Homelab updates

- Change domain to opdavies.uk as this works with HTTPS/SSL. - Switch Nginx to Caddy.
2025-01-01 14:45:03 +00:00 · 2025-01-01 14:45:03 +00:00 · 07fde36fb0
parent f43069adac
commit 07fde36fb0
17 changed files with 98 additions and 64 deletions
--- a/nix/hosts/hetznix/modules/acme.nix
+++ b/nix/hosts/hetznix/modules/acme.nix
@ -3,13 +3,16 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "oliver@oliverdavies.uk";
+
-    defaults.environmentFile = config.age.secrets.cloudflare.path;
+    defaults = {
      dnsProvider = "cloudflare";
      email = "oliver@oliverdavies.uk";
      environmentFile = config.age.secrets.cloudflare.path;
      webroot = null;
    };
    certs."oliverdavies.uk" = {
      domain = "oliverdavies.uk";
      dnsProvider = "cloudflare";
      webroot = null;
      extraDomainNames = [
        # TODO Refactor to use a wildcard certificate.
--- a/nix/hosts/nixedo/configuration.nix
+++ b/nix/hosts/nixedo/configuration.nix
@ -2,11 +2,13 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ inputs, pkgs, ... }:
+{ inputs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./modules/acme.nix
  ];
  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
@ -30,4 +32,6 @@
    80
    443
  ];
  services.caddy.enable = true;
 }
--- a/nix/hosts/nixedo/default.nix
+++ b/nix/hosts/nixedo/default.nix
@ -23,7 +23,5 @@
    ./configuration.nix
    ./secrets.nix
    ./extra.nix
    ./modules/nginx.nix
  ];
 }
--- a/nix/hosts/nixedo/modules/acme.nix
+++ b/nix/hosts/nixedo/modules/acme.nix
@ -0,0 +1,19 @@
 { config, ... }:
 {
  security.acme = {
    acceptTerms = true;
    certs = {
      "opdavies.uk" = {
        domain = "opdavies.uk";
        dnsProvider = "cloudflare";
        email = "oliver@oliverdavies.uk";
        environmentFile = config.age.secrets.cloudflare-opdavies-uk.path;
        webroot = null;
        extraDomainNames = [ "*.opdavies.uk" ];
      };
    };
  };
 }
--- a/nix/hosts/nixedo/modules/nginx.nix
+++ b/nix/hosts/nixedo/modules/nginx.nix
@ -1,11 +0,0 @@
 { config, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "syncthing.localhost".locations."/".proxyPass = "http://localhost:8384/";
    };
  };
 }
--- a/nix/hosts/nixedo/secrets.nix
+++ b/nix/hosts/nixedo/secrets.nix
@ -1,5 +1,6 @@
 {
  age.secrets = {
    cloudflare-opdavies-uk.file = ../../secrets/cloudflare-opdavies-uk.age;
    tubearchivist.file = ../../secrets/tubearchivist.age;
  };
 }
--- a/nix/modules/nixos/features/homelab/audiobookshelf.nix
+++ b/nix/modules/nixos/features/homelab/audiobookshelf.nix
@ -9,21 +9,17 @@ in
  options.features.homelab.audiobookshelf.enable = mkEnableOption "Enable audiobookshelf";
  config = mkIf cfg.enable {
-    services.audiobookshelf = {
+    services = {
-      enable = true;
+      audiobookshelf = {
        enable = true;
-      host = "audiobookshelf.oliverdavies.uk";
+        port = 4001;
-      port = 4001;
+      };
    };
-    services.nginx = {
+      caddy.virtualHosts."audiobookshelf.opdavies.uk" = {
-      enable = true;
+        useACMEHost = "opdavies.uk";
-      virtualHosts."audiobookshelf.oliverdavies.uk" = {
