phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-24 21:26:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Finish migration to NixOS modules

Browse source
This commit is contained in:
Paul-Henri Froidmont 2024-03-26 23:37:53 +01:00
parent aef5eabce5
commit d944e36197
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
21 changed files with 1071 additions and 1151 deletions
Download patch file Download diff file Expand all files Collapse all files

20
modules/binary-cache.nix
View file

@ -1,20 +1,14 @@
{ config, lib, ... }:
with lib;
let
cfg = config.custom.services.binary-cache;
in
{
let cfg = config.custom.services.binary-cache;
in {
options.custom.services.binary-cache = {
enable = mkEnableOption "binary-cache";
enable = lib.mkEnableOption "binary-cache";
secretKeyFile = mkOption {
type = types.path;
};
secretKeyFile = lib.mkOption { type = lib.types.path; };
};
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
services.nix-serve = {
enable = true;
port = 1500;
@ -29,7 +23,9 @@ in
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
proxy_pass http://localhost:${
toString config.services.nix-serve.port
};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

17
modules/default.nix
View file

@ -1,5 +1,4 @@
{ config, pkgs, ... }:
{
{ config, pkgs, ... }: {
imports = [
./backup-job.nix
./monit.nix
@ -7,5 +6,19 @@
./openssh.nix
./murmur.nix
./mastodon.nix
./nginx.nix
./jellyfin.nix
./stb.nix
./monero.nix
./torrents.nix
./jitsi.nix
./binary-cache.nix
./grafana.nix
./monitoring-exporters.nix
./synapse.nix
./nextcloud.nix
./roundcube.nix
./dokuwiki.nix
./postgresql.nix
];
}

7
modules/dokuwiki.nix
View file

@ -1,5 +1,4 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.custom.services.dokuwiki;
@ -47,11 +46,11 @@ let
in {
options.custom.services.dokuwiki = {
enable = mkEnableOption "dokuwiki";
enable = lib.mkEnableOption "dokuwiki";
secretKeyFile = mkOption { type = types.path; };
secretKeyFile = lib.mkOption { type = lib.types.path; };
};
config = mkIf cfg.enable
config = lib.mkIf cfg.enable
(lib.mkMerge [ (configureWiki "anderia") (configureWiki "arkadia") ]);
}

316
modules/grafana.nix
View file

@ -1,187 +1,183 @@
{ config, ... }:
{
{ config, lib, ... }:
let cfg = config.custom.services.grafana;
in {
options.custom.services.grafana = { enable = lib.mkEnableOption "grafana"; };
sops.secrets = {
grafanaAdminPassword = {
owner = config.users.users.grafana.name;
key = "grafana/admin_password";
};
};
services.grafana = {
enable = true;
dataDir = "/nix/var/data/grafana";
settings = {
server = {
domain = "grafana.${config.networking.domain}";
config = lib.mkIf cfg.enable {
sops.secrets = {
grafanaAdminPassword = {
owner = config.users.users.grafana.name;
key = "grafana/admin_password";
};
security.admin_password = "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
};
provision = {
services.grafana = {
enable = true;
datasources.settings = {
datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
dataDir = "/nix/var/data/grafana";
settings = {
server = { domain = "grafana.${config.networking.domain}"; };
security.admin_password =
"$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
};
dashboards.settings.providers = [
{
provision = {
enable = true;
datasources.settings = {
datasources = [
{
name = "Prometheus";
type = "prometheus";
url =
"http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${
toString
config.services.loki.configuration.server.http_listen_port
}";
}
];
};
dashboards.settings.providers = [{
name = "Config";
options.path = ./dashboards;
}];
};
};
services.nginx = {
virtualHosts = {
"${config.services.grafana.settings.server.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${
toString config.services.grafana.settings.server.http_port
}";
proxyWebsockets = true;
};
};
};
};
services.prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [
"10.0.2.3:${
toString config.services.prometheus.exporters.node.port
}"
"10.0.1.1:${
toString config.services.prometheus.exporters.node.port
}"
"10.0.1.11:${
toString config.services.prometheus.exporters.node.port
}"
];
}];
}
{
job_name = "synapse";
scrape_interval = "15s";
metrics_path = "/_synapse/metrics";
static_configs = [{ targets = [ "10.0.1.1:9000" ]; }];
}
{
job_name = "dmarc";
scrape_interval = "15s";
static_configs = [{
targets = [
"10.0.2.3:${
toString config.services.prometheus.exporters.dmarc.port
}"
];
}];
}
];
};
};
services.nginx = {
virtualHosts = {
"${config.services.grafana.settings.server.domain}" = {
services.loki = {
enable = true;
enableACME = true;
forceSSL = true;
dataDir = "/nix/var/data/loki";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
};
};
configuration = {
server.http_listen_port = 3100;
auth_enabled = false;
services.prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [
"10.0.2.3:${toString config.services.prometheus.exporters.node.port}"
"10.0.1.1:${toString config.services.prometheus.exporters.node.port}"
"10.0.1.11:${toString config.services.prometheus.exporters.node.port}"
];
}];
}
{
job_name = "synapse";
scrape_interval = "15s";
metrics_path = "/_synapse/metrics";
static_configs = [{
targets = [
"10.0.1.1:9000"
];
}];
}
{
job_name = "dmarc";
scrape_interval = "15s";
static_configs = [{
targets = [
"10.0.2.3:${toString config.services.prometheus.exporters.dmarc.port}"
];
}];
}
];
};
services.loki = {
enable = true;
dataDir = "/nix/var/data/loki";
configuration = {
server.http_listen_port = 3100;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = { store = "inmemory"; };
replication_factor = 1;
};
replication_factor = 1;
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
max_transfer_retries = 0;
};
limits_config = { ingestion_rate_mb = 16; };
schema_config = {
configs = [{
from = "2022-09-15";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v11";
index = {
prefix = "index_";
period = "24h";
};
}];
};
storage_config = {
boltdb_shipper = {
active_index_directory =
"${config.services.loki.dataDir}/boltdb-index";
cache_location = "${config.services.loki.dataDir}/boltdb-cache";
cache_ttl = "24h";
shared_store = "filesystem";
};
filesystem = {
directory = "${config.services.loki.dataDir}/chunks";
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
max_transfer_retries = 0;
};
limits_config = {
ingestion_rate_mb = 16;
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
schema_config = {
configs = [{
from = "2022-09-15";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v11";
index = {
prefix = "index_";
period = "24h";
};
}];
};
chunk_store_config = { max_look_back_period = "0s"; };
storage_config = {
boltdb_shipper = {
active_index_directory = "${config.services.loki.dataDir}/boltdb-index";
cache_location = "${config.services.loki.dataDir}/boltdb-cache";
cache_ttl = "24h";
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "${config.services.loki.dataDir}";
shared_store = "filesystem";
compactor_ring = { kvstore = { store = "inmemory"; }; };
};
filesystem = {
directory = "${config.services.loki.dataDir}/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
chunk_store_config = {
max_look_back_period = "0s";
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "${config.services.loki.dataDir}";
shared_store = "filesystem";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
analytics = {
reporting_enabled = false;
analytics = { reporting_enabled = false; };
};
};
};
}

