Nix configurations for my homelab
arr: setup reverse proxying with acme dns challenges
author
yemou
date
(May 28, 2026, 10:10 PM -0400)
commit
8673eff9
8673eff99f1c451b010795a19af57ea49dba8127
parent
8d8ec5ed
8d8ec5ede242efeb6284b0f977efe45355c1de11
+79
-6
+3
-1
lily/config.nix
+3
-1
lily/config.nix
···
22
22
../modules/vpn-container.nix
23
23
24
24
../modules/services/caddy
25
+
../modules/services/caddy/arr.nix
25
26
../modules/services/caddy/atproto-did.nix
26
27
../modules/services/caddy/bsky-sieve.nix
27
28
../modules/services/caddy/cp-certs.nix
···
55
56
cafe = {
56
57
caddy.package = {
57
58
plugins = [
59
+
"github.com/caddy-dns/porkbun@v0.3.1"
58
60
"github.com/mholt/caddy-events-exec@v0.1.0"
59
61
"github.com/mholt/caddy-l4@v0.1.0"
60
62
];
61
-
hash = "sha256-ooue6yzL4NmfYKprhGabAw8Cplw8WjcTDGVhanA9gWY=";
63
+
hash = "sha256-H5YpAVeXhwQHeIBXEfcvwMld/CF5+3ObM47S1LnYj2M=";
62
64
};
63
65
info.host.server = true;
64
66
};
+5
modules/qbittorrent.nix
+5
modules/qbittorrent.nix
···
112
112
};
113
113
WebUI = {
114
114
LocalHostAuth = false;
115
+
Username = "mou";
116
+
Password_PBKDF2 =
117
+
"@ByteArray(oC8JAmq9UwLSd6SXZGeM/g==:9ElZqPoIQLPwfRlCxb8fZgFTZsrhF/zASd0RbVGgagYa2seez105FOW1QuwOrFpMlY"
118
+
+ "v+lPW0NjT4PbgWomPFWA==)";
119
+
ReverseProxySupportEnabled = true;
115
120
AuthSubnetWhitelistEnabled = true;
116
121
AuthSubnetWhitelist = lib.strings.join ", " [
117
122
"192.168.2.1/32"
+63
modules/services/caddy/arr.nix
+63
modules/services/caddy/arr.nix
···
1
+
{ config, ... }:
2
+
{
3
+
sops = {
4
+
secrets = {
5
+
"porkbun/api-key" = { };
6
+
"porkbun/api-secret-key" = { };
7
+
};
8
+
templates.porkbun-env.content = ''
9
+
PORKBUN_API_KEY="${config.sops.placeholder."porkbun/api-key"}"
10
+
PORKBUN_API_SECRET_KEY="${config.sops.placeholder."porkbun/api-secret-key"}"
11
+
'';
12
+
};
13
+
14
+
services.caddy = {
15
+
environmentFile = config.sops.templates.porkbun-env.path;
16
+
virtualHosts = {
17
+
"pr.lab.biota.cafe".extraConfig = ''
18
+
tls {
19
+
dns porkbun {
20
+
api_key {env.PORKBUN_API_KEY}
21
+
api_secret_key {env.PORKBUN_API_SECRET_KEY}
22
+
}
23
+
}
24
+
25
+
encode
26
+
reverse_proxy [::1]:9696
27
+
'';
28
+
"qb.lab.biota.cafe".extraConfig = ''
29
+
tls {
30
+
dns porkbun {
31
+
api_key {env.PORKBUN_API_KEY}
32
+
api_secret_key {env.PORKBUN_API_SECRET_KEY}
33
+
}
34
+
}
35
+
36
+
encode
37
+
reverse_proxy ${config.cafe.info.network.lily.netbird-ipv4}:8082
38
+
'';
39
+
"rr.lab.biota.cafe".extraConfig = ''
40
+
tls {
41
+
dns porkbun {
42
+
api_key {env.PORKBUN_API_KEY}
43
+
api_secret_key {env.PORKBUN_API_SECRET_KEY}
44
+
}
45
+
}
46
+
47
+
encode
