self-hosting/profiles/storage.nix

{ config, lib, pkgs, pkgs-unstable, ... }:
{
  imports = [
    ../environment.nix
    ../hardware/hetzner-dedicated-storage1.nix
    ../modules/openssh.nix
    ../modules/mailserver.nix
    ../modules/nginx.nix
    ../modules/jellyfin.nix
    ../modules/stb.nix
    ../modules/monero.nix
    ../modules/torrents.nix
    ../modules/custom-backup-job.nix
    ../modules/custom-monit.nix
    ../modules/jitsi.nix
    ../modules/gitlab-runner.nix
    ../modules/binary-cache.nix
  ];

  sops.secrets = {
    borgSshKey = {
      owner = config.services.borgbackup.jobs.data.user;
      key = "borg/client_keys/storage1/private";
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 18080 ];

  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "enp2s0";

  users.users.www-data = {
    uid = 993;
    isNormalUser = true;
    group = config.users.groups.www-data.name;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc7kX8riTSxRNwqIwZ/XwTKHzl1C786TbeU5qx2gTidR4H56+GxA5jrpWLZrcu0MRBu11/URzyGrJGxdBps6Hu/Arp482Y5OxZeDUzD+tZJa79NylG9GQFMTmGLjH3IqBbmgx91WdYsLmgXjz0f+NxANzmgvzRt2IolHc4hxIkrDickfT2dT3uVtaJOGBsLC2BxVT0rCHFmvjB7+qnJ4jvC8b/V+F6+hijom1kUq9zhZzWEg8H5imR0UoXrXLetxY+PGAqKkDLm/pNQ/cUSX4FaKZ5bpGYed7ioSeRHW3xIh4zHhWbiyBPsrjyOmEnxNL5f4o4KgHfUDY0DpVrhs+6JPJTsMfsyb0GciqSYR5PCL73zY+IEo+ZHdGubib4G5+t1UqaK+ZZGqW+a7DLHMFR6tr3I/b/Jz8KHjYztdx/ZHS3CA2+17JgLG/ycq+a3ETBkIGSta5I4BUfcbVvkxKq7A99aODDyYc+jMp7gbQlwKhdHcAoVcWRKqck/sL0Qnb4e+BoUm+ajxRo6DNcpGL5LLtD/i1NuWjFugh6q1KcgXP/Bc11Owhqg3nlIUMUoVc2/h/9Er9Eaplv27rw180ItGR1UEQ4gQHCGQB6vCF5NRPjAS5y515UcDu+rceFIr1W15IZvhMrcphb8clu8E2us68ghas7ZgXKU2xypsaGPw== sshfs-2021-07-16"
    ];
  };
  users.groups.www-data = { gid = 991; };

  users.users.steam = {
    isNormalUser = true;
    group = config.users.groups.steam.name;
  };
  users.groups.steam = { };

  services.custom-backup-job = {
    readWritePaths = [ "/nix/var/data/backup" ];
    preHook = "${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql";
    postHook = "touch /nix/var/data/backup/backup-ok";
    startAt = "04:00";
    sshKey = config.sops.secrets.borgSshKey.path;
  };

  services.custom-monit.additionalConfig = ''
    check host nextcloud with address cloud.banditlair.com
      if failed port 443 protocol https with timeout 20 seconds then alert
    check host anderia-wiki with address anderia.banditlair.com
      if failed port 443 protocol https with timeout 20 seconds then alert
    check host arkadia-wiki with address arkadia.banditlair.com
      if failed port 443 protocol https with timeout 20 seconds then alert
    check host website-marie with address osteopathie.froidmont.org
      if failed port 443 protocol https with timeout 20 seconds then alert
    check host webmail with address webmail.banditlair.com
      if failed port 443 protocol https with timeout 20 seconds then alert

    check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
      if status != 0 then alert
  '';

