self-hosting/profiles/storage.nix

{ config, lib, pkgs, pkgs-unstable, ... }:
{
  imports = [
    ../environment.nix
    ../hardware/hetzner-dedicated-storage1.nix
    ../modules
    ../modules/openssh.nix
    ../modules/mailserver.nix
    ../modules/nginx.nix
    ../modules/jellyfin.nix
    ../modules/stb.nix
    ../modules/monero.nix
    ../modules/torrents.nix
    ../modules/jitsi.nix
    ../modules/binary-cache.nix
    ../modules/grafana.nix
    ../modules/monitoring-exporters.nix
  ];

  sops.secrets = {
    borgSshKey = {
      owner = config.services.borgbackup.jobs.data.user;
      key = "borg/client_keys/storage1/private";
    };
    nixCacheKey = {
      key = "nix/cache_secret_key";
    };
    dmarcExporterPassword = {
      key = "dmarc_exporter/password";
    };
  };

  custom = {
    services.binary-cache = {
      enable = true;
      secretKeyFile = config.sops.secrets.nixCacheKey.path;
    };

    services.backup-job = {
      enable = true;
      readWritePaths = [ "/nix/var/data/backup" ];
      preHook = "${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql";
      startAt = "04:00";
      sshKey = config.sops.secrets.borgSshKey.path;
    };

    services.monit = {
      enable = true;
      additionalConfig = ''
        check host nextcloud with address cloud.banditlair.com
          if failed port 443 protocol https with timeout 20 seconds then alert
        check host anderia-wiki with address anderia.banditlair.com
          if failed port 443 protocol https with timeout 20 seconds then alert
        check host arkadia-wiki with address arkadia.banditlair.com
          if failed port 443 protocol https with timeout 20 seconds then alert
        check host website-marie with address osteopathie.froidmont.org
          if failed port 443 protocol https with timeout 20 seconds then alert
        check host webmail with address webmail.banditlair.com
          if failed port 443 protocol https with timeout 20 seconds then alert

        check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
          if status != 0 then alert

        check host osteoview with address osteoview.app
          if failed
              port 443
              protocol https
              status = 200
              request "/api/_health"
              with timeout 5 seconds
              content = '[{"]Healthy["]:[{}}]'
          then alert
      '';
    };

    services.gitlab-runner.enable = true;
    services.openssh.enable = true;
  };

  services.prometheus.exporters.dmarc = {
    enable = true;
    debug = true;
    imap = {
      host = "mail.banditlair.com";
      username = "paultrial@banditlair.com";
      passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
    };
    folders = {
      inbox = "dmarc_reports";
      done = "Archives.dmarc_report_processed";
      error = "Archives.dmarc_report_error";
    };
  };
  systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential =
    "password:${config.sops.secrets.dmarcExporterPassword.path}";

  networking.firewall.allowedTCPPorts = [ 80 443 18080 ];
  networking.firewall.interfaces.vlan4001.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];

  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "enp2s0";

  users.users.www-data = {
    uid = 993;
    isNormalUser = true;
    group = config.users.groups.www-data.name;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc7kX8riTSxRNwqIwZ/XwTKHzl1C786TbeU5qx2gTidR4H56+GxA5jrpWLZrcu0MRBu11/URzyGrJGxdBps6Hu/Arp482Y5OxZeDUzD+tZJa79NylG9GQFMTmGLjH3IqBbmgx91WdYsLmgXjz0f+NxANzmgvzRt2IolHc4hxIkrDickfT2dT3uVtaJOGBsLC2BxVT0rCHFmvjB7+qnJ4jvC8b/V+F6+hijom1kUq9zhZzWEg8H5imR0UoXrXLetxY+PGAqKkDLm/pNQ/cUSX4FaKZ5bpGYed7ioSeRHW3xIh4zHhWbiyBPsrjyOmEnxNL5f4o4KgHfUDY0DpVrhs+6JPJTsMfsyb0GciqSYR5PCL73zY+IEo+ZHdGubib4G5+t1UqaK+ZZGqW+a7DLHMFR6tr3I/b/Jz8KHjYztdx/ZHS3CA2+17JgLG/ycq+a3ETBkIGSta5I4BUfcbVvkxKq7A99aODDyYc+jMp7gbQlwKhdHcAoVcWRKqck/sL0Qnb4e+BoUm+ajxRo6DNcpGL5LLtD/i1NuWjFugh6q1KcgXP/Bc11Owhqg3nlIUMUoVc2/h/9Er9Eaplv27rw180ItGR1UEQ4gQHCGQB6vCF5NRPjAS5y515UcDu+rceFIr1W15IZvhMrcphb8clu8E2us68ghas7ZgXKU2xypsaGPw== sshfs-2021-07-16"
    ];
  };
  users.groups.www-data = { gid = 991; };

  users.users.steam = {
    isNormalUser = true;
    group = config.users.groups.steam.name;
  };
  users.groups.steam = { };

  services.minecraft-server = {
    enable = false;
    package = pkgs-unstable.minecraft-server;
    eula = true;
    openFirewall = true;
    declarative = true;
    serverProperties = {
      online-mode = true;
      force-gamemode = true;
      white-list = true;
    };
    whitelist = {
      paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
      Nixo = "ec79d755-c3c9-4307-bb66-b58b7c74422c";
      Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
      denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
    };
    dataDir = "/nix/var/data/minecraft";
  };

  # virtualisation.oci-containers.containers = {
  #   "minecraft" = {
  #     image = "itzg/minecraft-server";
  #     environment = {
  #       EULA = "TRUE";
  #       VERSION = "1.18.2";
  #       TYPE = "AUTO_CURSEFORGE";
  #       MEMORY = "4G";
  #       CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
  #     };
  #     ports = [ "25565:25565" ];
  #     volumes = [ "/nix/var/data/minecraft-modded:/data" ];
  #     autoStart = true;
  #   };
  # };
}