59
modules/jellyfin.nix
View file

@ -1,38 +1,43 @@
{ config, lib, pkgs, ... }:
{
services.jellyfin = {
enable = true;
{ config, lib, ... }:
let cfg = config.custom.services.jellyfin;
in {
options.custom.services.jellyfin = {
enable = lib.mkEnableOption "jellyfin";
};
systemd.services.jellyfin.serviceConfig.ExecStart =
lib.mkOverride 10 "${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'";
config = lib.mkIf cfg.enable {
services.jellyfin = { enable = true; };
services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
systemd.services.jellyfin.serviceConfig.ExecStart = lib.mkOverride 10
"${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'";
locations."= /".extraConfig = ''
return 302 https://$host/web/;
'';
services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_buffering off;
locations."= /".extraConfig = ''
return 302 https://$host/web/;
'';
};
locations."= /web/" = {
proxyPass = "http://127.0.0.1:8096/web/index.html";
};
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_buffering off;
'';
};
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
locations."= /web/" = {
proxyPass = "http://127.0.0.1:8096/web/index.html";
};
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
};
}

18
modules/jitsi.nix
View file

@ -1,8 +1,14 @@
{ pkgs, lib, config, ... }: {
services.jitsi-meet = {
enable = true;
hostName = "jitsi.froidmont.org";
interfaceConfig = { RECENT_LIST_ENABLED = false; };
{ pkgs, config, lib, ... }:
let cfg = config.custom.services.jitsi;
in {
options.custom.services.jitsi = { enable = lib.mkEnableOption "jitsi"; };
config = lib.mkIf cfg.enable {
services.jitsi-meet = {
enable = true;
hostName = "jitsi.froidmont.org";
interfaceConfig = { RECENT_LIST_ENABLED = false; };
};
services.jitsi-videobridge.openFirewall = true;
};
services.jitsi-videobridge.openFirewall = true;
}

182
modules/mailserver.nix
View file

@ -1,182 +0,0 @@
{ config, lib, pkgs, ... }: {
sops.secrets = {
paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
eliosPassword = { key = "email/accounts_passwords/elios"; };
mariePassword = { key = "email/accounts_passwords/marie"; };
alicePassword = { key = "email/accounts_passwords/alice"; };
monitPassword = { key = "email/accounts_passwords/monit"; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
};
mailserver = {
enable = true;
fqdn = "mail.banditlair.com";
domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
localDnsResolver = false;
enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail";
sieveDirectory = "/nix/var/data/sieve";
lmtpSaveToDetailMailbox = "no";
policydSPFExtraConfig = ''
Domain_Whitelist = skynet.be
'';
loginAccounts = {
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
aliases = [
"osteopathie@froidmont.org"
"communication@froidmont.org"
"crelan.communication@froidmont.org"
"kerger.communication@froidmont.org"
"3arcs.communication@froidmont.org"
"7days.communication@froidmont.org"
"ulb.communication@froidmont.org"
"baijot.communication@froidmont.org"
"alltrails.communication@froidmont.org"
"alltricks.communication@froidmont.org"
"amazon.communication@froidmont.org"
"athletv.communication@froidmont.org"
"bebecenter.communication@froidmont.org"
"canyon.communication@froidmont.org"
"cbc.communication@froidmont.org"
"coursulb.communication@froidmont.org"
"decathlon.communication@froidmont.org"
"degiro.communication@froidmont.org"
"delogne.communication@froidmont.org"
"diagnosteo.communication@froidmont.org"
"haptis.communication@froidmont.org"
"fortis.communication@froidmont.org"
"fox.communication@froidmont.org"
"vandenborre.communication@froidmont.org"
"swissquote.communication@froidmont.org"
"belso.communication@froidmont.org"
"hibike.communication@froidmont.org"
"giromedical.communication@froidmont.org"
"gymna.communication@froidmont.org"
"hotmail.communication@froidmont.org"
"hubo.communication@froidmont.org"
"infopixel.communication@froidmont.org"
"jysk.communication@froidmont.org"
"kerger.communication@froidmont.org"
"ldlc.communication@froidmont.org"
"location.communication@froidmont.org"
"mainslibres.communication@froidmont.org"
"vistaprint.communication@froidmont.org"
"solidaris.communication@froidmont.org"
"coulon.communication@froidmont.org"
"vlan.communication@froidmont.org"
"hotel.communication@froidmont.org"
"medipost.communication@froidmont.org"
"proximus.communication@froidmont.org"
"marie.communication@froidmont.org"
"tuxedo.communication@froidmont.org"
"corine.wallaux.communication@froidmont.org"
"maziers.communication@froidmont.org"
"miliboo.communication@froidmont.org"
"nike.communication@froidmont.org"
"partena.communication@froidmont.org"
"payconiq.communication@froidmont.org"
"plumart.communication@froidmont.org"
"probikeshop.communication@froidmont.org"
"ring.communication@froidmont.org"
"teams.communication@froidmont.org"
"trail.communication@froidmont.org"
"wikiloc.communication@froidmont.org"
"udemy.communication@froidmont.org"
];
};
"alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path;
};
"elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path;
aliases = [
"webshit@banditlair.com"
"outlook-pascal@banditlair.com"
"nexusmods.webshit@banditlair.com"
"pizza.webshit@banditlair.com"
"fnac.webshit@banditlair.com"
"paypal.webshit@banditlair.com"
"zooplus.webshit@banditlair.com"
"event.webshit@banditlair.com"
"reservation.webshit@banditlair.com"
"netflix.webshit@banditlair.com"
"jvc.webshit@banditlair.com"
"kickstarter.webshit@banditlair.com"
"vpn.webshit@banditlair.com"
"VOO.WEBSHIT@banditlair.com"
"proximus.webshit@banditlair.com"
"post.webshit@banditlair.com"
"ikea.webshit@banditlair.com"
"microsoft.webshit@banditlair.com"
"zerotier.webshit@banditlair.com"
"athome.webshit@banditlair.com"
"nordvpn.webshit@banditlair.com"
"sncf.webshit@banditlair.com"
"paradox.webshit@banditlair.com"
"oracle.webshit@banditlair.com"
"kinepolis.webshit@banditlair.com"
"leboncoin.webshit@banditlair.com"
"wondercraft.webshit@banditlair.com"
"petitvapoteur.webshit@banditlair.com"
"ryanair.webshit@banditlair.com"
"europapark.webshit@banditlair.com"
"Tricount.webshit@banditlair.com"
"huawei.webshit@banditlair.com"
"facebook.webshit@banditlair.com"
"roll20.webshit@banditlair.com"
"drivethrurpg.webshit@banditlair.com"
"chrono24.webshit@banditlair.com"
"emby.webshit@banditlair.com"
"amazon.webshit@banditlair.com"
"steam.webshit@banditlair.com"
"tinder.webshit@banditlair.com"
];
};
"monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true;
};
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
};
extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com";
"postmaster@banditlair.com" = "paultrial@banditlair.com";
"abuse@banditlair.com" = "paultrial@banditlair.com";
"info@froidmont.org" = "paultrial@banditlair.com";
"postmaster@froidmont.org" = "paultrial@banditlair.com";
"abuse@froidmont.org" = "paultrial@banditlair.com";
"info@falbo.fr" = "paultrial@banditlair.com";
"postmaster@falbo.fr" = "paultrial@banditlair.com";
"abuse@falbo.fr" = "paultrial@banditlair.com";
#Catch all
"@banditlair.com" = "paultrial@banditlair.com";
"@froidmont.org" = "paultrial@banditlair.com";
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = "acme-nginx";
};
}

