Server update

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-04-02 11:12:09 +02:00 · 2026-01-06 17:24:21 +01:00
parent bfb7c2f4e0
commit fd644671af
18 changed files with 163 additions and 205 deletions
--- a/server-modules/adguardhome.nix
+++ b/server-modules/adguardhome.nix
@@ -1,20 +1,10 @@
 # Adguard is a network-wide ad blocker
 # When installed, open localhost:3000 to setup
-{config, ...}: let
-  domain = "adguard.hadi.diy";
-in {
-  services = {
-    adguardhome = {
-      enable = true;
-      port = 3000;
-    };
-
-    nginx.virtualHosts."${domain}" = {
-      useACMEHost = "hadi.diy";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.port}";
-      };
-    };
+{config, ...}: {
+  services.adguardhome = {
+    enable = true;
+    port = 3000;
  };
+
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."adguard.hadi.diy" = "http://localhost:${toString config.services.adguardhome.port}";
 }
--- a/server-modules/arr.nix
+++ b/server-modules/arr.nix
@@ -2,12 +2,6 @@
 # See https://github.com/rasmus-kirk/nixarr
 # Setup guide: https://nixarr.com/wiki/setup/
 {config, ...}: let
-  domain = "hadi.diy";
-  mkVirtualHost = port: {
-    useACMEHost = domain;
-    forceSSL = true;
-    locations."/" = {proxyPass = "http://127.0.0.1:${toString port}";};
-  };
  username = config.var.username;
 in {
  # Add my secrets
@@ -43,7 +37,11 @@ in {
    readarr.enable = true;
    transmission = {
      enable = true;
-      extraSettings = {trash-original-torrent-files = true;};
+      extraSettings = {
+        trash-original-torrent-files = true;
+        rpc-whitelist-enabled = false;
+        rpc-host-whitelist-enabled = false;
+      };
      vpn.enable = true;
    };
    recyclarr = {
@@ -52,14 +50,14 @@ in {
    };
  };

-  services.nginx.virtualHosts = {
-    "media.${domain}" = mkVirtualHost 8096;
-    "demandemedia.${domain}" = mkVirtualHost 5055;
-    "bazarr.${domain}" = mkVirtualHost 6767;
-    "prowlarr.${domain}" = mkVirtualHost 9696;
-    "radarr.${domain}" = mkVirtualHost 7878;
-    "sonarr.${domain}" = mkVirtualHost 8989;
-    "transmission.${domain}" = mkVirtualHost 9091;
-    "readarr.${domain}" = mkVirtualHost 8787;
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress = {
+    "media.hadi.diy" = "http://localhost:8096";
+    "demandemedia.hadi.diy" = "http://localhost:5055";
+    "bazarr.hadi.diy" = "http://localhost:6767";
+    "prowlarr.hadi.diy" = "http://localhost:9696";
+    "radarr.hadi.diy" = "http://localhost:7878";
+    "sonarr.hadi.diy" = "http://localhost:8989";
+    "transmission.hadi.diy" = "http://localhost:9091";
+    "readarr.hadi.diy" = "http://localhost:8787";
  };
 }
--- a/server-modules/bitwarden.nix
+++ b/server-modules/bitwarden.nix
@@ -1,27 +0,0 @@
-# Bitwarden (or vaultwarden) is a self-hosted password manager.
-{config, ...}: let
-  domain = "vault.hadi.diy";
-in {
-  services = {
-    vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = "https://" + domain;
-        SIGNUPS_ALLOWED = true;
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = 8222;
-        ROCKET_LOG = "critical";
-      };
-    };
-
-    nginx.virtualHosts."${domain}" = {
-      useACMEHost = "hadi.diy";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${
-          toString config.services.vaultwarden.config.ROCKET_PORT
-        }";
-      };
-    };
-  };
-}
--- a/server-modules/cloudflared.nix
+++ b/server-modules/cloudflared.nix
@@ -3,24 +3,17 @@
  pkgs,
  ...
 }: {
-  sops.secrets = {
-    cloudflared-token = {
-      mode = "0400";
-    };
-  };
+  sops.secrets.cloudflared-token.mode = "0400";

