diff --git a/machines/genepi/actual.nix b/machines/genepi/actual.nix
index 6bf59f3..b455535 100644
--- a/machines/genepi/actual.nix
+++ b/machines/genepi/actual.nix
@@ -1,4 +1,7 @@
 { config, ... }:
+let
+ domain = "actual.val";
+in
 {
 services.actual = {
 enable = true;
@@ -8,12 +11,14 @@
 };
 };
- services.nginx.virtualHosts."actual.home.rpqt.fr" = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
- useACMEHost = "home.rpqt.fr";
+ enableACME = true;
 locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
 };
- clan.core.state.acutal.folders = [ "/var/lib/actual" ];
+ security.acme.certs.${domain}.server = "https://ca.val/acme/acme/directory";
+
+ clan.core.state.actual.folders = [ "/var/lib/actual" ];
 }
diff --git a/machines/genepi/freshrss.nix b/machines/genepi/freshrss.nix
index 8222566..511ee1d 100644
--- a/machines/genepi/freshrss.nix
+++ b/machines/genepi/freshrss.nix
@@ -1,13 +1,13 @@
 { config, ... }:
 let
- domain = "home.rpqt.fr";
- subdomain = "rss.${domain}";
+ tld = "val";
+ domain = "rss.${tld}";
 in
 {
 services.freshrss = {
 enable = true;
- baseUrl = "https://${subdomain}";
- virtualHost = "${subdomain}";
+ baseUrl = "https://${domain}";
+ virtualHost = "${domain}";
 defaultUser = "rpqt";
 passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
@@ -15,9 +15,11 @@ in
 services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
 forceSSL = true;
- useACMEHost = "${domain}";
+ enableACME = true;
 };
+ security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+
 clan.core.vars.generators.freshrss = {
 prompts.freshrss-password = {
 description = "freshrss default user password";
diff --git a/machines/genepi/glance-config.nix b/machines/genepi/glance-config.nix
index 569ae62..b8d2c17 100644
--- a/machines/genepi/glance-config.nix
+++ b/machines/genepi/glance-config.nix
@@ -1,3 +1,4 @@
+{ tld }:
 {
 theme = {
 light = true;
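Review bot: `security.acme.certs.${domain}.server` in the second hunk repeats the same private-CA directory URL that freshrss.nix, glance.nix, homeassistant.nix, immich.nix, grafana.nix, pinchflat.nix, syncthing.nix and lounge.nix each add; a single `security.acme.defaults.server = "https://ca.val/acme/acme/directory";` in a shared module would cover all nine certificates and keep the URL from drifting. Pointing `enableACME` at a private CA also means the renewal client has to trust that CA's root to fetch the directory over HTTPS, so unless the root is already registered elsewhere in the repo (for example through `security.pki.certificateFiles`), issuance will fail at the TLS handshake, and the module's `security.acme.acceptTerms` assertion still has to be satisfied. This file is also the only one that hard-codes `"actual.val"` and `ca.val` instead of deriving them from a `tld` binding like the other changed files; `let tld = "val"; domain = "actual.${tld}"; in` would match them. The rename from `clan.core.state.acutal` to `clan.core.state.actual` in the last added line is a separate fix that changes the attribute name clan tracks, so it deserves a mention in the commit message.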
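Review bot: `tld = "val"` in the first freshrss.nix hunk introduces an invented top-level domain for every internal host in this commit, and `.val` is not, as far as I know, one of the names set aside for private use, so a later public delegation of that TLD would let outside hosts claim these names; `home.arpa` (RFC 8375) or a subdomain of a domain you control avoids that. The same `tld` literal is now repeated in eight files, so defining it once and reading it in each module would turn a later change into a single edit.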
@@ -41,22 +42,22 @@
 sites = [
 {
 title = "Immich";
- url = "https://images.home.rpqt.fr";
+ url = "https://images.${tld}";
 icon = "sh:immich";
 }
 {
 title = "FreshRSS";
- url = "https://rss.home.rpqt.fr";
+ url = "https://rss.${tld}";
 icon = "sh:freshrss";
 }
 {
 title = "Syncthing";
- url = "https://genepi.home.rpqt.fr/syncthing";
+ url = "https://genepi.${tld}/syncthing";
 icon = "sh:syncthing";
 }
 {
 title = "Actual Budget";
- url = "https://actual.home.rpqt.fr";
+ url = "https://actual.${tld}";
 icon = "sh:actual-budget";
 }
 {
@@ -66,12 +67,12 @@
 }
 {
 title = "Pinchflat";
- url = "https://pinchflat.home.rpqt.fr";
+ url = "https://pinchflat.${tld}";
 icon = "https://cdn.jsdelivr.net/gh/selfhst/icons/png/pinchflat.png";
 }
 {
 title = "Home Assistant";
- url = "https://assistant.home.rpqt.fr";
+ url = "https://assistant.${tld}";
 icon = "sh:home-assistant";
 }
 {
@@ -98,12 +99,12 @@
 sites = [
 {
 title = "Grafana";
- url = "https://grafana.home.rpqt.fr";
+ url = "https://grafana.${tld}";
 icon = "sh:grafana";
 }
 {
 title = "Prometheus";
- url = "http://genepi.home.rpqt.fr:9090";
+ url = "http://genepi.${tld}:9090";
 icon = "sh:prometheus";
 }
 ];
@@ -115,7 +116,7 @@
 sites = [
 {
 title = "Lounge";
- url = "https://lounge.home.rpqt.fr";
+ url = "https://lounge.${tld}";
 icon = "si:html5";
 }
 {
@@ -178,7 +179,7 @@
 cache = "12h";
 feeds = [
 {
- url = "https://rss.home.rpqt.fr/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
+ url = "https://rss.${tld}/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
 }
 ];
 }
diff --git a/machines/genepi/glance.nix b/machines/genepi/glance.nix
index a68385e..6aa1cc2 100644
--- a/machines/genepi/glance.nix
+++ b/machines/genepi/glance.nix
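Review bot: The feed URL in the last glance-config.nix hunk still embeds a FreshRSS API token in its `t=` query parameter, so this change only moves the host while the credential stays in the repository and in its history; rotating it in FreshRSS and injecting the replacement at runtime would keep it out of the committed config (the repo already uses `clan.core.vars.generators` for other secrets; whether Glance can read it from an environment variable or a file depends on the module and is not visible here). The Prometheus entry in the `@@ -98` hunk links `http://genepi.${tld}:9090` directly, outside the nginx/ACME front door the rest of this commit sets up, so that dashboard link stays plain HTTP on the LAN. The `{ tld }:` argument added in the first hunk has no default, which works because glance.nix now calls it with `{ inherit tld; }`, but `{ tld ? "val" }:` would keep the file evaluable on its own.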
@@ -1,18 +1,20 @@
 { config, ... }:
 let
- domain = "home.rpqt.fr";
- subdomain = "glance.${domain}";
+ tld = "val";
+ domain = "glance.${tld}";
 in
 {
 services.glance = {
 enable = true;
- settings = ./glance-config.nix;
+ settings = (import ./glance-config.nix) { inherit tld; };
 };
- services.nginx.virtualHosts.${subdomain} = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
- useACMEHost = "${domain}";
+ enableACME = true;
 locations."/".proxyPass = "http://127.0.0.1:${toString config.services.glance.settings.server.port}";
 };
+
+ security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/homeassistant.nix b/machines/genepi/homeassistant.nix
index 3f73dd5..2c61efb 100644
--- a/machines/genepi/homeassistant.nix
+++ b/machines/genepi/homeassistant.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 let
- domain = "home.rpqt.fr";
- subdomain = "assistant.${domain}";
+ tld = "val";
+ domain = "assistant.${tld}";
 in
 {
 services.home-assistant = {
@@ -26,9 +26,9 @@ in
 };
 };
- services.nginx.virtualHosts.${subdomain} = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
- useACMEHost = "${domain}";
+ enableACME = true;
 extraConfig = ''
 proxy_buffering off;
 '';
@@ -37,4 +37,6 @@ in
 proxyWebsockets = true;
 };
 };
+
+ security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/immich.nix b/machines/genepi/immich.nix
index 3b67b45..76e7f65 100644
--- a/machines/genepi/immich.nix
+++ b/machines/genepi/immich.nix
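Review bot: `settings = (import ./glance-config.nix) { inherit tld; };` in the glance.nix hunk carries redundant parentheses; function application is left-associative, so `settings = import ./glance-config.nix { inherit tld; };` is the usual form and reads the same. The `tld` binding is now declared here and in seven other files while glance-config.nix receives it as an argument; if the value ever changes, the dashboard links and the virtual hosts drift apart unless every copy is edited together, so a single shared definition would be safer.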
@@ -1,19 +1,19 @@
 { config, ... }:
 let
- domain = "home.rpqt.fr";
- subdomain = "images.${domain}";
+ tld = "val";
+ domain = "images.${tld}";
 in
 {
 services.immich = {
 enable = true;
 settings = {
- server.externalDomain = "https://${subdomain}";
+ server.externalDomain = "https://${domain}";
 };
 };
- services.nginx.virtualHosts.${subdomain} = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
- useACMEHost = "${domain}";
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://${toString config.services.immich.host}:${toString config.services.immich.port}";
 proxyWebsockets = true;
@@ -26,5 +26,7 @@ in
 };
 };
+ security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+
 clan.core.state.immich.folders = [ "/var/lib/immich" ];
 }
diff --git a/machines/genepi/monitoring/grafana.nix b/machines/genepi/monitoring/grafana.nix
index 7bea765..ac96660 100644
--- a/machines/genepi/monitoring/grafana.nix
+++ b/machines/genepi/monitoring/grafana.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- domain = "home.rpqt.fr";
+ tld = "val";
 in
 {
 services.grafana = {
@@ -8,7 +8,7 @@ in
 settings = {
 server = {
 http_port = 3000;
- domain = "grafana.${domain}";
+ domain = "grafana.${tld}";
 };
 };
 provision = {
@@ -31,10 +31,13 @@ in
 services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
 forceSSL = true;
- useACMEHost = "${domain}";
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
 proxyWebsockets = true;
 };
 };
+
+ security.acme.certs.${config.services.grafana.settings.server.domain}.server =
+ "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/pinchflat.nix b/machines/genepi/pinchflat.nix
index 9d29657..14fbca2 100644
--- a/machines/genepi/pinchflat.nix
+++ b/machines/genepi/pinchflat.nix
@@ -3,6 +3,10 @@
 pkgs,
 ...
 }:
+let
+ tld = "val";
+ domain = "pinchflat.${tld}";
+in
 {
 services.pinchflat = {
 enable = true;
@@ -23,9 +27,11 @@
 clan.core.state.pinchflat.folders = [ "/var/lib/pinchflat" ];
- services.nginx.virtualHosts."pinchflat.home.rpqt.fr" = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
- useACMEHost = "home.rpqt.fr";
+ enableACME = true;
 locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.pinchflat.port}";
 };
+
+ security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/syncthing.nix b/machines/genepi/syncthing.nix
index dd72177..fd3400e 100644
--- a/machines/genepi/syncthing.nix
+++ b/machines/genepi/syncthing.nix
@@ -1,31 +1,41 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }:
 let
 user = "rpqt";
 home = config.users.users.${user}.home;
- domain = "home.rpqt.fr";
- subdomain = "genepi.${domain}";
+ tld = "val";
+ domain = "genepi.${tld}";
 in
 {
- services.nginx.virtualHosts.${subdomain} = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
- useACMEHost = "${domain}";
- locations."/syncthing".proxyPass = "http://${config.services.syncthing.guiAddress}";
+ enableACME = true;
+ locations."/syncthing" = {
+ proxyPass = "http://${config.services.syncthing.guiAddress}";
+ };
 };
+ security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+
 services.syncthing = {
 enable = true;
 user = user;
 group = lib.mkForce "users";
 dataDir = home;
 configDir = lib.mkForce "${home}/.config/syncthing";
+ guiAddress = "0.0.0.0:8384";
 guiPasswordFile = config.clan.core.vars.generators.syncthing-gui.files.password.path;
 };
+ networking.firewall.interfaces.wireguard = {
+ allowedTCPPorts = [ 8384 ];
+ };
+
 clan.core.vars.generators.syncthing-gui = {
 files.password = {
 secret = true;
diff --git a/modules/lounge.nix b/modules/lounge.nix
index a51de5a..dd23b1c 100644
--- a/modules/lounge.nix
+++ b/modules/lounge.nix
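Review bot: `guiAddress = "0.0.0.0:8384"` in the syncthing.nix hunk moves the Syncthing GUI from its loopback default onto every interface, and the only thing keeping it off the non-WireGuard ones is the host firewall, which the new `networking.firewall.interfaces.wireguard.allowedTCPPorts = [ 8384 ];` opens selectively; binding to the address assigned to the `wireguard` interface instead (if it is static) narrows the exposure at the listener rather than relying on the filter. The nginx `proxyPass` in the same hunk now expands to `http://0.0.0.0:8384`, which Linux happens to route to the local host but reads as a mistake; if the GUI must listen broadly, keep the proxy target explicit, `proxyPass = "http://127.0.0.1:8384";`. Over the tunnel the GUI is plain HTTP guarded only by `guiPasswordFile`, which WireGuard's encryption makes acceptable, but a comment on the `guiAddress` line saying why the GUI is reachable there at all would save the next reader from undoing it. `pkgs` is added to the module arguments while nothing in this hunk uses it; the hunk ends at `secret = true;`, so the rest of the file may.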
@@ -1,7 +1,13 @@
+let
+ tld = "val";
+ domain = "lounge.${tld}";
+in
 {
- services.nginx.virtualHosts."lounge.home.rpqt.fr" = {
- useACMEHost = "home.rpqt.fr";
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
 forceSSL = true;
 root = "/var/www/lounge";
 };
+
+ security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }