From a78e9164e9a64af2fc86456b7d5d2b83fc74e28f Mon Sep 17 00:00:00 2001
From: xinyangli <lixinyang411@gmail.com>
Date: Wed, 5 Feb 2025 11:51:04 +0800
Subject: [PATCH] weilite: alternative domain for immich

---
 machines/weilite/default.nix          | 40 -----------------
 machines/weilite/secrets.yaml         |  9 ++--
 machines/weilite/services/caddy.nix   | 63 +++++++++++++++++++++++++++
 machines/weilite/services/default.nix |  1 +
 machines/weilite/services/restic.nix  |  3 ++
 5 files changed, 72 insertions(+), 44 deletions(-)
 create mode 100644 machines/weilite/services/caddy.nix

diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
index 5e0bb3c..a750205 100644
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@@ -62,14 +62,6 @@
       defaultSopsFile = ./secrets.yaml;
       age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
       secrets = {
-        cloudflare_dns_token = {
-          owner = "caddy";
-          mode = "400";
-        };
-        dnspod_dns_token = {
-          owner = "caddy";
-          mode = "400";
-        };
         "restic/localpass" = {
           owner = "restic";
         };
@@ -163,38 +155,6 @@
     # tailscale derper module use nginx for reverse proxy
     services.nginx.enable = lib.mkForce false;
 
-    services.caddy = {
-      enable = true;
-      package = pkgs.caddy.withPlugins {
-        plugins = [
-          "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
-          "github.com/caddy-dns/dnspod@v0.0.4"
-        ];
-        hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM=";
-      };
-      virtualHosts."derper00.namely.icu:8443".extraConfig = ''
-        reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
-      '';
-      virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
-        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
-      '';
-      # API Token must be added in systemd environment file
-      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
-        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
-      '';
-      globalConfig = ''
-        acme_dns dnspod {env.DNSPOD_API_TOKEN}
-      '';
-    };
-
-    networking.firewall.allowedTCPPorts = [ 8000 ];
-
-    systemd.services.caddy = {
-      serviceConfig = {
-        EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
-      };
-    };
-
     time.timeZone = "Asia/Shanghai";
 
     fileSystems."/" = {
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml
index b5c3aa5..0e63460 100644
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@@ -1,5 +1,6 @@
-cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
-dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
+caddy:
+    cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str]
+    dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str]
 immich:
     oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
 restic:
@@ -30,8 +31,8 @@ sops:
             V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
             RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-25T00:35:15Z"
-    mac: ENC[AES256_GCM,data:sk4DL+w740RD9A3sPvcGD4fc90Nfw9C8dH11ScGRgt6gS3v4V16pD0Q/bHHZiUCll76phZKjp+sGcZaPw0X7RDlK582WY3uw0pLtqLlm0gejjmvBJYKg47nA0dCD+vDvbMkJlvJG6N3sRuXDBa/7bAe452eXZNS8Xnm7ceDscVc=,iv:Nx4yCfG9rNk0q8akuI1aZr6Wj4GIAxASE8Tc7TH4Vj8=,tag:GodvlMbhIPpPu062spKFxA==,type:str]
+    lastmodified: "2025-02-01T15:54:35Z"
+    mac: ENC[AES256_GCM,data:hDX2lQ5GbBGTqioEqNc/k4NvBW7/3ISOVUk8/6CkuW6ZQHUeMnfziWV7faw+DiMvYmwFUJ4mhY77Je5+gid0Ae5JyNxznBW2uzpXvLcTBsYz8iSZL6Jw5FciPIgkGDN5U5wMkusS6Ok2W/idIgmwlmxf3ACNaf7e0QpypwYwxZw=,iv:mkIQ2rvTpQXRuRarlcl/aIKDY3JmJKVsr1oS4+3vmnk=,tag:of2CSCqZAJaaZ5DvC6+Amg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.2
diff --git a/machines/weilite/services/caddy.nix b/machines/weilite/services/caddy.nix
new file mode 100644
index 0000000..6cc22b0
--- /dev/null
+++ b/machines/weilite/services/caddy.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+{
+  sops = {
+    secrets = {
+      "caddy/cf_dns_token" = {
+        owner = "caddy";
+        mode = "400";
+      };
+      "caddy/dnspod_dns_token" = {
+        owner = "caddy";
+        mode = "400";
+      };
+    };
+    templates."caddy.env".content = ''
+      CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
+      DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"}
+    '';
+  };
+
+  services.caddy =
+    let
+      acmeCF = "tls {
+        dns cloudflare {env.CF_API_TOKEN}
+      }";
+      acmeDnspod = "tls {
+        dns dnspod {env.DNSPOD_API_TOKEN}
+      }";
+    in
+    {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+          "github.com/caddy-dns/dnspod@v0.0.4"
+        ];
+        hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM=";
+      };
+      virtualHosts."derper00.namely.icu:8443".extraConfig = ''
+        ${acmeDnspod}
+        reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
+      '';
+      # API Token must be added in systemd environment file
+      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
+        ${acmeDnspod}
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
+      virtualHosts."immich.xiny.li:8443".extraConfig = ''
+        ${acmeCF}
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
+    };
+
+  networking.firewall.allowedTCPPorts = [
+    8000
+    8443
+  ];
+
+  systemd.services.caddy = {
+    serviceConfig = {
+      EnvironmentFile = config.sops.templates."caddy.env".path;
+    };
+  };
+}
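Review bot: The comment `# API Token must be added in systemd environment file` above the immich.xinyang.life host is stale and misplaced in the new file: the sops template `caddy.env` and the `EnvironmentFile` on `systemd.services.caddy` below already supply CF_API_TOKEN and DNSPOD_API_TOKEN, and all three hosts rely on them, not just that one. Suggest moving it above the `let` and rewording to `# DNS-01 tokens come from the sops template caddy.env, injected through EnvironmentFile below`. The `weilite.coho-tet.ts.net:8080` host that the removed default.nix block served for immich does not reappear here; if dropping the tailnet entry point is intended the commit message should say so, otherwise it needs re-adding. With the tokens now consumed only through the rendered template, the `owner = "caddy"` on the two raw secrets looks unnecessary — the template is rendered by sops-nix and EnvironmentFile is read by systemd, so the raw token files could stay root-owned to narrow what the caddy user can read; confirm against the sops-nix template semantics before changing it.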
diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix
index ca5ee33..649ca08 100644
--- a/machines/weilite/services/default.nix
+++ b/machines/weilite/services/default.nix
@@ -1,5 +1,6 @@
 {
   imports = [
+    ./caddy.nix
     ./ocis.nix
     ./restic.nix
     ./media-download.nix
diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix
index f62786e..be272eb 100644
--- a/machines/weilite/services/restic.nix
+++ b/machines/weilite/services/restic.nix
@@ -42,6 +42,9 @@ in
   networking.firewall.allowedTCPPorts = [ 8443 ];
 
   services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
+    tls {
+      dns dnspod {env.DNSPOD_API_TOKEN}
+    }
     reverse_proxy ${config.services.restic.server.listenAddress}
   '';
 }
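Review bot: The `tls { dns dnspod {env.DNSPOD_API_TOKEN} }` block added here silently depends on `DNSPOD_API_TOKEN` being in caddy's environment, which is only arranged by the `EnvironmentFile` in services/caddy.nix; nothing in this file documents or enforces that. Suggest a comment above the tls block, `# DNSPOD_API_TOKEN is provided by the sops template wired up in ./caddy.nix`. The same three lines exist as the `acmeDnspod` let-binding in caddy.nix, so a later edit to one will drift from the other; a single shared snippet both files read would avoid that. The enclosing module attrset starts before this hunk.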