+        extraConfig = "reverse_proxy localhost:${toString config.services.audiobookshelf.port}";
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.audiobookshelf.port}/";
          proxyWebsockets = true;
        };
      };
    };
  };
--- a/nix/modules/nixos/features/homelab/forgejo.nix
+++ b/nix/modules/nixos/features/homelab/forgejo.nix
@ -2,9 +2,6 @@
 with lib;
 let
  port = 2223;
 in
 {
  options.features.homelab.forgejo.enable = mkEnableOption "Enable forgejo";
@ -17,7 +14,8 @@ in
        settings = {
          server = {
-            HTTP_PORT = port;
+            DOMAIN = "forgejo.opdavies.uk";
            HTTP_PORT = 2223;
          };
          service = {
@ -26,11 +24,10 @@ in
        };
      };
-      nginx = {
+      caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
-        enable = true;
+        useACMEHost = "opdavies.uk";
-        virtualHosts."forgejo.oliverdavies.uk".locations."/".proxyPass =
+        extraConfig = "reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
          "http://localhost:${toString port}/";
      };
    };
  };
--- a/nix/modules/nixos/features/homelab/freshrss.nix
+++ b/nix/modules/nixos/features/homelab/freshrss.nix
@ -95,11 +95,10 @@ in
      wantedBy = [ "multi-user.target" ];
    };
-    services.nginx = {
+    services.caddy.virtualHosts."freshrss.opdavies.uk" = {
-      enable = true;
+      useACMEHost = "opdavies.uk";
-      virtualHosts."freshrss.oliverdavies.uk".locations."/".proxyPass =
+      extraConfig = "reverse_proxy localhost:${toString port}";
        "http://localhost:${toString port}/";
    };
  };
 }
--- a/nix/modules/nixos/features/homelab/gitea.nix
+++ b/nix/modules/nixos/features/homelab/gitea.nix
@ -26,10 +26,10 @@ in
        };
      };
-      nginx = {
+      caddy.virtualHosts."gitea.opdavies.uk" = {
-        enable = true;
+        useACMEHost = "opdavies.uk";
-        virtualHosts."gitea.oliverdavies.uk".locations."/".proxyPass = "http://localhost:${toString port}/";
+        extraConfig = "reverse_proxy localhost:${toString port}";
      };
    };
  };
--- a/nix/modules/nixos/features/homelab/immich.nix
+++ b/nix/modules/nixos/features/homelab/immich.nix
@ -19,11 +19,10 @@ with lib;
    environment.systemPackages = [ pkgs.immich-cli ];
-    services.nginx = {
+    services.caddy.virtualHosts."immich.opdavies.uk" = {
-      enable = true;
+      useACMEHost = "opdavies.uk";
-      virtualHosts."immich.oliverdavies.uk".locations."/".proxyPass =
+      extraConfig = "reverse_proxy localhost:${toString config.services.immich.port}";
        "http://localhost:${toString config.services.immich.port}/";
    };
  };
 }
--- a/nix/modules/nixos/features/homelab/jellyfin.nix
+++ b/nix/modules/nixos/features/homelab/jellyfin.nix
@ -13,10 +13,10 @@ with lib;
      configDir = "/mnt/media/jellyfin";
    };
-    services.nginx = {
+    services.caddy.virtualHosts."jellyfin.opdavies.uk" = {
-      enable = true;
+      useACMEHost = "opdavies.uk";
-      virtualHosts."jellyfin.oliverdavies.uk".locations."/".proxyPass = "http://localhost:8096/";
+      extraConfig = "reverse_proxy localhost:8096";
    };
  };
 }
--- a/nix/modules/nixos/features/homelab/paperless.nix
