phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
self-hosting/profiles/storage.nix

346 lines
11 KiB
Nix
Raw Normal View History

monit: update config
2024-08-26 05:38:10 +02:00
{
config,
lib,
pkgs,
pkgs-unstable,
inputs,
...
}:
{
Add new storage1 deploy-rs config
2021-11-26 00:14:44 +01:00
imports = [
../environment.nix
../hardware/hetzner-dedicated-storage1.nix
Start migrating config to NixOS modules
2022-09-16 01:29:46 +02:00
../modules
Add new storage1 deploy-rs config
2021-11-26 00:14:44 +01:00
];
Configure Jellyfin
2021-12-07 01:55:01 +01:00
Setup backup for storage1
2021-12-27 04:03:07 +01:00
sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/storage1/private";
};
monit: update config
2024-08-26 05:38:10 +02:00
nixCacheKey = {
key = "nix/cache_secret_key";
};
dmarcExporterPassword = {
key = "dmarc_exporter/password";
};
paultrialPassword = {
key = "email/accounts_passwords/paultrial";
};
eliosPassword = {
key = "email/accounts_passwords/elios";
};
mariePassword = {
key = "email/accounts_passwords/marie";
};
alicePassword = {
key = "email/accounts_passwords/alice";
};
monitPassword = {
key = "email/accounts_passwords/monit";
};
Finish migration to NixOS modules
2024-03-26 23:37:53 +01:00
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
Start migrating config to NixOS modules
2022-09-16 01:29:46 +02:00
};
custom = {
services.binary-cache = {
enable = true;
secretKeyFile = config.sops.secrets.nixCacheKey.path;
};
services.backup-job = {
enable = true;
Move backup to Hetzner's storage box
2023-04-22 02:46:55 +02:00
repoName = "bl";
Add FoundryVTT
2023-10-12 02:59:56 +02:00
additionalPaths = [ config.services.foundryvtt.dataDir ];
Move backup to Hetzner's storage box
2023-04-22 02:46:55 +02:00
patterns = [
"- /nix/var/data/media"
"- /nix/var/data/transmission/downloads"
"- /nix/var/data/transmission/.incomplete"
];
Start migrating config to NixOS modules
2022-09-16 01:29:46 +02:00
readWritePaths = [ "/nix/var/data/backup" ];
Stop jellyfin during backup
2023-09-30 05:43:39 +02:00
preHook = ''
${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
Stop some services during backup
2023-10-12 15:29:12 +02:00
${pkgs.systemd}/bin/systemctl stop minecraft-server.service
${pkgs.systemd}/bin/systemctl stop container@torrents
'';
postHook = ''
${pkgs.systemd}/bin/systemctl start jellyfin.service
${pkgs.systemd}/bin/systemctl start minecraft-server.service
${pkgs.systemd}/bin/systemctl start container@torrents
Stop jellyfin during backup
2023-09-30 05:43:39 +02:00
'';
Start migrating config to NixOS modules
2022-09-16 01:29:46 +02:00
startAt = "04:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
Monitor OsteoView
2022-10-30 01:05:16 +02:00
check host osteoview with address osteoview.app
Use healthcheck endpoint to monitor OsteoView
2022-10-30 01:53:58 +02:00
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
monit: update config
2024-08-26 05:38:10 +02:00
content = "Healthy"
Use healthcheck endpoint to monitor OsteoView
2022-10-30 01:53:58 +02:00
then alert
Add monit check for osteoview-demo
2023-07-12 07:46:20 +02:00
check host osteoview-demo with address demo.osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
monit: update config
2024-08-26 05:38:10 +02:00
content = "Healthy"
Add monit check for osteoview-demo
2023-07-12 07:46:20 +02:00
then alert
Start migrating config to NixOS modules
2022-09-16 01:29:46 +02:00
'';
};
Finish migration to NixOS modules
2024-03-26 23:37:53 +01:00
services.nginx.enable = true;
Start migrating config to NixOS modules
2022-09-16 01:29:46 +02:00
services.gitlab-runner.enable = true;
services.openssh.enable = true;
Finish migration to NixOS modules
2024-03-26 23:37:53 +01:00
services.jellyfin.enable = true;
services.stb.enable = true;
services.monero.enable = true;
services.torrents.enable = true;
services.jitsi.enable = true;
services.grafana.enable = true;
services.monitoring-exporters.enable = true;
};