+  # To setup cloudflared, run
+  # cloudflared tunnel login
+  # cloudflared tunnel create JackTunnel
+  # This will create a credentials file & give you the tunnel ID to use below.
  services.cloudflared = {
    enable = true;
-    tunnels = {
-      "f7c8f777-a36c-4b9a-b6e3-6a112bd43e73" = {
-        credentialsFile = config.sops.secrets."cloudflared-token".path;
-        default = "http_status:404";
-        ingress = {
-          "media.hadi.diy" = "http://localhost:443";
-          "demandemedia.hadi.diy" = "http://localhost:443";
-          "ssh.hadi.diy" = "ssh://localhost:22";
-        };
-      };
+    tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73" = {
+      credentialsFile = config.sops.secrets."cloudflared-token".path;
+      default = "http_status:404";
    };
  };

--- a/server-modules/cyberchef.nix
+++ b/server-modules/cyberchef.nix
@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+  services = {
+    nginx.virtualHosts."cyberchef.local" = {
+      root = "${pkgs.cyberchef}/share/cyberchef";
+      listen = [
+        {
+          addr = "127.0.0.1";
+          port = 8754;
+        }
+      ];
+    };
+    cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."cyberchef.hadi.diy" = "http://localhost:8754";
+  };
+}
--- a/server-modules/eleakxir.nix
+++ b/server-modules/eleakxir.nix
@@ -13,7 +13,7 @@
    user = "eleakxir";
    group = "eleakxir";
    limit = 1000;
-    folders = ["/var/lib/eleakxir/leaks/" "/mnt/data/clean-leak/"];
+    folders = ["/var/lib/eleakxir/leaks/" "/mnt/data/big-leaks/"];
    debug = true;
  };

@@ -21,13 +21,5 @@
    inputs.eleakxir.packages.${pkgs.stdenv.hostPlatform.system}.leak-utils
  ];

-  services.nginx.virtualHosts."eleakxir-back.hadi.diy" = {
-    useACMEHost = "hadi.diy";
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${
-        toString config.services.eleakxir.port
-      }";
-    };
-  };
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."eleakxir-back.hadi.diy" = "http://localhost:${toString config.services.eleakxir.port}";
 }
--- a/server-modules/fail2ban.nix
+++ b/server-modules/fail2ban.nix
@@ -0,0 +1,13 @@
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+  };
+}
--- a/server-modules/glance.nix
+++ b/server-modules/glance.nix
@@ -33,7 +33,6 @@
  in
    lib.concatMapStringsSep " " roundToString [h s l];
 in {
-  # TODO: Add tailscale custom widget
  services = {
    glance = {
      enable = true;
@@ -318,15 +317,6 @@ in {
        server = {port = 5678;};
      };
    };
-    nginx.virtualHosts."${domain}" = {
-      useACMEHost = "hadi.diy";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${
-          toString config.services.glance.settings.server.port
-        }";
-      };
-    };
  };

