| author | spl3g <spleefer6@gmail.com> | 2026-03-24 00:06:02 +0300 |
|---|---|---|
| committer | spl3g <spleefer6@gmail.com> | 2026-03-24 00:06:02 +0300 |
| commit | dbda818a24af12bd3de6416199451f419557acb4 (patch) | |
| tree | c0b9e17e633a10826f5e5fd01ecfffff419a869b | |
| parent | 03648b3d9f177227df40129bed22558f6924b91c (diff) | |
feat(servers): add search, mail, git and fix some thingsv2
14 files changed, 459 insertions, 114 deletions
@@ -35,11 +35,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1759699908, - "narHash": "sha256-kYVGY8sAfqwpNch706Fy2+/b+xbtfidhXSnzvthAhIQ=", + "lastModified": 1772478757, + "narHash": "sha256-OZ/rD87JVagLiHCz5M/kfu5n3+32G+kvoZ3F5xmzVng=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "42362b12f59978aabf3ec3334834ce2f3662013d", + "rev": "4b0b511675cc368956a3917f0710dd62ba7b4043", "type": "github" }, "original": { @@ -72,6 +72,24 @@ "type": "github" } }, + "beaker-src": { + "flake": false, + "locked": { + "lastModified": 1773884524, + "narHash": "sha256-1dnlofWaxI/YRID+WPz2jHZNDyloBubDt/bAQk9ePLU=", + "ref": "refs/heads/master", + "rev": "abc598baf15d6f8a4de395a27ba34b1e769558e1", + "revCount": 21, + "shallow": false, + "type": "git", + "url": "https://git.bwaaa.monster/beaker" + }, + "original": { + "shallow": false, + "type": "git", + "url": "https://git.bwaaa.monster/beaker" + } + }, "crane": { "locked": { "lastModified": 1760924934, @@ -158,11 +176,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1773889306, + "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", "type": "github" }, "original": { @@ -229,11 +247,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1768135262, - "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "type": "github" }, "original": { 
@@ -309,11 +327,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1769699427, - "narHash": "sha256-dAQt3qXugGhg92A+jqaUcmH0elbgEN/mV4vy1+ohLZk=", + "lastModified": 1774007980, + "narHash": "sha256-FOnZjElEI8pqqCvB6K/1JRHTE8o4rer8driivTpq2uo=", "owner": "nix-community", "repo": "home-manager", - "rev": "2a08ab21abc8b482f41c521b5f9b0df5b18a67eb", + "rev": "9670de2921812bc4e0452f6e3efd8c859696c183", "type": "github" }, "original": { @@ -324,11 +342,11 @@ }, "import-tree": { "locked": { - "lastModified": 1763762820, - "narHash": "sha256-ZvYKbFib3AEwiNMLsejb/CWs/OL/srFQ8AogkebEPF0=", + "lastModified": 1773693634, + "narHash": "sha256-BtZ2dtkBdSUnFPPFc+n0kcMbgaTxzFNPv2iaO326Ffg=", "owner": "vic", "repo": "import-tree", - "rev": "3c23749d8013ec6daa1d7255057590e9ca726646", + "rev": "c41e7d58045f9057880b0d85e1152d6a4430dbf1", "type": "github" }, "original": { @@ -355,11 +373,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1765674936, - "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", + "lastModified": 1772328832, + "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85", + "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", "type": "github" }, "original": { @@ -370,11 +388,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1769651179, - "narHash": "sha256-+CBdFa+LgNhX63PxP5JsBi9iMbf9GPBzxXOHQweFBRU=", + "lastModified": 1774041495, + "narHash": "sha256-Jbzx23j3YPRChU/djx7EhhupGlDq7CRQ8L0IWYCbav4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fabe65b5b16d107e904f3d9a590b91bed77e767a", + "rev": "5ba249aa104c36c3542e3017d85cf55196732b7b", "type": "github" }, "original": { 
@@ -386,11 +404,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1769598131, - "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", + "lastModified": 1773814637, + "narHash": "sha256-GNU+ooRmrHLfjlMsKdn0prEKVa0faVanm0jrgu1J/gY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "rev": "fea3b367d61c1a6592bc47c72f40a9f3e6a53e96", "type": "github" }, "original": { @@ -402,11 +420,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1769018530, - "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", + "lastModified": 1773821835, + "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", + "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", "type": "github" }, "original": { @@ -418,11 +436,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1769461804, - "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", + "lastModified": 1773821835, + "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", + "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", "type": "github" }, "original": { @@ -432,6 +450,27 @@ "type": "github" } }, + "omnisearch": { + "inputs": { + "beaker-src": "beaker-src", + "nixpkgs": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1774184185, + "narHash": "sha256-uxvwbXjpJUpWgXLi3Oadd+PqR3UV5MC7B/lm45oluLc=", + "ref": "refs/heads/master", + "rev": "bcee71cbbb0282d84841ba9b8908773ab56decf2", + "revCount": 66, + "type": "git", + "url": "https://git.bwaaa.monster/omnisearch" + }, + "original": { + "type": "git", + "url": "https://git.bwaaa.monster/omnisearch" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", 
@@ -466,7 +505,8 @@ "import-tree": "import-tree", "nixpkgs": "nixpkgs_3", "nixpkgs-small": "nixpkgs-small", - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable", + "omnisearch": "omnisearch" } }, "rust-overlay": { @@ -24,6 +24,13 @@ }; deploy-rs.url = "github:serokell/deploy-rs"; + + omnisearch = { + url = "git+https://git.bwaaa.monster/omnisearch"; + inputs = { + nixpkgs.follows = "nixpkgs-stable"; + }; + }; }; outputs = inputs: diff --git a/modules/hosts/ltrr-block/configuration.nix b/modules/hosts/ltrr-block/configuration.nix index 5ee4711..556c852 100644 --- a/modules/hosts/ltrr-block/configuration.nix +++ b/modules/hosts/ltrr-block/configuration.nix @@ -13,6 +13,7 @@ modulesPath, pkgs, config, + lib, ... }: let domain = "kcu.su"; @@ -63,6 +64,15 @@ }; }; + users.users.git = { + group = "git"; + extraGroups = ["files"]; + home = lib.mkForce "/var/lib/git"; + createHome = true; + isSystemUser = true; + }; + users.groups.git = {}; + users.users.mc = { isNormalUser = true; packages = with pkgs; [ @@ -99,8 +109,18 @@ networking.hostName = "ltrr-block"; networking.firewall = { - allowedTCPPorts = [80 5030 2049 25565]; - allowedUDPPorts = [51820 16261 16262]; + allowedTCPPorts = [ + 80 + # mail + 25 + 465 + 993 + + 25565 # minecraft + ]; + allowedUDPPorts = [ + 51820 + ]; }; security.acme = { @@ -137,13 +157,24 @@ "tube".proxyPass = "http://127.0.0.1:5410"; "torrents".proxyPass = "http://127.0.0.1:7317"; "jellyfin".proxyPass = "http://127.0.0.1:8096"; + "books" = { + proxyPass = "http://127.0.0.1:6458"; + proxyWebsockets = true; + }; "lidarr" = { proxyPass = "http://127.0.0.1:8686"; proxyWebsockets = true; }; - - "prowlarr".proxyPass = "http://127.0.0.1:9696"; "shelfmark".proxyPass = "http://127.0.0.1:8084"; + "mail".proxyPass = "http://127.0.0.1:7845"; + }; + extraVirtualHosts = { + "navidrome.${domain}" = { + enableAuthelia = false; + }; + "git.${domain}" = { + enableAuthelia = false; + }; }; }; 
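Review bot: The new `omnisearch` input in flake.nix is `git+https://git.bwaaa.monster/omnisearch` with no `?ref=` or `?rev=`, so although flake.lock pins a rev and narHash today, every `nix flake update` will take whatever `refs/heads/master` on that host points to, and the lock pulls in the equally unpinned transitive `beaker-src` from the same host. If the host is your own, a tag or rev pin such as `url = "git+https://git.bwaaa.monster/omnisearch?ref=refs/tags/<tag>";` is still worth having so an update cannot silently ship a different module; if it is someone else's, review the diff between locked revs before each update. Note that this input is imported as `inputs.omnisearch.nixosModules.default` on ltrr-cloud, so it is third-party Nix evaluated into the system closure, not just a package.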
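Review bot: `users.users.git` gets `extraGroups = ["files"]`, which hands everything that runs as `git` (gitolite hooks, git-http-backend, cgit filters) read access to whatever the `files` group can read under /srv/files, not just repositories. The repo tree is created separately as `createPaths."/srv/files/git"` with owner `git`, group `git`, mode 0770, so `files` membership is not needed for that; if it exists only so `git` can traverse /srv/files, give the parent directory `o+x` or move GL_REPO_BASE out of /srv/files instead. Suggested change: delete the `extraGroups = ["files"];` line unless a concrete path requires it. The enclosing attribute set starts before this hunk.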
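Review bot: The firewall hunk opens 25, 465 and 993 on every interface of ltrr-block, and the Stalwart listeners later in this file bind them on `[::]`; the only intended path is the DNAT from ltrr-cloud over wg0 to 10.1.1.2, so `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 25 465 993 ];` (instead of the global list) keeps the LAN and any directly routable address of the host from reaching the mail listeners except via the relay. Whether the host has a public IPv6 address is not visible here; if it does, the `[::]` binds plus this rule expose SMTP/IMAP directly, bypassing the relay entirely. Dropping 2049 (NFS) and 5030 from the allowed list is a good cleanup and is not questioned.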
@@ -235,10 +266,6 @@ group = "music"; }; - services.prowlarr = { - enable = true; - }; - services.qbittorrent = { enable = true; user = "files"; @@ -410,7 +437,7 @@ # "127.0.0.1:8083:8083" # ]; # volumes = [ - # "/srv/files/books:/calibre-library" + # "/srv/files/books/library:/calibre-library" # "/srv/files/books/injest:/cwa-book-ingest" # "/var/lib/cwa:/config" # ]; @@ -441,16 +468,36 @@ "host" ]; }; - services.booklore = { + + services.audiobookshelf = { enable = true; - subdomain = "books"; - uid = "1000"; - gid = "1001"; - settings = { - timezone = "Europe/Yekaterinburg"; - booksDir = "/srv/files/books/library"; - bookdropDir = "/srv/files/books/injest"; + port = 6458; + user = "files"; + group = "books"; + }; + + createPaths."/var/lib/stump" = { + owner = "files"; + group = "books"; + permissions = "0750"; + }; + + virtualisation.oci-containers.containers.stump = { + image = "aaronleopold/stump:nightly"; + volumes = [ + "/var/lib/stump:/config" + "/srv/files/books/library:/data" + ]; + ports = [ + "127.0.0.1:10821:10801" + ]; + environment = { + PUID = "1000"; + PGID = "1001"; }; + networks = [ + "host" + ]; }; services.watcharr = { 
@@ -458,6 +505,144 @@ subdomain = "watched"; }; + age.secrets.stalwart-admin = { + rekeyFile = ./secrets/stalwart-admin.key.age; + }; + age.secrets.stalwart-cert = { + rekeyFile = ./secrets/stalwart-cert.age; + }; + age.secrets.stalwart-pk = { + rekeyFile = ./secrets/stalwart-pk.age; + }; + + services.stalwart-mail = { + enable = true; + settings = { + server = { + hostname = "mail.kcu.su"; + listener = { + smtp = { + bind = ["[::]:25"]; + protocol = "smtp"; + }; + submissions = { + bind = ["[::]:465"]; + protocol = "smtp"; + tls.implicit = true; + }; + imaptls = { + bind = ["[::]:993"]; + protocol = "imap"; + tls.implicit = true; + }; + management = { + bind = ["127.0.0.1:7845"]; + protocol = "http"; + }; + }; + }; + storage = { + data = "rocksdb"; + fts = "rocksdb"; + blob = "rocksdb"; + lookup = "rocksdb"; + directory = "internal"; + }; + store.rocksdb = { + type = "rocksdb"; + path = "${config.services.stalwart-mail.dataDir}/data"; + compression = "lz4"; + }; + directory.internal = { + type = "internal"; + store = "rocksdb"; + }; + tracer.stdout = { + type = "stdout"; + level = "info"; + ansi = false; + enable = true; + }; + authentication.fallback-admin = { + user = "admin_fallback"; + secret = "%{file:/run/credentials/stalwart-mail.service/admin_secret}%"; + }; + config = { + local-keys = [ + "store.*" + "directory.*" + "tracer.*" + "!server.blocked-ip.*" + "!server.allowed-ip.*" + "server.*" + "authentication.fallback-admin.*" + "cluster.*" + "config.local-keys.*" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "certificate.*" + ]; + }; + certificate.default = { + cert = "%{file:/run/credentials/stalwart-mail.service/cert}%"; + private-key = "%{file:/run/credentials/stalwart-mail.service/pk}%"; + default = true; + }; + }; + credentials = { + cert = config.age.secrets.stalwart-cert.path; + pk = config.age.secrets.stalwart-pk.path; + admin_secret = config.age.secrets.stalwart-admin.path; + }; + }; + + 
createPaths."/srv/files/git" = { + owner = "git"; + group = "git"; + permissions = "0770"; + }; + services.cgit.kcu = { + enable = true; + user = "git"; + group = "git"; + scanPath = "/srv/files/git"; + gitHttpBackend = { + enable = true; + checkExportOkFiles = false; + }; + nginx.virtualHost = "git.${domain}"; + + settings = { + root-title = "kcu.su git"; + root-desc = "this is where i keep my (dead) projects"; + + enable-git-config = 1; + + about-filter = "${pkgs.cgit}/lib/filters/about-formatting.sh"; + source-filter = "${pkgs.cgit}/lib/filters/syntax-highlighting.py"; + readme = [ + "master:README.md" + "master:README.org" + ]; + project-list = "/var/lib/git/projects.list"; + }; + }; + + services.gitolite = { + enable = true; + user = "git"; + description = ""; + group = "git"; + adminPubkey = ""; + extraGitoliteRc = '' + $RC{GIT_CONFIG_KEYS} = ".*"; + $RC{GL_REPO_BASE} = "/srv/files/git"; + ''; + }; + services.immich = { enable = true; }; diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age new file mode 100644 index 0000000..90ca528 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptoveQ vDi/rd7OWJyvz4nnM2kwX+8f9Vvru1lgvEXXHoD5TgQ +qMckZ4SxsRksF8Yg8MtSlZtvn/sm73xskjI9DSmIQtE +-> 8-grease k# SA{/ =I;)gK +844hA/7PS0QSd1dP16JX7JTJW8NWhSouyEF7VBpa8+uIZSrfUOwJDs+Af7dtIEd2 + +--- TLscAo6DhT5qKf7AAH7GqpigW8L/bMsoSBpoDWmVRtI +7+"Ry&(_(HkVLNm8WCg[pZkΗK`o"eV#KܰDyyRċTiB
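Review bot: `gitHttpBackend.checkExportOkFiles = false` on `services.cgit.kcu`, combined with `enableAuthelia = false` on `git.${domain}`, presumably makes git-http-backend serve every repository under `/srv/files/git` to anonymous clients (the `GIT_HTTP_EXPORT_ALL` behaviour), which bypasses the gitolite ACL that is only enforced over ssh — including `gitolite-admin.git` with its conf and authorized keys, and any repo absent from `/var/lib/git/projects.list` (the `project-list` setting hides repos from the cgit index, not from the smart-HTTP clone path). Gitolite already writes `git-daemon-export-ok` only for repos that grant `R = daemon`, so `checkExportOkFiles = true;` gives opt-in public read with no other change. Two smaller points in the same hunk: `adminPubkey = ""` looks like a placeholder that leaves the admin repo without a usable key unless the real key is injected elsewhere, and `$RC{GIT_CONFIG_KEYS} = ".*"` lets anyone who can push gitolite-admin set git config keys that execute on the server as `git` (gitolite's own git-config documentation cautions against `.*`); an allowlist such as `$RC{GIT_CONFIG_KEYS} = 'gitweb\\..* cgit\\..* receive\\..*';` is safer. The enclosing attribute set starts and ends outside this hunk.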
|uW + d%vPH&ۻ:z
\ No newline at end of file diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age Binary files differnew file mode 100644 index 0000000..8a778bf --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age Binary files differnew file mode 100644 index 0000000..4279838 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age diff --git a/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age new file mode 100644 index 0000000..8ae6dd3 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 5YBERzwh+Vis6esJiMwoUQbRSeB3XqufSnpOLvx8qRw +0tgBOtYD7n5C8yMluNij1rimPAxc4k8/WLWcxdvR7A8 +-> ?&'/-grease bm}^I5I uJ~R_S '/<ECm +l6zIQMmDjFRA8hqVXsfu+6Qmn9LHQu8X3axNNMSIoId2FCG38gd/xbSq80z3BWhg +2t1sXRD7+msi8Vxghdh56e++atH5oli36/vQOoyhfcM +--- fq2O9hy5sEtEpHrayYJ5c6Z6UmN+fW/iukMQJeAjVt4 ++WqJ23DȘ(By0 +1ÅRNn
W634A&ZA-|E3hry֏L0HYNe^ImBnԮ0Ln^hY̴agVӰu
\ No newline at end of file diff --git a/modules/hosts/ltrr-block/secrets/stalwart-cert.age b/modules/hosts/ltrr-block/secrets/stalwart-cert.age Binary files differnew file mode 100644 index 0000000..88ae1b9 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/stalwart-cert.age diff --git a/modules/hosts/ltrr-block/secrets/stalwart-pk.age b/modules/hosts/ltrr-block/secrets/stalwart-pk.age Binary files differnew file mode 100644 index 0000000..b0f092a --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/stalwart-pk.age diff --git a/modules/hosts/ltrr-cloud/configuration.nix b/modules/hosts/ltrr-cloud/configuration.nix index 34a74e0..03d7c1e 100644 --- a/modules/hosts/ltrr-cloud/configuration.nix +++ b/modules/hosts/ltrr-cloud/configuration.nix @@ -31,6 +31,8 @@ inputs.agenix.nixosModules.default inputs.agenix-rekey.nixosModules.default + + inputs.omnisearch.nixosModules.default ]; nixpkgs.hostPlatform = "x86_64-linux"; @@ -86,7 +88,7 @@ swapDevices = [ { device = "/var/lib/swapfile"; - size = 2 * 1024; + size = 1024; } ]; 
@@ -108,26 +110,37 @@ preUp = '' sysctl -w net.ipv4.ip_forward=1 - # 16261 - iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261 - iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT - iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE - - # 16262 - iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262 - iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT - iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE + # 25 + iptables -t nat -I PREROUTING 1 -i ens3 -p tcp --dport 25 -j DNAT --to-destination 10.1.1.2:25 + iptables -A FORWARD -p tcp -d 10.1.1.2 --dport 25 -j ACCEPT + iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 25 -d 10.1.1.2 -j MASQUERADE + + # 465 + iptables -t nat -I PREROUTING 1 -i ens3 -p tcp --dport 465 -j DNAT --to-destination 10.1.1.2:465 + iptables -A FORWARD -p tcp -d 10.1.1.2 --dport 465 -j ACCEPT + iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 465 -d 10.1.1.2 -j MASQUERADE + + # 993 + iptables -t nat -I PREROUTING 1 -i ens3 -p tcp --dport 993 -j DNAT --to-destination 10.1.1.2:993 + iptables -A FORWARD -p tcp -d 10.1.1.2 --dport 993 -j ACCEPT + iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 993 -d 10.1.1.2 -j MASQUERADE ''; + postDown = '' - # 16261 - iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261 - iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT - iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE - - # 16262 - iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262 - iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT - iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE + # 25 + iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 25 -j DNAT --to-destination 
10.1.1.2:25 + iptables -D FORWARD -p tcp -d 10.1.1.2 --dport 25 -j ACCEPT + iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 25 -d 10.1.1.2 -j MASQUERADE + + # 465 + iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 465 -j DNAT --to-destination 10.1.1.2:465 + iptables -D FORWARD -p tcp -d 10.1.1.2 --dport 465 -j ACCEPT + iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 465 -d 10.1.1.2 -j MASQUERADE + + # 993 + iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 993 -j DNAT --to-destination 10.1.1.2:993 + iptables -D FORWARD -p tcp -d 10.1.1.2 --dport 993 -j ACCEPT + iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 993 -d 10.1.1.2 -j MASQUERADE ''; peers = [ 
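Review bot: Each DNAT'd mail port is followed by `iptables -t nat -A POSTROUTING -o wg0 ... -j MASQUERADE`, so Stalwart on 10.1.1.2 sees every SMTP/IMAP connection as coming from the tunnel address rather than the real client. That defeats Stalwart's per-IP controls (`server.blocked-ip`/`allowed-ip`, authentication rate limits, any IP-based reputation) — one abusive sender gets the single visible address throttled for everyone — and removes the client IP from the logs you would need for fail2ban on the mail side. If ltrr-block can route replies back through wg0 (a default or policy route via the tunnel; not visible here), the three MASQUERADE lines in preUp and their `-D` counterparts in postDown can be dropped so DNAT alone preserves the source address. Also note preUp appends with `-A FORWARD` and only postDown removes, so a preUp re-run without a matching postDown accumulates duplicate ACCEPT rules.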
@@ -140,9 +153,45 @@ }; }; - networking.firewall.allowedTCPPorts = [80 443 25565]; - networking.firewall.allowedUDPPorts = [51820 16261 16262]; + networking.firewall.allowedTCPPorts = [ + # http + 80 + 443 + + #mail + 25 + 465 + 993 + + 25565 # minecraft + ]; + networking.firewall.allowedUDPPorts = [ + 51820 # wg + ]; + + environment.etc = { + "fail2ban/filter.d/authelia.conf".text = '' + # Fail2Ban filter for Authelia + + # Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend + # only contains a single IP address (the one from the end-user), and not the proxy chain + # (it is misleading: usually, this is the purpose of this header). + + # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt + # second line) as a failure. + # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors + + [Definition] + failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.* + ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.* + + ignoreregex = ^.*level=debug.* + ^.*level=info.* + ^.*level=warning.* + journalmatch = _SYSTEMD_UNIT=authelia-kcu.service + _COMM=authelia + ''; + }; services.fail2ban = { enable = true; ignoreIP = [ @@ -157,12 +206,6 @@ }; jails = { - nginx-http-auth.settings = { - enabled = true; - port = "http,https"; - logpath = "/var/log/nginx/*.log"; - backend = "auto"; - }; nginx-botsearch.settings = { enabled = true; port = "http,https"; @@ -175,6 +218,10 @@ logpath = "/var/log/nginx/*.log"; backend = "auto"; }; + authelia = '' + enabled = true + port = http,https + ''; }; }; 
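Review bot: The new `authelia` jail sets only `enabled` and `port`; the filter it pairs with locates events via `journalmatch`, which fail2ban only honours under the `systemd` backend, while the sibling jails in this hunk all set `backend = auto` with a `logpath`. Unless the module's `[DEFAULT]` section already sets `backend = systemd` (not visible here), this jail fails to start for lack of a log source and never bans; adding `backend = systemd` to the jail string makes it explicit either way. The filter bans on the `remote_ip` Authelia logs, so the nginx in front must forward a single client address — the filter's own comment says so, but nothing in this diff verifies that the proxy strips or rewrites `X-Forwarded-For`.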
@@ -203,15 +250,14 @@ proxyPass = "http://127.0.0.1:8090"; }; "auth".proxyPass = "http://127.0.0.1:9091"; + + "search".proxyPass = "http://127.0.0.1:8087"; }; extraVirtualHosts = { - "kcu.su" = { + "${domain}" = { forceSSL = true; enableACME = true; - locations."/apple" = { - root = "/var/www"; - }; locations."/" = { return = 444; }; @@ -228,6 +274,7 @@ homeConfig = self.nixosConfigurations.ltrr-block.config; in { subdomains = homeConfig.nginxProxy.subdomains; + virtualHosts = homeConfig.nginxProxy.extraVirtualHosts; url = "http://10.1.1.2"; }; }; @@ -242,6 +289,11 @@ owner = "authelia-kcu"; group = "authelia-kcu"; }; + age.secrets.authelia-users = { + rekeyFile = ./secrets/authelia-users.yaml.age; + owner = "authelia-kcu"; + group = "authelia-kcu"; + }; services.authelia.instances.kcu = { enable = true; secrets = { @@ -251,7 +303,7 @@ settings = { authentication_backend = { file = { - path = "/var/lib/authelia-kcu/users_database.yml"; + path = config.age.secrets.authelia-users.path; }; }; @@ -285,6 +337,15 @@ ]; }; + server.endpoints.authz.auth-request = { + implementation = "AuthRequest"; + authn_strategies = [ + { + name = "CookieSession"; + } + ]; + }; + storage = { local = { path = "/var/lib/authelia-kcu/db.sqlite3"; @@ -300,6 +361,15 @@ }; }; + services.omnisearch = { + enable = true; + settings = { + server = { + domain = "https://search.${domain}"; + }; + }; + }; + services.headscale = { enable = true; package = pkgs.headscale; 
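Review bot: `authentication_backend.file.path` now points at `config.age.secrets.authelia-users.path`, an agenix-managed file that is recreated from the encrypted source on every activation and (at the default 0400 mode) is not writable. Authelia's file backend writes this file back for password changes/resets, so if password reset is enabled for this instance (those settings are outside the hunk) such writes will either fail on the read-only secret or be silently reverted at the next deploy; set `authentication_backend.password_reset.disable = true;` or copy the secret to a writable location at service start. Moving the user database into an encrypted, owner-restricted secret with `owner`/`group` set is otherwise the right direction. The `server.endpoints.authz.auth-request` addition matches the `auth_request` directive in nginxProxy.nix.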
@@ -321,24 +391,24 @@ }; }; virtualisation.oci-containers.backend = "podman"; - virtualisation.oci-containers.containers = { - "uptime-kuma" = { - image = "louislam/uptime-kuma:2"; - volumes = [ - "/var/lib/uptime-kuma:/app/data" - ]; - ports = [ - "127.0.0.1:8762:3001" - ]; - capabilities = { - NET_RAW = true; - }; - }; - }; - - services.beszel.hub = { - enable = true; - }; + # virtualisation.oci-containers.containers = { + # "uptime-kuma" = { + # image = "louislam/uptime-kuma:2"; + # volumes = [ + # "/var/lib/uptime-kuma:/app/data" + # ]; + # ports = [ + # "127.0.0.1:8762:3001" + # ]; + # capabilities = { + # NET_RAW = true; + # }; + # }; + # }; + + # services.beszel.hub = { + # enable = true; + # }; system.stateVersion = "24.05"; }; diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.age b/modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.age Binary files differnew file mode 100644 index 0000000..aec8015 --- /dev/null +++ b/modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.age diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.age Binary files differnew file mode 100644 index 0000000..fea60a5 --- /dev/null +++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.age diff --git a/modules/nixosModules/nginxProxy.nix b/modules/nixosModules/nginxProxy.nix index 36fdc59..e7af19d 100644 --- a/modules/nixosModules/nginxProxy.nix +++ b/modules/nixosModules/nginxProxy.nix 
@@ -10,7 +10,19 @@ locationOptions = import (pkgs.path + "/nixos/modules/services/web-servers/nginx/location-options.nix"); nginxOptions = import (pkgs.path + "/nixos/modules/services/web-servers/nginx/default.nix"); - autheliaAuth = url: '' + authVhostOptions = + recursiveUpdate + (vhostOptions {inherit config lib;}) + { + options = { + enableAuthelia = mkOption { + type = types.bool; + default = cfg.home.authelia.enable; + }; + }; + }; + + autheliaAuth = '' auth_request /internal/authelia/authz; auth_request_set $redirection_url $upstream_http_location; error_page 401 =302 $redirection_url; @@ -84,13 +96,13 @@ }; extraVirtualHosts = mkOption { - type = types.attrsOf (types.submodule (vhostOptions {inherit config lib;})); + type = types.attrsOf (types.submodule authVhostOptions); default = {}; }; home = { virtualHosts = mkOption { - type = types.attrsOf (types.submodule (vhostOptions {inherit config lib;})); + type = types.attrsOf (types.submodule authVhostOptions); default = {}; description = '' Virtual hosts from another nginx configuration, that will be used to decrypt ssl and forward traffic to another server. 
@@ -187,29 +199,42 @@ homeRoutes = homeVirtualHosts: homeUrl: builtins.mapAttrs (name: value: - { - locations."/" = - value.locations."/" - // { - proxyPass = homeUrl; - recommendedProxySettings = true; - extraConfig = value.locations."/".extraConfig + (autheliaAuth cfg.home.authelia.publicUrl); - }; - locations."/internal/authelia/authz" = mkIf cfg.home.authelia.enable { - extraConfig = autheliaLocation cfg.home.authelia.localUrl; + recursiveUpdate value { + locations."/" = { + proxyPass = homeUrl; + recommendedProxySettings = true; }; } // ssl) homeVirtualHosts; + removeAuthelia = filterAttrsRecursive (n: v: n != "enableAuthelia"); + vhosts = makeVhosts cfg.domain cfg.subdomains; - homeVhosts = homeRoutes ((makeVhosts (cfg.home.domain) cfg.home.subdomains) // cfg.home.virtualHosts) cfg.home.url; + homeVhosts = homeRoutes (recursiveUpdate (makeVhosts (cfg.home.domain) cfg.home.subdomains) cfg.home.virtualHosts) cfg.home.url; + addAutheliaRoutes = isHome: vhosts: + builtins.mapAttrs + (name: value: (recursiveUpdate value { + locations."/" = { + extraConfig = + value.locations."/".extraConfig or "" + + concatStrings (optional (value.enableAuthelia or true && !isHome) autheliaAuth); + }; + locations."/internal/authelia/authz" = mkIf (value.enableAuthelia or true && !isHome) { + extraConfig = autheliaLocation cfg.home.authelia.localUrl; + }; + })) + vhosts; in { enable = true; recommendedProxySettings = cfg.recommendedProxySettings; - virtualHosts = vhosts // homeVhosts // cfg.extraVirtualHosts; + virtualHosts = + removeAuthelia + (addAutheliaRoutes + (homeVhosts == {}) + (recursiveUpdate (recursiveUpdate vhosts homeVhosts) cfg.extraVirtualHosts)); } // cfg.extraConfig; }; diff --git a/modules/nixosModules/watcharr.nix b/modules/nixosModules/watcharr.nix index 2263e4f..061a18c 100644 --- a/modules/nixosModules/watcharr.nix +++ b/modules/nixosModules/watcharr.nix 
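Review bot: Whether Authelia is injected is now decided by `addAutheliaRoutes (homeVhosts == {}) …`, i.e. SSO is skipped for every vhost on any host that happens to have no home vhosts, and applied with `value.enableAuthelia or true` otherwise — `cfg.home.authelia.enable`, which the old code gated the `/internal/authelia/authz` location on, is no longer consulted for vhosts produced by `makeVhosts` (if that helper does not set `enableAuthelia`; it is outside the hunk). The first is fail-open: an edge host whose `home.subdomains` becomes empty silently loses SSO on all of its own `subdomains`; the second breaks every vhost on a host with `home.authelia.enable = false`, since `auth_request` then targets a `localUrl` nothing answers. Prefer explicit gates, e.g. `value.enableAuthelia or cfg.home.authelia.enable` for the default and `!cfg.home.authelia.enable` (or a dedicated option) instead of `homeVhosts == {}` for the per-host switch. `filterAttrsRecursive (n: v: n != "enableAuthelia")` also strips that name at any depth, which is harmless today but would eat a same-named key nested under `locations` later. The definitions here begin before the hunk.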
@@ -63,7 +63,7 @@ virtualisation.oci-containers.containers.watcharr = { image = "ghcr.io/sbondco/watcharr:latest"; ports = [ - "127.0.0.1${port}:3080" + "127.0.0.1:${port}:3080" ]; volumes = [ "${cfg.settings.dataDir}:/data" |
