agenix: modify Caddyfile

Signed-off-by: Myned <dev@bjork.tech>
caddy: add disabled plugins
2025-02-06 20:44:05 -06:00 · 2025-02-06 20:43:53 -06:00 · 2025-02-06 20:43:28 -06:00 · 2025-02-06 20:43:03 -06:00 · 2025-02-06 20:42:44 -06:00 · 2025-02-06 20:42:34 -06:00
21 changed files with 55 additions and 28 deletions
--- a/options/custom/containers/actualbudget.nix
+++ b/options/custom/containers/actualbudget.nix
@ -15,8 +15,8 @@ in {
    virtualisation.arion.projects.actualbudget.settings.services = {
      actualbudget.service = {
        container_name = "actualbudget";
-        image = "actualbudget/actual-server:25.2.0";
-        ports = ["127.0.0.1:5006:5006"];
+        image = "actualbudget/actual-server:25.2.1";
+        ports = ["127.0.0.1:5006:5006/tcp"];
        restart = "unless-stopped";
        volumes = ["${config.custom.containers.directory}/actualbudget/data:/data"];
      };
--- a/options/custom/containers/adguardhome.nix
+++ b/options/custom/containers/adguardhome.nix
@ -17,15 +17,18 @@ in {
    virtualisation.arion.projects.adguardhome.settings.services = {
      # https://github.com/AdguardTeam/AdGuardHome
      # https://adguard-dns.io/kb/adguard-home/overview/
+      #?? ls /var/lib/caddy/.local/share/caddy/certificates/*
      adguardhome.service = {
        container_name = "adguardhome";
        image = "adguard/adguardhome:v0.107.56";

        ports = [
-          "53:53" # DNS
-          "853:853" # DNS-over-TLS
-          "3003:80" # Admin panel
-          "8443:443" # DNS-over-HTTPS
+          "53:53/tcp" # DNS
+          "53:53/udp" # DNS
+          "853:853/tcp" # DNS-over-TLS
+          "853:853/udp" # DNS-over-QUIC
+          "3003:80/tcp" # Admin panel
+          "8443:443/tcp" # DNS-over-HTTPS
        ];

        restart = "unless-stopped";
@ -40,11 +43,13 @@ in {
    # https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
    networking.firewall = {
      allowedTCPPorts = [
+        53 # DNS
        853 # DNS-over-TLS
      ];

      allowedUDPPorts = [
        53 # DNS
+        853 # DNS-over-QUIC
      ];
    };

--- a/options/custom/containers/conduwuit.nix
+++ b/options/custom/containers/conduwuit.nix
@ -25,7 +25,7 @@ in {
      conduwuit.service = {
        container_name = "conduwuit";
        image = "girlbossceo/conduwuit:main";
-        ports = ["127.0.0.1:6167:6167"];
+        ports = ["127.0.0.1:6167:6167/tcp"];
        restart = "unless-stopped";

        environment = {
--- a/options/custom/containers/forgejo.nix
+++ b/options/custom/containers/forgejo.nix
@ -38,8 +38,8 @@ in {
        volumes = ["${config.custom.containers.directory}/forgejo/data:/data"];

        ports = [
-          "127.0.0.1:3333:3000"
-          "22:2222"
+          "127.0.0.1:3333:3000/tcp"
+          "22:2222/tcp"
        ];
      };

--- a/options/custom/containers/foundryvtt.nix
+++ b/options/custom/containers/foundryvtt.nix
@ -26,7 +26,7 @@ in {
        container_name = "foundryvtt";
        env_file = [config.age.secrets."${config.custom.profile}/foundryvtt/.env".path];
        image = "felddy/foundryvtt:12";
-        ports = ["127.0.0.1:30000:30000"];
+        ports = ["127.0.0.1:30000:30000/tcp"];
        restart = "unless-stopped";
        volumes = ["${config.custom.containers.directory}/foundryvtt/data:/data"];
      };
--- a/options/custom/containers/headscale.nix
+++ b/options/custom/containers/headscale.nix
@ -35,8 +35,8 @@ in {
        restart = "unless-stopped";

        ports = [
-          "9999:9999"
-          "9090:9090"
+          "9999:9999/tcp"
+          "9090:9090/tcp"
        ];

