Adjust wireguard-based proxy structure

This commit is contained in:
Yan Lin 2025-09-11 18:00:58 +02:00
parent b3dfe87e32
commit 256e7173fc
2 changed files with 270 additions and 101 deletions


@ -33,13 +33,13 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.homeassistant.rule" = "Host(`home.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.homeassistant.rule" = "Host(`home.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.homeassistant.entrypoints" = "websecure"; # "traefik.http.routers.homeassistant.entrypoints" = "websecure";
"traefik.http.routers.homeassistant.tls" = "true"; # "traefik.http.routers.homeassistant.tls" = "true";
"traefik.http.routers.homeassistant.tls.certresolver" = "cloudflare"; # "traefik.http.routers.homeassistant.tls.certresolver" = "cloudflare";
"traefik.http.routers.homeassistant.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.homeassistant.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.homeassistant.loadbalancer.server.port" = "8123"; # "traefik.http.services.homeassistant.loadbalancer.server.port" = "8123";
}; };
environment = { environment = {
@ -47,12 +47,13 @@ in
# Configure Home Assistant to trust reverse proxy # Configure Home Assistant to trust reverse proxy
HASS_HTTP_TRUSTED_PROXY_1 = "127.0.0.1"; HASS_HTTP_TRUSTED_PROXY_1 = "127.0.0.1";
HASS_HTTP_TRUSTED_PROXY_2 = "::1"; HASS_HTTP_TRUSTED_PROXY_2 = "::1";
HASS_HTTP_TRUSTED_PROXY_3 = "10.2.2.1";
HASS_HTTP_USE_X_FORWARDED_FOR = "true"; HASS_HTTP_USE_X_FORWARDED_FOR = "true";
}; };
extraOptions = [ extraOptions = [
"--privileged" # Required for USB device access "--privileged" # Required for USB device access
"--network=host" # Use host networking "--network=host"
"--device=/dev/ttyUSB0:/dev/ttyUSB0" # Sky Connect Zigbee dongle "--device=/dev/ttyUSB0:/dev/ttyUSB0" # Sky Connect Zigbee dongle
"--device=/dev/dri:/dev/dri" # Hardware acceleration "--device=/dev/dri:/dev/dri" # Hardware acceleration
]; ];
@ -73,13 +74,13 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.immich.rule" = "Host(`photo.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.immich.rule" = "Host(`photo.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.immich.entrypoints" = "websecure"; # "traefik.http.routers.immich.entrypoints" = "websecure";
"traefik.http.routers.immich.tls" = "true"; # "traefik.http.routers.immich.tls" = "true";
"traefik.http.routers.immich.tls.certresolver" = "cloudflare"; # "traefik.http.routers.immich.tls.certresolver" = "cloudflare";
"traefik.http.routers.immich.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.immich.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.immich.loadbalancer.server.port" = "8080"; # "traefik.http.services.immich.loadbalancer.server.port" = "8080";
}; };
environment = { environment = {
@ -176,6 +177,10 @@ in
VERSION = "docker"; VERSION = "docker";
}; };
ports = [
"5008:32400"
];
extraOptions = [ extraOptions = [
"--network=podman" "--network=podman"
"--device=/dev/dri:/dev/dri" # Hardware acceleration "--device=/dev/dri:/dev/dri" # Hardware acceleration
@ -194,13 +199,13 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.sonarr.rule" = "Host(`sonarr.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.sonarr.rule" = "Host(`sonarr.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.sonarr.entrypoints" = "websecure"; # "traefik.http.routers.sonarr.entrypoints" = "websecure";
"traefik.http.routers.sonarr.tls" = "true"; # "traefik.http.routers.sonarr.tls" = "true";
"traefik.http.routers.sonarr.tls.certresolver" = "cloudflare"; # "traefik.http.routers.sonarr.tls.certresolver" = "cloudflare";
"traefik.http.routers.sonarr.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.sonarr.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.sonarr.loadbalancer.server.port" = "8989"; # "traefik.http.services.sonarr.loadbalancer.server.port" = "8989";
}; };
environment = { environment = {
@ -209,6 +214,10 @@ in
TZ = systemTZ; TZ = systemTZ;
}; };
ports = [
"5003:8989"
];
extraOptions = [ extraOptions = [
"--network=podman" "--network=podman"
]; ];
@ -226,13 +235,13 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.radarr.rule" = "Host(`radarr.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.radarr.rule" = "Host(`radarr.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.radarr.entrypoints" = "websecure"; # "traefik.http.routers.radarr.entrypoints" = "websecure";
"traefik.http.routers.radarr.tls" = "true"; # "traefik.http.routers.radarr.tls" = "true";
"traefik.http.routers.radarr.tls.certresolver" = "cloudflare"; # "traefik.http.routers.radarr.tls.certresolver" = "cloudflare";
"traefik.http.routers.radarr.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.radarr.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.radarr.loadbalancer.server.port" = "7878"; # "traefik.http.services.radarr.loadbalancer.server.port" = "7878";
}; };
environment = { environment = {
@ -241,38 +250,10 @@ in
TZ = systemTZ; TZ = systemTZ;
}; };
extraOptions = [ ports = [
"--network=podman" "5004:7878"
]; ];
autoStart = true;
};
# Bazarr subtitle management
bazarr = {
image = "docker.io/linuxserver/bazarr:latest";
volumes = [
"/var/lib/containers/bazarr/config:/config"
"/mnt/storage/Media:/data"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.bazarr.rule" = "Host(`bazarr.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.bazarr.entrypoints" = "websecure";
"traefik.http.routers.bazarr.tls" = "true";
"traefik.http.routers.bazarr.tls.certresolver" = "cloudflare";
"traefik.http.routers.bazarr.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.bazarr.loadbalancer.server.port" = "6767";
};
environment = {
PUID = commonUID;
PGID = commonGID;
TZ = systemTZ;
};
extraOptions = [ extraOptions = [
"--network=podman" "--network=podman"
]; ];
@ -290,13 +271,13 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.qbittorrent.rule" = "Host(`qbit.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.qbittorrent.rule" = "Host(`qbit.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.qbittorrent.entrypoints" = "websecure"; # "traefik.http.routers.qbittorrent.entrypoints" = "websecure";
"traefik.http.routers.qbittorrent.tls" = "true"; # "traefik.http.routers.qbittorrent.tls" = "true";
"traefik.http.routers.qbittorrent.tls.certresolver" = "cloudflare"; # "traefik.http.routers.qbittorrent.tls.certresolver" = "cloudflare";
"traefik.http.routers.qbittorrent.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.qbittorrent.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.qbittorrent.loadbalancer.server.port" = "8080"; # "traefik.http.services.qbittorrent.loadbalancer.server.port" = "8080";
}; };
environment = { environment = {
@ -308,7 +289,7 @@ in
}; };
extraOptions = [ extraOptions = [
"--network=host" # Use host networking as requested "--network=host"
]; ];
autoStart = true; autoStart = true;
@ -326,13 +307,13 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.paperless.rule" = "Host(`paperless.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.paperless.rule" = "Host(`paperless.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.paperless.entrypoints" = "websecure"; # "traefik.http.routers.paperless.entrypoints" = "websecure";
"traefik.http.routers.paperless.tls" = "true"; # "traefik.http.routers.paperless.tls" = "true";
"traefik.http.routers.paperless.tls.certresolver" = "cloudflare"; # "traefik.http.routers.paperless.tls.certresolver" = "cloudflare";
"traefik.http.routers.paperless.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.paperless.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.paperless.loadbalancer.server.port" = "8000"; # "traefik.http.services.paperless.loadbalancer.server.port" = "8000";
}; };
environment = { environment = {
@ -341,16 +322,20 @@ in
PAPERLESS_OCR_LANGUAGES = "chi-sim"; PAPERLESS_OCR_LANGUAGES = "chi-sim";
PAPERLESS_FILENAME_FORMAT = "{{ created }}-{{ correspondent }}-{{ title }}"; PAPERLESS_FILENAME_FORMAT = "{{ created }}-{{ correspondent }}-{{ title }}";
PAPERLESS_TIME_ZONE = "Europe/Copenhagen"; PAPERLESS_TIME_ZONE = "Europe/Copenhagen";
PAPERLESS_URL = "https://paperless.${config.networking.hostName}.yanlincs.com"; PAPERLESS_URL = "https://paperless.yanlincs.com";
PAPERLESS_CSRF_TRUSTED_ORIGINS = "https://paperless.${config.networking.hostName}.yanlincs.com"; PAPERLESS_CSRF_TRUSTED_ORIGINS = "https://paperless.yanlincs.com";
PAPERLESS_ALLOWED_HOSTS = "paperless.${config.networking.hostName}.yanlincs.com"; PAPERLESS_ALLOWED_HOSTS = "paperless.yanlincs.com";
PAPERLESS_CORS_ALLOWED_HOSTS = "https://paperless.${config.networking.hostName}.yanlincs.com"; PAPERLESS_CORS_ALLOWED_HOSTS = "https://paperless.yanlincs.com";
PAPERLESS_SECRET_KEY = "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee"; PAPERLESS_SECRET_KEY = "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee";
USERMAP_UID = commonUID; USERMAP_UID = commonUID;
USERMAP_GID = commonGID; USERMAP_GID = commonGID;
CA_TS_FALLBACK_DIR = "/usr/src/paperless/data"; CA_TS_FALLBACK_DIR = "/usr/src/paperless/data";
}; };
ports = [
"5005:8000"
];
extraOptions = [ extraOptions = [
"--network=podman" "--network=podman"
]; ];
@ -375,20 +360,20 @@ in
image = "docker.io/miniflux/miniflux:latest"; image = "docker.io/miniflux/miniflux:latest";
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.rss.rule" = "Host(`rss.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.rss.rule" = "Host(`rss.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.rss.entrypoints" = "websecure"; # "traefik.http.routers.rss.entrypoints" = "websecure";
"traefik.http.routers.rss.tls" = "true"; # "traefik.http.routers.rss.tls" = "true";
"traefik.http.routers.rss.tls.certresolver" = "cloudflare"; # "traefik.http.routers.rss.tls.certresolver" = "cloudflare";
"traefik.http.routers.rss.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.rss.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.rss.loadbalancer.server.port" = "8080"; # "traefik.http.services.rss.loadbalancer.server.port" = "8080";
}; };
environment = { environment = {
DATABASE_URL = "postgres://miniflux:miniflux@rss-db/miniflux?sslmode=disable"; DATABASE_URL = "postgres://miniflux:miniflux@rss-db/miniflux?sslmode=disable";
ADMIN_USERNAME = "yanlin"; ADMIN_USERNAME = "yanlin";
ADMIN_PASSWORD = "1Hayashi-2Hiko"; ADMIN_PASSWORD = "1Hayashi-2Hiko";
BASE_URL = "https://rss.${config.networking.hostName}.yanlincs.com"; BASE_URL = "https://rss.yanlincs.com";
CREATE_ADMIN = "1"; CREATE_ADMIN = "1";
RUN_MIGRATIONS = "1"; RUN_MIGRATIONS = "1";
HTTP_CLIENT_TIMEOUT = "50000"; HTTP_CLIENT_TIMEOUT = "50000";
@ -398,6 +383,10 @@ in
CLEANUP_REMOVE_SESSIONS_DAYS = "30"; CLEANUP_REMOVE_SESSIONS_DAYS = "30";
}; };
ports = [
"5006:8080"
];
extraOptions = [ extraOptions = [
"--network=podman" "--network=podman"
]; ];
@ -436,15 +425,19 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.linkding.rule" = "Host(`link.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.linkding.rule" = "Host(`link.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.linkding.entrypoints" = "websecure"; # "traefik.http.routers.linkding.entrypoints" = "websecure";
"traefik.http.routers.linkding.tls" = "true"; # "traefik.http.routers.linkding.tls" = "true";
"traefik.http.routers.linkding.tls.certresolver" = "cloudflare"; # "traefik.http.routers.linkding.tls.certresolver" = "cloudflare";
"traefik.http.routers.linkding.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.linkding.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.linkding.loadbalancer.server.port" = "9090"; # "traefik.http.services.linkding.loadbalancer.server.port" = "9090";
}; };
ports = [
"5007:9090"
];
extraOptions = [ extraOptions = [
"--network=podman" "--network=podman"
]; ];
@ -462,13 +455,13 @@ in
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "false";
"traefik.http.routers.cloud.rule" = "Host(`cloud.${config.networking.hostName}.yanlincs.com`)"; # "traefik.http.routers.cloud.rule" = "Host(`cloud.${config.networking.hostName}.yanlincs.com`)";
"traefik.http.routers.cloud.entrypoints" = "websecure"; # "traefik.http.routers.cloud.entrypoints" = "websecure";
"traefik.http.routers.cloud.tls" = "true"; # "traefik.http.routers.cloud.tls" = "true";
"traefik.http.routers.cloud.tls.certresolver" = "cloudflare"; # "traefik.http.routers.cloud.tls.certresolver" = "cloudflare";
"traefik.http.routers.cloud.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com"; # "traefik.http.routers.cloud.tls.domains[0].main" = "*.${config.networking.hostName}.yanlincs.com";
"traefik.http.services.cloud.loadbalancer.server.port" = "80"; # "traefik.http.services.cloud.loadbalancer.server.port" = "80";
}; };
environment = { environment = {
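Review bot: The new `ports` entries (`"5008:32400"` in the Plex hunk, then `"5003:8989"`, `"5004:7878"`, `"5005:8000"`, `"5006:8080"`, `"5007:9090"`) publish host ports without a bind address, so Podman listens on every host interface and web UIs that were previously reachable only through Traefik over TLS become reachable in plaintext from any network the host sits on, not just from the WireGuard peer. If 10.2.2.20 in the Traefik backend config is this host's WireGuard address, pinning each mapping to it, e.g. `"10.2.2.20:5003:8989"`, limits exposure to the tunnel; otherwise a firewall rule restricting these ports to the WireGuard interface is needed. Home Assistant and qBittorrent keep `--network=host`, so their listeners (8123, 8080) cannot be pinned this way and need that firewall rule regardless; `HASS_HTTP_TRUSTED_PROXY_3 = "10.2.2.1"` only decides whose forwarded headers are honoured, not who may connect. Each container's attribute set starts outside its hunk.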


@ -45,6 +45,110 @@
}]; }];
}; };
}; };
# Home Assistant
home = {
rule = "Host(`home.yanlincs.com`)";
entrypoints = "websecure";
service = "home";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
# Sonarr TV show management
sonarr = {
rule = "Host(`sonarr.yanlincs.com`)";
entrypoints = "websecure";
service = "sonarr";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
# Radarr movie management
radarr = {
rule = "Host(`radarr.yanlincs.com`)";
entrypoints = "websecure";
service = "radarr";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
# Paperless document management
paperless = {
rule = "Host(`paperless.yanlincs.com`)";
entrypoints = "websecure";
service = "paperless";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
# RSS reader (Miniflux)
rss = {
rule = "Host(`rss.yanlincs.com`)";
entrypoints = "websecure";
service = "rss";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
# Linkding bookmark manager
link = {
rule = "Host(`link.yanlincs.com`)";
entrypoints = "websecure";
service = "link";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
# Plex Media Server
plex = {
rule = "Host(`plex.yanlincs.com`)";
entrypoints = "websecure";
service = "plex";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
# qBittorrent torrent client
qbit = {
rule = "Host(`qbit.yanlincs.com`)";
entrypoints = "websecure";
service = "qbit";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
}; };
services = { services = {
# Redirect service # Redirect service
@ -73,6 +177,78 @@
}]; }];
}; };
}; };
# Home Assistant backend (via WireGuard)
home = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:8123";
}];
};
};
# Sonarr backend (via WireGuard)
sonarr = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:5003";
}];
};
};
# Radarr backend (via WireGuard)
radarr = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:5004";
}];
};
};
# Paperless backend (via WireGuard)
paperless = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:5005";
}];
};
};
# RSS reader backend (via WireGuard)
rss = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:5006";
}];
};
};
# Linkding backend (via WireGuard)
link = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:5007";
}];
};
};
# Plex backend (via WireGuard)
plex = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:5008";
}];
};
};
# qBittorrent backend (via WireGuard)
qbit = {
loadBalancer = {
servers = [{
url = "http://10.2.2.20:8080";
}];
};
};
}; };
middlewares = { middlewares = {
# Redirect middleware # Redirect middleware
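Review bot: The `immich` (`photo.…`) and `cloud` routers that the first file disables via `"traefik.enable" = "false"` have no counterpart among the routers and services added here, so those two hosts appear to stop being routed after this commit; if that is intended, a comment next to the new routers saying so would save the next reader a search, otherwise they need router/service pairs like the others. The eight new routers differ only in name and host, and the eight services only in port, so a small helper would remove the duplication and make a per-router drift (a missing `certResolver`, a typo in the wildcard) impossible. The enclosing `routers` and `services` sets both start outside their hunks.
```nix
# helper defined above the routers set (outside this hunk)
mkRouter = name: {
  rule = "Host(`${name}.yanlincs.com`)";
  entrypoints = "websecure";
  service = name;
  tls = {
    certResolver = "cloudflare";
    domains = [{ main = "*.yanlincs.com"; }];
  };
};
# … unchanged: existing routers …
home = mkRouter "home";
sonarr = mkRouter "sonarr";
# … radarr, paperless, rss, link, plex, qbit likewise …
```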