0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

deploy stream (navidrome) microvm

Browse source
This commit is contained in:
Grisha Shipunov 2025-06-11 22:53:22 +02:00
parent 3e6faa5d09
commit 2a44e5c81e
7 changed files with 178 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -11,6 +11,7 @@ keys:
- &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
- &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
- &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
- &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
creation_rules:
- path_regex: hosts/toaster/[^/]+\.yaml$
key_groups:
@ -66,3 +67,9 @@ creation_rules:
- *admin_oxa
age:
- *conduwuit
- path_regex: hosts/stream/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
age:
- *stream

1
flake.nix
View file

@ -71,6 +71,7 @@
"forgejo"
"miniflux"
"radicale"
"stream"
];
microvm-unstable-list = [
"auth"

32
hosts/cloud/proxy/default.nix
View file

@ -60,5 +60,37 @@ in
'';
virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
virtualHosts."music.oxapentane.com".extraConfig = ''
route {
reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
@protected not path /share/* /rest/*
forward_auth @protected 10.89.88.11:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username>Remote-User
trusted_proxies 10.89.88.11 fd31:185d:722f::11
}
@subsonic path /rest/*
forward_auth @subsonic 10.89.88.11:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username>Remote-User
@error status 1xx 3xx 4xx 5xx
handle_response @error {
respond <<SUBSONICERR
<subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
<error code="40" message="Invalid credentials or unsupported client"></error>
</subsonic-response>
SUBSONICERR 200
}
trusted_proxies 10.89.88.11 fd31:185d:722f::11
}
}
reverse_proxy 10.89.88.17:4533
'';
};
}

76
hosts/stream/default.nix Normal file
View file

@ -0,0 +1,76 @@
{ config, lib, ... }:
let
mac = "02:00:00:00:00:07";
in
{
imports = [
./navidrome.nix
];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-proxy" = {
owner = config.users.users.systemd-network.name;
};
};
microvm = {
hypervisor = "qemu";
mem = 4 * 1024;
vcpu = 3;
interfaces = [
{
type = "tap";
id = "uvm-stream";
mac = mac;
}
];
shares =
[
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
}
]
++ map
(dir: {
source = dir;
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
})
[
"etc"
"var"
"home"
];
};
networking.useNetworkd = true;
networking.firewall.enable = lib.mkForce false; # firewalling done by the host
systemd.network = {
enable = true;
networks."11-host" = {
matchConfig.MACAddress = mac;
networkConfig = {
Address = "10.99.99.17/24";
DHCP = "no";
};
routes = [
{
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
}
];
};
};
networking.hostName = "stream";
system.stateVersion = "25.05";
}

16
hosts/stream/navidrome.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }:
{
services.navidrome = {
enable = true;
settings = {
Address = "10.89.88.17";
BaseUrl = "/";
EnableExternalServices = false;
MusicFolder = "/var/lib/navidrome/music";
Port = 4533;
ScanSchedule = "@every 11m";
TranscodingCacheSize = "11GiB";
ReverseProxyWhitelist = "10.89.88.1/24";
};
};
}

38
hosts/stream/secrets.yaml Normal file
View file

@ -0,0 +1,38 @@
wg:
0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
sops:
age:
- recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-12T22:54:11Z"
mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
pgp:
- created_at: "2025-06-12T22:51:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
=fEVm
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.10.2

8
modules/wg/proxy.nix
View file

@ -71,6 +71,14 @@
publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
};
"stream" = {
address = [
"10.89.88.17/24"
"fd31:185d:722f::17/48"
];
publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
};
};
}
];