mailserver = {
enable = true;
fqdn = "mail.banditlair.com";
monit: update config
2024-08-26 05:38:10 +02:00
domains = [
"banditlair.com"
"froidmont.org"
"falbo.fr"
];
Finish migration to NixOS modules
2024-03-26 23:37:53 +01:00
localDnsResolver = false;
enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail";
sieveDirectory = "/nix/var/data/sieve";
lmtpSaveToDetailMailbox = "no";
policydSPFExtraConfig = ''
Domain_Whitelist = skynet.be
'';
loginAccounts = {
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
monit: update config
2024-08-26 05:38:10 +02:00
aliases = [
"contact@froidmont.org"
"account@banditlair.com"
];
Finish migration to NixOS modules
2024-03-26 23:37:53 +01:00
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
monit: update config
2024-08-26 05:38:10 +02:00
aliases = [
"osteopathie@froidmont.org"
"communication@froidmont.org"
];
Finish migration to NixOS modules
2024-03-26 23:37:53 +01:00
};
"alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path;
};
"elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path;
monit: update config
2024-08-26 05:38:10 +02:00
aliases = [
"webshit@banditlair.com"
"outlook-pascal@banditlair.com"
];
Finish migration to NixOS modules
2024-03-26 23:37:53 +01:00
};
"monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true;
};
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
};
extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com";
"postmaster@banditlair.com" = "paultrial@banditlair.com";
"abuse@banditlair.com" = "paultrial@banditlair.com";
"info@froidmont.org" = "paultrial@banditlair.com";
"postmaster@froidmont.org" = "paultrial@banditlair.com";
"abuse@froidmont.org" = "paultrial@banditlair.com";
"info@falbo.fr" = "paultrial@banditlair.com";
"postmaster@falbo.fr" = "paultrial@banditlair.com";
"abuse@falbo.fr" = "paultrial@banditlair.com";
#Catch all
"@banditlair.com" = "paultrial@banditlair.com";
"@froidmont.org" = "paultrial@banditlair.com";
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = "acme-nginx";
Setup backup for storage1
2021-12-27 04:03:07 +01:00
};
Add dmarc metrics
2022-11-07 17:32:20 +01:00
services.prometheus.exporters.dmarc = {
enable = true;
debug = true;
imap = {
host = "mail.banditlair.com";
username = "paultrial@banditlair.com";
monit: update config
2024-08-26 05:38:10 +02:00
passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
Add dmarc metrics
2022-11-07 17:32:20 +01:00
};
folders = {
inbox = "dmarc_reports";
done = "Archives.dmarc_report_processed";
error = "Archives.dmarc_report_error";
};
};
monit: update config
2024-08-26 05:38:10 +02:00
systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
Add dmarc metrics
2022-11-07 17:32:20 +01:00
Minecraft: change port
2023-08-08 01:07:19 +02:00
networking.firewall.allowedTCPPorts = [
80
443
18080
23363 # Minecraft
];
networking.firewall.allowedUDPPorts = [
23363 # Minecraft
];
monit: update config
2024-08-26 05:38:10 +02:00
networking.firewall.interfaces.vlan4001.allowedTCPPorts = [
config.services.loki.configuration.server.http_listen_port
];
Migrate torrents
2021-12-10 03:02:34 +01:00
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "ve-+" ];
networking.nat.externalInterface = "enp2s0";
users.users.www-data = {
uid = 993;
Update to NixOS 23.05
2023-07-10 19:19:25 +02:00
createHome = true;
home = "/home/www-data";
useDefaultShell = true;
Migrate torrents
2021-12-10 03:02:34 +01:00
group = config.users.groups.www-data.name;
Migrate Nextcloud data
2021-12-26 23:01:12 +01:00
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc7kX8riTSxRNwqIwZ/XwTKHzl1C786TbeU5qx2gTidR4H56+GxA5jrpWLZrcu0MRBu11/URzyGrJGxdBps6Hu/Arp482Y5OxZeDUzD+tZJa79NylG9GQFMTmGLjH3IqBbmgx91WdYsLmgXjz0f+NxANzmgvzRt2IolHc4hxIkrDickfT2dT3uVtaJOGBsLC2BxVT0rCHFmvjB7+qnJ4jvC8b/V+F6+hijom1kUq9zhZzWEg8H5imR0UoXrXLetxY+PGAqKkDLm/pNQ/cUSX4FaKZ5bpGYed7ioSeRHW3xIh4zHhWbiyBPsrjyOmEnxNL5f4o4KgHfUDY0DpVrhs+6JPJTsMfsyb0GciqSYR5PCL73zY+IEo+ZHdGubib4G5+t1UqaK+ZZGqW+a7DLHMFR6tr3I/b/Jz8KHjYztdx/ZHS3CA2+17JgLG/ycq+a3ETBkIGSta5I4BUfcbVvkxKq7A99aODDyYc+jMp7gbQlwKhdHcAoVcWRKqck/sL0Qnb4e+BoUm+ajxRo6DNcpGL5LLtD/i1NuWjFugh6q1KcgXP/Bc11Owhqg3nlIUMUoVc2/h/9Er9Eaplv27rw180ItGR1UEQ4gQHCGQB6vCF5NRPjAS5y515UcDu+rceFIr1W15IZvhMrcphb8clu8E2us68ghas7ZgXKU2xypsaGPw== sshfs-2021-07-16"
