hosts/legion/nas: allocate subdomains for services

2024-07-20 18:32:53 +02:00 · 2024-07-20 18:32:53 +02:00 · 008bf7c80e
commit 008bf7c80e
parent 82c86143a6
3 changed files with 78 additions and 1 deletions
--- a/hosts/legion/nas/media.nix
+++ b/hosts/legion/nas/media.nix
@ -1,5 +1,15 @@
-{ username, lib, ... }:
 {
+  config,
+  username,
+  lib,
+  ...
+}:
+{
+  age.secrets.rab-lol-cf = {
+    file = ../../../secrets/rab-lol-cf.age;
+    owner = config.services.nginx.user;
+  };
+
  services.jellyfin.enable = true;
  services.radarr.enable = true;
  services.sonarr.enable = true;
@ -39,4 +49,60 @@
        requires = [ "zfs-mount.service" ];
        after = [ "zfs-mount.service" ];
      });
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts =
+      let
+        services = [
+          "jellyfin"
+          "deluge"
+          "prowlarr"
+          "sonarr"
+          "radarr"
+        ];
+        mkService = name: {
+          forceSSL = true;
+          useACMEHost = "_wildcard.legion.rab.lol";
+          listen = lib.flatten (
+            map
+              (port: [
+                (port // { addr = config.settei.tailscale.ipv4; })
+                (port // { addr = "[${config.settei.tailscale.ipv6}]"; })
+              ])
+              [
+                { port = 80; }
+                {
+                  port = 443;
+                  ssl = true;
+                }
+              ]
+          );
+
+          locations."/".proxyPass = "http://${name}";
+        };
+        services' = map (service: {
+          name = "${service}.legion.rab.lol";
+          value = mkService service;
+        }) services;
+      in
+      lib.listToAttrs services';
+    upstreams = {
+      jellyfin.servers."localhost:8096" = { };
+      deluge.servers."localhost:8112" = { };
+      prowlarr.servers."localhost:9696" = { };
+      radarr.servers."localhost:7878" = { };
+      sonarr.servers."localhost:8989" = { };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+  security.acme.acceptTerms = true;
+  security.acme.certs."_wildcard.legion.rab.lol" = {
+    domain = "*.legion.rab.lol";
+    dnsProvider = "cloudflare";
+    credentialsFile = config.age.secrets.rab-lol-cf.path;
+    email = "nikodem@rabulinski.com";
+  };
 }
--- a/secrets/rab-lol-cf.age
+++ b/secrets/rab-lol-cf.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ioPMHA OalLSgF0zP+HWMvce3JMzuPzkMfKB6mfObp9DCMBE1M
+YaQXa2PGhrpSPgbHODvN80m6ovnaz+ZezS3OsW1YYcc
+-> ssh-ed25519 GKhvwg uUOhm+rQ/BL8uX85R+thBcRWNupUrMj/wYZ/rzhjugU
+XAm8FqJ4G4sUwibp8vC/cyZIrsrk2GNp7rVIfM/phBI
+--- bvhcnA92V3feL8yv3Nx5aBKZi64Eg47zT2MS9I1hL0c
+›;á ĄÖ°Á$Q§±^G5@LĐí9|˛k?ľFÁ?BĘ0ésĘĄśĆ^,UŠŹ[9&żčĂáŢúyýh‚„ŰOÍéÄ0.ăŁ"~PŘPń±‚üĘüúŔA†
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -76,4 +76,8 @@ in
    keys.system.miyagi
    keys.other.bootstrap
  ];
+  "rab-lol-cf.age".publicKeys = [
+    keys.system.legion
+    keys.other.bootstrap
+  ];
 }