  systemd.services.glance = {
@@ -350,4 +340,6 @@ in {
    owner = "glance";
    mode = "0600";
  };
+
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."start.hadi.diy" = "http://localhost:${toString config.services.glance.settings.server.port}";
 }
--- a/server-modules/linkding.nix
+++ b/server-modules/linkding.nix
@@ -0,0 +1,23 @@
+{...}: let
+  port = 9090;
+in {
+  virtualisation.oci-containers.containers.linkding = {
+    autoStart = true;
+    image = "sissbruecker/linkding@sha256:6d4fcc50bee8ee054ad2dfebbc41217f325398b907aff7ec011996c6a5ec17c9";
+    volumes = ["/var/lib/linkding/data:/etc/linkding/data"];
+    ports = ["${builtins.toString port}:${builtins.toString port}"];
+  };
+
+  # Ensure our mount point exists
+  systemd.tmpfiles.settings."10-linkding" = {
+    "/var/lib/linkding/data" = {
+      d = {
+        mode = "0755";
+        user = "root";
+        group = "root";
+      };
+    };
+  };
+
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."linkding.hadi.diy" = "http://localhost:${toString port}";
+}
--- a/server-modules/mazanoke.nix
+++ b/server-modules/mazanoke.nix
@@ -0,0 +1,35 @@
+{pkgs, ...}: let
+  version = "1.1.5"; # Ajuste la version si nécessaire
+  mazanoke-pkg = pkgs.stdenv.mkDerivation {
+    inherit version;
+    pname = "mazanoke";
+    src = pkgs.fetchFromGitHub {
+      owner = "civilblur";
+      repo = "mazanoke";
+      rev = "v${version}";
+      hash = "sha256-B/AF4diMNxN94BzpZP/C+K8kNj9q+4SDKWa/qd4LrVU=";
+    };
+
+    # On utilise installPhase pour copier les fichiers vers $out
+    installPhase = ''
+      mkdir -p $out/share/mazanoke
+      cp -r ./index.html ./favicon.ico ./manifest.json ./service-worker.js ./assets $out/share/mazanoke/
+    '';
+  };
+in {
+  services = {
+    nginx.virtualHosts."mazanoke.local" = {
+      root = "${mazanoke-pkg}/share/mazanoke";
+      locations."/" = {
+        index = "index.html";
+      };
+      listen = [
+        {
+          addr = "127.0.0.1";
+          port = 8755;
+        }
+      ];
+    };
+    cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."mazanoke.hadi.diy" = "http://localhost:8755";
+  };
+}
--- a/server-modules/mealie.nix
+++ b/server-modules/mealie.nix
@@ -1,19 +1,9 @@
 # Mealie is a recipe management and meal planning application.
-{config, ...}: let
-  domain = "mealie.hadi.diy";
-in {
-  services = {
-    mealie = {
-      enable = true;
-      port = 8092;
-    };
-
-    nginx.virtualHosts."${domain}" = {
-      useACMEHost = "hadi.diy";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.mealie.port}";
-      };
-    };
+{config, ...}: {
+  services.mealie = {
+    enable = true;
+    port = 8092;
  };
+
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."mealie.hadi.diy" = "http://localhost:${toString config.services.mealie.port}";
 }
--- a/server-modules/nginx.nix
+++ b/server-modules/nginx.nix
@@ -1,45 +1,5 @@
-# Nginx is a web server that can also be used as a reverse proxy, load balancer, and HTTP cache.
-{config, ...}: let
-  domain = "hadi.diy";
-in {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = config.var.git.email;
-    certs."${domain}" = {
-      domain = "${domain}";
-      extraDomainNames = ["*.${domain}"];
-      group = "nginx";
-      dnsProvider = "cloudflare";
-      dnsPropagationCheck = true;
-      credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
-    };
-  };
-
-  # Return 444 for all requests not matching a used subdomain.
+{
  services.nginx = {
    enable = true;
-    virtualHosts = {
-      "default" = {
-        default = true;
-        locations."/" = {return = 444;};
-      };
-      "*.${domain}" = {
-        useACMEHost = domain;
-        forceSSL = true;
-        locations."/" = {return = 444;};
-      };
-      "aaaaaa.${domain}" = {
-        useACMEHost = domain;
-        forceSSL = true;
-        locations."/" = {return = 444;};
-      };
-    };
  };
-
-  networking.firewall = {
-    allowedTCPPorts = [80 443];
-    allowedUDPPorts = [80 443];
-  };
-
-  sops.secrets.cloudflare-dns-token = {path = "/etc/cloudflare/dnskey.txt";};
 }
--- a/server-modules/ssh.nix
+++ b/server-modules/ssh.nix
@@ -14,9 +14,9 @@ in {
  };

  # Add my public SSH key to my user
-  users.users."${username}" = {
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPG9SE80ZyBcXZK/f5ypSKudaM5Jo3XtQikCnGo0jI5E hadi@nixy"
-    ];
-  };
+  users.users."${username}".openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPG9SE80ZyBcXZK/f5ypSKudaM5Jo3XtQikCnGo0jI5E hadi@nixy"
+  ];
+
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."ssh.hadi.diy" = "ssh://localhost:22";
 }
--- a/server-modules/stirling-pdf.nix
+++ b/server-modules/stirling-pdf.nix
@@ -0,0 +1,8 @@
+{config, ...}: {
+  services.stirling-pdf = {
+    enable = true;
+    environment."SERVER_PORT" = "8083";
+  };
+
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."pdf.hadi.diy" = "http://localhost:${toString config.services.stirling-pdf.environment.SERVER_PORT}";
+}