tunnel config

dns reorder
enable jellyfin
2026-03-06 19:35:05 +07:00 · 2026-03-06 19:34:58 +07:00 · 2026-03-06 19:34:45 +07:00
6 changed files with 70 additions and 55 deletions
--- a/lib/options.nix
+++ b/lib/options.nix
@ -15,23 +15,24 @@
  
  homelab = rec {
    domain = "satr14.my.id"; # root domain for dns, ssl certs, reverse proxy, etc.
+    cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a";
    disks = {
      share = "/dev/disk/by-uuid/ac61f6c8-ac20-41dd-ba93-41c4a225dc98"; # disk for nas share
      data = "/dev/disk/by-uuid/a5752dd6-092d-484c-969c-2fdc7cb4a5f0"; # disk for app data
    };
    records = [
-      [ "router.dns.${domain}"     "10.3.14.1"                  ]
-      [ "workspace.dns.${domain}"  "10.3.14.57"                 ]
-      [ "server.dns.${domain}"     "10.3.14.69"                 ]
-      [ "home.dns.${domain}"       "10.3.14.235"                ]
+      [ "server.dns.${domain}"     "10.3.14.69"         ]
+      [ "router.dns.${domain}"     "10.3.14.1"          ]
+      [ "home.dns.${domain}"       "10.3.14.235"        ]
+      [ "workspace.dns.${domain}"  "10.3.14.57"         ]
+      [ "old-main.dns.${domain}"   "10.3.14.42"         ] # old main machine for connecting while migrating
      
-      [ "main.dns.${domain}"       "10.3.14.215"                ] # this machine
-      [ "old-main.dns.${domain}"   "10.3.14.42"                 ] # old main machine for connecting while migrating
+      [ "main.dns.${domain}"       "10.3.14.215"        ] # this machine
      [ "proxy.${domain}"          "main.dns.${domain}" ]
      [ "*.proxy.${domain}"        "proxy.${domain}"    ]
      
-      # [ "lancache.steamcontent.com"        "main.dns.${domain}" ]
-      # [ "steam.cache.lancache.net"         "main.dns.${domain}" ]
+      # [ "lancache.steamcontent.com" "main.dns.${domain}" ]
+      # [ "steam.cache.lancache.net" "main.dns.${domain}" ]
    ];
  };

--- a/modules/system/homelab/dash.nix
+++ b/modules/system/homelab/dash.nix
@ -58,6 +58,7 @@
    [ "AdGuardHome" "adguard" "https://dns.proxy.${homelab.domain}" "http://localhost:8088/" ]
    [ "ApacheHTTPD" "apache" "https://cdn.proxy.${homelab.domain}" "http://localhost:3000/" ]
    [ "Immich" "immich" "https://gallery.proxy.${homelab.domain}" "http://localhost:2283/" ]
+    [ "Jellyfin" "jellyfin" "https://media.proxy.${homelab.domain}" "http://localhost:8096/" ]
    [ "VaultWarden" "vaultwarden" "https://pass.proxy.${homelab.domain}" "http://localhost:8060/" ]
    [ "Ollama" "ollama" "https://ai.proxy.${homelab.domain}" "http://localhost:8080/" ]
    [ "Dockge" "docker" "https://containers.proxy.${homelab.domain}" "http://localhost:5001/" ]
--- a/modules/system/homelab/media.nix
+++ b/modules/system/homelab/media.nix
@ -1,5 +1,4 @@
 { pkgs, ... }: {
-  # WIP: declaratively integrate media services into homelab configuration
  environment.systemPackages = with pkgs; [
    jellyfin jellyfin-web jellyfin-ffmpeg
  ];
@ -8,37 +7,37 @@
      enable = true;
      hardwareAcceleration.enable = true;
    };
-    jellyseerr = {
-      enable = true;
-      port = 5055;
-    };
-    radarr = {
-      enable = true;
-      settings = {
-        server = {
-          port = 7878;
-          bindaddress = "127.0.0.1";
-        };
-      };
-    };
-    sonarr = {
-      enable = true;
-      server = {
-        port = 8989;
-        bindaddress = "127.0.0.1";
-      };
-    };
-    qbittorrent = {
-      enable = true;
-      webuiPort = 8020;
-    };
-    jackett = {
-      enable = true;
-      port = 9117;
-    };
-    flaresolverr = {
-      enable = true;
-      port = 8191;
-    };
+    # jellyseerr = {
+    #   enable = true;
+    #   port = 5055;
+    # };
+    # radarr = {
+    #   enable = true;
+    #   settings = {
+    #     server = {
+    #       port = 7878;
+    #       bindaddress = "127.0.0.1";
+    #     };
+    #   };
+    # };
+    # sonarr = {
+    #   enable = true;
+    #   server = {
+    #     port = 8989;
+    #     bindaddress = "127.0.0.1";
+    #   };
+    # };
+    # qbittorrent = {
+    #   enable = true;
+    #   webuiPort = 8020;
+    # };
+    # jackett = {
+    #   enable = true;
+    #   port = 9117;
+    # };
+    # flaresolverr = {
+    #   enable = true;
+    #   port = 8191;
+    # };
  };
 }
--- a/modules/system/homelab/proxy.nix
+++ b/modules/system/homelab/proxy.nix
@ -4,19 +4,13 @@
    "dns"        = { dest = "http://localhost:8088"; auth = true; };
    "ai"         = { dest = "http://localhost:8080"; auth = true; };
    
