feat: https over tailscale

DieracDelta · DieracDelta · commit 69e6c337f93b · 2025-12-12T19:39:04.000-05:00
diff --git a/custom_modules/core_services.nix b/custom_modules/core_services.nix
@@ -64,6 +64,41 @@ in
       # package = nixpkgs-stable.legacyPackages.${system}.tailscale;
       enable = true;
     };
+
+    systemd.services.tailscale-optimization = {
+      description = "Optimize ethtool settings for Tailscale";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${lib.getExe pkgs.ethtool} -K enp6s0 rx-udp-gro-forwarding on rx-gro-list off";
+      };
+    };
+    services.caddy = {
+      enable = true;
+
+      globalConfig = ''
+        https_port 8443
+      '';
+
+      virtualHosts."office-desktop.tail5ca7.ts.net" = {
+        extraConfig = ''
+          bind 127.0.0.1
+
+          route /navidrome* {
+            reverse_proxy 127.0.0.1:4533
+          }
+          handle_path /netdata* {
+            reverse_proxy 127.0.0.1:19999
+          }
+          handle_path /open-webui* {
+            reverse_proxy 127.0.0.1:8085
+          }
+        '';
+      };
+    };
+    services.tailscale.permitCertUid = "caddy";
+
     # create a oneshot job to authenticate to Tailscale
     # systemd.services.tailscale-autoconnect = {
     # description = "Automatic authentication to Tailscale";
@@ -93,6 +128,29 @@ in
     # serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
     # };
 
+    services.sslh = {
+      enable = true;
+      # "listenAddresses" replaces the old "port" setting
+      listenAddresses = [ "0.0.0.0" ];
+
+      settings = {
+        transparent = false;
+        protocols = [
+          {
+            name = "ssh";
+            service = "ssh";
+            host = "127.0.0.1";
+            port = "22";
+          }
+          {
+            name = "tls";
+            host = "127.0.0.1";
+            port = "8443";
+          }
+        ];
+      };
+    };
+
     services.openssh = {
       enable = true;
       settings.PasswordAuthentication = false;
@@ -104,7 +162,6 @@ in
         200
         201
         202
-        443
         2001
         2002
       ];
@@ -179,6 +236,7 @@ in
       3389
       80
       443
+      8443
       444
       9993
       8080
diff --git a/custom_modules/jellyfin.nix b/custom_modules/jellyfin.nix
@@ -38,10 +38,12 @@ in
     services.navidrome.user = "jellyfin";
     services.navidrome.group = "jellyfin";
     services.navidrome.openFirewall = true;
-    services.navidrome.settings.Address = "0.0.0.0";
+    services.navidrome.settings.Address = "127.0.0.1";
     services.navidrome.settings."Scanner.FollowSymlinks" = true;
+    services.navidrome.settings.Port = 4533;
     services.navidrome.settings.MusicFolder = "/jellyfin/MUSIC";
-    services.navidrome.package = nixpkgs-master.legacyPackages.${system}.navidrome;
+    services.navidrome.package = pkgs.navidrome;
+    services.navidrome.settings.BaseUrl = "/navidrome";
     systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = [ "/var/lib/musiclibrary" ];
 
     services.jellyfin.enable = false;
diff --git a/custom_modules/network_monitor.nix b/custom_modules/network_monitor.nix
@@ -25,13 +25,21 @@ let
 
         def get_data(hours):
             try:
-                df = pd.read_csv(LOG_FILE, parse_dates=['timestamp'])
+                # Read CSV. We don't rely on automatic parsing in read_csv
+                # to ensure we can control the UTC conversion explicitly below.
+                df = pd.read_csv(LOG_FILE)
             except FileNotFoundError:
                 print(f"Error: Log file {LOG_FILE} not found. Wait for the hourly timer to run.")
                 sys.exit(1)
 
-            # Filter by time window
-            start_time = datetime.now() - timedelta(hours=hours)
+            # Convert timestamp column to timezone-aware UTC
+            # This handles the mixed offsets (e.g. -05:00) provided by `date -Iseconds`
+            df['timestamp'] = pd.to_datetime(df['timestamp'], utc=True)
+
+            # Generate the start time as timezone-aware UTC
+            start_time = pd.Timestamp.now(tz='UTC') - pd.Timedelta(hours=hours)
+
+            # Now both sides are TZ-aware (UTC), enabling valid comparison
             df = df[df['timestamp'] >= start_time].copy()
 
             if df.empty:
@@ -45,7 +53,6 @@ let
             df = df.sort_values(['unit', 'timestamp'])
 
             # Calculate the difference between rows (Usage = Current - Previous)
-            # We group by 'unit' so we don't subtract Service A from Service B
             df['down_mb'] = df.groupby('unit')['ingress_bytes'].diff().fillna(0) / 1024 / 1024
             df['up_mb'] = df.groupby('unit')['egress_bytes'].diff().fillna(0) / 1024 / 1024
 
