From 6c5d958f40d9adc6a77fafa6ab5b5f97788e8e66 Mon Sep 17 00:00:00 2001 From: Alexander Szczepanski Date: Sat, 10 Aug 2024 21:42:14 +0200 Subject: [PATCH] vps-arm-2024-08-10-21-42-14 --- machine/vps-arm.nix | 33 +++++++++++++++++-------- services/adguardhome.nix | 52 ++++++++++++++++++++++++++++----------- services/frigate.nix | 53 +++++++++++++++++++++++++++++++--------- services/headscale.nix | 14 ++++++++--- 4 files changed, 113 insertions(+), 39 deletions(-) diff --git a/machine/vps-arm.nix b/machine/vps-arm.nix index 34b8097..1715ede 100755 --- a/machine/vps-arm.nix +++ b/machine/vps-arm.nix @@ -46,21 +46,23 @@ in firewall = { allowPing = true; allowedTCPPorts = [ - 80 # web - # 222 # SSH for gitea - 443 # web - # 9898 # i2p + 53 # adguardhome DNS + 80 # nginxs + 443 # nginx + 853 # adguardhome DoT ]; allowedUDPPorts = [ - 80 # web - 443 # web + 53 # adguardhome + 80 # nginx + 443 # nginx + 853 # adguardhome DoT 3478 # headscale - # 9898 # i2p - # 51820 # wireguard ]; }; }; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + environment.systemPackages = with pkgs; [ goaccess xd @@ -79,6 +81,8 @@ in }; services = { + dnscrypt-proxy2.enable = lib.mkForce false; + nginx = { enable = true; @@ -97,11 +101,19 @@ in ''; virtualHosts = { - ${config.services.adguardhome.settings.tls.server_name} = { + "szczepan.ski" = { forceSSL = true; enableACME = true; + globalRedirect = "alexander.szczepan.ski"; + }; + "alexander.szczepan.ski" = { + forceSSL = true; + enableACME = true; + root = "/var/www/alexander.szczepan.ski"; locations = { - "/" = { proxyPass = "https://127.0.0.1:3003/"; }; + "/" = { + tryFiles = "$uri $uri.html $uri/ =404"; + }; }; }; @@ -122,6 +134,7 @@ in tailscale = { enable = true; useRoutingFeatures = "both"; + openFirewall = true; }; fail2ban = { diff --git a/services/adguardhome.nix b/services/adguardhome.nix index 95c03d7..90d196f 100644 --- a/services/adguardhome.nix +++ b/services/adguardhome.nix 
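Review bot: Opening 53 in both `allowedTCPPorts` and `allowedUDPPorts`, combined with AdGuard Home now binding `"0.0.0.0"` in the services/adguardhome.nix hunk of this patch, makes this VPS an open recursive resolver on its public interface, which is abusable for DNS reflection and gets picked up by scanners quickly. The headscale hunk points tailnet clients at `100.64.0.2`, so plain port-53 DNS appears to be intended for the tailnet only; consider listing 53 under `networking.firewall.interfaces.tailscale0.allowedUDPPorts` (and the TCP equivalent) and keeping only 853 and 443 public, or restricting who may query via AdGuard Home's `dns.allowed_clients`. The comment `80 # nginxs` has a stray `s`. The enclosing `networking` attribute set starts outside the hunk.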
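Review bot: `dnscrypt-proxy2.enable = lib.mkForce false;` overrides a definition made somewhere else in the configuration without saying why, so a later cleanup is likely to drop the `mkForce` and re-enable it. Presumably it is being turned off because AdGuard Home takes over port 53 and talks DoH/DoT upstream itself; a one-line comment such as `# AdGuard Home now owns :53 and encrypts upstream DNS itself; force-off to avoid the port clash` above it would record that.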
@@ -1,29 +1,53 @@ { config, pkgs, lib, ... }: +let + dns-domain = "dns.szczepan.ski"; +in { + security.acme.certs.${dns-domain}.postRun = + '' + cp fullchain.pem /var/lib/AdGuardHome/chain.pem \ + && cp key.pem /var/lib/AdGuardHome/key.pem \ + && chown adguardhome:adguardhome /var/lib/AdGuardHome/chain.pem \ + && chown adguardhome:adguardhome /var/lib/AdGuardHome/key.pem + ''; + services = { + nginx = { + virtualHosts = { + ${dns-domain} = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { proxyPass = "https://127.0.0.1:3003/"; }; + }; + }; + }; + }; + adguardhome = { enable = true; - # mutableSettings = true; + mutableSettings = true; host = "127.0.0.1"; port = 3002; settings = { users = [{ name = "alex"; - password = "$2a$10$g5byXeV9EsVAhUdmso5hv.MkeMi0XGKbEejzx0Y4xmucAg1BNGKoi"; + password = "$2y$10$UhKvi4oztTfULWlIKnQhveORKXpIKCqpawJ/skSBAH96Njn4YDhTC"; }]; dns = { bind_hots = [ - "127.0.0.1" + "0.0.0.0" ]; - port = 54; + port = 53; upstream_dns = [ - # Example config with quad9 - "9.9.9.9" - "149.112.112.112" - # Uncomment the following to use a local DNS service (e.g. Unbound) - # Additionally replace the address & port as needed - # "127.0.0.1:5335" + "https://dns.quad9.net/dns-query" + "sdns://AgcAAAAAAAAADTk0LjE0MC4xNC4xNDAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkNOTQuMTQwLjE0LjE0MAovZG5zLXF1ZXJ5" + "tls://one.one.one.one" + "tls://dns.google" ]; + cache_size = 4194304; + cache_ttl_min = 2400; + cache_ttl_max = 84600; }; filtering = { protection_enabled = true; 
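Review bot: With `mutableSettings = true;` the NixOS module only seeds the configuration when no AdGuardHome.yaml exists yet, so on a host that already has a state file the rest of this hunk (port 53, the new password hash, the new upstreams) and the TLS paths in the next hunk will not be applied; confirm that is intended, or keep it false until the migration has landed. The `postRun` script copies `key.pem` with plain `cp`, which does not preserve the source mode when the destination already exists, so append `&& chmod 0600 /var/lib/AdGuardHome/key.pem` after the chowns to make sure the private key is not readable by other local users. The context line `bind_hots = [` looks like a misspelling of AdGuard Home's `bind_hosts` key, in which case the new `"0.0.0.0"` value is silently ignored and the daemon's default binding applies. `cache_ttl_max = 84600;` is probably meant to be 86400 (24 hours). The bcrypt hash in `password` ends up in the world-readable Nix store like every other setting here; the `secrets.nix` import the frigate hunk introduces would at least keep it out of the repository history.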
@@ -38,16 +62,16 @@ enabled = true; }; tls = { - server_name = "dns.v220240679185274666.nicesrv.de"; + server_name = dns-domain; enabled = true; - allow_unencrypted_doh = true; + allow_unencrypted_doh = false; port_dns_over_tls = 853; port_dns_over_quic = 0; port_https = 3003; certificate_chain = ""; private_key = ""; - certificate_path = "/var/lib/chain.pem"; - private_key_path = "/var/lib/key.pem"; + certificate_path = "/var/lib/AdGuardHome/chain.pem"; + private_key_path = "/var/lib/AdGuardHome/key.pem"; }; # The following notation uses map # to not have to manually create {enabled = true; url = "";} for every filter diff --git a/services/frigate.nix b/services/frigate.nix index c23f2c1..bd9410f 100644 --- a/services/frigate.nix +++ b/services/frigate.nix @@ -1,13 +1,24 @@ { config, lib, pkgs, ... }: let unstable = import { config.allowUnfree = true; }; + secrets = import ../configs/secrets.nix; in { services = { + nginx = { + virtualHosts = { + "frigate.szczepan.ski" = { + forceSSL = true; + enableACME = true; + basicAuth = { alex = secrets.frigate-password; }; + }; + }; + }; + frigate = { enable = true; package = unstable.pkgs.frigate; - hostname = "100.64.0.7"; + hostname = "frigate.szczepan.ski"; settings = { logger = { @@ -24,12 +35,32 @@ in num_threads = 4; }; - # ffmpeg.hwaccel_args = "preset-vaapi"; - cameras = { - home = { + # home = { + # ffmpeg.inputs = [{ + # path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264"; + # # input_args = "preset-rtsp-restream"; + # # roles = [ "record" "detect" ]; + # roles = [ "record" ]; + # }]; + + # record = { + # enabled = true; + # retain = { + # days = 7; + # mode = "all"; + # }; + # # events = { + # # retain = { + # # default = 14; + # # }; + # # }; + # }; + # }; + + garage = { ffmpeg.inputs = [{ - path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264"; + path = "rtsp://admin:REMOVED@192.168.178.42:554/H.264"; # input_args = "preset-rtsp-restream"; # roles = [ "record" "detect" ]; roles = [ "record" ]; 
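Review bot: `certificate_path` and `private_key_path` now point at the copies that the `postRun` hook in the previous hunk creates, so on a fresh deploy AdGuard Home will start before the ACME run has produced them and its TLS listeners (853 and `port_https = 3003`, behind the nginx proxy) will fail until the next restart. If that is the case, ordering the service after the certificate is ready, e.g. `systemd.services.adguardhome.after = [ "acme-finished-${dns-domain}.target" ];`, avoids the one-off failure; this is inferred from the paths and worth checking against the journal on first boot. The `tls` block's enclosing `settings` set continues outside the hunk.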
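Review bot: `basicAuth = { alex = secrets.frigate-password; };` makes the nginx module write the credential into an htpasswd file in the Nix store, which is world-readable on the host, so importing it from secrets.nix only keeps it out of the repository; prefer `basicAuthFile` pointing at a file provisioned outside the store. Since `hostname` also moves from the tailnet address `100.64.0.7` to a public name, the Frigate UI is now reachable from the internet behind a single password; given the headscale DNS changes in this patch, a tailnet-only vhost may be the safer option.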
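Review bot: The old `home` camera is kept as a roughly twenty-line commented-out block inside `cameras` rather than deleted; git history already preserves it, and the dead block makes the set harder to read, so drop it or leave a single `# home camera removed, see git history` line. The `path` line of the `garage` camera embeds the RTSP credentials in the Nix file (scrubbed to REMOVED on this page), which also lands in the Nix store; Frigate can substitute `{FRIGATE_RTSP_PASSWORD}` from its environment, which keeps the secret out of both. The `garage` attribute set continues past the end of the hunk.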
@@ -41,14 +72,14 @@ in days = 7; mode = "all"; }; - # events = { - # retain = { - # default = 14; - # }; - # }; + events = { + retain = { + default = 14; + }; + }; }; - }; + }; }; }; diff --git a/services/headscale.nix b/services/headscale.nix index 68289c0..9979302 100644 --- a/services/headscale.nix +++ b/services/headscale.nix @@ -5,7 +5,6 @@ services = { nginx = { virtualHosts = { - # ${config.services.headscale.settings.dns_config.domains} = { "headscale.szczepan.ski" = { forceSSL = true; enableACME = true; @@ -29,14 +28,21 @@ server_url = "https://headscale.szczepan.ski"; ip_prefixes = [ "100.64.0.0/10" + "fd7a:115c:a1e0::/48" ]; + # later + # prefixes = { + # v4 = "100.64.0.0/10"; + # v6 = "fd7a:115c:a1e0::/48"; + # }; dns_config = { + override_local_dns = true; base_domain = "szczepan.ski"; magic_dns = true; - domains = [ "headscale.szczepan.ski" ]; + domains = [ "main.szczepan.ski" ]; nameservers = [ - "1.1.1.1" - "9.9.9.9" + "100.64.0.2" + "127.0.0.1" ]; }; };
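Review bot: `"127.0.0.1"` in `dns_config.nameservers` is pushed to every tailnet client by MagicDNS, and on each client it resolves to that client's own loopback rather than to this server, so it is a dead second resolver everywhere except on the node running AdGuard Home; with `override_local_dns = true` that leaves `100.64.0.2` (presumably this host's tailnet address) as the only working upstream. Drop the loopback entry, e.g. `nameservers = [ "100.64.0.2" ];`, or add a second tailnet-reachable resolver if redundancy is the goal. The commented-out `prefixes` block marked `# later` will drift in the config; tracking it in an issue is the cleaner option.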