];
Migrate torrents
2021-12-10 03:02:34 +01:00
};
monit: update config
2024-08-26 05:38:10 +02:00
users.groups.www-data = {
gid = 991;
};
Migrate emails
2021-12-26 19:42:23 +01:00
Allow less secure Mac because of Nextcloud
2023-07-18 21:12:57 +02:00
services.openssh.settings.Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-256" # Needed for Nextcloud sshfs
];
Migrate emails
2021-12-26 19:42:23 +01:00
users.users.steam = {
isNormalUser = true;
group = config.users.groups.steam.name;
};
users.groups.steam = { };
Setup backup for storage1
2021-12-27 04:03:07 +01:00
Add minecraft server
2022-02-22 18:47:38 +01:00
services.minecraft-server = {
Enable Minecraft
2023-08-07 06:18:37 +02:00
enable = true;
Use minecraft-server from unstable
2022-07-19 06:34:33 +02:00
package = pkgs-unstable.minecraft-server;
Add minecraft server
2022-02-22 18:47:38 +01:00
eula = true;
Minecraft: change port
2023-08-08 01:07:19 +02:00
openFirewall = false;
Add minecraft server
2022-02-22 18:47:38 +01:00
declarative = true;
serverProperties = {
Minecraft: change port
2023-08-08 01:07:19 +02:00
enable-rcon = true;
"rcon.port" = 25575;
"rcon.password" = "password";
server-port = 23363;
Configure whitelist for Minecraft server
2022-06-09 10:11:32 +02:00
online-mode = true;
Add minecraft server
2022-02-22 18:47:38 +01:00
force-gamemode = true;
Fix minecraft-server whitelist
2022-08-07 23:03:54 +02:00
white-list = true;
Enable Minecraft
2023-08-07 06:18:37 +02:00
diffuculty = "hard";
Add minecraft server
2022-02-22 18:47:38 +01:00
};
Configure whitelist for Minecraft server
2022-06-09 10:11:32 +02:00
whitelist = {
paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
};
Fix minecraft-server whitelist
2022-08-07 23:03:54 +02:00
dataDir = "/nix/var/data/minecraft";
Add minecraft server
2022-02-22 18:47:38 +01:00
};
Disable minecraft
2023-03-30 12:48:06 +02:00
# virtualisation.oci-containers.containers = {
# "minecraft" = {
# image = "itzg/minecraft-server";
# environment = {
# EULA = "TRUE";
# VERSION = "1.18.2";
# TYPE = "AUTO_CURSEFORGE";
# MEMORY = "4G";
# CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
# };
# ports = [ "25565:25565" ];
# volumes = [ "/nix/var/data/minecraft-modded:/data" ];
# autoStart = true;
# };
# };
Setup borg repo for epicerie_du_cellier
2023-04-17 05:28:49 +02:00
Add FoundryVTT
2023-10-12 02:59:56 +02:00
services.foundryvtt = {
enable = true;
Update inputs to fix OpenSSH CVE-2024-6387
2024-07-02 18:16:26 +02:00
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
Add FoundryVTT
2023-10-12 02:59:56 +02:00
hostName = "vtt.${config.networking.domain}";
language = "fr.core";
proxyPort = 443;
proxySSL = true;
Update inputs to fix OpenSSH CVE-2024-6387
2024-07-02 18:16:26 +02:00
upnp = false;
Add FoundryVTT
2023-10-12 02:59:56 +02:00
};
Add Odoo config
2024-09-20 03:55:11 +02:00
services.rustdesk-server = {
enable = true;
openFirewall = true;
};
Add FoundryVTT
2023-10-12 02:59:56 +02:00
services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
monit: update config
2024-08-26 05:38:10 +02:00
proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
Add FoundryVTT
2023-10-12 02:59:56 +02:00
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
Setup borg repo for epicerie_du_cellier
2023-04-17 05:28:49 +02:00
services.borgbackup.repos = {
epicerie_du_cellier = {
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDbiI5UOGpVbaV+xihLqKP0B3UehboMMzOy3HhjjbSz backend1@epicerieducellier.be"
];
path = "/var/lib/epicerie_du_cellier_backup";
};
};
Add new storage1 deploy-rs config
2021-11-26 00:14:44 +01:00
}
Reference in a new issue Copy permalink