diff --git a/flake.nix b/flake.nix index 774b968..97e28ff 100644 --- a/flake.nix +++ b/flake.nix @@ -5,29 +5,41 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.url = "github:serokell/deploy-rs"; - simple-nixos-mailserver.url = - "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; foundryvtt.url = "github:reckenrode/nix-foundryvtt"; }; - outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, deploy-rs, sops-nix - , simple-nixos-mailserver, foundryvtt }: + outputs = + inputs@{ + self, + nixpkgs, + nixpkgs-unstable, + deploy-rs, + sops-nix, + simple-nixos-mailserver, + foundryvtt, + }: let pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs-unstable = nixpkgs-unstable.legacyPackages.x86_64-linux; - defaultModuleArgs = { pkgs, ... }: { - _module.args.pkgs-unstable = import nixpkgs-unstable { - inherit (pkgs.stdenv.targetPlatform) system; - config.allowUnfreePredicate = pkg: - builtins.elem (pkgs.lib.getName pkg) [ "minecraft-server" ]; - }; - }; - in { - devShells.x86_64-linux.default = pkgs.mkShell { - sopsPGPKeyDirs = [ "./keys/hosts" "./keys/users" ]; - nativeBuildInputs = - [ (pkgs.callPackage sops-nix { }).sops-import-keys-hook ]; + defaultModuleArgs = + { pkgs, ... }: + { + _module.args.pkgs-unstable = import nixpkgs-unstable { + system = "x86_64-linux"; + config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "minecraft-server" ]; + }; + }; + in + { + devShells.x86_64-linux.default = pkgs.mkShell { + sopsPGPKeyDirs = [ + "./keys/hosts" + "./keys/users" + ]; + + nativeBuildInputs = [ (pkgs.callPackage sops-nix { }).sops-import-keys-hook ]; buildInputs = with pkgs-unstable; [ nixpkgs-fmt 
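Review bot: `system = "x86_64-linux";` in the rewritten `defaultModuleArgs` replaces `inherit (pkgs.stdenv.targetPlatform) system;`, so the imported unstable package set no longer follows the platform of the host being evaluated. That is harmless while every `nixosSystem` in this flake is x86_64-linux, but it is the one semantic change buried in an otherwise formatter-only hunk and deserves a comment, e.g. `# all hosts are x86_64-linux; derive from pkgs.stdenv.targetPlatform again if that changes`. The enclosing `outputs` function continues past the end of the hunk.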
@@ -41,81 +53,87 @@ nixosConfigurations = { db1 = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - specialArgs = { inherit nixpkgs; }; + specialArgs = { + inherit nixpkgs; + }; modules = [ sops-nix.nixosModules.sops ./profiles/db.nix - ({ + { sops.defaultSopsFile = ./secrets.enc.yml; networking.hostName = "db1"; networking.domain = "banditlair.com"; nix.registry.nixpkgs.flake = nixpkgs; system.stateVersion = "21.05"; - }) + } ]; }; backend1 = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - specialArgs = { inherit nixpkgs; }; + specialArgs = { + inherit nixpkgs; + }; modules = [ + defaultModuleArgs sops-nix.nixosModules.sops ./profiles/backend.nix - ({ + { sops.defaultSopsFile = ./secrets.enc.yml; networking.hostName = "backend1"; networking.domain = "banditlair.com"; nix.registry.nixpkgs.flake = nixpkgs; system.stateVersion = "21.05"; - }) + } ]; }; storage1 = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - specialArgs = { inherit nixpkgs inputs; }; + specialArgs = { + inherit nixpkgs inputs; + }; modules = [ defaultModuleArgs sops-nix.nixosModules.sops simple-nixos-mailserver.nixosModule foundryvtt.nixosModules.foundryvtt ./profiles/storage.nix - ({ + { sops.defaultSopsFile = ./secrets.enc.yml; networking.hostName = "storage1"; networking.domain = "banditlair.com"; nix.registry.nixpkgs.flake = nixpkgs; system.stateVersion = "21.05"; - }) + } ]; }; }; - deploy.nodes = let - createSystemProfile = configuration: { - user = "root"; - sshUser = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos configuration; + deploy.nodes = + let + createSystemProfile = configuration: { + user = "root"; + sshUser = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos configuration; + }; + in + { + db1 = { + hostname = "db1.banditlair.com"; + profiles.system = createSystemProfile self.nixosConfigurations.db1; + }; + backend1 = { + hostname = "backend1.banditlair.com"; + profiles.system = createSystemProfile self.nixosConfigurations.backend1; + }; + storage1 
= { + hostname = "78.46.96.243"; + profiles.system = createSystemProfile self.nixosConfigurations.storage1; + }; }; - in { - db1 = { - hostname = "db1.banditlair.com"; - profiles.system = createSystemProfile self.nixosConfigurations.db1; - }; - backend1 = { - hostname = "backend1.banditlair.com"; - profiles.system = - createSystemProfile self.nixosConfigurations.backend1; - }; - storage1 = { - hostname = "78.46.96.243"; - profiles.system = - createSystemProfile self.nixosConfigurations.storage1; - }; - }; - checks = builtins.mapAttrs - (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; }; } diff --git a/modules/postgresql.nix b/modules/postgresql.nix index eb06fc2..3df69b1 100644 --- a/modules/postgresql.nix +++ b/modules/postgresql.nix @@ -24,6 +24,7 @@ in root_as_others root roundcube root_as_others root mastodon root_as_others root dolibarr + root_as_others root odoo ''; authentication = '' local all postgres peer 
@@ -83,18 +84,21 @@ in PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "dolibarr"' + PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "odoo"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "dolibarr" OWNER "dolibarr"' + PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "odoo" OWNER "odoo"' PSQL -tAc "ALTER ROLE synapse LOGIN" PSQL -tAc "ALTER ROLE nextcloud LOGIN" PSQL -tAc "ALTER ROLE roundcube LOGIN" PSQL -tAc "ALTER ROLE mastodon LOGIN" PSQL -tAc "ALTER ROLE dolibarr LOGIN" + PSQL -tAc "ALTER ROLE odoo LOGIN" synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')" PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'" @@ -106,6 +110,7 @@ in PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'" dolibarr_password="$(<'${config.sops.secrets.dolibarrDbPassword.path}')" PSQL -tAc "ALTER ROLE dolibarr WITH PASSWORD '$dolibarr_password'" + PSQL -tAc "ALTER ROLE odoo WITH PASSWORD 'odoo'" ''; serviceConfig = { 
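Review bot: `PSQL -tAc "ALTER ROLE odoo WITH PASSWORD 'odoo'"` in the second hunk sets a fixed, guessable password on a role that the first hunk also grants LOGIN, and because it is a Nix string literal it ends up in the world-readable store; every other role in this script takes its password from a sops secret file. Follow the existing pattern: declare a secret for it (e.g. a new `odooDbPassword` entry beside `dolibarrDbPassword`, name to be chosen) and replace the added line with `odoo_password="$(<'${config.sops.secrets.odooDbPassword.path}')"` and `PSQL -tAc "ALTER ROLE odoo WITH PASSWORD '$odoo_password'"`. The same literal is what profiles/backend.nix sends as `db_password`, so both sides have to change together. The shell script string continues outside both hunks.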
diff --git a/profiles/backend.nix b/profiles/backend.nix index 8f490bb..b2c7d48 100644 --- a/profiles/backend.nix +++ b/profiles/backend.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + pkgs-unstable, ... }: { @@ -156,6 +157,42 @@ }; }; + nixpkgs.config.permittedInsecurePackages = [ "qtwebkit-5.212.0-alpha4" ]; + services.odoo = { + enable = false; + package = pkgs-unstable.odoo.override { + python310 = pkgs.python310.override { + packageOverrides = final: prev: { + furl = prev.furl.overridePythonAttrs (old: { + doCheck = false; + }); + }; + }; + }; + domain = "odoo.froidmont.solutions"; + settings = { + options = { + db_host = "10.0.1.11"; + db_port = 5432; + db_name = "odoo"; + db_user = "odoo"; + db_password = "odoo"; + data_dir = "/var/lib/private/odoo/data"; + }; + }; + }; + services.nginx.virtualHosts = { + ${config.services.odoo.domain} = { + forceSSL = true; + enableACME = true; + }; + }; + services.postgresql.enable = lib.mkForce false; + # systemd.services.odoo = { + # after = lib.mkForce [ "network.target" ]; + # requires = lib.mkForce [ ]; + # }; + networking.firewall.allowedTCPPorts = [ 80 443 diff --git a/profiles/db.nix b/profiles/db.nix index 6d97a1a..c210504 100644 --- a/profiles/db.nix +++ b/profiles/db.nix @@ -37,6 +37,7 @@ ${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp ${config.services.postgresql.package}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp ${config.services.postgresql.package}/bin/pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp + ${config.services.postgresql.package}/bin/pg_dump -U odoo odoo > /nix/var/data/postgresql/odoo.dmp ''; startAt = "03:00"; sshKey = config.sops.secrets.borgSshKey.path; diff --git a/profiles/storage.nix b/profiles/storage.nix index 1639aaf..475449e 100644 --- a/profiles/storage.nix +++ b/profiles/storage.nix 
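Review bot: `db_password = "odoo";` in the new `services.odoo.settings.options` block is a literal database credential that will be written into the Nix store (and, presumably, into the generated Odoo config file — confirm where the module places it), while every other database client in this repo reads its password from a sops secret; it should be injected at activation from a secret path rather than stated in `settings`. `nixpkgs.config.permittedInsecurePackages = [ "qtwebkit-5.212.0-alpha4" ];` is a host-wide allowance that admits an unmaintained package with known advisories for anything on backend1, not only Odoo, so it needs a comment naming the dependency that drags it in, e.g. `# required transitively by pkgs-unstable.odoo; drop when that no longer pulls qtwebkit`. Since `enable = false;`, the unconditional `services.postgresql.enable = lib.mkForce false;` and the ACME virtual host still take effect on the host; gating them on `config.services.odoo.enable` and removing the commented-out `systemd.services.odoo` block would keep a disabled feature from changing the host. The enclosing attribute set starts and ends outside the hunk.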
@@ -316,6 +316,11 @@ upnp = false; }; + services.rustdesk-server = { + enable = true; + openFirewall = true; + }; + services.nginx.virtualHosts."vtt.${config.networking.domain}" = { forceSSL = true; enableACME = true; diff --git a/terraform/dns.tf b/terraform/dns.tf index 955a178..bb4c5d4 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -100,6 +100,14 @@ resource "hetznerdns_record" "dolibarr_a" { ttl = 600 } +resource "hetznerdns_record" "odoo_a" { + zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id + name = "odoo" + value = hcloud_server.backend1.ipv4_address + type = "A" + ttl = 600 +} + resource "hetznerdns_record" "jitsi_a" { zone_id = data.hetznerdns_zone.froidmont_zone.id name = "jitsi"
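Review bot: `openFirewall = true;` on the new `services.rustdesk-server` block opens the server's rendezvous and relay listeners on every interface of storage1 with no restriction on which clients may register or relay through it, whereas the rest of this profile exposes services through nginx with ACME. If only the operator's own clients are meant to use it, leave `openFirewall = false;` and open the needed ports for trusted source ranges in `networking.firewall` instead; if a public relay is intended, record that with a comment such as `# intentionally reachable from the internet; relay abuse is limited only by the server's own key check (confirm)`. The enclosing attribute set starts and ends outside the hunk.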