@@ -85,8 +92,12 @@ let
                 print(f"No history found for unit: {unit}")
                 return
 
-            # Resample to hourly chunks to smooth out the table
+            # Resample to hourly chunks.
+            # We set the index to our UTC timestamp for resampling.
             timeline.set_index('timestamp', inplace=True)
+
+            # Convert index to local time for display purposes if desired,
+            # or keep as UTC. Here we keep it simple.
             hourly = timeline[['down_mb', 'up_mb']].resample('1h').sum()
 
             print(f"\n=== Hourly Timeline for {unit} ===")
@@ -109,7 +120,6 @@ let
             else:
                 print_summary(time_window)
       '';
-
 in
 {
   options.custom_modules.network_monitor.enable = lib.mkOption {
@@ -126,6 +136,14 @@ in
     systemd.services.systemd-net-logger = {
       description = "Log Systemd IP Counters to CSV";
       serviceConfig.Type = "oneshot";
+
+      # 1. Provide necessary tools
+      path = with pkgs; [
+        gawk
+        findutils
+        coreutils
+      ];
+
       script = ''
         LOG_FILE="/var/log/network/systemd.csv"
         TIMESTAMP=$(date -Iseconds)
@@ -138,9 +156,27 @@ in
         | awk '{print $1}' \
         | xargs ${pkgs.systemd}/bin/systemctl show -p Id -p IPIngressBytes -p IPEgressBytes \
         | awk -v date="$TIMESTAMP" -F= '
-            /^Id=/ { id=$2 }
-            /^IPIngressBytes=/ { input=$2 }
-            /^IPEgressBytes=/ { output=$2; if (input > 0 || output > 0) printf "%s,%s,%s,%s\n", date, id, input, output }
+            # 2. Reset variables for every new Unit ID to prevent leaking
+            /^Id=/ {
+              id=$2;
+              input=0;
+              output=0;
+              has_input=0;
+              has_output=0;
+            }
+
+            # 3. Filter out "unset" values (UINT64_MAX) and non-numbers
+            /^IPIngressBytes=/ {
+              if ($2 ~ /^[0-9]+$/ && $2 != "18446744073709551615") { input=$2; has_input=1; }
+            }
+            /^IPEgressBytes=/ {
+              if ($2 ~ /^[0-9]+$/ && $2 != "18446744073709551615") { output=$2; has_output=1; }
+
+              # 4. Only log if we actually found valid traffic data
+              if ((has_input || has_output) && (input > 0 || output > 0)) {
+                 printf "%s,%s,%s,%s\n", date, id, input, output
+              }
+            }
           ' >> "$LOG_FILE"
       '';
     };
diff --git a/custom_modules/workstation_services.nix b/custom_modules/workstation_services.nix
@@ -386,31 +386,31 @@ in
     #   # ];
     # };
 
-    # services.ollama = {
-    #   # package = tmpnixpkgs.ollama;
-    #   #package = (import nixpkgs-stable { system = "x86_64-linux"; config.allowUnfree = true; }).ollama;
-    #   loadModels = [
-    #     "deepseek-r1:32b"
-    #     "deepseek-r1:14b"
-    #     "SIGJNF/deepseek-r1-671b-1.58bit"
-    #   ];
-    #   enable = true;
-    #   package = pkgs.ollama-cuda;
-    #   # acceleration = "cuda";
-    #   host = "0.0.0.0";
-    #   # environmentVariables = {"OLLAMA_KV_CACHE_TYPE" = "q4_0"; };
-    # };
-    # services.open-webui = {
-    #   # package = tmpnixpkgs.open-webui;
-    #   openFirewall = true;
-    #   enable = true;
-    #   host = "0.0.0.0";
-    #   environment = {
-    #     OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
-    #     # Disable authentication
-    #     WEBUI_AUTH = "False";
-    #   };
-    # };
+    services.ollama = {
+      # package = tmpnixpkgs.ollama;
+      #package = (import nixpkgs-stable { system = "x86_64-linux"; config.allowUnfree = true; }).ollama;
+      # loadModels = [
+      #   "deepseek-r1:32b"
+      #   "deepseek-r1:14b"
+      #   "SIGJNF/deepseek-r1-671b-1.58bit"
+      # ];
+      enable = true;
+      # package = pkgs.ollama-cuda;
+      # acceleration = "cuda";
+      host = "0.0.0.0";
+      # environmentVariables = {"OLLAMA_KV_CACHE_TYPE" = "q4_0"; };
+    };
+    services.open-webui = {
+      # package = tmpnixpkgs.open-webui;
+      openFirewall = true;
+      enable = true;
+      host = "0.0.0.0";
+      environment = {
+        OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
+        # Disable authentication
+        WEBUI_AUTH = "False";
+      };
+    };
 
     # programs.kdeconnect.enable = true;
 
