Finish migration to NixOS modules

2025-12-25 05:36:59 +01:00 · 2024-03-26 23:37:53 +01:00 · 2024-03-26 23:37:53 +01:00 · d944e36197
commit d944e36197
parent aef5eabce5
21 changed files with 1071 additions and 1151 deletions
--- a/profiles/backend.nix
+++ b/profiles/backend.nix
@ -1,16 +1,5 @@
 { config, lib, pkgs, ... }: {
-  imports = [
-    ../environment.nix
-    ../hardware/hcloud.nix
-    ../modules
-    ../modules/nginx.nix
-    ../modules/synapse.nix
-    ../modules/nextcloud.nix
-    ../modules/dokuwiki.nix
-    ../modules/website-marie.nix
-    ../modules/roundcube.nix
-    ../modules/monitoring-exporters.nix
-  ];
+  imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];

  sops.secrets = {
    borgSshKey = {
@ -20,6 +9,7 @@
  };

  custom = {
+
    services.backup-job = {
      enable = true;
      repoName = "bk1";
@ -63,13 +53,15 @@
      '';
    };

+    services.nginx.enable = true;
    services.dokuwiki.enable = true;
-
    services.openssh.enable = true;
-
    services.murmur.enable = true;
-
    services.mastodon.enable = false;
+    services.synapse.enable = true;
+    services.nextcloud.enable = true;
+    services.roundcube.enable = true;
+    services.monitoring-exporters.enable = true;
  };

  services.uptime-kuma = {
@ -77,34 +69,42 @@
    settings = { PORT = "3001"; };
  };

-  services.nginx.virtualHosts."uptime.froidmont.org" = {
-    serverAliases = [ "status.${config.networking.domain}" ];
-    forceSSL = true;
-    enableACME = true;
-
-    locations."/" = {
-      proxyPass =
-        "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
-      proxyWebsockets = true;
+  services.nginx.virtualHosts = {
+    "osteopathie.froidmont.org" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/nix/var/data/website-marie";
    };
-  };

-  services.nginx.virtualHosts."www.fautlfer.com" = {
-    enableACME = true;
-    forceSSL = true;
+    "uptime.froidmont.org" = {
+      serverAliases = [ "status.${config.networking.domain}" ];
+      forceSSL = true;
+      enableACME = true;

-    locations."= /".extraConfig = ''
-      return 302 https://blogz.zaclys.com/faut-l-fer/;
-    '';
-  };
+      locations."/" = {
+        proxyPass =
+          "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
+        proxyWebsockets = true;
+      };
+    };

-  services.nginx.virtualHosts."fautlfer.com" = {
-    enableACME = true;
-    forceSSL = true;
+    "www.fautlfer.com" = {
+      enableACME = true;
+      forceSSL = true;

-    locations."= /".extraConfig = ''
-      return 302 https://blogz.zaclys.com/faut-l-fer/;
-    '';
+      locations."= /".extraConfig = ''
+        return 302 https://blogz.zaclys.com/faut-l-fer/;
+      '';
+    };
+
+    "fautlfer.com" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."= /".extraConfig = ''
+        return 302 https://blogz.zaclys.com/faut-l-fer/;
+      '';
+    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 64738 ];
--- a/profiles/db.nix
+++ b/profiles/db.nix
@ -1,11 +1,5 @@
 { config, lib, pkgs, ... }: {
-  imports = [
-    ../environment.nix
-    ../hardware/hcloud.nix
-    ../modules
-    ../modules/postgresql.nix
-    ../modules/monitoring-exporters.nix
-  ];
+  imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];

  networking.firewall.interfaces."eth1".allowedTCPPorts = [
    config.services.prometheus.exporters.node.port
@ -35,6 +29,8 @@
    };

    services.openssh.enable = true;
+    services.postgresql.enable = true;
+    services.monitoring-exporters.enable = true;
  };