        volumes = [
--- a/options/custom/containers/homeassistant.nix
+++ b/options/custom/containers/homeassistant.nix
@ -16,7 +16,7 @@ in {
      homeassistant.service = {
        container_name = "homeassistant";
        image = "homeassistant/home-assistant:2025.1";
-        ports = ["8123:8123"];
+        ports = ["8123:8123/tcp"];
        restart = "unless-stopped";
        volumes = ["${config.custom.containers.directory}/homeassistant/config:/config"];
      };
--- a/options/custom/containers/mastodon.nix
+++ b/options/custom/containers/mastodon.nix
@ -29,7 +29,7 @@ in {
        container_name = "mastodon";
        env_file = [config.age.secrets."${config.custom.profile}/mastodon/.env".path];
        image = "lscr.io/linuxserver/mastodon:4.3.3";
-        ports = ["3000:443"];
+        ports = ["3000:443/tcp"];
        restart = "unless-stopped";
        volumes = ["${config.custom.containers.directory}/mastodon/config:/config"];

--- a/options/custom/containers/netbox/default.nix
+++ b/options/custom/containers/netbox/default.nix
@ -39,7 +39,7 @@ in {
      netbox.service =
        netbox
        // {
-          ports = ["8585:8080"];
+          ports = ["8585:8080/tcp"];

          # https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins
          #!! Context modifications require a rebuild
--- a/options/custom/containers/nextcloud.nix
+++ b/options/custom/containers/nextcloud.nix
@ -28,7 +28,7 @@ in {
        container_name = "nextcloud";
        env_file = [config.age.secrets."${config.custom.profile}/nextcloud/.env".path];
        image = "nextcloud:29-apache";
-        ports = ["127.0.0.1:8181:80"];
+        ports = ["127.0.0.1:8181:80/tcp"];
        restart = "unless-stopped";

        volumes = [
--- a/options/custom/containers/oryx.nix
+++ b/options/custom/containers/oryx.nix
@ -28,8 +28,8 @@ in {
        image = "ossrs/oryx:5";

        ports = [
-          "127.0.0.1:2022:2022" # HTTP
-          "1935:1935" # RTMP
+          "127.0.0.1:2022:2022/tcp" # HTTP
+          "1935:1935/tcp" # RTMP
          "8000:8000/udp" # WebRTC
          "10080:10080/udp" # SRT
        ];
--- a/options/custom/containers/owncast.nix
+++ b/options/custom/containers/owncast.nix
@ -20,8 +20,8 @@ in {
        volumes = ["${config.custom.containers.directory}/owncast/data:/app/data"];

        ports = [
-          "1935:1935"
-          "127.0.0.1:8800:8080"
+          "1935:1935/tcp"
+          "127.0.0.1:8800:8080/tcp"
        ];
      };
    };
--- a/options/custom/containers/redlib.nix
+++ b/options/custom/containers/redlib.nix
@ -16,7 +16,7 @@ in {
      redlib.service = {
        container_name = "redlib";
        image = "quay.io/redlib/redlib:latest";
-        ports = ["127.0.0.1:8888:8080"];
+        ports = ["127.0.0.1:8888:8080/tcp"];
        restart = "unless-stopped";

        environment = {
--- a/options/custom/containers/searxng/default.nix
+++ b/options/custom/containers/searxng/default.nix
@ -29,7 +29,7 @@ in {
        depends_on = ["cache"];
        env_file = [config.age.secrets."${config.custom.profile}/searxng/.env".path];
        image = "searxng/searxng:latest";
-        ports = ["127.0.0.1:8000:8080"];
+        ports = ["127.0.0.1:8000:8080/tcp"];
        restart = "unless-stopped";

        volumes = [
--- a/options/custom/programs/chromium.nix
+++ b/options/custom/programs/chromium.nix
@ -270,7 +270,7 @@ in {
          {
            name = "Reddit";
            shortcut = "r";
-            url = "https://www.google.com/search?q=site%3Areddit.com+{searchTerms}";
+            url = "https://kagi.com/search?q=site%3Areddit.com+{searchTerms}";
          }