33
modules/monero.nix
View file

@ -1,21 +1,24 @@
{ config, lib, pkgs, ... }:
{
{ config, lib, ... }:
let cfg = config.custom.services.monero;
in {
options.custom.services.monero = { enable = lib.mkEnableOption "monero"; };
services.monero = {
enable = true;
rpc.restricted = true;
};
config = lib.mkIf cfg.enable {
services.monero = {
enable = true;
rpc.restricted = true;
};
services.nginx.virtualHosts."monero.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
services.nginx.virtualHosts."monero.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:18081";
extraConfig = ''
proxy_http_version 1.1;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:18081";
extraConfig = ''
proxy_http_version 1.1;
'';
};
};
};
}

94
modules/monitoring-exporters.nix
View file

@ -1,61 +1,61 @@
{ config, lib, ... }:
{
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" "processes" ];
};
};
let cfg = config.custom.services.monitoring-exporters;
in {
options.custom.services.monitoring-exporters = {
enable = lib.mkEnableOption "monitoring-exporters";
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 0;
config = lib.mkIf cfg.enable {
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" "processes" ];
};
};
clients = [{
url = "http://10.0.2.3:3100/loki/api/v1/push";
}];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "${config.networking.hostName}";
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 0;
};
clients = [{ url = "http://10.0.2.3:3100/loki/api/v1/push"; }];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "${config.networking.hostName}";
};
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}
(lib.mkIf config.services.nginx.enable {
job_name = "nginx";
static_configs = [
{
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}
(lib.mkIf config.services.nginx.enable {
job_name = "nginx";
static_configs = [{
targets = [ "localhost" ];
labels = {
job = "nginx";
host = "${config.networking.hostName}";
__path__ = "/var/log/nginx/*.log";
};
}
];
})
];
}];
})
];
};
};
systemd.services.promtail.serviceConfig = {
ReadOnlyPaths = lib.mkIf config.services.nginx.enable "/var/log/nginx";
SupplementaryGroups = lib.mkIf config.services.nginx.enable [ "nginx" ];
};
};
systemd.services.promtail.serviceConfig = {
ReadOnlyPaths = lib.mkIf config.services.nginx.enable "/var/log/nginx";
SupplementaryGroups = lib.mkIf config.services.nginx.enable [ "nginx" ];
};
}

14
modules/murmur.nix
View file

@ -1,15 +1,9 @@
{ config, lib, ... }:
with lib;
let
cfg = config.custom.services.murmur;
in
{
options.custom.services.murmur = {
enable = mkEnableOption "murmur";
};
let cfg = config.custom.services.murmur;
in {
options.custom.services.murmur = { enable = lib.mkEnableOption "murmur"; };
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
sops.secrets.murmurEnvFile = {
owner = config.systemd.services.murmur.serviceConfig.User;
key = "murmur.env";

156
modules/nextcloud.nix
View file

@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }:
let
cfg = config.custom.services.nextcloud;
uidFile = pkgs.writeText "uidfile" ''
nextcloud:993
'';
@ -7,85 +8,92 @@ let
nextcloud:991
'';
in {
sops.secrets = {
sshfsKey = { key = "sshfs_keys/private"; };
nextcloudDbPassword = {
owner = config.users.users.nextcloud.name;
key = "nextcloud/db_password";
restartUnits = [ "nextcloud-setup.service" ];
};
nextcloudAdminPassword = {
owner = config.users.users.nextcloud.name;
key = "nextcloud/admin_password";
restartUnits = [ "nextcloud-setup.service" ];
};
options.custom.services.nextcloud = {
enable = lib.mkEnableOption "nextcloud";
};
environment.systemPackages = with pkgs; [ sshfs ];
systemd.services.nextcloud-data-sshfs = {
wantedBy = [ "multi-user.target" "nextcloud-setup.service" ];
before = [ "phpfpm-nextcloud.service" ];
restartIfChanged = false;
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/nextcloud/data";
ExecStart = let
options = builtins.concatStringsSep "," [
"identityfile=${config.sops.secrets.sshfsKey.path}"
"ServerAliveInterval=15"
"idmap=file"
"uidfile=${uidFile}"
"gidfile=${gidFile}"
"allow_other"
"default_permissions"
"nomap=ignore"
];
in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data "
+ "/var/lib/nextcloud/data -o ${options}";
ExecStopPost = "-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
KillMode = "process";
};
};
services.nginx.virtualHosts."${config.services.nextcloud.hostName}" = {
enableACME = true;
forceSSL = true;
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud28;
hostName = "cloud.${config.networking.domain}";
https = true;
maxUploadSize = "1G";
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "10.0.1.11";
dbname = "nextcloud";
dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";
adminuser = "root";
overwriteProtocol = "https";
defaultPhoneRegion = "BE";
config = lib.mkIf cfg.enable {
sops.secrets = {
sshfsKey = { key = "sshfs_keys/private"; };
nextcloudDbPassword = {
owner = config.users.users.nextcloud.name;
key = "nextcloud/db_password";
restartUnits = [ "nextcloud-setup.service" ];
};
nextcloudAdminPassword = {
owner = config.users.users.nextcloud.name;
key = "nextcloud/admin_password";
restartUnits = [ "nextcloud-setup.service" ];
};
};
extraOptions = { maintenance_window_start = 1; };
environment.systemPackages = with pkgs; [ sshfs ];
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "12";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
systemd.services.nextcloud-data-sshfs = {
wantedBy = [ "multi-user.target" "nextcloud-setup.service" ];
before = [ "phpfpm-nextcloud.service" ];
restartIfChanged = false;
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/nextcloud/data";
ExecStart = let
options = builtins.concatStringsSep "," [
"identityfile=${config.sops.secrets.sshfsKey.path}"
"ServerAliveInterval=15"
"idmap=file"
"uidfile=${uidFile}"
"gidfile=${gidFile}"
"allow_other"
"default_permissions"
"nomap=ignore"
];
in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data "
+ "/var/lib/nextcloud/data -o ${options}";
ExecStopPost =
"-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
KillMode = "process";
};
};
services.nginx.virtualHosts."${config.services.nextcloud.hostName}" = {
enableACME = true;
forceSSL = true;
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud28;
hostName = "cloud.${config.networking.domain}";
https = true;
maxUploadSize = "1G";
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "10.0.1.11";
dbname = "nextcloud";
dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";
adminuser = "root";
overwriteProtocol = "https";
defaultPhoneRegion = "BE";
};
extraOptions = { maintenance_window_start = 1; };
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "12";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
};
};
}

27
modules/nginx.nix
View file

@ -1,15 +1,20 @@
{ pkgs, lib, config, ... }:
{
security.acme.defaults.email = "letsencrypt.account@banditlair.com";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
{ config, lib, ... }:
let cfg = config.custom.services.nginx;
in {
options.custom.services.nginx = { enable = lib.mkEnableOption "nginx"; };
services.nginx = {
enable = true;
config = lib.mkIf cfg.enable {
security.acme.defaults.email = "letsencrypt.account@banditlair.com";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
};
}

