xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

weilite: alternative domain for immich

Browse source
This commit is contained in:
xinyangli 2025-02-05 11:51:04 +08:00
parent 6331a915ac
commit a78e9164e9
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
5 changed files with 72 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
machines/weilite/default.nix
View file

@ -62,14 +62,6 @@
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = { secrets = {
cloudflare_dns_token = {
owner = "caddy";
mode = "400";
};
dnspod_dns_token = {
owner = "caddy";
mode = "400";
};
"restic/localpass" = { "restic/localpass" = {
owner = "restic"; owner = "restic";
}; };
@ -163,38 +155,6 @@
# tailscale derper module use nginx for reverse proxy # tailscale derper module use nginx for reverse proxy
services.nginx.enable = lib.mkForce false; services.nginx.enable = lib.mkForce false;
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
plugins = [
"github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
"github.com/caddy-dns/dnspod@v0.0.4"
];
hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM=";
};
virtualHosts."derper00.namely.icu:8443".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
'';
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
# API Token must be added in systemd environment file
virtualHosts."immich.xinyang.life:8000".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
globalConfig = ''
acme_dns dnspod {env.DNSPOD_API_TOKEN}
'';
};
networking.firewall.allowedTCPPorts = [ 8000 ];
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
};
};
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
fileSystems."/" = { fileSystems."/" = {

9
machines/weilite/secrets.yaml
View file

@ -1,5 +1,6 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] caddy:
dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str] cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str]
dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str]
immich: immich:
oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
restic: restic:
@ -30,8 +31,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-25T00:35:15Z" lastmodified: "2025-02-01T15:54:35Z"
mac: ENC[AES256_GCM,data:sk4DL+w740RD9A3sPvcGD4fc90Nfw9C8dH11ScGRgt6gS3v4V16pD0Q/bHHZiUCll76phZKjp+sGcZaPw0X7RDlK582WY3uw0pLtqLlm0gejjmvBJYKg47nA0dCD+vDvbMkJlvJG6N3sRuXDBa/7bAe452eXZNS8Xnm7ceDscVc=,iv:Nx4yCfG9rNk0q8akuI1aZr6Wj4GIAxASE8Tc7TH4Vj8=,tag:GodvlMbhIPpPu062spKFxA==,type:str] mac: ENC[AES256_GCM,data:hDX2lQ5GbBGTqioEqNc/k4NvBW7/3ISOVUk8/6CkuW6ZQHUeMnfziWV7faw+DiMvYmwFUJ4mhY77Je5+gid0Ae5JyNxznBW2uzpXvLcTBsYz8iSZL6Jw5FciPIgkGDN5U5wMkusS6Ok2W/idIgmwlmxf3ACNaf7e0QpypwYwxZw=,iv:mkIQ2rvTpQXRuRarlcl/aIKDY3JmJKVsr1oS4+3vmnk=,tag:of2CSCqZAJaaZ5DvC6+Amg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.2 version: 3.9.2

63
machines/weilite/services/caddy.nix Normal file
View file

@ -0,0 +1,63 @@
{ config, pkgs, ... }:
{
sops = {
secrets = {
"caddy/cf_dns_token" = {
owner = "caddy";
mode = "400";
};
"caddy/dnspod_dns_token" = {
owner = "caddy";
mode = "400";
};
};
templates."caddy.env".content = ''
CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"}
'';
};
services.caddy =
let
acmeCF = "tls {
dns cloudflare {env.CF_API_TOKEN}
}";
acmeDnspod = "tls {
dns dnspod {env.DNSPOD_API_TOKEN}
}";
in
{
enable = true;
package = pkgs.caddy.withPlugins {
plugins = [
"github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
"github.com/caddy-dns/dnspod@v0.0.4"
];
hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM=";
};
virtualHosts."derper00.namely.icu:8443".extraConfig = ''
${acmeDnspod}
reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
'';
# API Token must be added in systemd environment file
virtualHosts."immich.xinyang.life:8000".extraConfig = ''
${acmeDnspod}
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
virtualHosts."immich.xiny.li:8443".extraConfig = ''
${acmeCF}
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
};
networking.firewall.allowedTCPPorts = [
8000
8443
];
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.templates."caddy.env".path;
};
};
}

1
machines/weilite/services/default.nix
View file

@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./caddy.nix
./ocis.nix ./ocis.nix
./restic.nix ./restic.nix
./media-download.nix ./media-download.nix

3
machines/weilite/services/restic.nix
View file

@ -42,6 +42,9 @@ in
networking.firewall.allowedTCPPorts = [ 8443 ]; networking.firewall.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = '' services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
tls {
dns dnspod {env.DNSPOD_API_TOKEN}
}
reverse_proxy ${config.services.restic.server.listenAddress} reverse_proxy ${config.services.restic.server.listenAddress}
''; '';
} }