server/icecast/default.nix
+++ b/modules/system/services/server/icecast/default.nix
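Review bot: `addSSL = true;` keeps a plaintext listener for `cloud.${config.domains.jim1}` next to the HTTPS one, so a client that types the bare hostname will submit its Nextcloud login over HTTP; the photoprism vhost added in this same commit uses `forceSSL = true;`, and this file should too, since `services.nextcloud` is already configured with `https = true` and `overwriteprotocol = "https"`. The `locations."/"` block sets `proxyWebsockets` but no `proxyPass`, and as far as I recall the NixOS nextcloud module already declares the `/.well-known/carddav` and `/.well-known/caldav` redirects on the vhost it generates for `hostName`, so it is worth confirming this block is not a no-op duplicate before carrying it into the new file.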
@@ -2,64 +2,34 @@
 {
 imports = [
 ./nginx
+ ./liquidsoap
 ];
 
- services = {
- icecast = {
- enable = true;
- listen.port = 265;
- hostname = "icecast.${config.domains.jim1}";
- admin = {
- user = "jimbo";
- password = "${config.secrets.castAdminPass}";
- };
- extraConf = ''
-
- ${config.secrets.castSourcePass}
-
-
- Canada
- jimbo@${config.domains.jim2}
-
-
- /jimbops.opus
- JimBops Radio
- Music gathered by me, Jimbo.
- https://icecast.jimbosfiles.com/jimbops.opus
- Anything
- application/ogg
- vorbis
-
- '';
- };
-
- # The audio stream
- liquidsoap.streams = {
- jimbops = pkgs.writeText "liquidjim" ''
- settings.log.stdout.set(true)
- settings.init.allow_root.set(true)
- settings.scheduler.fast_queues.set(2)
- settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
-
- # Define the source with random playlist
- jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/"))
-
- # Ensure the stream never stops
- jimbops_fallback = fallback([jimbops, jimbops])
-
- # Output configuration to Icecast
- output.icecast(
- %ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
- host="127.0.0.1",
- port=265,
- password="${config.secrets.castSourcePass}",
- public=true,
- icy_metadata=["artist", "title"],
- mount="jimbops.opus",
- encoding = "UTF-8",
- jimbops_fallback
- )
- '';
+ services.icecast = {
+ enable = true;
+ listen.port = 265;
+ hostname = "icecast.${config.domains.jim1}";
+ admin = {
+ user = "jimbo";
+ password = "${config.secrets.castAdminPass}";
 };
+ extraConf = ''
+
+ ${config.secrets.castSourcePass}
+
+
+ Canada
+ jimbo@${config.domains.jim2}
+
+
+ /jimbops.opus
+ JimBops Radio
+ Music gathered by me, Jimbo.
+ https://icecast.jimbosfiles.com/jimbops.opus
+ Anything
+ application/ogg
+ vorbis
+
+ '';
 };
 }
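Review bot: `password = "${config.secrets.castAdminPass}";` and the `${config.secrets.castSourcePass}` line inside `extraConf` are both evaluated into the icecast configuration the NixOS module writes to the Nix store, so both passwords are readable by every local user and by anyone holding a copy of the system closure; the same applies to the new `liquidsoap/default.nix` hunk, whose script is built with `pkgs.writeText` and carries the source password too. Keeping the real values out of evaluation is the usual mitigation: leave a placeholder token in the generated files and substitute it from a root-only file in `systemd.services.icecast.preStart` (and the equivalent for the liquidsoap unit), or hand it in as a systemd credential. Separately, `https://icecast.jimbosfiles.com/jimbops.opus` is a literal while `hostname` is built from `config.domains.jim1`; if those are the same domain, the stream URL should use the same variable, which is what this commit's title is doing elsewhere.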
diff --git a/modules/system/services/server/icecast/liquidsoap/default.nix b/modules/system/services/server/icecast/liquidsoap/default.nix
new file mode 100644
index 00000000..de82af3d
--- /dev/null
+++ b/modules/system/services/server/icecast/liquidsoap/default.nix
@@ -0,0 +1,30 @@
+{ pkgs, config, ... }:
+{
+ services.liquidsoap.streams = {
+ jimbops = pkgs.writeText "liquidjim" ''
+ settings.log.stdout.set(true)
+ settings.init.allow_root.set(true)
+ settings.scheduler.fast_queues.set(2)
+ settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
+
+ # Define the source with random playlist
+ jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/"))
+
+ # Ensure the stream never stops
+ jimbops_fallback = fallback([jimbops, jimbops])
+
+ # Output configuration to Icecast
+ output.icecast(
+ %ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
+ host="127.0.0.1",
+ port=265,
+ password="${config.secrets.castSourcePass}",
+ public=true,
+ icy_metadata=["artist", "title"],
+ mount="jimbops.opus",
+ encoding = "UTF-8",
+ jimbops_fallback
+ )
+ '';
+ };
+}
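Review bot: `settings.init.allow_root.set(true)` tells Liquidsoap to carry on when started as root, which implies the stream's service unit runs unconfined as root while it decodes every file under `/export/JimboNFS/Music/` through ffmpeg; giving that unit a dedicated unprivileged user (`User=` or `DynamicUser=` in its `serviceConfig`, with read access to the music share) and dropping the `allow_root` line means a decoder bug in a malformed media file does not become root on the host. `fallback([jimbops, jimbops])` lists the same source twice, so it adds nothing beyond the `mksafe` wrapper already on `jimbops`; either a real fallback source or passing `jimbops` straight to `output.icecast` would be clearer. The source password embedded in this `writeText` script is covered in the note on the icecast hunk.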
diff --git a/variables/secrets/default.nix b/variables/secrets/default.nix index 7452a13fe40fa6f183e408f23ad2c563cc59859e..6febffcd9a35b52a0800b35e242951b55a0a3bef 100644 GIT binary patch literal 2039 zcmZQ@_Y83kiVO&0=wJ5ows*Ub!_rBuQU7+n`DmV9AtJ5yH+128x0Ou%AroZ}>1|t5 zG5>DP`lu?)LI ze$TzUHuR45GWUQhm)=cO5pd&_`@d(`%*~<6|76}=7t5wr?Eft z8qMNs&OW=f#j29m z-RGLoroR%(o?(COrqqRqTCqg_dMsS*_v+WL>C1dIyQlg-F`DRgS^oL9^(@bd<{x*C zV7@96veNsti_53eoKlaj+jZJat;qv6fw^Ia*QBBsy#w7=<2i!Ix}tFDz-?*0xf z*yOP_S#KVv#l3qLnHRSSdo6UW*Z8np%Iin>#e%j2qAt(1t#bdZWxjaUdB&;M22Hnq z+qvg0zi=&n*Qe6psyK6@uT*9HrI*dOZrk|&n$0@ndhnv&xp&>&WX)LwN;dn;G@o2> zxUl47gU=c1*N+-cZ*`J-bnDxnO>b&mY$;e1Cs6NmEbK`XN8p)r^>yF*Sj*PUWnO3Y zHPwM>Q{UTV8!IktU7r+NvTbtkKIcdJh3tVwsW0D$G;zGsd!WEIWuqPc;mofVe$Rz7 zI{xdZifAz&_G{JHa`;Qq<;<-~iG8~c>i&!S;qzO?qeRyBXQBTc(G$%R_0}D3_03PY zlHR0-mGyF1b6Fu9oPYs_^K|WA>`mucCz7>rZLzcHSwnZ)xSN?+qNHO81{# zot0+uag9Q}M4|JaL!Y)y;jKKsRC}Amy{dbC)d#oij=q$+c1!fOn5F6KBhPZI@8i~+ z`f^VSt10tA@15sdUl~mADJpeQKOq|giv`7QoFRye)<`?-V4>$kQxTXwCw@~%eY{U5VD z>pR&MW=|?Byo4tf96gyBxQ)yB;xr}?{`=AK$6X?SuWEVI!K&GnH2sPAgrGH%X;!~Z z*LCU_&D;68&rPgj-y_nvJ~D}D-qn_`ft@7j_}>p%TKOuit2i^vblTyvNc^3 z57bY*KeuDSdj9QcTDJt|xV~zLUcNy}#AlYpyf-dgz8&)&-FVk@#qXGOSh97NE(3>w zGDmJob!3soz>z&vb6T5ct1)_rJbL2hOjV(=40y*J`n)qk`vSS0&3!OFK%k zEy6ZEy!Yn+Q)U)Bt%SL()A`mJD7N{Ts%_lM_vPb+wXgcNL?*YMvR^#wZ^Efdp~p4$ zw`eU;E?u%S$+Ao(=mAg4ooTK)GvDpb-BGcy?Tag~*sb=UYm*a0Sf1E&iOe;~J6k$$ zOQ*t}CAV5;oB1D!IlDtg+etcyZ|BEL*Z;*IQ93iF`~Q?n4wrb|lKHc?vEe#)?U2p zq5DxGp`hH!RynLTb26XmEp@NP6@SI+<~;sd`h4ln+e`=Kq8?0cQ&excebT+%uS(Fm zzv5fK;rus?^n_M@IiGe;OL)TmG;@7F&6(9|vi^Z#d#c;MI~}^85M|Au{;S~A`X;k@ z8*lS%iEZlB4{a1SE!20L|2=bU?oyWSneAd){?hZad@fyWXR@+f)+x_EIj-k@Zq>fn zz*N5ced}k|vu?O|V4e4^-%-vyaa&UT*Bi%o&1F_tDs3+3{3h+M_U?UFdvnfLES)}; zQ)i#lwC6V+OXo0jPrusn*ty}>Z&#PU?B1{E3h$fzBhl?tQSx0z9^HS_R%vcfkluHW z)6FwXKG1Wu>Nn>r*~@>L&)15azT)l;`Eo$7drH-79V~* z?|6bA@A0T);p0}@!Ym%Gti5nZMCkv@&)Jnb=B*U^eq$wr_SNzk@w2>6+7;5EKlCJPDXiw$aUVS(R05Uu45{6kekBW6tnwQ_O>mVJ2HC0B-4+3 
zwtZ8%GBs?Cl#r;sW>cS{)*jMWiOW{B<&B3%G&kR@sIkuE#23a cM)6Nuk~JyCv*v#h^TO#LY`vt#PImAD0IP!l)Bpeg literal 2237 zcmZQ@_Y83kiVO&0*fC8cyd>jfzDj?N+p}dRN~d?G>A1EPq;=G4EWAB?XM+Aj`8fg$ zixkr3etwi${O8w(`CKKwg16$8cLvo{a?_b;E3zbProuKn4ITPwazx^KNDO7eYXS0}@bM_1l% zf4FVahe=+6b>K*eM zZnpUxiBz`U;aRnA$}^?&7Ix)%AAht=ty|01_y2nT+nv1?(TS`2Gfh2>m~-kw`JM=b zUVOUAW#h6JtG=Js7IWDcz0>Z`mA}gzf2e&=Oki7J`(5Iu%B?6_xg_%+MS6D&&%b)6 zQPqBMJ>O?f(TQ9)jx#WYZ;Ry=nR7-y>CURPoSSF<{9ngr{`Xl%TI}EW&E~5r^y<$!p}$q(!KWWb#h<1J zMJDD+RR?D9U%jMnWxYYOMPPRN_MwSjTY`q;Ym$gF15t`BUByL{Zkuia5!w9U!W z!Q-8#T(zYBqW-Jgi~;{8v+RB5eiPi(d8BM_f8z4YIs00tzO>U@7aO~vN=m2KS$on& z!*!B38RTBS+4z%d$>iQ5+wHSYK0V@N)aLN)52wXK<(erCFTY%vSe6uTkjB}*T7-4e zeC`aT2|o(kS07wuaQQ{uU50CWJ|#47UA$w*+3w3>uQ~QMte7q0!7tFVXUFUI^y~Zr z^?{Pv7G2f;{O@=krBs-f)Nq)E?Ve`v-B0a=cTG}vq@3&Z=Rm{ ze1e5ZW6$RIv0P^^{513OTrH}nD0XvGdCN+H#Ci+0RpMDXzCXO15ADBh_Q;}o$=g>~ z69gRDj>XyXUI;(^T|B3>Zd<`4_DJ5&g8LhJLj&iZ+WhX={K>VQ=1-Kv*9j{y9WLk3 z<$hP$nRrclO1HsY4GFXV3j-KJ!O-l%#CG|FO&`CrUq}3xO~3l zPsQwL-QJxtrH$qL3!8Q8WS+e^K1m~gxvfy_kzHSp2K>8dYII4hPvZEUFHME(GbS1; z&v03w&gQT0B|i5rcdV~R=PU6!+y820sdtvHzo^D2!r`$k-u>|Hz50S}tR>=4yn9cb zy}$WeInRcw3o5zk8V|mF={;~%vrkUG_tNzS%ZhF_gY(H(?kkuHC%n#IAbL|R-O+5> zZ{HUVvgZ@86klhpGHw%EwdbGS+`rrfPD)!onN;*dh!*8fuMlqbIq9h{z0e@%%-*eX zv($2YkLpiIE%)@%s>ogA6|OE2zR!4-{_5X9typI5yB=Y&an;A-Q}boY*F9;n3sLSV zjaF6n3H&mCeVsSNz+N;Eu z)OT(_%dx=t+$z60Zu>9ha7s^FvGGf^kNBj%rx$ZKTRTZ=9lgbJ&U^qtGcVZ8s+oQnfR13=7iyvJva5IO^^S)PC zCH3lQ_o>%r>z7XYRXDZNZ0-7~Eag{K4l#vj)j4&%{iI@0qLsdNny6z~{Igo8nqS)& zENA|r@WU2*19eQV) zb24|oc{``%w)xs=QtmO5>2vmF)LnnO+E?IFw-&G1=4JB_U1@f?v~~N{R>PyWwX#+T zik+9;I76E+WbcgLo+?GnNHeod6IuVr#?N#eaniF;3x@*5iUN7`IGaHg(@Dr*mRYiVi+J%5mmTkI?J0Hbn=!Ra4Fg z?t0BAxb>Dn%sI0j_NTYc>giRVtlRL^RZ4a9^+l_fu6|RS~Ek*nXB{k z&W-@{&<`_36-s^>W|<^kZ85x@#9J0Ob)LAkz$b_OY0iIQQZ-nuW|^{uEYxoED~k7G z+jsG8qV40-ma@sGxoF5OIor|w;E}Y5V z>~-Xn$FijK6Wa__wKphfi7Z{n`D5LccN}YX?tOAlkEQ0l(C_cOUu7MSAFkZ~ac|g# 
zMFyvyD0xlY<$Cnd(cPV4LA+IWwK@gw-rZ;Akkzn?xl!Ub<7!J|&$1xR((U+|>1Yu98I)$`3-OEhb*eLeYh;)jOsM)B9puHIah_U>rz;omCD*%c*bAF?=p zzyDInlKuqiv+53=ui|r#FYKPrd`Qgv$z{dzPqX7DIdBzCC<~fVzU)BQMyo{sX_mFN z89A>!m}1NoeU2W!({xjRTIuCUzKd9-mvGMSaDVQ8>Fk`iW5@WGPdxm?WNo#2^u)$T Y>{)$3c|R0+R2dc5zi8^!XI