-    # "jsr"        = { dest = "http://localhost:5055"; auth = false; };
-    # "rdr"        = { dest = "http://localhost:5055"; auth = false; };
-    # "snr"        = { dest = "http://localhost:5055"; auth = false; };
-    # "qbt"        = { dest = "http://localhost:8020"; auth = false; };
-    # "jkt"        = { dest = "http://localhost:9117"; auth = false; };
-    # "media"      = { dest = "http://localhost:8096"; auth = false; };
-    
    "auth"       = { dest = "http://localhost:1411"; auth = false; };
    "git"        = { dest = "http://localhost:5080"; auth = false; };
    
    "containers" = { dest = "http://localhost:5001"; auth = false; };
    "gallery"    = { dest = "http://localhost:2283"; auth = false; };
    "remote"     = { dest = "http://localhost:8085"; auth = false; };
+    "media"      = { dest = "http://localhost:8096"; auth = false; };
    "pass"       = { dest = "http://localhost:8060"; auth = false; };
    "cdn"        = { dest = "http://localhost:3000"; auth = false; };
    "@"          = { dest = "http://localhost:5070"; auth = false; };
--- a/modules/system/homelab/tunnels.nix
+++ b/modules/system/homelab/tunnels.nix
@ -1,16 +1,36 @@
-{ homelab, ... }: {
+{ pkgs, lib, homelab, ... }: let
+  routes = {
+    "git.${homelab.domain}"     = "http://localhost:3000";
+    "auth.${homelab.domain}"    = "http://localhost:1411";
+    "dash.${homelab.domain}"    = "http://localhost:5070";
+    "gallery.${homelab.domain}" = "http://localhost:2284";
+  };
+in {
  services.cloudflared = {
    enable = true;
    tunnels.homelab = {
      credentialsFile = "/mnt/data/cloudflared/homelab.json";
      certificateFile = "/mnt/data/cloudflared/cert.pem";
      default = "http_status:404";
-      ingress = {
-        "git.${homelab.domain}"     = "http://localhost:3000";
-        "auth.${homelab.domain}"    = "http://localhost:1411";
-        "dash.${homelab.domain}"    = "http://localhost:5070";
-        "gallery.${homelab.domain}" = "http://localhost:2284";
+      ingress = routes;
+    };
+    
+    systemd.services.cloudflared-dns-route = {
+      description = "Sync Cloudflare Tunnel DNS routes";
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        RemainAfterExit = true;
+        Type = "oneshot";
+        User = "root";
      };
+  
+      script = lib.concatMapStringsSep "\n" (domain: ''
+        echo "Ensuring DNS route for ${domain}..."
+        ${pkgs.cloudflared}/bin/cloudflared tunnel --origincert /mnt/data/cloudflared/cert.pem route dns ${homelab.cf-tunnel-id} ${domain} || true
+      '') builtins.attrNames routes;
    };
  };
 }
--- a/modules/system/server.nix
+++ b/modules/system/server.nix
@ -10,7 +10,7 @@ in {
    ./homelab/gallery.nix
    ./homelab/tunnels.nix
    ./homelab/remote.nix
-    # ./homelab/media.nix # wip
+    ./homelab/media.nix
    ./homelab/share.nix
    ./homelab/proxy.nix
    ./homelab/auth.nix
Author	SHA1	Message	Date
Satria	fc66316343	tunnel config	2026-03-06 19:35:05 +07:00
Satria	35e59b9e50	dns reorder	2026-03-06 19:34:58 +07:00
Satria	666435f968	enable jellyfin	2026-03-06 19:34:45 +07:00