  services.minecraft-server = {
    enable = true;
    package = pkgs-unstable.minecraft-server;
    eula = true;
    openFirewall = true;
    declarative = true;
    serverProperties = {
      online-mode = true;
      force-gamemode = true;
      white-list = true;
    };
    whitelist = {
      paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
      Nixo = "ec79d755-c3c9-4307-bb66-b58b7c74422c";
      Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
      denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
    };
    dataDir = "/nix/var/data/minecraft";
  };
}
Use minecraft-server from unstable 2022-07-19 06:34:33 +02:00			`{ config, lib, pkgs, pkgs-unstable, ... }:`
Add new storage1 deploy-rs config 2021-11-26 00:14:44 +01:00			`{`
			`imports = [`
			`../environment.nix`
			`../hardware/hetzner-dedicated-storage1.nix`
			`../modules/openssh.nix`
Start migration to NixOS for storage1 2021-11-29 02:04:29 +01:00			`../modules/mailserver.nix`
Use letsencrypt certificate for mail server 2021-12-07 00:44:36 +01:00			`../modules/nginx.nix`
Configure Jellyfin 2021-12-07 01:55:01 +01:00			`../modules/jellyfin.nix`
Migrate stb-wordpress 2021-12-08 01:03:24 +01:00			`../modules/stb.nix`
Add Monero node 2021-12-09 09:28:28 +01:00			`../modules/monero.nix`
Migrate torrents 2021-12-10 03:02:34 +01:00			`../modules/torrents.nix`
Setup backup for storage1 2021-12-27 04:03:07 +01:00			`../modules/custom-backup-job.nix`
Configure Monit on all hosts 2021-12-27 05:28:51 +01:00			`../modules/custom-monit.nix`
Add Jitsi 2021-12-27 17:17:02 +01:00			`../modules/jitsi.nix`
Add gitlab-runner 2022-07-19 08:54:18 +02:00			`../modules/gitlab-runner.nix`
Add NixOS binary cache 2022-09-15 03:40:09 +02:00			`../modules/binary-cache.nix`
Add new storage1 deploy-rs config 2021-11-26 00:14:44 +01:00			`];`
Configure Jellyfin 2021-12-07 01:55:01 +01:00
Setup backup for storage1 2021-12-27 04:03:07 +01:00			`sops.secrets = {`
			`borgSshKey = {`
			`owner = config.services.borgbackup.jobs.data.user;`
			`key = "borg/client_keys/storage1/private";`
			`};`
			`};`

Add Monero node 2021-12-09 09:28:28 +01:00			`networking.firewall.allowedTCPPorts = [ 80 443 18080 ];`
Migrate torrents 2021-12-10 03:02:34 +01:00
			`networking.nat.enable = true;`
			`networking.nat.internalInterfaces = [ "ve-+" ];`
			`networking.nat.externalInterface = "enp2s0";`