155
modules/postgresql.nix
View file

@ -1,87 +1,94 @@
{ config, lib, pkgs, ... }: {
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
enableTCPIP = true;
identMap = ''
root_as_others root postgres
root_as_others root synapse
root_as_others root nextcloud
root_as_others root roundcube
root_as_others root mastodon
'';
authentication = ''
local all postgres peer
local all all peer map=root_as_others
host all all 10.0.1.0/24 md5
'';
{ config, lib, pkgs, ... }:
let cfg = config.custom.services.postgresql;
in {
options.custom.services.postgresql = {
enable = lib.mkEnableOption "postgresql";
};
sops.secrets = {
synapseDbPassword = {
owner = config.services.postgresql.superUser;
key = "synapse/db_password";
restartUnits = [ "postgresql-setup.service" ];
config = lib.mkIf cfg.enable {
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
enableTCPIP = true;
identMap = ''
root_as_others root postgres
root_as_others root synapse
root_as_others root nextcloud
root_as_others root roundcube
root_as_others root mastodon
'';
authentication = ''
local all postgres peer
local all all peer map=root_as_others
host all all 10.0.1.0/24 md5
'';
};
nextcloudDbPassword = {
owner = config.services.postgresql.superUser;
key = "nextcloud/db_password";
restartUnits = [ "postgresql-setup.service" ];
sops.secrets = {
synapseDbPassword = {
owner = config.services.postgresql.superUser;
key = "synapse/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
nextcloudDbPassword = {
owner = config.services.postgresql.superUser;
key = "nextcloud/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
roundcubeDbPassword = {
owner = config.services.postgresql.superUser;
key = "roundcube/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
mastodonDbPassword = {
owner = config.services.postgresql.superUser;
key = "mastodon/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
};
roundcubeDbPassword = {
owner = config.services.postgresql.superUser;
key = "roundcube/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
mastodonDbPassword = {
owner = config.services.postgresql.superUser;
key = "mastodon/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
};
systemd.services.postgresql-setup = let pgsql = config.services.postgresql;
in {
after = [ "postgresql.service" ];
bindsTo = [ "postgresql.service" ];
wantedBy = [ "postgresql.service" ];
path = [ pgsql.package pkgs.util-linux ];
script = ''
set -u
PSQL() {
psql --port=${toString pgsql.port} "$@"
}
systemd.services.postgresql-setup = let pgsql = config.services.postgresql;
in {
after = [ "postgresql.service" ];
bindsTo = [ "postgresql.service" ];
wantedBy = [ "postgresql.service" ];
path = [ pgsql.package pkgs.util-linux ];
script = ''
set -u
PSQL() {
psql --port=${toString pgsql.port} "$@"
}
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"'
PSQL -tAc "ALTER ROLE synapse LOGIN"
PSQL -tAc "ALTER ROLE nextcloud LOGIN"
PSQL -tAc "ALTER ROLE roundcube LOGIN"
PSQL -tAc "ALTER ROLE mastodon LOGIN"
PSQL -tAc "ALTER ROLE synapse LOGIN"
PSQL -tAc "ALTER ROLE nextcloud LOGIN"
PSQL -tAc "ALTER ROLE roundcube LOGIN"
PSQL -tAc "ALTER ROLE mastodon LOGIN"
synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')"
PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')"
PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')"
PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"
'';
synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')"
PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')"
PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')"
PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"
'';
serviceConfig = {
User = pgsql.superUser;
Type = "oneshot";
RemainAfterExit = true;
serviceConfig = {
User = pgsql.superUser;
Type = "oneshot";
RemainAfterExit = true;
};
};
};
}

71
modules/roundcube.nix
View file

@ -1,42 +1,47 @@
{ pkgs, lib, config, ... }:
{
sops.secrets = {
pgPassFile = {
owner = "nginx";
key = "roundcube/pg_pass_file";
};
dbPassword = {
owner = "nginx";
key = "roundcube/db_password";
};
let cfg = config.custom.services.roundcube;
in {
options.custom.services.roundcube = {
enable = lib.mkEnableOption "roundcube";
};
services.roundcube = {
enable = true;
plugins = [ "managesieve" ];
dicts = with pkgs.aspellDicts; [ en fr de ];
hostName = "webmail.banditlair.com";
database = {
host = "10.0.1.11";
username = "roundcube";
dbname = "roundcube";
passwordFile = config.sops.secrets.pgPassFile.path;
config = lib.mkIf cfg.enable {
sops.secrets = {
pgPassFile = {
owner = "nginx";
key = "roundcube/pg_pass_file";
};
dbPassword = {
owner = "nginx";
key = "roundcube/db_password";
};
};
services.roundcube = {
enable = true;
plugins = [ "managesieve" ];
dicts = with pkgs.aspellDicts; [ en fr de ];
hostName = "webmail.banditlair.com";
database = {
host = "10.0.1.11";
username = "roundcube";
dbname = "roundcube";
passwordFile = config.sops.secrets.pgPassFile.path;
};
extraConfig = ''
# This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
$password = file_get_contents('${config.sops.secrets.dbPassword.path}');
$config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@10.0.1.11/roundcube';
extraConfig = ''
# This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
$password = file_get_contents('${config.sops.secrets.dbPassword.path}');
$config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@10.0.1.11/roundcube';
$config['default_host'] = 'ssl://mail.banditlair.com:993';
$config['smtp_server'] = 'ssl://%h';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['identities_level'] = 0;
$config['managesieve_host'] = 'tls://%h';
$config['managesieve_auth_type'] = 'PLAIN';
'';
$config['default_host'] = 'ssl://mail.banditlair.com:993';
$config['smtp_server'] = 'ssl://%h';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['identities_level'] = 0;
$config['managesieve_host'] = 'tls://%h';
$config['managesieve_auth_type'] = 'PLAIN';
'';
};
};
}

103
modules/stb.nix
View file

@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }:
{ pkgs, config, lib, ... }:
let
cfg = config.custom.services.stb;
uploadWordpressConfig = pkgs.writeText "upload.ini" ''
file_uploads = On
memory_limit = 64M
@ -7,62 +8,62 @@ let
post_max_size = 64M
max_execution_time = 600
'';
in
{
systemd.services.init-stb-network = {
description = "Create the network bridge stb-br for wordpress.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
in {
options.custom.services.stb = { enable = lib.mkEnableOption "stb"; };
serviceConfig.Type = "oneshot";
script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in
''
# Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service.
check=$(${dockercli} network ls | grep "stb-br" || true)
if [ -z "$check" ]; then
${dockercli} network create stb-br
else
echo "stb-br already exists in docker"
fi
'';
};
config = lib.mkIf cfg.enable {
systemd.services.init-stb-network = {
description = "Create the network bridge stb-br for wordpress.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
virtualisation.oci-containers.containers = {
"stb-mariadb" = {
image = "mariadb:10.7";
environment = {
"MYSQL_ROOT_PASSWORD" = "root";
"MYSQL_USER" = "stb";
"MYSQL_PASSWORD" = "stb";
"MYSQL_DATABASE" = "stb";
serviceConfig.Type = "oneshot";
script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in ''
# Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service.
check=$(${dockercli} network ls | grep "stb-br" || true)
if [ -z "$check" ]; then
${dockercli} network create stb-br
else
echo "stb-br already exists in docker"
fi
'';
};
virtualisation.oci-containers.containers = {
"stb-mariadb" = {
image = "mariadb:10.7";
environment = {
"MYSQL_ROOT_PASSWORD" = "root";
"MYSQL_USER" = "stb";
"MYSQL_PASSWORD" = "stb";
"MYSQL_DATABASE" = "stb";
};
volumes = [ "/var/lib/mariadb/stb:/var/lib/mysql" ];
extraOptions = [ "--network=stb-br" ];
autoStart = true;
};
"stb-wordpress" = {
image = "wordpress:5.8-php7.4-apache";
volumes = [
"/nix/var/data/stb-wordpress:/var/www/html"
"${uploadWordpressConfig}:/usr/local/etc/php/conf.d/uploads.ini"
];
ports = [ "127.0.0.1:8180:80" ];
extraOptions = [ "--network=stb-br" ];
autoStart = true;
};
volumes = [ "/var/lib/mariadb/stb:/var/lib/mysql" ];
extraOptions = [ "--network=stb-br" ];
autoStart = true;
};
"stb-wordpress" = {
image = "wordpress:5.8-php7.4-apache";
volumes = [
"/nix/var/data/stb-wordpress:/var/www/html"
"${uploadWordpressConfig}:/usr/local/etc/php/conf.d/uploads.ini"
];
ports = [ "127.0.0.1:8180:80" ];
extraOptions = [ "--network=stb-br" ];
autoStart = true;
};
};
services.nginx.virtualHosts."www.societe-de-tir-bertrix.com" = {
serverAliases = [ "societe-de-tir-bertrix.com" ];
forceSSL = true;
enableACME = true;
services.nginx.virtualHosts."www.societe-de-tir-bertrix.com" = {
serverAliases = [ "societe-de-tir-bertrix.com" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8180";
locations."/" = { proxyPass = "http://127.0.0.1:8180"; };
};
};
}

