Start migrating config to NixOS modules

This commit is contained in:
Paul-Henri Froidmont 2022-09-16 01:29:46 +02:00
parent c1211cb4e5
commit c0d929be0b
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
11 changed files with 283 additions and 183 deletions


@ -1,10 +1,12 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let
cfg = config.services.custom-backup-job; cfg = config.custom.services.backup-job;
in in
{ {
options.services.custom-backup-job = { options.custom.services.backup-job = {
enable = mkEnableOption "backup-job";
additionalPaths = mkOption { additionalPaths = mkOption {
type = with types; listOf path; type = with types; listOf path;
default = [ ]; default = [ ];
@ -35,7 +37,7 @@ in
}; };
}; };
config = { config = mkIf cfg.enable {
sops.secrets = { sops.secrets = {
borgPassphrase = { borgPassphrase = {
@ -43,6 +45,7 @@ in
key = "borg/passphrase"; key = "borg/passphrase";
}; };
}; };
services.borgbackup.jobs.data = { services.borgbackup.jobs.data = {
paths = [ "/nix/var/data" cfg.sshKey ] ++ cfg.additionalPaths; paths = [ "/nix/var/data" cfg.sshKey ] ++ cfg.additionalPaths;
doInit = false; doInit = false;


@ -1,32 +1,40 @@
{ config, ... }: { config, lib, ... }:
with lib;
let
cfg = config.custom.services.binary-cache;
in
{ {
options.custom.services.binary-cache = {
sops.secrets = { enable = mkEnableOption "binary-cache";
nixCacheKey = {
key = "nix/cache_secret_key"; secretKeyFile = mkOption {
type = types.path;
}; };
}; };
services.nix-serve = { config = mkIf cfg.enable {
enable = true; services.nix-serve = {
port = 1500; enable = true;
secretKeyFile = config.sops.secrets.nixCacheKey.path; port = 1500;
}; secretKeyFile = config.sops.secrets.nixCacheKey.path;
};
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {
"cache.${config.networking.domain}" = { "cache.${config.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port}; proxy_pass http://localhost:${toString config.services.nix-serve.port};
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
''; '';
};
}; };
}; };
}; };
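Review bot: The new `secretKeyFile` option declared around L51 is never read: `services.nix-serve.secretKeyFile` at L59 still points at `config.sops.secrets.nixCacheKey.path`, while the module no longer declares that sops secret itself (this commit moves it into the host config), so the module only evaluates when a host happens to define a secret under that exact name. Wiring the option through removes the hidden coupling: `secretKeyFile = cfg.secretKeyFile;`. The option has no default, so a host that enables the module without setting it fails at evaluation instead of at service start, which is the better failure mode.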

modules/default.nix Normal file

@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
imports = [
./backup-job.nix
./monit.nix
./gitlab-runner.nix
./openssh.nix
./murmur.nix
];
}
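Review bot: The aggregate imports only five of the modules this commit converts to `custom.services.*`; `binary-cache.nix` and `dokuwiki.nix` received the same `enable` gating but are left out, so hosts still import them by path next to `../modules`. Adding `./binary-cache.nix` and `./dokuwiki.nix` here keeps the rule uniform: import `../modules`, then flip `custom.services.<name>.enable`. The `config` and `pkgs` arguments are unused in this file, so `{ ... }:` would do.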


@ -1,5 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
cfg = config.custom.services.dokuwiki;
configureWiki = name: { configureWiki = name: {
sops.secrets."usersFile-${name}" = { sops.secrets."usersFile-${name}" = {
@ -25,7 +28,20 @@ let
}; };
}; };
in in
lib.mkMerge [ {
(configureWiki "anderia") options.custom.services.dokuwiki = {
(configureWiki "arkadia")
] enable = mkEnableOption "dokuwiki";
secretKeyFile = mkOption {
type = types.path;
};
};
config = mkIf cfg.enable
(lib.mkMerge [
(configureWiki "anderia")
(configureWiki "arkadia")
]);
}
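Review bot: The `secretKeyFile` option added at L110 is not read anywhere in the hunk, and the host config in this commit enables the wiki without setting it; because it has no default, any later read would fail evaluation, which suggests it was copied from binary-cache.nix by mistake. Either drop the option or wire it to whatever the `configureWiki` body reads for its secret. `configureWiki` starts in this hunk but its body lies between the two hunks, outside the view, so that check has to be made against the full file.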


@ -1,82 +1,92 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let
cfg = config.custom.services.gitlab-runner;
in
{ {
sops.secrets = { options.custom.services.gitlab-runner = {
runnerRegistrationConfig = { enable = mkEnableOption "gitlab-runner";
owner = config.users.users.gitlab-runner.name;
key = "gitlab/runner_registration_config";
};
}; };
users.groups.gitlab-runner = { }; config = mkIf cfg.enable {
users.users.gitlab-runner = { sops.secrets = {
isSystemUser = true; runnerRegistrationConfig = {
group = config.users.groups.gitlab-runner.name; owner = config.users.users.gitlab-runner.name;
}; key = "gitlab/runner_registration_config";
containers.gitlab-runner = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.2";
bindMounts = {
"${config.sops.secrets.runnerRegistrationConfig.path}" = {
hostPath = config.sops.secrets.runnerRegistrationConfig.path;
}; };
}; };
config = users.groups.gitlab-runner = { };
let users.users.gitlab-runner = {
hostConfig = config; isSystemUser = true;
in group = config.users.groups.gitlab-runner.name;
args@{ config, ... }: { };
nix = { containers.gitlab-runner = {
package = pkgs.nixUnstable; autoStart = true;
extraOptions = ''
experimental-features = nix-command flakes privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.2";
bindMounts = {
"${config.sops.secrets.runnerRegistrationConfig.path}" = {
hostPath = config.sops.secrets.runnerRegistrationConfig.path;
};
};
config =
let
hostConfig = config;
in
args@{ config, ... }: {
nix = {
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
environment.systemPackages = with pkgs; [
git
htop
nload
];
users.groups.gitlab-runner = { };
users.users.gitlab-runner = {
isSystemUser = true;
group = config.users.groups.gitlab-runner.name;
};
programs.ssh.extraConfig = ''
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
''; '';
};
environment.systemPackages = with pkgs; [ services = {
git openssh.enable = true;
htop gitlab-runner = {
nload enable = true;
]; services = {
shell = {
users.groups.gitlab-runner = { }; registrationConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path;
users.users.gitlab-runner = { executor = "shell";
isSystemUser = true; tagList = [ "nix" ];
group = config.users.groups.gitlab-runner.name; };
};
programs.ssh.extraConfig = ''
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
'';
services = {
openssh.enable = true;
gitlab-runner = {
enable = true;
services = {
shell = {
registrationConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path;
executor = "shell";
tagList = [ "nix" ];
}; };
}; };
}; };
};
systemd.services.gitlab-runner.serviceConfig = { systemd.services.gitlab-runner.serviceConfig = {
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
User = config.users.users.gitlab-runner.name; User = config.users.users.gitlab-runner.name;
Group = config.users.groups.gitlab-runner.name; Group = config.users.groups.gitlab-runner.name;
}; };
system.stateVersion = "22.05"; system.stateVersion = "22.05";
}; };
};
}; };
} }
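Review bot: The container's SSH client config at L188–L191 keeps `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so the runner accepts whatever host key it is presented when cloning or pushing, and SSH's check against a substituted server is switched off for every job. Pinning the GitLab host's key keeps clones non-interactive without that loss: `programs.ssh.knownHosts."<gitlab host>".publicKey = "<host key>";` (placeholders) in place of the two `extraConfig` lines. The commit only re-indents this text, so if the setting is deliberate a short comment stating why would help the next reader.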


@ -1,10 +1,12 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let
cfg = config.services.custom-monit; cfg = config.custom.services.monit;
in in
{ {
options.services.custom-monit = { options.custom.services.monit = {
enable = mkEnableOption "monit";
additionalConfig = mkOption { additionalConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";


@ -1,16 +1,27 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
with lib;
let
cfg = config.custom.services.murmur;
in
{ {
sops.secrets.murmurEnvFile = { options.custom.services.murmur = {
owner = config.systemd.services.murmur.serviceConfig.User; enable = mkEnableOption "murmur";
key = "murmur.env";
restartUnits = [ "murmur.service" ];
}; };
services.murmur = {
enable = true; config = mkIf cfg.enable {
bandwidth = 128000; sops.secrets.murmurEnvFile = {
password = "$MURMURD_PASSWORD"; owner = config.systemd.services.murmur.serviceConfig.User;
environmentFile = config.sops.secrets.murmurEnvFile.path; key = "murmur.env";
imgMsgLength = 13107200; restartUnits = [ "murmur.service" ];
};
services.murmur = {
enable = true;
bandwidth = 128000;
password = "$MURMURD_PASSWORD";
environmentFile = config.sops.secrets.murmurEnvFile.path;
imgMsgLength = 13107200;
};
}; };
} }


@ -1,9 +1,20 @@
{ pkgs, lib, config, ... }: { config, lib, ... }:
with lib;
let
cfg = config.custom.services.openssh;
in
{ {
services.openssh.enable = true; options.custom.services.openssh = {
services.openssh.permitRootLogin = "prohibit-password"; enable = mkEnableOption "openssh";
users.users.root.openssh.authorizedKeys.keyFiles = [ };
../ssh_keys/phfroidmont-desktop.pub
../ssh_keys/froidmpa-laptop.pub
]; config = mkIf cfg.enable {
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keyFiles = [
../ssh_keys/phfroidmont-desktop.pub
../ssh_keys/froidmpa-laptop.pub
];
};
} }
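Review bot: The module gates `permitRootLogin = "prohibit-password"` and root's authorized keys on `enable` (L293–L298) but leaves `services.openssh.passwordAuthentication` at its default, which is true in the NixOS module, so non-root accounts on hosts that enable this module still accept password logins unless that is set elsewhere. Since the intent here is key-only access, add `services.openssh.passwordAuthentication = false;` next to L294 inside the same `mkIf` so the policy travels with the module.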


@ -3,13 +3,10 @@
imports = [ imports = [
../environment.nix ../environment.nix
../hardware/hcloud.nix ../hardware/hcloud.nix
../modules/openssh.nix ../modules
../modules/nginx.nix ../modules/nginx.nix
../modules/murmur.nix
../modules/synapse.nix ../modules/synapse.nix
../modules/nextcloud.nix ../modules/nextcloud.nix
../modules/custom-backup-job.nix
../modules/custom-monit.nix
../modules/dokuwiki.nix ../modules/dokuwiki.nix
../modules/website-marie.nix ../modules/website-marie.nix
../modules/roundcube.nix ../modules/roundcube.nix
@ -23,36 +20,50 @@
}; };
}; };
services.custom-backup-job = { custom = {
additionalPaths = [ "/var/lib/nextcloud/config" ]; services.backup-job = {
readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ]; enable = true;
preHook = '' additionalPaths = [ "/var/lib/nextcloud/config" ];
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ];
''; preHook = ''
postHook = '' cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
touch /nix/var/data/backup/backup-ok '';
''; postHook = ''
startAt = "03:30"; touch /nix/var/data/backup/backup-ok
sshKey = config.sops.secrets.borgSshKey.path; '';
startAt = "03:30";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html
start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service"
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
'';
};
services.dokuwiki.enable = true;
services.openssh.enable = true;
services.murmur.enable = true;
}; };
services.custom-monit.additionalConfig = ''
check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html
start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service"
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
'';
networking.interfaces.enp1s0 = { networking.interfaces.enp1s0 = {
useDHCP = true; useDHCP = true;


@ -3,10 +3,8 @@
imports = [ imports = [
../environment.nix ../environment.nix
../hardware/hcloud.nix ../hardware/hcloud.nix
../modules/openssh.nix ../modules
../modules/postgresql.nix ../modules/postgresql.nix
../modules/custom-backup-job.nix
../modules/custom-monit.nix
../modules/monitoring-exporters.nix ../modules/monitoring-exporters.nix
]; ];
@ -19,16 +17,21 @@
}; };
}; };
services.custom-backup-job = { custom = {
readWritePaths = [ "/nix/var/data/postgresql" "/nix/var/data/backup/" ]; services.backup-job = {
preHook = '' enable = true;
${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp readWritePaths = [ "/nix/var/data/postgresql" "/nix/var/data/backup/" ];
${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp preHook = ''
${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
''; ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
postHook = "touch /nix/var/data/backup/backup-ok"; ${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
startAt = "03:00"; '';
sshKey = config.sops.secrets.borgSshKey.path; postHook = "touch /nix/var/data/backup/backup-ok";
startAt = "03:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.openssh.enable = true;
}; };
} }


@ -3,6 +3,7 @@
imports = [ imports = [
../environment.nix ../environment.nix
../hardware/hetzner-dedicated-storage1.nix ../hardware/hetzner-dedicated-storage1.nix
../modules
../modules/openssh.nix ../modules/openssh.nix
../modules/mailserver.nix ../modules/mailserver.nix
../modules/nginx.nix ../modules/nginx.nix
@ -10,10 +11,7 @@
../modules/stb.nix ../modules/stb.nix
../modules/monero.nix ../modules/monero.nix
../modules/torrents.nix ../modules/torrents.nix
../modules/custom-backup-job.nix
../modules/custom-monit.nix
../modules/jitsi.nix ../modules/jitsi.nix
../modules/gitlab-runner.nix
../modules/binary-cache.nix ../modules/binary-cache.nix
../modules/grafana.nix ../modules/grafana.nix
../modules/monitoring-exporters.nix ../modules/monitoring-exporters.nix
@ -24,6 +22,47 @@
owner = config.services.borgbackup.jobs.data.user; owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/storage1/private"; key = "borg/client_keys/storage1/private";
}; };
nixCacheKey = {
key = "nix/cache_secret_key";
};
};
custom = {
services.binary-cache = {
enable = true;
secretKeyFile = config.sops.secrets.nixCacheKey.path;
};
services.backup-job = {
enable = true;
readWritePaths = [ "/nix/var/data/backup" ];
preHook = "${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql";
postHook = "touch /nix/var/data/backup/backup-ok";
startAt = "04:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
'';
};
services.gitlab-runner.enable = true;
services.openssh.enable = true;
}; };
networking.firewall.allowedTCPPorts = [ 80 443 18080 ]; networking.firewall.allowedTCPPorts = [ 80 443 18080 ];
@ -49,30 +88,6 @@
}; };
users.groups.steam = { }; users.groups.steam = { };
services.custom-backup-job = {
readWritePaths = [ "/nix/var/data/backup" ];
preHook = "${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql";
postHook = "touch /nix/var/data/backup/backup-ok";
startAt = "04:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.custom-monit.additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
'';
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
package = pkgs-unstable.minecraft-server; package = pkgs-unstable.minecraft-server;