+++ b/nix/modules/nixos/features/homelab/paperless.nix
@ -6,8 +6,20 @@ with lib;
  options.features.homelab.paperless.enable = mkEnableOption "Enable paperless";
  config = mkIf config.features.homelab.paperless.enable {
-    services.paperless = {
+    services = {
-      enable = true;
+      paperless = {
        enable = true;
        settings = {
          PAPERLESS_URL = "https://paperless.opdavies.uk";
        };
      };
      caddy.virtualHosts."paperless.opdavies.uk" = {
        useACMEHost = "opdavies.uk";
        extraConfig = "reverse_proxy localhost:28981";
      };
    };
  };
 }
--- a/nix/modules/nixos/features/homelab/pi-hole.nix
+++ b/nix/modules/nixos/features/homelab/pi-hole.nix
@ -95,9 +95,5 @@ in
        wantedBy = [ "multi-user.target" ];
      };
    };
    services.nginx.virtualHosts."pihole.localhost" = {
      locations."/".proxyPass = "http://localhost:${toString port}/";
    };
  };
 }
--- a/nix/modules/nixos/features/homelab/tubearchivist-container.nix
+++ b/nix/modules/nixos/features/homelab/tubearchivist-container.nix
@ -10,7 +10,7 @@ with lib;
 let
  cfg = config.features.homelab.tubearchivist-container;
-  port = 8000;
+  port = 8085;
 in
 {
  options.features.homelab.tubearchivist-container = {
@ -286,11 +286,10 @@ in
      wantedBy = [ "multi-user.target" ];
    };
-    services.nginx = {
+    services.caddy.virtualHosts."tubearchivist.opdavies.uk" = {
-      enable = true;
+      useACMEHost = "opdavies.uk";
-      virtualHosts."tubearchivist.oliverdavies.uk".locations."/".proxyPass =
+      extraConfig = "reverse_proxy localhost:${toString port}";
        "http://localhost:${toString port}/";
    };
  };
 }
--- a/nix/secrets/cloudflare-opdavies-uk.age
+++ b/nix/secrets/cloudflare-opdavies-uk.age
@ -0,0 +1,18 @@
 age-encryption.org/v1
 -> ssh-ed25519 IsVD3g kacSrvgn/CGIwU05AkK6UGhxVm5oO/FRK2jgH1qHVg0
 JXzp1+Al5O8sBw3a4td7RA3HVP6C9tIdvvgZFZ9Se5w
 -> ssh-rsa +vTWQw
 ndPfUjqCzN5uqcrRvb/OGKmBouyM6qwf5ZmnfMg49NXcxt7bwCK0v7iPtOOOgDI2
 34Oi1EGgjkJ/YY+nxKuHZtRlq+wySbqeLVXUmb52reW4sj4PHEZOsFIO8Dnxmx9P
 9AtISLIrdJd3V39v4+pXOo9tBvBcTAs7JKqDGFcfp7gcVH0vLga0l3jLUspZiNB9
 DXW6Gbttg8Z6El9J1fAqVXcDE3q7pPZE//zu/cIRyt4/kbK76bx7yEaKAy2GycZS
 SCjjxsRtkBHOKQEQnFdKfWD/AG1USNmoiv4zHx1G9pIVJJA47yNWLwsx8Q7VrfNS
 CXpxQt+ElOH5pRTpXMAx1/rHs/NpXMMUm0EVvWKTNbrbHvepTUvEYABo+DKicRVI
 3H6RYWedXZ9ggpfID66CbF4HFtVJTXwHhvdzGfdna8J1Dy7nJyevT/fCz8tqlVIa
 EFEFqUardSWj0zFL3PQgk2qmrC9W1+isp83Rioi/n/ow8O0Q+XlzO3rQjNYWtEgp
 jufzw+3YI9HuNLPXB0xBfSgwP8Ao6iYskE+8IL+xu4ITCec/ItpoYk1Yeb38G2HQ
 6JlIseQIgpOzw8DlMMWtWjO4U+9JAZh5XOlEgwFPFL25m//24UM7RB3/Yd1/it8i
 cNaHR1L2/P8k5FnbR2jhxcTb2tEzlFo422brC0r/Ilc
 --- MqcbFcs1myK1Dn1h/PQKZ59BdgYXIifkp0DkvoNQaL4
 €ÒWÙ±à·¹Üy
 šj`šÊ$ÜEŠ¬n¥ï‡_<‡íý¤²í%s`#¦d,x¿MGëdf:õÄ*`z‰öR‹X–¯>ýÄKJâ¶0ž€ÙB’ÄØDÂj<Å£¤´§=%
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@ -13,11 +13,15 @@ in
 {
  "cloudflare.age".publicKeys = [
    hosts.hetznix
    hosts.nixedo
    hosts.t490
    users.opdavies
  ];
  "cloudflare-opdavies-uk.age".publicKeys = [
    hosts.nixedo
    users.opdavies
  ];
  "tubearchivist.age".publicKeys = [
    hosts.lemp11
    hosts.nixedo