333
modules/synapse.nix
View file

@ -1,10 +1,10 @@
{ pkgs, lib, config, ... }:
{ pkgs, config, lib, ... }:
let
fqdn =
let
join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
in
join "matrix" config.networking.domain;
cfg = config.custom.services.synapse;
fqdn = let
join = hostName: domain:
hostName + lib.optionalString (domain != null) ".${domain}";
in join "matrix" config.networking.domain;
synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" ''
database:
name: psycopg2
@ -24,214 +24,211 @@ let
macaroon_secret_key: "MACAROON_SECRET_KEY"
turn_shared_secret: "TURN_SHARED_SECRET"
'';
in
{
services.nginx = {
virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host being accessible as ${config.networking.domain}
# to another host actually running the Matrix homeserver.
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
# acmeFallbackHost = "storage1.banditlair.com";
in {
options.custom.services.synapse = { enable = lib.mkEnableOption "synapse"; };
locations."= /.well-known/matrix/server".extraConfig =
let
config = lib.mkIf cfg.enable {
services.nginx = {
virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host being accessible as ${config.networking.domain}
# to another host actually running the Matrix homeserver.
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
# acmeFallbackHost = "storage1.banditlair.com";
locations."= /.well-known/matrix/server".extraConfig = let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
};
# Reverse proxy for Matrix client-server and server-server communication
${fqdn} = {
enableACME = true;
forceSSL = true;
# Reverse proxy for Matrix client-server and server-server communication
${fqdn} = {
enableACME = true;
forceSSL = true;
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Element web section below.
locations."/".extraConfig = ''
return 404;
'';
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Element web section below.
locations."/".extraConfig = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."~ ^(/_matrix|/health)" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
# forward all Matrix API calls to the synapse Matrix homeserver
locations."~ ^(/_matrix|/health)" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
};
};
};
};
};
sops.secrets = {
synapseDbPassword = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
key = "synapse/db_password";
restartUnits = [ "matrix-synapse-setup" ];
sops.secrets = {
synapseDbPassword = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
key = "synapse/db_password";
restartUnits = [ "matrix-synapse-setup" ];
};
noreplySmtpPassword = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
key = "email/accounts_passwords/noreply_banditlair_clear";
};
macaroonSecretKey = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
key = "synapse/macaroon_secret_key";
restartUnits = [ "matrix-synapse-setup" ];
};
turnSharedSecret = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
group = "turnserver";
mode = "0440";
key = "synapse/turn_shared_secret";
restartUnits = [ "matrix-synapse-setup" "coturn" ];
};
};
noreplySmtpPassword = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
key = "email/accounts_passwords/noreply_banditlair_clear";
systemd.services.matrix-synapse-setup = {
before = [ "matrix-synapse.service" ];
script = ''
set -euo pipefail
install -m 600 ${synapseDbConfig} /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'SYNAPSE_DB_PASSWORD' '${config.sops.secrets.synapseDbPassword.path}' /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'SMTP_PASSWORD' '${config.sops.secrets.noreplySmtpPassword.path}' /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'MACAROON_SECRET_KEY' '${config.sops.secrets.noreplySmtpPassword.path}' /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'TURN_SHARED_SECRET' '${config.sops.secrets.turnSharedSecret.path}' /run/synapse/synapse-db-config.yaml
'';
serviceConfig = {
User = config.systemd.services.matrix-synapse.serviceConfig.User;
Group = config.systemd.services.matrix-synapse.serviceConfig.Group;
Type = "oneshot";
RemainAfterExit = true;
RuntimeDirectory = "synapse";
};
};
macaroonSecretKey = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
key = "synapse/macaroon_secret_key";
restartUnits = [ "matrix-synapse-setup" ];
systemd.services.matrix-synapse = {
after = [ "matrix-synapse-setup.service" "network.target" ];
bindsTo = [ "matrix-synapse-setup.service" ];
};
turnSharedSecret = {
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
group = "turnserver";
mode = "0440";
key = "synapse/turn_shared_secret";
restartUnits = [ "matrix-synapse-setup" "coturn" ];
};
};
systemd.services.matrix-synapse-setup = {
before = [ "matrix-synapse.service" ];
services.matrix-synapse = with config.services.coturn; {
enable = true;
settings = {
server_name = config.networking.domain;
script = ''
set -euo pipefail
install -m 600 ${synapseDbConfig} /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'SYNAPSE_DB_PASSWORD' '${config.sops.secrets.synapseDbPassword.path}' /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'SMTP_PASSWORD' '${config.sops.secrets.noreplySmtpPassword.path}' /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'MACAROON_SECRET_KEY' '${config.sops.secrets.noreplySmtpPassword.path}' /run/synapse/synapse-db-config.yaml
${pkgs.replace-secret}/bin/replace-secret 'TURN_SHARED_SECRET' '${config.sops.secrets.turnSharedSecret.path}' /run/synapse/synapse-db-config.yaml
'';
enable_metrics = true;
serviceConfig = {
User = config.systemd.services.matrix-synapse.serviceConfig.User;
Group = config.systemd.services.matrix-synapse.serviceConfig.Group;
Type = "oneshot";
RemainAfterExit = true;
RuntimeDirectory = "synapse";
};
};
systemd.services.matrix-synapse = {
after = [ "matrix-synapse-setup.service" "network.target" ];
bindsTo = [ "matrix-synapse-setup.service" ];
};
services.matrix-synapse = with config.services.coturn; {
enable = true;
settings = {
server_name = config.networking.domain;
enable_metrics = true;
listeners = [
{
port = 8008;
bind_addresses = [ "::1" "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
listeners = [
{
port = 8008;
bind_addresses = [ "::1" "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = false;
}
];
}
{
port = 9000;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [ ];
}
];
}];
}
{
port = 9000;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [ ];
}
];
database = {
name = "psycopg2";
args = {
host = "fake"; # This section is overriden by "extraConfigFiles"
database = {
name = "psycopg2";
args = {
host = "fake"; # This section is overriden by "extraConfigFiles"
};
};
turn_uris = [
"turn:${realm}:3478?transport=udp"
"turn:${realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
};
turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ];
turn_user_lifetime = "1h";
dataDir = "/nix/var/data/matrix-synapse";
extraConfigFiles = [ "/run/synapse/synapse-db-config.yaml" ];
};
dataDir = "/nix/var/data/matrix-synapse";
extraConfigFiles = [ "/run/synapse/synapse-db-config.yaml" ];
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets.turnSharedSecret.path;
realm = "turn.${config.networking.domain}";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets.turnSharedSecret.path;
realm = "turn.${config.networking.domain}";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
networking.firewall =
let
networking.firewall = let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
in
{
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ];
};
security.acme.certs.${config.services.coturn.realm} = {
postRun = "systemctl restart coturn.service";
group = "turnserver";
security.acme.certs.${config.services.coturn.realm} = {
postRun = "systemctl restart coturn.service";
group = "turnserver";
};
};
}