          {
--- a/options/custom/programs/firefox.nix
+++ b/options/custom/programs/firefox.nix
@ -497,7 +497,7 @@ in {
              Name = "Reddit";
              Alias = "r";
              IconURL = "https://www.redditstatic.com/desktop2x/img/favicon/favicon-96x96.png";
-              URLTemplate = "https://www.google.com/search?q=site%3Areddit.com+{searchTerms}";
+              URLTemplate = "https://kagi.com/search?q=site%3Areddit.com+{searchTerms}";
            }

            {
--- a/options/custom/programs/walker/search.sh
+++ b/options/custom/programs/walker/search.sh
@ -209,7 +209,7 @@ case "$1" in
  'r '*)
    label="Reddit"
    icon="reddit"
-    url="https://www.google.com/search?q=site%3Areddit.com+"
+    url="https://kagi.com/search?q=site%3Areddit.com+"
    query="${1:2}"
    ;;
  's '*)
--- a/options/custom/services/caddy.nix
+++ b/options/custom/services/caddy.nix
@ -2,6 +2,7 @@
  config,
  inputs,
  lib,
+  pkgs,
  ...
 }:
 with lib; let
@ -26,6 +27,25 @@ in {
      caddy = {
        enable = true;

+        # BUG: DNS-over-TLS not currently functional, reattempt when fixed or PROXY protocol supported
+        # https://github.com/mholt/caddy-l4/issues/276
+        # https://github.com/AdguardTeam/AdGuardHome/issues/2798
+        # TODO: Use stable package when available with plugins
+        # https://github.com/NixOS/nixpkgs/pull/358586
+        # package = pkgs.unstable.caddy.withPlugins {
+        #   #?? Copy from failed build
+        #   hash = "sha256-rB2exWVfKS82QpAuEM6+PlUNNmd8sqxvqNHRxCVIE/c=";
+
+        #   #?? REPO@TAG
+        #   plugins = [
+        #     # https://github.com/mholt/caddy-l4
+        #     "github.com/mholt/caddy-l4@v0.0.0-20250124234235-87e3e5e2c7f9"
+
+        #     # https://github.com/tailscale/caddy-tailscale
+        #     "github.com/tailscale/caddy-tailscale@v0.0.0-20250207004440-fd3f49d73216"
+        #   ];
+        # };
+
        # TODO: Convert services to Tailscale subdomains when supported or use plugin when supported by nix
        # https://github.com/tailscale/tailscale/issues/7081
        # https://github.com/tailscale/caddy-tailscale
@ -50,9 +70,6 @@ in {
      };
    };

-    # https://wiki.nixos.org/wiki/Firewall
-    # https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
-    # https://element-hq.github.io/synapse/latest/turn-howto.html
    networking.firewall = {
      allowedTCPPorts = [
        80 # HTTP
--- a/options/custom/settings/boot.nix
+++ b/options/custom/settings/boot.nix
@ -48,6 +48,10 @@ in {

        # https://docs.syncthing.net/users/faq.html#inotify-limits
        "fs.inotify.max_user_watches" = 204800;
+
+        # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+        "net.core.rmem_max" = 7500000;
+        "net.core.wmem_max" = 7500000;
      };

      loader = {
--- a/options/custom/settings/packages.nix
+++ b/options/custom/settings/packages.nix
@ -35,6 +35,7 @@ in {
          nmap # Network scanner
          nvd # Nix diff viewer
          progress # Coreutils progress viewer
+          q # DNS tester
          rclone # File sync
          stress # CPU stress tester
          testdisk # Data recovery tool
--- a/secrets/server/caddy/Caddyfile
+++ b/secrets/server/caddy/Caddyfile
Author	SHA1	Message	Date
Myned	5a98adcd27	agenix: modify Caddyfile Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:44:05 -06:00
Myned	225766361e	caddy: add disabled plugins Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:43:53 -06:00
Myned	0fc8faa151	search: use kagi for reddit Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:43:28 -06:00
Myned	c35b0147c3	sysctl: increase quic buffer Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:43:03 -06:00
Myned	00dc56ae04	pkgs: add q Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:42:44 -06:00
Myned	a55109782c	adguardhome: fix ports Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:42:34 -06:00
Myned	88e234f0ac	containers: explicitly indicate tcp ports Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:42:13 -06:00
Myned	a169bf2511	actualbudget: upgrade to 25.2.1 Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 20:41:26 -06:00