diff --git a/modules/custom-backup-job.nix b/modules/backup-job.nix similarity index 89% rename from modules/custom-backup-job.nix rename to modules/backup-job.nix index e18d961..34da967 100644 --- a/modules/custom-backup-job.nix +++ b/modules/backup-job.nix @@ -1,10 +1,12 @@ { config, lib, pkgs, ... }: with lib; let - cfg = config.services.custom-backup-job; + cfg = config.custom.services.backup-job; in { - options.services.custom-backup-job = { + options.custom.services.backup-job = { + enable = mkEnableOption "backup-job"; + additionalPaths = mkOption { type = with types; listOf path; default = [ ]; @@ -35,7 +37,7 @@ in }; }; - config = { + config = mkIf cfg.enable { sops.secrets = { borgPassphrase = { @@ -43,6 +45,7 @@ in key = "borg/passphrase"; }; }; + services.borgbackup.jobs.data = { paths = [ "/nix/var/data" cfg.sshKey ] ++ cfg.additionalPaths; doInit = false; diff --git a/modules/binary-cache.nix b/modules/binary-cache.nix index f73a00f..f53a8fb 100644 --- a/modules/binary-cache.nix +++ b/modules/binary-cache.nix 
@@ -1,32 +1,40 @@ -{ config, ... }: +{ config, lib, ... }: +with lib; +let + cfg = config.custom.services.binary-cache; +in { + options.custom.services.binary-cache = { - sops.secrets = { - nixCacheKey = { - key = "nix/cache_secret_key"; + enable = mkEnableOption "binary-cache"; + + secretKeyFile = mkOption { + type = types.path; }; }; - services.nix-serve = { - enable = true; - port = 1500; - secretKeyFile = config.sops.secrets.nixCacheKey.path; - }; + config = mkIf cfg.enable { + services.nix-serve = { + enable = true; + port = 1500; + secretKeyFile = config.sops.secrets.nixCacheKey.path; + }; - services.nginx = { - virtualHosts = { - "cache.${config.networking.domain}" = { + services.nginx = { + virtualHosts = { + "cache.${config.networking.domain}" = { - enableACME = true; - forceSSL = true; + enableACME = true; + forceSSL = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:${toString config.services.nix-serve.port}; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; + locations."/".extraConfig = '' + proxy_pass http://localhost:${toString config.services.nix-serve.port}; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; }; }; }; diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..7658111 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: +{ + imports = [ + ./backup-job.nix + ./monit.nix + ./gitlab-runner.nix + ./openssh.nix + ./murmur.nix + ]; +} diff --git a/modules/dokuwiki.nix b/modules/dokuwiki.nix index 1cb31a7..c5104e2 100644 --- a/modules/dokuwiki.nix +++ b/modules/dokuwiki.nix @@ -1,5 +1,8 @@ { config, lib, pkgs, ... }: +with lib; let + cfg = config.custom.services.dokuwiki; + configureWiki = name: { sops.secrets."usersFile-${name}" = { 
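Review bot: The new `secretKeyFile` option is declared but never read — `services.nix-serve.secretKeyFile` inside `config = mkIf cfg.enable` still points at `config.sops.secrets.nixCacheKey.path`, so a profile that sets `custom.services.binary-cache.secretKeyFile` to anything else is silently ignored, and because the `sops.secrets.nixCacheKey` declaration was removed from this module, enabling the cache on a host that does not declare that secret itself fails at evaluation. Change the line to `secretKeyFile = cfg.secretKeyFile;` so the option is the single source of the key path (storage.nix already passes the sops path through it). A one-line comment above the option, such as `# Path to the nix-serve signing key; must be readable by the nix-serve service user`, would also help, since the secret is now declared outside this module with whatever owner the profile chooses.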
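Review bot: `config` and `pkgs` are taken as arguments in the new `modules/default.nix` but nothing in the file uses them; `{ ... }:` is enough. The aggregate also omits `./binary-cache.nix` and `./dokuwiki.nix`, which this same commit converts to `custom.services.*` modules, so profiles still have to import those two by path next to `../modules` — listing them here would make the `enable` switch the only thing a profile needs. A header comment such as `# Service modules shared by every profile; each is meant to be switched on per host via custom.services.<name>.enable` would document the convention for the next reader.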
@@ -25,7 +28,20 @@ let }; }; in -lib.mkMerge [ - (configureWiki "anderia") - (configureWiki "arkadia") -] +{ + options.custom.services.dokuwiki = { + + enable = mkEnableOption "dokuwiki"; + + secretKeyFile = mkOption { + type = types.path; + }; + }; + + + config = mkIf cfg.enable + (lib.mkMerge [ + (configureWiki "anderia") + (configureWiki "arkadia") + ]); +} diff --git a/modules/gitlab-runner.nix b/modules/gitlab-runner.nix index e8f5bb0..39d272b 100644 --- a/modules/gitlab-runner.nix +++ b/modules/gitlab-runner.nix 
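Review bot: `secretKeyFile` is declared under `options.custom.services.dokuwiki` with no default and nothing in the module reads it — `configureWiki` (whose body starts above this hunk) works from per-wiki `sops.secrets."usersFile-${name}"` entries, not a single key file — so this looks copied from binary-cache.nix. Drop the option, or if a key file is intended, reference `cfg.secretKeyFile` where it is consumed; as written, backend.nix sets only `services.dokuwiki.enable = true` and the option is dead. The double blank line before `config = mkIf cfg.enable` is a style nit in the same hunk.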
@@ -1,82 +1,92 @@ { config, lib, pkgs, ... }: +with lib; +let + cfg = config.custom.services.gitlab-runner; +in { - sops.secrets = { - runnerRegistrationConfig = { - owner = config.users.users.gitlab-runner.name; - key = "gitlab/runner_registration_config"; - }; + options.custom.services.gitlab-runner = { + enable = mkEnableOption "gitlab-runner"; }; - users.groups.gitlab-runner = { }; - users.users.gitlab-runner = { - isSystemUser = true; - group = config.users.groups.gitlab-runner.name; - }; - - containers.gitlab-runner = { - autoStart = true; - - privateNetwork = true; - hostAddress = "192.168.100.1"; - localAddress = "192.168.100.2"; - - bindMounts = { - "${config.sops.secrets.runnerRegistrationConfig.path}" = { - hostPath = config.sops.secrets.runnerRegistrationConfig.path; + config = mkIf cfg.enable { + sops.secrets = { + runnerRegistrationConfig = { + owner = config.users.users.gitlab-runner.name; + key = "gitlab/runner_registration_config"; }; }; - config = - let - hostConfig = config; - in - args@{ config, ... }: { + users.groups.gitlab-runner = { }; + users.users.gitlab-runner = { + isSystemUser = true; + group = config.users.groups.gitlab-runner.name; + }; - nix = { - package = pkgs.nixUnstable; - extraOptions = '' - experimental-features = nix-command flakes + containers.gitlab-runner = { + autoStart = true; + + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.2"; + + bindMounts = { + "${config.sops.secrets.runnerRegistrationConfig.path}" = { + hostPath = config.sops.secrets.runnerRegistrationConfig.path; + }; + }; + + config = + let + hostConfig = config; + in + args@{ config, ... 
}: { + + nix = { + package = pkgs.nixUnstable; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + environment.systemPackages = with pkgs; [ + git + htop + nload + ]; + + users.groups.gitlab-runner = { }; + users.users.gitlab-runner = { + isSystemUser = true; + group = config.users.groups.gitlab-runner.name; + }; + + programs.ssh.extraConfig = '' + StrictHostKeyChecking=no + UserKnownHostsFile=/dev/null ''; - }; - environment.systemPackages = with pkgs; [ - git - htop - nload - ]; - - users.groups.gitlab-runner = { }; - users.users.gitlab-runner = { - isSystemUser = true; - group = config.users.groups.gitlab-runner.name; - }; - - programs.ssh.extraConfig = '' - StrictHostKeyChecking=no - UserKnownHostsFile=/dev/null - ''; - - services = { - openssh.enable = true; - gitlab-runner = { - enable = true; - services = { - shell = { - registrationConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path; - executor = "shell"; - tagList = [ "nix" ]; + services = { + openssh.enable = true; + gitlab-runner = { + enable = true; + services = { + shell = { + registrationConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path; + executor = "shell"; + tagList = [ "nix" ]; + }; }; }; }; - }; - systemd.services.gitlab-runner.serviceConfig = { - DynamicUser = lib.mkForce false; - User = config.users.users.gitlab-runner.name; - Group = config.users.groups.gitlab-runner.name; - }; + systemd.services.gitlab-runner.serviceConfig = { + DynamicUser = lib.mkForce false; + User = config.users.users.gitlab-runner.name; + Group = config.users.groups.gitlab-runner.name; + }; - system.stateVersion = "22.05"; - }; + system.stateVersion = "22.05"; + }; + }; }; } diff --git a/modules/custom-monit.nix b/modules/monit.nix similarity index 92% rename from modules/custom-monit.nix rename to modules/monit.nix index 1578574..adae29d 100644 --- a/modules/custom-monit.nix +++ b/modules/monit.nix 
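Review bot: The container's `programs.ssh.extraConfig` still disables host-key verification (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), and this commit moves it under `mkIf cfg.enable` unchanged; a runner that fetches sources or pushes artifacts over SSH with those settings accepts any server key, so a substituted GitLab host would go unnoticed. Pinning the GitLab server's key via `programs.ssh.knownHosts` in the container config and dropping those two lines keeps the runner non-interactive without giving up verification. Unrelated style point: with `with lib;` now at the top of the file, `lib.mkForce false` in `systemd.services.gitlab-runner.serviceConfig` can simply be `mkForce false`.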
@@ -1,10 +1,12 @@ { config, lib, pkgs, ... }: with lib; let - cfg = config.services.custom-monit; + cfg = config.custom.services.monit; in { - options.services.custom-monit = { + options.custom.services.monit = { + enable = mkEnableOption "monit"; + additionalConfig = mkOption { type = types.lines; default = ""; diff --git a/modules/murmur.nix b/modules/murmur.nix index 5899163..74e9bb6 100644 --- a/modules/murmur.nix +++ b/modules/murmur.nix @@ -1,16 +1,27 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: +with lib; +let + cfg = config.custom.services.murmur; +in { - sops.secrets.murmurEnvFile = { - owner = config.systemd.services.murmur.serviceConfig.User; - key = "murmur.env"; - restartUnits = [ "murmur.service" ]; + options.custom.services.murmur = { + enable = mkEnableOption "murmur"; }; - services.murmur = { - enable = true; - bandwidth = 128000; - password = "$MURMURD_PASSWORD"; - environmentFile = config.sops.secrets.murmurEnvFile.path; - imgMsgLength = 13107200; + + config = mkIf cfg.enable { + sops.secrets.murmurEnvFile = { + owner = config.systemd.services.murmur.serviceConfig.User; + key = "murmur.env"; + restartUnits = [ "murmur.service" ]; + }; + + services.murmur = { + enable = true; + bandwidth = 128000; + password = "$MURMURD_PASSWORD"; + environmentFile = config.sops.secrets.murmurEnvFile.path; + imgMsgLength = 13107200; + }; }; } diff --git a/modules/openssh.nix b/modules/openssh.nix index 44d6563..38fbfc0 100644 --- a/modules/openssh.nix +++ b/modules/openssh.nix 
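Review bot: `enable = mkEnableOption "monit"` is added to the options, but as far as this patch shows it is the only hunk touching monit.nix, so the module's `config` attribute (which starts past the end of this hunk) is not wrapped in `mkIf cfg.enable` the way backup-job.nix now is; the switch has no effect and monit is configured on every host that imports `../modules`, whether or not it sets `custom.services.monit.enable`. Gate the block as `config = mkIf cfg.enable { … };`, otherwise the `enable = true;` lines the profiles add are misleading and a profile that omits them still gets the service.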
@@ -1,9 +1,20 @@ -{ pkgs, lib, config, ... }: +{ config, lib, ... }: +with lib; +let + cfg = config.custom.services.openssh; +in { - services.openssh.enable = true; - services.openssh.permitRootLogin = "prohibit-password"; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../ssh_keys/phfroidmont-desktop.pub - ../ssh_keys/froidmpa-laptop.pub - ]; + options.custom.services.openssh = { + enable = mkEnableOption "openssh"; + }; + + + config = mkIf cfg.enable { + services.openssh.enable = true; + services.openssh.permitRootLogin = "prohibit-password"; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../ssh_keys/phfroidmont-desktop.pub + ../ssh_keys/froidmpa-laptop.pub + ]; + }; } diff --git a/profiles/backend.nix b/profiles/backend.nix index fc04aea..81bce59 100644 --- a/profiles/backend.nix +++ b/profiles/backend.nix @@ -3,13 +3,10 @@ imports = [ ../environment.nix ../hardware/hcloud.nix - ../modules/openssh.nix + ../modules ../modules/nginx.nix - ../modules/murmur.nix ../modules/synapse.nix ../modules/nextcloud.nix - ../modules/custom-backup-job.nix - ../modules/custom-monit.nix ../modules/dokuwiki.nix ../modules/website-marie.nix ../modules/roundcube.nix 
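Review bot: sshd becomes opt-in here: the module is pulled in by `modules/default.nix` on every profile, but `services.openssh.enable = true` and the root authorized keys only apply when `custom.services.openssh.enable` is set, and `mkEnableOption` defaults to false. Any host that imports `../modules` without also adding `custom.services.openssh.enable = true;` (backend, db and storage do in this commit; other profiles are not visible here) would lose SSH access on its next rebuild, which on the cloud hosts is likely a lock-out. Consider `enable = mkEnableOption "openssh" // { default = true; };` so the previous behaviour (key-only root login, keys from the repo) is kept unless explicitly disabled. storage.nix's separate `../modules/openssh.nix` import is redundant now that `../modules` is imported, though the module system deduplicates path imports so it is harmless.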
@@ -23,36 +20,50 @@ }; }; - services.custom-backup-job = { - additionalPaths = [ "/var/lib/nextcloud/config" ]; - readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ]; - preHook = '' - cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite - ''; - postHook = '' - touch /nix/var/data/backup/backup-ok - ''; - startAt = "03:30"; - sshKey = config.sops.secrets.borgSshKey.path; + custom = { + services.backup-job = { + enable = true; + additionalPaths = [ "/var/lib/nextcloud/config" ]; + readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ]; + preHook = '' + cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite + ''; + postHook = '' + touch /nix/var/data/backup/backup-ok + ''; + startAt = "03:30"; + sshKey = config.sops.secrets.borgSshKey.path; + }; + + services.monit = { + enable = true; + additionalConfig = '' + check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html + start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service" + + check host jellyfin with address jellyfin.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host stb with address www.societe-de-tir-bertrix.com + if failed port 443 protocol https with timeout 20 seconds then alert + + check host transmission with address transmission.banditlair.com + if failed + port 443 + protocol https + status = 401 + with timeout 20 seconds + then alert + ''; + }; + + services.dokuwiki.enable = true; + + services.openssh.enable = true; + + services.murmur.enable = true; }; - services.custom-monit.additionalConfig = '' - check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html - start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service" - check host jellyfin with address jellyfin.banditlair.com - if failed port 443 protocol https with timeout 20 seconds then alert - check host stb with address www.societe-de-tir-bertrix.com - if failed port 443 
protocol https with timeout 20 seconds then alert - - check host transmission with address transmission.banditlair.com - if failed - port 443 - protocol https - status = 401 - with timeout 20 seconds - then alert - ''; networking.interfaces.enp1s0 = { useDHCP = true; diff --git a/profiles/db.nix b/profiles/db.nix index c13b002..9255922 100644 --- a/profiles/db.nix +++ b/profiles/db.nix @@ -3,10 +3,8 @@ imports = [ ../environment.nix ../hardware/hcloud.nix - ../modules/openssh.nix + ../modules ../modules/postgresql.nix - ../modules/custom-backup-job.nix - ../modules/custom-monit.nix ../modules/monitoring-exporters.nix ]; @@ -19,16 +17,21 @@ }; }; - services.custom-backup-job = { - readWritePaths = [ "/nix/var/data/postgresql" "/nix/var/data/backup/" ]; - preHook = '' - ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp - ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp - ${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp - ''; - postHook = "touch /nix/var/data/backup/backup-ok"; - startAt = "03:00"; - sshKey = config.sops.secrets.borgSshKey.path; + custom = { + services.backup-job = { + enable = true; + readWritePaths = [ "/nix/var/data/postgresql" "/nix/var/data/backup/" ]; + preHook = '' + ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp + ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp + ${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp + ''; + postHook = "touch /nix/var/data/backup/backup-ok"; + startAt = "03:00"; + sshKey = config.sops.secrets.borgSshKey.path; + }; + + services.openssh.enable = true; }; } diff --git a/profiles/storage.nix b/profiles/storage.nix index b5bf635..eb26b36 100644 --- a/profiles/storage.nix +++ b/profiles/storage.nix 
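Review bot: db.nix drops its direct `../modules/custom-monit.nix` import in favour of `../modules` but, unlike backend.nix and storage.nix, never sets `custom.services.monit.enable = true;` in the new `custom` block. If the monit module's config is, or later becomes, gated on that flag, the db host silently loses its monit checks while the rebuild still succeeds; if it is not gated, the flag is meaningless on this host. Add `services.monit.enable = true;` next to `services.openssh.enable = true;` so the intended state is explicit either way.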
@@ -3,6 +3,7 @@ imports = [ ../environment.nix ../hardware/hetzner-dedicated-storage1.nix + ../modules ../modules/openssh.nix ../modules/mailserver.nix ../modules/nginx.nix @@ -10,10 +11,7 @@ ../modules/stb.nix ../modules/monero.nix ../modules/torrents.nix - ../modules/custom-backup-job.nix - ../modules/custom-monit.nix ../modules/jitsi.nix - ../modules/gitlab-runner.nix ../modules/binary-cache.nix ../modules/grafana.nix ../modules/monitoring-exporters.nix 
@@ -24,6 +22,47 @@ owner = config.services.borgbackup.jobs.data.user; key = "borg/client_keys/storage1/private"; }; + nixCacheKey = { + key = "nix/cache_secret_key"; + }; + }; + + custom = { + services.binary-cache = { + enable = true; + secretKeyFile = config.sops.secrets.nixCacheKey.path; + }; + + services.backup-job = { + enable = true; + readWritePaths = [ "/nix/var/data/backup" ]; + preHook = "${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql"; + postHook = "touch /nix/var/data/backup/backup-ok"; + startAt = "04:00"; + sshKey = config.sops.secrets.borgSshKey.path; + }; + + services.monit = { + enable = true; + additionalConfig = '' + check host nextcloud with address cloud.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host anderia-wiki with address anderia.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host arkadia-wiki with address arkadia.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host website-marie with address osteopathie.froidmont.org + if failed port 443 protocol https with timeout 20 seconds then alert + check host webmail with address webmail.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + + check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127" + if status != 0 then alert + ''; + }; + + services.gitlab-runner.enable = true; + services.openssh.enable = true; }; networking.firewall.allowedTCPPorts = [ 80 443 18080 ]; 
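Review bot: The backup `preHook` moved into `custom.services.backup-job` still embeds the MariaDB credentials on the command line (`mysqldump -u stb -pstb stb`), so the password ends up in the world-readable Nix store and in the process list while the dump runs. Since the same block already wires `sshKey` through a sops path, the dump credentials could go the same way: keep a client config with the password in a sops-managed file and pass `--defaults-extra-file=<path-to-secret>` to `mysqldump` instead. The new `nixCacheKey` secret is declared without an `owner`, so it is presumably root-owned by default — worth a comment confirming that nix-serve can read it, now that the cache module no longer declares the secret itself.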
@@ -49,30 +88,6 @@ }; users.groups.steam = { }; - services.custom-backup-job = { - readWritePaths = [ "/nix/var/data/backup" ]; - preHook = "${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql"; - postHook = "touch /nix/var/data/backup/backup-ok"; - startAt = "04:00"; - sshKey = config.sops.secrets.borgSshKey.path; - }; - - services.custom-monit.additionalConfig = '' - check host nextcloud with address cloud.banditlair.com - if failed port 443 protocol https with timeout 20 seconds then alert - check host anderia-wiki with address anderia.banditlair.com - if failed port 443 protocol https with timeout 20 seconds then alert - check host arkadia-wiki with address arkadia.banditlair.com - if failed port 443 protocol https with timeout 20 seconds then alert - check host website-marie with address osteopathie.froidmont.org - if failed port 443 protocol https with timeout 20 seconds then alert - check host webmail with address webmail.banditlair.com - if failed port 443 protocol https with timeout 20 seconds then alert - - check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127" - if status != 0 then alert - ''; - services.minecraft-server = { enable = true; package = pkgs-unstable.minecraft-server;