429
modules/torrents.nix
View file

@ -1,227 +1,234 @@
{ config, lib, pkgs, ... }: {
sops.secrets = {
vpnCredentials = { key = "openvpn/credentials"; };
transmissionRpcCredentials = { key = "transmission/rpc_config.json"; };
{ config, lib, pkgs, ... }:
let cfg = config.custom.services.torrents;
in {
options.custom.services.torrents = {
enable = lib.mkEnableOption "torrents";
};
containers.torrents = {
ephemeral = true;
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "192.168.1.1";
localAddress = "192.168.1.2";
bindMounts = {
"${config.sops.secrets.vpnCredentials.path}" = {
hostPath = config.sops.secrets.vpnCredentials.path;
};
"${config.sops.secrets.transmissionRpcCredentials.path}" = {
hostPath = config.sops.secrets.transmissionRpcCredentials.path;
};
"/nix/var/data/media" = {
hostPath = "/nix/var/data/media";
isReadOnly = false;
};
"/nix/var/data/jackett" = {
hostPath = "/nix/var/data/jackett";
isReadOnly = false;
};
"/nix/var/data/sonarr" = {
hostPath = "/nix/var/data/sonarr";
isReadOnly = false;
};
"/nix/var/data/radarr" = {
hostPath = "/nix/var/data/radarr";
isReadOnly = false;
};
"/nix/var/data/lidarr" = {
hostPath = "/nix/var/data/lidarr";
isReadOnly = false;
};
"/nix/var/data/transmission" = {
hostPath = "/nix/var/data/transmission";
isReadOnly = false;
};
config = lib.mkIf cfg.enable {
sops.secrets = {
vpnCredentials = { key = "openvpn/credentials"; };
transmissionRpcCredentials = { key = "transmission/rpc_config.json"; };
};
config = {
time.timeZone = "Europe/Amsterdam";
users.users.www-data = {
uid = 993;
isSystemUser = true;
group = config.users.groups.www-data.name;
};
users.groups.www-data = { gid = 991; };
services.openvpn.servers.client = {
updateResolvConf = true;
config = ''
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto udp
<ca>
-----BEGIN CERTIFICATE-----
MIIGIzCCBAugAwIBAgIJAK6BqXN9GHI0MA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
VQQGEwJTRTERMA8GA1UECAwIR290YWxhbmQxEzARBgNVBAcMCkdvdGhlbmJ1cmcx
FDASBgNVBAoMC0FtYWdpY29tIEFCMRAwDgYDVQQLDAdNdWxsdmFkMRswGQYDVQQD
DBJNdWxsdmFkIFJvb3QgQ0EgdjIxIzAhBgkqhkiG9w0BCQEWFHNlY3VyaXR5QG11
bGx2YWQubmV0MB4XDTE4MTEwMjExMTYxMVoXDTI4MTAzMDExMTYxMVowgZ8xCzAJ
BgNVBAYTAlNFMREwDwYDVQQIDAhHb3RhbGFuZDETMBEGA1UEBwwKR290aGVuYnVy
ZzEUMBIGA1UECgwLQW1hZ2ljb20gQUIxEDAOBgNVBAsMB011bGx2YWQxGzAZBgNV
BAMMEk11bGx2YWQgUm9vdCBDQSB2MjEjMCEGCSqGSIb3DQEJARYUc2VjdXJpdHlA
bXVsbHZhZC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCifDn7
5E/Zdx1qsy31rMEzuvbTXqZVZp4bjWbmcyyXqvnayRUHHoovG+lzc+HDL3HJV+kj
xKpCMkEVWwjY159lJbQbm8kkYntBBREdzRRjjJpTb6haf/NXeOtQJ9aVlCc4dM66
bEmyAoXkzXVZTQJ8h2FE55KVxHi5Sdy4XC5zm0wPa4DPDokNp1qm3A9Xicq3Hsfl
LbMZRCAGuI+Jek6caHqiKjTHtujn6Gfxv2WsZ7SjerUAk+mvBo2sfKmB7octxG7y
AOFFg7YsWL0AxddBWqgq5R/1WDJ9d1Cwun9WGRRQ1TLvzF1yABUerjjKrk89RCzY
ISwsKcgJPscaDqZgO6RIruY/xjuTtrnZSv+FXs+Woxf87P+QgQd76LC0MstTnys+
AfTMuMPOLy9fMfEzs3LP0Nz6v5yjhX8ff7+3UUI3IcMxCvyxdTPClY5IvFdW7CCm
mLNzakmx5GCItBWg/EIg1K1SG0jU9F8vlNZUqLKz42hWy/xB5C4QYQQ9ILdu4ara
PnrXnmd1D1QKVwKQ1DpWhNbpBDfE776/4xXD/tGM5O0TImp1NXul8wYsDi8g+e0p
xNgY3Pahnj1yfG75Yw82spZanUH0QSNoMVMWnmV2hXGsWqypRq0pH8mPeLzeKa82
gzsAZsouRD1k8wFlYA4z9HQFxqfcntTqXuwQcQIDAQABo2AwXjAdBgNVHQ4EFgQU
faEyaBpGNzsqttiSMETq+X/GJ0YwHwYDVR0jBBgwFoAUfaEyaBpGNzsqttiSMETq
+X/GJ0YwCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggIBADH5izxu4V8Javal8EA4DxZxIHUsWCg5cuopB28PsyJYpyKipsBoI8+R
XqbtrLLue4WQfNPZHLXlKi+A3GTrLdlnenYzXVipPd+n3vRZyofaB3Jtb03nirVW
Ga8FG21Xy/f4rPqwcW54lxrnnh0SA0hwuZ+b2yAWESBXPxrzVQdTWCqoFI6/aRnN
8RyZn0LqRYoW7WDtKpLmfyvshBmmu4PCYSh/SYiFHgR9fsWzVcxdySDsmX8wXowu
Ffp8V9sFhD4TsebAaplaICOuLUgj+Yin5QzgB0F9Ci3Zh6oWwl64SL/OxxQLpzMW
zr0lrWsQrS3PgC4+6JC4IpTXX5eUqfSvHPtbRKK0yLnd9hYgvZUBvvZvUFR/3/fW
+mpBHbZJBu9+/1uux46M4rJ2FeaJUf9PhYCPuUj63yu0Grn0DreVKK1SkD5V6qXN
0TmoxYyguhfsIPCpI1VsdaSWuNjJ+a/HIlKIU8vKp5iN/+6ZTPAg9Q7s3Ji+vfx/
AhFtQyTpIYNszVzNZyobvkiMUlK+eUKGlHVQp73y6MmGIlbBbyzpEoedNU4uFu57
mw4fYGHqYZmYqFaiNQv4tVrGkg6p+Ypyu1zOfIHF7eqlAOu/SyRTvZkt9VtSVEOV
H7nDIGdrCC9U/g1Lqk8Td00Oj8xesyKzsG214Xd8m7/7GmJ7nXe5
-----END CERTIFICATE-----
</ca>
tun-ipv6
script-security 2
fast-io
remote-random
remote de-fra-101.mullvad.net 1194
remote de-fra-201.mullvad.net 1194
remote de-fra-009.mullvad.net 1194
remote de-fra-002.mullvad.net 1194
remote de-fra-202.mullvad.net 1194
remote de-fra-005.mullvad.net 1194
remote de-fra-203.mullvad.net 1194
remote de-fra-003.mullvad.net 1194
remote de-fra-004.mullvad.net 1194
remote de-fra-008.mullvad.net 1194
remote de-fra-006.mullvad.net 1194
remote de-fra-007.mullvad.net 1194
remote de-fra-102.mullvad.net 1194
auth-user-pass ${config.sops.secrets.vpnCredentials.path}
'';
};
containers.torrents = {
ephemeral = true;
autoStart = true;
enableTun = true;
services.transmission = {
enable = true;
openRPCPort = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
credentialsFile = config.sops.secrets.transmissionRpcCredentials.path;
home = "/nix/var/data/transmission";
settings = {
rpc-bind-address = "0.0.0.0";
rpc-whitelist = "127.0.0.1,192.168.1.1";
rpc-authentication-required = true;
rpc-host-whitelist-enabled = false;
incomplete-dir = "/nix/var/data/transmission/.incomplete";
watch-dir = "/nix/var/data/transmission/watchdir";
download-dir = "/nix/var/data/transmission/downloads";
privateNetwork = true;
hostAddress = "192.168.1.1";
localAddress = "192.168.1.2";
bindMounts = {
"${config.sops.secrets.vpnCredentials.path}" = {
hostPath = config.sops.secrets.vpnCredentials.path;
};
"${config.sops.secrets.transmissionRpcCredentials.path}" = {
hostPath = config.sops.secrets.transmissionRpcCredentials.path;
};
"/nix/var/data/media" = {
hostPath = "/nix/var/data/media";
isReadOnly = false;
};
"/nix/var/data/jackett" = {
hostPath = "/nix/var/data/jackett";
isReadOnly = false;
};
"/nix/var/data/sonarr" = {
hostPath = "/nix/var/data/sonarr";
isReadOnly = false;
};
"/nix/var/data/radarr" = {
hostPath = "/nix/var/data/radarr";
isReadOnly = false;
};
"/nix/var/data/lidarr" = {
hostPath = "/nix/var/data/lidarr";
isReadOnly = false;
};
"/nix/var/data/transmission" = {
hostPath = "/nix/var/data/transmission";
isReadOnly = false;
};
};
systemd.services.transmission.serviceConfig.BindReadOnlyPaths =