48
+
reverse_proxy [::1]:7878
49
+
'';
50
+
"sr.lab.biota.cafe".extraConfig = ''
51
+
tls {
52
+
dns porkbun {
53
+
api_key {env.PORKBUN_API_KEY}
54
+
api_secret_key {env.PORKBUN_API_SECRET_KEY}
55
+
}
56
+
}
57
+
58
+
encode
59
+
reverse_proxy [::1]:8989
60
+
'';
61
+
};
62
+
};
63
+
}
+8
-5
secrets/lily.yaml
+8
-5
secrets/lily.yaml
···
17
17
radarr-apikey: ENC[AES256_GCM,data:7FLygsV20gXqnT/T7fxW8kajcDN6OiA/LIIrYUYx8y8=,iv:YreEg2rnm+ghAH3FiabqdRx7lYfZLO6uEhKqDAA4gA4=,tag:n/xCQAHF1b5a0lIfkfI3CQ==,type:str]
18
18
sonarr-apikey: ENC[AES256_GCM,data:CTmGQN0k2iQknPOSxfyckBemY1Bp1SPLeHTuUBwxH6E=,iv:gtQ0hZQ+YKEYDEDOyQUG58xAxyjSHZU9CVanyh/1bL8=,tag:cRPIb9nUZYxvtFnoqAxwRQ==,type:str]
19
19
prowlarr-apikey: ENC[AES256_GCM,data:w5pQjQed4qbqLWI4STNvqCi6p0VMy8LvzenPsKZRMmk=,iv:BbZGwTUjFh3XI47mUi3ctZhvQsqhD65HNiXJlrcTL0o=,tag:UWCn3Zy49AC0/O0nsAOLnw==,type:str]
20
+
porkbun:
21
+
api-key: ENC[AES256_GCM,data:8i2+l3rFAPdzU2JcvuQMMZlrE9Oja2UkV3M8VLAvTlOEpHyb91WyipRhQJ0Glj8SxYP0Ne1i2ffMVKZGLMHoh1DqEPM=,iv:r8lvv7CMHOlPJzTihJQMGMQIzkhPp7RRWmoj3ZO+HmI=,tag:XSQbDDW/mQdclSorcitbFA==,type:str]
22
+
api-secret-key: ENC[AES256_GCM,data:r/74LXkoVLbaKOfPDFHVXdvoiDSzJXsIqfwE7NWcfe4MAB7JuXm8aHiIH4w6SmD+Z+Q5I/ZFpwlj5SepCbiDeNz1nNU=,iv:Zt5W5ko4E6RuTQ2lwwZ+tr/ld7SNJ/mnEIK9Zr+ezuI=,tag:NXsTCVU7/rHuuhtumBjPjQ==,type:str]
20
23
sops:
21
24
age:
22
-
- recipient: age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj
23
-
enc: |
25
+
- enc: |
24
26
-----BEGIN AGE ENCRYPTED FILE-----
25
27
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbzRJOVBKQlI3Z2lmaVBR
26
28
UnhWOU5LOCtXMSthOU10OGVJek02eWFaSmhJClpidnpjWkFTWXU4Qk9ZV0s2cVds
···
28
30
cHlWQjF3ZkU5NUs0Y1hodUlabkxpdzAK91EV34EhJMrxxdVrRCwZlGKuRs7AU7v3
29
31
dU8XRhjAzJs2Vu5UnCVOGB5Zl6w7FkXICYY0IP2dA0b477dI5rXNBg==
30
32
-----END AGE ENCRYPTED FILE-----
31
-
lastmodified: "2026-05-01T21:52:53Z"
32
-
mac: ENC[AES256_GCM,data:amL1DOUlhvNkSQdInc9m4Cjej4xtlAZ+jVvWYMfWD7Ed7JdDhpoexMJ7XSgsUWcFU0Nolvk0cqr0ffGZw7mq5R4GOD30joEP0Al/S3RLeVRwVnVHMbKZU2HPl5ZVhw3ksU297JxyLP9qGIYw16VqF1j3tyxAqDZYQ/gmhdAMjeg=,iv:BUFlgkAwxqFepdvu8wZtT6kusiw6V2qXo3ZGctVw9wk=,tag:bgZKN2/ib3oFfyaiOeFoww==,type:str]
33
+
recipient: age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj
34
+
lastmodified: "2026-05-29T01:24:49Z"
35
+
mac: ENC[AES256_GCM,data:2h8F+mkNPAyhQ+UgkpUarr2KpkK08vgiYE7nTO4huL/FbeuZe6rnUoicb+mMzI0dodCR2nDPpT5Cu+eti17Hi/SuRIbsAHA9QJ58yM2Y4W4sEwNQc6LY+pN81+GRsBQOdIdmBCwuW+8drFlrRD7f9A1EV/b12WnewCuTS96NY44=,iv:X6htk1j5B/Osaj1bkpxAewkMz4GGkcjKNgCx2wsv+e0=,tag:hjqMqKVw9EzcdolRVpayCg==,type:str]
33
36
unencrypted_suffix: _unencrypted
34
-
version: 3.12.2
37
+
version: 3.13.1