 }
--- a/profiles/storage.nix
+++ b/profiles/storage.nix
@ -3,17 +3,6 @@
    ../environment.nix
    ../hardware/hetzner-dedicated-storage1.nix
    ../modules
-    ../modules/openssh.nix
-    ../modules/mailserver.nix
-    ../modules/nginx.nix
-    ../modules/jellyfin.nix
-    ../modules/stb.nix
-    ../modules/monero.nix
-    ../modules/torrents.nix
-    ../modules/jitsi.nix
-    ../modules/binary-cache.nix
-    ../modules/grafana.nix
-    ../modules/monitoring-exporters.nix
  ];

  sops.secrets = {
@ -23,6 +12,17 @@
    };
    nixCacheKey = { key = "nix/cache_secret_key"; };
    dmarcExporterPassword = { key = "dmarc_exporter/password"; };
+    paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
+    eliosPassword = { key = "email/accounts_passwords/elios"; };
+    mariePassword = { key = "email/accounts_passwords/marie"; };
+    alicePassword = { key = "email/accounts_passwords/alice"; };
+    monitPassword = { key = "email/accounts_passwords/monit"; };
+    noreplyBanditlairPassword = {
+      key = "email/accounts_passwords/noreply_banditlair";
+    };
+    noreplyFroidmontPassword = {
+      key = "email/accounts_passwords/noreply_froidmont";
+    };
  };

  custom = {
@ -95,8 +95,80 @@
      '';
    };

+    services.nginx.enable = true;
    services.gitlab-runner.enable = true;
    services.openssh.enable = true;
+    services.jellyfin.enable = true;
+    services.stb.enable = true;
+    services.monero.enable = true;
+    services.torrents.enable = true;
+    services.jitsi.enable = true;
+    services.grafana.enable = true;
+    services.monitoring-exporters.enable = true;
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.banditlair.com";
+    domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
+    localDnsResolver = false;
+    enableManageSieve = true;
+    mailDirectory = "/nix/var/data/vmail";
+    sieveDirectory = "/nix/var/data/sieve";
+    lmtpSaveToDetailMailbox = "no";
+    policydSPFExtraConfig = ''
+      Domain_Whitelist = skynet.be
+    '';
+    loginAccounts = {
+      "paultrial@banditlair.com" = {
+        # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
+        hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
+        aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
+      };
+      "marie-alice@froidmont.org" = {
+        hashedPasswordFile = config.sops.secrets.mariePassword.path;
+        aliases = [ "osteopathie@froidmont.org" "communication@froidmont.org" ];
+      };
+      "alice@froidmont.org" = {
+        hashedPasswordFile = config.sops.secrets.alicePassword.path;
+      };
+      "elios@banditlair.com" = {
+        hashedPasswordFile = config.sops.secrets.eliosPassword.path;
+        aliases = [ "webshit@banditlair.com" "outlook-pascal@banditlair.com" ];
+      };
+      "monit@banditlair.com" = {
+        hashedPasswordFile = config.sops.secrets.monitPassword.path;
+        sendOnly = true;
+      };
+      "noreply@banditlair.com" = {
+        hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
+        sendOnly = true;
+      };
+      "noreply@froidmont.org" = {
+        hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
+        sendOnly = true;
+      };
+    };
+    extraVirtualAliases = {
+      "info@banditlair.com" = "paultrial@banditlair.com";
+      "postmaster@banditlair.com" = "paultrial@banditlair.com";
+      "abuse@banditlair.com" = "paultrial@banditlair.com";
+
+      "info@froidmont.org" = "paultrial@banditlair.com";
+      "postmaster@froidmont.org" = "paultrial@banditlair.com";
+      "abuse@froidmont.org" = "paultrial@banditlair.com";
+
+      "info@falbo.fr" = "paultrial@banditlair.com";
+      "postmaster@falbo.fr" = "paultrial@banditlair.com";
+      "abuse@falbo.fr" = "paultrial@banditlair.com";
+
+      #Catch all
+      "@banditlair.com" = "paultrial@banditlair.com";
+      "@froidmont.org" = "paultrial@banditlair.com";
+      "@falbo.fr" = "elios@banditlair.com";
+    };
+
+    certificateScheme = "acme-nginx";
  };

  services.prometheus.exporters.dmarc = {