lib.mkForce [
builtins.storeDir
"/etc"
]; # https://github.com/NixOS/nixpkgs/issues/258793
services.jackett = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/jackett";
};
services.sonarr = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/sonarr";
};
services.radarr = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/radarr";
};
services.lidarr = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/lidarr";
};
config = {
time.timeZone = "Europe/Amsterdam";
users.users.www-data = {
uid = 993;
isSystemUser = true;
group = config.users.groups.www-data.name;
};
users.groups.www-data = { gid = 991; };
services.openvpn.servers.client = {
updateResolvConf = true;
config = ''
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto udp
<ca>
-----BEGIN CERTIFICATE-----
MIIGIzCCBAugAwIBAgIJAK6BqXN9GHI0MA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
VQQGEwJTRTERMA8GA1UECAwIR290YWxhbmQxEzARBgNVBAcMCkdvdGhlbmJ1cmcx
FDASBgNVBAoMC0FtYWdpY29tIEFCMRAwDgYDVQQLDAdNdWxsdmFkMRswGQYDVQQD
DBJNdWxsdmFkIFJvb3QgQ0EgdjIxIzAhBgkqhkiG9w0BCQEWFHNlY3VyaXR5QG11
bGx2YWQubmV0MB4XDTE4MTEwMjExMTYxMVoXDTI4MTAzMDExMTYxMVowgZ8xCzAJ
BgNVBAYTAlNFMREwDwYDVQQIDAhHb3RhbGFuZDETMBEGA1UEBwwKR290aGVuYnVy
ZzEUMBIGA1UECgwLQW1hZ2ljb20gQUIxEDAOBgNVBAsMB011bGx2YWQxGzAZBgNV
BAMMEk11bGx2YWQgUm9vdCBDQSB2MjEjMCEGCSqGSIb3DQEJARYUc2VjdXJpdHlA
bXVsbHZhZC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCifDn7
5E/Zdx1qsy31rMEzuvbTXqZVZp4bjWbmcyyXqvnayRUHHoovG+lzc+HDL3HJV+kj
xKpCMkEVWwjY159lJbQbm8kkYntBBREdzRRjjJpTb6haf/NXeOtQJ9aVlCc4dM66
bEmyAoXkzXVZTQJ8h2FE55KVxHi5Sdy4XC5zm0wPa4DPDokNp1qm3A9Xicq3Hsfl
LbMZRCAGuI+Jek6caHqiKjTHtujn6Gfxv2WsZ7SjerUAk+mvBo2sfKmB7octxG7y
AOFFg7YsWL0AxddBWqgq5R/1WDJ9d1Cwun9WGRRQ1TLvzF1yABUerjjKrk89RCzY
ISwsKcgJPscaDqZgO6RIruY/xjuTtrnZSv+FXs+Woxf87P+QgQd76LC0MstTnys+
AfTMuMPOLy9fMfEzs3LP0Nz6v5yjhX8ff7+3UUI3IcMxCvyxdTPClY5IvFdW7CCm
mLNzakmx5GCItBWg/EIg1K1SG0jU9F8vlNZUqLKz42hWy/xB5C4QYQQ9ILdu4ara
PnrXnmd1D1QKVwKQ1DpWhNbpBDfE776/4xXD/tGM5O0TImp1NXul8wYsDi8g+e0p
xNgY3Pahnj1yfG75Yw82spZanUH0QSNoMVMWnmV2hXGsWqypRq0pH8mPeLzeKa82
gzsAZsouRD1k8wFlYA4z9HQFxqfcntTqXuwQcQIDAQABo2AwXjAdBgNVHQ4EFgQU
faEyaBpGNzsqttiSMETq+X/GJ0YwHwYDVR0jBBgwFoAUfaEyaBpGNzsqttiSMETq
+X/GJ0YwCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggIBADH5izxu4V8Javal8EA4DxZxIHUsWCg5cuopB28PsyJYpyKipsBoI8+R
XqbtrLLue4WQfNPZHLXlKi+A3GTrLdlnenYzXVipPd+n3vRZyofaB3Jtb03nirVW
Ga8FG21Xy/f4rPqwcW54lxrnnh0SA0hwuZ+b2yAWESBXPxrzVQdTWCqoFI6/aRnN
8RyZn0LqRYoW7WDtKpLmfyvshBmmu4PCYSh/SYiFHgR9fsWzVcxdySDsmX8wXowu
Ffp8V9sFhD4TsebAaplaICOuLUgj+Yin5QzgB0F9Ci3Zh6oWwl64SL/OxxQLpzMW
zr0lrWsQrS3PgC4+6JC4IpTXX5eUqfSvHPtbRKK0yLnd9hYgvZUBvvZvUFR/3/fW
+mpBHbZJBu9+/1uux46M4rJ2FeaJUf9PhYCPuUj63yu0Grn0DreVKK1SkD5V6qXN
0TmoxYyguhfsIPCpI1VsdaSWuNjJ+a/HIlKIU8vKp5iN/+6ZTPAg9Q7s3Ji+vfx/
AhFtQyTpIYNszVzNZyobvkiMUlK+eUKGlHVQp73y6MmGIlbBbyzpEoedNU4uFu57
mw4fYGHqYZmYqFaiNQv4tVrGkg6p+Ypyu1zOfIHF7eqlAOu/SyRTvZkt9VtSVEOV
H7nDIGdrCC9U/g1Lqk8Td00Oj8xesyKzsG214Xd8m7/7GmJ7nXe5
-----END CERTIFICATE-----
</ca>
tun-ipv6
script-security 2
fast-io
remote-random
remote de-fra-101.mullvad.net 1194
remote de-fra-201.mullvad.net 1194
remote de-fra-009.mullvad.net 1194
remote de-fra-002.mullvad.net 1194
remote de-fra-202.mullvad.net 1194
remote de-fra-005.mullvad.net 1194
remote de-fra-203.mullvad.net 1194
remote de-fra-003.mullvad.net 1194
remote de-fra-004.mullvad.net 1194
remote de-fra-008.mullvad.net 1194
remote de-fra-006.mullvad.net 1194
remote de-fra-007.mullvad.net 1194
remote de-fra-102.mullvad.net 1194
auth-user-pass ${config.sops.secrets.vpnCredentials.path}
'';
};
system.stateVersion = "21.11";
};
};
services.transmission = {
enable = true;
openRPCPort = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
credentialsFile = config.sops.secrets.transmissionRpcCredentials.path;
home = "/nix/var/data/transmission";
settings = {
rpc-bind-address = "0.0.0.0";
rpc-whitelist = "127.0.0.1,192.168.1.1";
rpc-authentication-required = true;
rpc-host-whitelist-enabled = false;
incomplete-dir = "/nix/var/data/transmission/.incomplete";
watch-dir = "/nix/var/data/transmission/watchdir";
download-dir = "/nix/var/data/transmission/downloads";
};
};
systemd.services.transmission.serviceConfig.BindReadOnlyPaths =
lib.mkForce [
builtins.storeDir
"/etc"
]; # https://github.com/NixOS/nixpkgs/issues/258793
virtualisation.oci-containers.containers.flaresolverr = {
image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11";
environment = {
"LOG_LEVEL" = "debug";
"CAPTCHA_SOLVER" = "hcaptcha-solver";
};
ports = [ "192.168.1.1:8191:8191" ];
autoStart = true;
};
services.jackett = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/jackett";
};
services.sonarr = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/sonarr";
};
services.radarr = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/radarr";
};
services.lidarr = {
enable = true;
openFirewall = true;
user = config.users.users.www-data.name;
group = config.users.groups.www-data.name;
dataDir = "/nix/var/data/lidarr";
};
services.nginx.virtualHosts = {
"transmission.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9091"; };
system.stateVersion = "21.11";
};
};
"jackett.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9117"; };
virtualisation.oci-containers.containers.flaresolverr = {
image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11";
environment = {
"LOG_LEVEL" = "debug";
"CAPTCHA_SOLVER" = "hcaptcha-solver";
};
ports = [ "192.168.1.1:8191:8191" ];
autoStart = true;
};
"sonarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8989"; };
};
"radarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:7878"; };
};
"lidarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8686"; };
services.nginx.virtualHosts = {
"transmission.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9091"; };
};
"jackett.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9117"; };
};
"sonarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8989"; };
};
"radarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:7878"; };
};
"lidarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8686"; };
};
};
};
}