			`users.users.www-data = {`
			`uid = 993;`
Migrate Nextcloud data 2021-12-26 23:01:12 +01:00			`isNormalUser = true;`
Migrate torrents 2021-12-10 03:02:34 +01:00			`group = config.users.groups.www-data.name;`
Migrate Nextcloud data 2021-12-26 23:01:12 +01:00			`openssh.authorizedKeys.keys = [`
			"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc7kX8riTSxRNwqIwZ/XwTKHzl1C786TbeU5qx2gTidR4H56+GxA5jrpWLZrcu0MRBu11/URzyGrJGxdBps6Hu/Arp482Y5OxZeDUzD+tZJa79NylG9GQFMTmGLjH3IqBbmgx91WdYsLmgXjz0f+NxANzmgvzRt2IolHc4hxIkrDickfT2dT3uVtaJOGBsLC2BxVT0rCHFmvjB7+qnJ4jvC8b/V+F6+hijom1kUq9zhZzWEg8H5imR0UoXrXLetxY+PGAqKkDLm/pNQ/cUSX4FaKZ5bpGYed7ioSeRHW3xIh4zHhWbiyBPsrjyOmEnxNL5f4o4KgHfUDY0DpVrhs+6JPJTsMfsyb0GciqSYR5PCL73zY+IEo+ZHdGubib4G5+t1UqaK+ZZGqW+a7DLHMFR6tr3I/b/Jz8KHjYztdx/ZHS3CA2+17JgLG/ycq+a3ETBkIGSta5I4BUfcbVvkxKq7A99aODDyYc+jMp7gbQlwKhdHcAoVcWRKqck/sL0Qnb4e+BoUm+ajxRo6DNcpGL5LLtD/i1NuWjFugh6q1KcgXP/Bc11Owhqg3nlIUMUoVc2/h/9Er9Eaplv27rw180ItGR1UEQ4gQHCGQB6vCF5NRPjAS5y515UcDu+rceFIr1W15IZvhMrcphb8clu8E2us68ghas7ZgXKU2xypsaGPw== sshfs-2021-07-16"
			`];`
Migrate torrents 2021-12-10 03:02:34 +01:00			`};`
			`users.groups.www-data = { gid = 991; };`
Migrate emails 2021-12-26 19:42:23 +01:00
			`users.users.steam = {`
			`isNormalUser = true;`
			`group = config.users.groups.steam.name;`
			`};`
			`users.groups.steam = { };`
Setup backup for storage1 2021-12-27 04:03:07 +01:00
			`services.custom-backup-job = {`
			`readWritePaths = [ "/nix/var/data/backup" ];`
			`preHook = "${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql";`
Configure Monit on all hosts 2021-12-27 05:28:51 +01:00			`postHook = "touch /nix/var/data/backup/backup-ok";`
Setup backup for storage1 2021-12-27 04:03:07 +01:00			`startAt = "04:00";`
			`sshKey = config.sops.secrets.borgSshKey.path;`
			`};`
Configure Monit on all hosts 2021-12-27 05:28:51 +01:00
			`services.custom-monit.additionalConfig = ''`
			`check host nextcloud with address cloud.banditlair.com`
			`if failed port 443 protocol https with timeout 20 seconds then alert`
			`check host anderia-wiki with address anderia.banditlair.com`
			`if failed port 443 protocol https with timeout 20 seconds then alert`
			`check host arkadia-wiki with address arkadia.banditlair.com`
			`if failed port 443 protocol https with timeout 20 seconds then alert`
			`check host website-marie with address osteopathie.froidmont.org`
			`if failed port 443 protocol https with timeout 20 seconds then alert`
Add Roundcube 2021-12-27 16:39:22 +01:00			`check host webmail with address webmail.banditlair.com`
			`if failed port 443 protocol https with timeout 20 seconds then alert`
Watch raid status with Monit 2022-09-09 04:53:16 +02:00
			`check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"`
			`if status != 0 then alert`
Configure Monit on all hosts 2021-12-27 05:28:51 +01:00			`'';`
Add minecraft server 2022-02-22 18:47:38 +01:00
			`services.minecraft-server = {`
			`enable = true;`
Use minecraft-server from unstable 2022-07-19 06:34:33 +02:00			`package = pkgs-unstable.minecraft-server;`
Add minecraft server 2022-02-22 18:47:38 +01:00			`eula = true;`
			`openFirewall = true;`
			`declarative = true;`
			`serverProperties = {`
Configure whitelist for Minecraft server 2022-06-09 10:11:32 +02:00			`online-mode = true;`
Add minecraft server 2022-02-22 18:47:38 +01:00			`force-gamemode = true;`
Fix minecraft-server whitelist 2022-08-07 23:03:54 +02:00			`white-list = true;`
Add minecraft server 2022-02-22 18:47:38 +01:00			`};`
Configure whitelist for Minecraft server 2022-06-09 10:11:32 +02:00			`whitelist = {`
			`paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";`
			`Nixo = "ec79d755-c3c9-4307-bb66-b58b7c74422c";`
			`Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";`
			`denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";`
			`};`
Fix minecraft-server whitelist 2022-08-07 23:03:54 +02:00			`dataDir = "/nix/var/data/minecraft";`
Add minecraft server 2022-02-22 18:47:38 +01:00			`};`
Add new storage1 deploy-rs config 2021-11-26 00:14:44 +01:00			`}`