From 008bf7c80eb939131e751b0383330f8768492f9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Sat, 20 Jul 2024 18:32:53 +0200
Subject: [PATCH] hosts/legion/nas: allocate subdomains for services
---
hosts/legion/nas/media.nix | 68 +++++++++++++++++++++++++++++++++++++-
secrets/rab-lol-cf.age | 7 ++++
secrets/secrets.nix | 4 +++
3 files changed, 78 insertions(+), 1 deletion(-)
create mode 100644 secrets/rab-lol-cf.age
diff --git a/hosts/legion/nas/media.nix b/hosts/legion/nas/media.nix
index 726ac5e..387f3b4 100644
--- a/hosts/legion/nas/media.nix
+++ b/hosts/legion/nas/media.nix
@@ -1,5 +1,15 @@
-{ username, lib, ... }:
+{
+ config,
+ username,
+ lib,
+ ...
+}:
+{
+ age.secrets.rab-lol-cf = {
+ file = ../../../secrets/rab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
 services.jellyfin.enable = true;
 services.radarr.enable = true;
 services.sonarr.enable = true;
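Review bot: The Cloudflare DNS credential is made readable by the nginx user (`owner = config.services.nginx.user;` in the new `age.secrets.rab-lol-cf` block), yet nothing in nginx consumes it; its only reader is `credentialsFile = config.age.secrets.rab-lol-cf.path;` in the second hunk of this file, which belongs to the ACME renewal unit rather than to nginx. That hands a DNS API token to the web-facing worker that least needs it, so a compromise of nginx would also expose control over the `rab.lol` zone records. If `credentialsFile` is consumed as a systemd EnvironmentFile (read by systemd itself, as I believe the NixOS ACME module does), the `owner` line can simply be dropped and the secret keeps its default root-only ownership; otherwise set the owner to the user the ACME unit runs as, not nginx. The certificate itself still reaches nginx through the `acme` group membership the second hunk already adds, so nginx never needs the token.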
@@ -39,4 +49,60 @@
 requires = [ "zfs-mount.service" ];
 after = [ "zfs-mount.service" ];
 });
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts =
+ let
+ services = [
+ "jellyfin"
+ "deluge"
+ "prowlarr"
+ "sonarr"
+ "radarr"
+ ];
+ mkService = name: {
+ forceSSL = true;
+ useACMEHost = "_wildcard.legion.rab.lol";
+ listen = lib.flatten (
+ map
+ (port: [
+ (port // { addr = config.settei.tailscale.ipv4; })
+ (port // { addr = "[${config.settei.tailscale.ipv6}]"; })
+ ])
+ [
+ { port = 80; }
+ {
+ port = 443;
+ ssl = true;
+ }
+ ]
+ );
+
+ locations."/".proxyPass = "http://${name}";
+ };
+ services' = map (service: {
+ name = "${service}.legion.rab.lol";
+ value = mkService service;
+ }) services;
+ in
+ lib.listToAttrs services';
+ upstreams = {
+ jellyfin.servers."localhost:8096" = { };
+ deluge.servers."localhost:8112" = { };
+ prowlarr.servers."localhost:9696" = { };
+ radarr.servers."localhost:7878" = { };
+ sonarr.servers."localhost:8989" = { };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
+ security.acme.certs."_wildcard.legion.rab.lol" = {
+ domain = "*.legion.rab.lol";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rab-lol-cf.path;
+ email = "nikodem@rabulinski.com";
+ };
 }
diff --git a/secrets/rab-lol-cf.age b/secrets/rab-lol-cf.age
new file mode 100644
index 0000000..16f3ff6
--- /dev/null
+++ b/secrets/rab-lol-cf.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ioPMHA OalLSgF0zP+HWMvce3JMzuPzkMfKB6mfObp9DCMBE1M
+YaQXa2PGhrpSPgbHODvN80m6ovnaz+ZezS3OsW1YYcc
+-> ssh-ed25519 GKhvwg uUOhm+rQ/BL8uX85R+thBcRWNupUrMj/wYZ/rzhjugU
+XAm8FqJ4G4sUwibp8vC/cyZIrsrk2GNp7rVIfM/phBI
+--- bvhcnA92V3feL8yv3Nx5aBKZi64Eg47zT2MS9I1hL0c
+;ᠥְ $Q^G5@L9|k?F?B0sʥ^,U[9&yhO0."~PPA
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e03a19d..d93cc64 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
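Review bot: The set of proxied services is written out twice in the new nginx block — once as the `services = [ "jellyfin" ... ]` list feeding `virtualHosts`, once as the hand-keyed `upstreams` attrset with its ports — and `legion.rab.lol` is spelled out three times, so a name added to one copy but not the other produces a `proxyPass = "http://${name}"` to an upstream that does not exist, which nginx would at best reject at startup. Keying both `virtualHosts` and `upstreams` from one name → port attrset and binding the domain once removes that drift; the sketch below does that with `lib.mapAttrs'`/`lib.nameValuePair` and leaves `mkService` and the `security.acme` block as they are apart from reading `domain`. The enclosing module attrset starts outside this hunk.

```nix
  services.nginx =
    let
      domain = "legion.rab.lol";
      # single source of truth: vhost name -> upstream port on localhost
      backends = {
        jellyfin = 8096;
        deluge = 8112;
        prowlarr = 9696;
        radarr = 7878;
        sonarr = 8989;
      };
      # … unchanged: mkService (useACMEHost = "_wildcard.${domain}") …
    in
    {
      enable = true;
      recommendedProxySettings = true;
      virtualHosts = lib.mapAttrs' (
        name: _: lib.nameValuePair "${name}.${domain}" (mkService name)
      ) backends;
      upstreams = lib.mapAttrs (_: port: {
        servers."localhost:${toString port}" = { };
      }) backends;
    };
```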
@@ -76,4 +76,8 @@ in
 keys.system.miyagi
 keys.other.bootstrap
 ];
+ "rab-lol-cf.age".publicKeys = [
+ keys.system.legion
+ keys.other.bootstrap
+ ];
 }