8
modules/website-marie.nix
View file

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.nginx.virtualHosts."osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
}

76
profiles/backend.nix
View file

@ -1,16 +1,5 @@
{ config, lib, pkgs, ... }: {
imports = [
../environment.nix
../hardware/hcloud.nix
../modules
../modules/nginx.nix
../modules/synapse.nix
../modules/nextcloud.nix
../modules/dokuwiki.nix
../modules/website-marie.nix
../modules/roundcube.nix
../modules/monitoring-exporters.nix
];
imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];
sops.secrets = {
borgSshKey = {
@ -20,6 +9,7 @@
};
custom = {
services.backup-job = {
enable = true;
repoName = "bk1";
@ -63,13 +53,15 @@
'';
};
services.nginx.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true;
services.murmur.enable = true;
services.mastodon.enable = false;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.monitoring-exporters.enable = true;
};
services.uptime-kuma = {
@ -77,34 +69,42 @@
settings = { PORT = "3001"; };
};
services.nginx.virtualHosts."uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
"http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
services.nginx.virtualHosts = {
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
};
services.nginx.virtualHosts."www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
locations."/" = {
proxyPass =
"http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."fautlfer.com" = {
enableACME = true;
forceSSL = true;
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
networking.firewall.allowedTCPPorts = [ 80 443 64738 ];

10
profiles/db.nix
View file

@ -1,11 +1,5 @@
{ config, lib, pkgs, ... }: {
imports = [
../environment.nix
../hardware/hcloud.nix
../modules
../modules/postgresql.nix
../modules/monitoring-exporters.nix
];
imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];
networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port
@ -35,6 +29,8 @@
};
services.openssh.enable = true;
services.postgresql.enable = true;
services.monitoring-exporters.enable = true;
};
}

94
profiles/storage.nix
View file

@ -3,17 +3,6 @@
../environment.nix
../hardware/hetzner-dedicated-storage1.nix
../modules
../modules/openssh.nix
../modules/mailserver.nix
../modules/nginx.nix
../modules/jellyfin.nix
../modules/stb.nix
../modules/monero.nix
../modules/torrents.nix
../modules/jitsi.nix
../modules/binary-cache.nix
../modules/grafana.nix
../modules/monitoring-exporters.nix
];
sops.secrets = {
@ -23,6 +12,17 @@
};
nixCacheKey = { key = "nix/cache_secret_key"; };
dmarcExporterPassword = { key = "dmarc_exporter/password"; };
paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
eliosPassword = { key = "email/accounts_passwords/elios"; };
mariePassword = { key = "email/accounts_passwords/marie"; };
alicePassword = { key = "email/accounts_passwords/alice"; };
monitPassword = { key = "email/accounts_passwords/monit"; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
};
custom = {
@ -95,8 +95,80 @@
'';
};
services.nginx.enable = true;
services.gitlab-runner.enable = true;
services.openssh.enable = true;
services.jellyfin.enable = true;
services.stb.enable = true;
services.monero.enable = true;
services.torrents.enable = true;
services.jitsi.enable = true;
services.grafana.enable = true;
services.monitoring-exporters.enable = true;
};
mailserver = {
enable = true;
fqdn = "mail.banditlair.com";
domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
localDnsResolver = false;
enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail";
sieveDirectory = "/nix/var/data/sieve";
lmtpSaveToDetailMailbox = "no";
policydSPFExtraConfig = ''
Domain_Whitelist = skynet.be
'';
loginAccounts = {
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
aliases = [ "osteopathie@froidmont.org" "communication@froidmont.org" ];
};
"alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path;
};
"elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path;
aliases = [ "webshit@banditlair.com" "outlook-pascal@banditlair.com" ];
};
"monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true;
};
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
};
extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com";
"postmaster@banditlair.com" = "paultrial@banditlair.com";
"abuse@banditlair.com" = "paultrial@banditlair.com";
"info@froidmont.org" = "paultrial@banditlair.com";
"postmaster@froidmont.org" = "paultrial@banditlair.com";
"abuse@froidmont.org" = "paultrial@banditlair.com";
"info@falbo.fr" = "paultrial@banditlair.com";
"postmaster@falbo.fr" = "paultrial@banditlair.com";
"abuse@falbo.fr" = "paultrial@banditlair.com";
#Catch all
"@banditlair.com" = "paultrial@banditlair.com";
"@froidmont.org" = "paultrial@banditlair.com";
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = "acme-nginx";
};
services.prometheus.exporters.dmarc = {