Finish migration to NixOS modules

This commit is contained in:
Paul-Henri Froidmont 2024-03-26 23:37:53 +01:00
parent aef5eabce5
commit d944e36197
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
21 changed files with 1071 additions and 1151 deletions


@ -1,20 +1,14 @@
{ config, lib, ... }: { config, lib, ... }:
with lib; let cfg = config.custom.services.binary-cache;
let in {
cfg = config.custom.services.binary-cache;
in
{
options.custom.services.binary-cache = { options.custom.services.binary-cache = {
enable = mkEnableOption "binary-cache"; enable = lib.mkEnableOption "binary-cache";
secretKeyFile = mkOption { secretKeyFile = lib.mkOption { type = lib.types.path; };
type = types.path;
};
}; };
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
services.nix-serve = { services.nix-serve = {
enable = true; enable = true;
port = 1500; port = 1500;
@ -29,7 +23,9 @@ in
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port}; proxy_pass http://localhost:${
toString config.services.nix-serve.port
};
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
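Review bot: The nix-serve instance behind this proxy is only given `port = 1500;` in the first hunk, and nothing in the module pins its bind address, so unless the NixOS firewall closes that port the cache is also reachable directly on 1500, bypassing the TLS vhost configured here. Setting `services.nix-serve.bindAddress = "127.0.0.1";` next to `port` keeps the nginx vhost the only entry point. I infer the all-interfaces default from the upstream module; confirm it against the pinned nixpkgs.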


@ -1,5 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }: {
{
imports = [ imports = [
./backup-job.nix ./backup-job.nix
./monit.nix ./monit.nix
@ -7,5 +6,19 @@
./openssh.nix ./openssh.nix
./murmur.nix ./murmur.nix
./mastodon.nix ./mastodon.nix
./nginx.nix
./jellyfin.nix
./stb.nix
./monero.nix
./torrents.nix
./jitsi.nix
./binary-cache.nix
./grafana.nix
./monitoring-exporters.nix
./synapse.nix
./nextcloud.nix
./roundcube.nix
./dokuwiki.nix
./postgresql.nix
]; ];
} }


@ -1,5 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
cfg = config.custom.services.dokuwiki; cfg = config.custom.services.dokuwiki;
@ -47,11 +46,11 @@ let
in { in {
options.custom.services.dokuwiki = { options.custom.services.dokuwiki = {
enable = mkEnableOption "dokuwiki"; enable = lib.mkEnableOption "dokuwiki";
secretKeyFile = mkOption { type = types.path; }; secretKeyFile = lib.mkOption { type = lib.types.path; };
}; };
config = mkIf cfg.enable config = lib.mkIf cfg.enable
(lib.mkMerge [ (configureWiki "anderia") (configureWiki "arkadia") ]); (lib.mkMerge [ (configureWiki "anderia") (configureWiki "arkadia") ]);
} }


@ -1,6 +1,9 @@
{ config, ... }: { config, lib, ... }:
{ let cfg = config.custom.services.grafana;
in {
options.custom.services.grafana = { enable = lib.mkEnableOption "grafana"; };
config = lib.mkIf cfg.enable {
sops.secrets = { sops.secrets = {
grafanaAdminPassword = { grafanaAdminPassword = {
owner = config.users.users.grafana.name; owner = config.users.users.grafana.name;
@ -8,15 +11,13 @@
}; };
}; };
services.grafana = { services.grafana = {
enable = true; enable = true;
dataDir = "/nix/var/data/grafana"; dataDir = "/nix/var/data/grafana";
settings = { settings = {
server = { server = { domain = "grafana.${config.networking.domain}"; };
domain = "grafana.${config.networking.domain}"; security.admin_password =
}; "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
security.admin_password = "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
}; };
provision = { provision = {
enable = true; enable = true;
@ -25,23 +26,25 @@
{ {
name = "Prometheus"; name = "Prometheus";
type = "prometheus"; type = "prometheus";
url = "http://127.0.0.1:${toString config.services.prometheus.port}"; url =
"http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true; isDefault = true;
} }
{ {
name = "Loki"; name = "Loki";
type = "loki"; type = "loki";
access = "proxy"; access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}"; url = "http://127.0.0.1:${
toString
config.services.loki.configuration.server.http_listen_port
}";
} }
]; ];
}; };
dashboards.settings.providers = [ dashboards.settings.providers = [{
{
name = "Config"; name = "Config";
options.path = ./dashboards; options.path = ./dashboards;
} }];
];
}; };
}; };
@ -53,7 +56,9 @@
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; proxyPass = "http://127.0.0.1:${
toString config.services.grafana.settings.server.http_port
}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -68,9 +73,15 @@
job_name = "node"; job_name = "node";
static_configs = [{ static_configs = [{
targets = [ targets = [
"10.0.2.3:${toString config.services.prometheus.exporters.node.port}" "10.0.2.3:${
"10.0.1.1:${toString config.services.prometheus.exporters.node.port}" toString config.services.prometheus.exporters.node.port
"10.0.1.11:${toString config.services.prometheus.exporters.node.port}" }"
"10.0.1.1:${
toString config.services.prometheus.exporters.node.port
}"
"10.0.1.11:${
toString config.services.prometheus.exporters.node.port
}"
]; ];
}]; }];
} }
@ -78,18 +89,16 @@
job_name = "synapse"; job_name = "synapse";
scrape_interval = "15s"; scrape_interval = "15s";
metrics_path = "/_synapse/metrics"; metrics_path = "/_synapse/metrics";
static_configs = [{ static_configs = [{ targets = [ "10.0.1.1:9000" ]; }];
targets = [
"10.0.1.1:9000"
];
}];
} }
{ {
job_name = "dmarc"; job_name = "dmarc";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [{ static_configs = [{
targets = [ targets = [
"10.0.2.3:${toString config.services.prometheus.exporters.dmarc.port}" "10.0.2.3:${
toString config.services.prometheus.exporters.dmarc.port
}"
]; ];
}]; }];
} }
@ -109,9 +118,7 @@
lifecycler = { lifecycler = {
address = "127.0.0.1"; address = "127.0.0.1";
ring = { ring = {
kvstore = { kvstore = { store = "inmemory"; };
store = "inmemory";
};
replication_factor = 1; replication_factor = 1;
}; };
}; };
@ -122,9 +129,7 @@
max_transfer_retries = 0; max_transfer_retries = 0;
}; };
limits_config = { limits_config = { ingestion_rate_mb = 16; };
ingestion_rate_mb = 16;
};
schema_config = { schema_config = {
configs = [{ configs = [{
@ -141,7 +146,8 @@
storage_config = { storage_config = {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "${config.services.loki.dataDir}/boltdb-index"; active_index_directory =
"${config.services.loki.dataDir}/boltdb-index";
cache_location = "${config.services.loki.dataDir}/boltdb-cache"; cache_location = "${config.services.loki.dataDir}/boltdb-cache";
cache_ttl = "24h"; cache_ttl = "24h";
shared_store = "filesystem"; shared_store = "filesystem";
@ -157,9 +163,7 @@
reject_old_samples_max_age = "168h"; reject_old_samples_max_age = "168h";
}; };
chunk_store_config = { chunk_store_config = { max_look_back_period = "0s"; };
max_look_back_period = "0s";
};
table_manager = { table_manager = {
retention_deletes_enabled = false; retention_deletes_enabled = false;
@ -169,19 +173,11 @@
compactor = { compactor = {
working_directory = "${config.services.loki.dataDir}"; working_directory = "${config.services.loki.dataDir}";
shared_store = "filesystem"; shared_store = "filesystem";
compactor_ring = { compactor_ring = { kvstore = { store = "inmemory"; }; };
kvstore = {
store = "inmemory";
};
};
}; };
analytics = { analytics = { reporting_enabled = false; };
reporting_enabled = false;
}; };
}; };
}; };
} }
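Review bot: The `node` scrape job builds its three targets by repeating `config.services.prometheus.exporters.node.port`, which is this host's own exporter port used to address 10.0.2.3, 10.0.1.1 and 10.0.1.11; that only stays correct while every scraped host keeps the same port, and the repetition is what forced the three-line wraps in that hunk. A single expression reads better and makes the coupling visible: `targets = map (ip: "${ip}:${toString config.services.prometheus.exporters.node.port}") [ "10.0.2.3" "10.0.1.1" "10.0.1.11" ];`. A one-line comment above it stating that the port is assumed identical on all three hosts would help the next reader. The `dmarc` job two hunks further down uses the same pattern with a single target.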


@ -1,11 +1,15 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
{ let cfg = config.custom.services.jellyfin;
services.jellyfin = { in {
enable = true; options.custom.services.jellyfin = {
enable = lib.mkEnableOption "jellyfin";
}; };
systemd.services.jellyfin.serviceConfig.ExecStart = config = lib.mkIf cfg.enable {
lib.mkOverride 10 "${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'"; services.jellyfin = { enable = true; };
systemd.services.jellyfin.serviceConfig.ExecStart = lib.mkOverride 10
"${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'";
services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = { services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = {
enableACME = true; enableACME = true;
@ -35,4 +39,5 @@
''; '';
}; };
}; };
};
} }
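Review bot: `lib.mkOverride 10` on `ExecStart` replaces the upstream unit's command line entirely, so any flag the nixpkgs jellyfin module adds or changes later is silently dropped on this host; a short comment stating why the override exists (custom `--datadir`/`--cachedir` locations under /nix/var and /var/cache) would make that trade-off visible. If the pinned nixpkgs jellyfin module exposes `services.jellyfin.dataDir`/`cacheDir` options, prefer them over the ExecStart override — I cannot tell from the hunk which nixpkgs revision is in use.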


@ -1,8 +1,14 @@
{ pkgs, lib, config, ... }: { { pkgs, config, lib, ... }:
let cfg = config.custom.services.jitsi;
in {
options.custom.services.jitsi = { enable = lib.mkEnableOption "jitsi"; };
config = lib.mkIf cfg.enable {
services.jitsi-meet = { services.jitsi-meet = {
enable = true; enable = true;
hostName = "jitsi.froidmont.org"; hostName = "jitsi.froidmont.org";
interfaceConfig = { RECENT_LIST_ENABLED = false; }; interfaceConfig = { RECENT_LIST_ENABLED = false; };
}; };
services.jitsi-videobridge.openFirewall = true; services.jitsi-videobridge.openFirewall = true;
};
} }
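Review bot: `hostName = "jitsi.froidmont.org";` is hard-coded while the sibling modules in this commit derive their vhost names from `config.networking.domain` (grafana and jellyfin, for example); `hostName = "jitsi.${config.networking.domain}";` would keep the module host-independent now that it is imported on every host. Also note that `services.jitsi-videobridge.openFirewall = true;` now applies wherever the option is enabled, so a host that turns on `custom.services.jitsi` also opens the videobridge media port on all interfaces — a one-line comment next to it would keep that from being a surprise.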


@ -1,182 +0,0 @@
{ config, lib, pkgs, ... }: {
sops.secrets = {
paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
eliosPassword = { key = "email/accounts_passwords/elios"; };
mariePassword = { key = "email/accounts_passwords/marie"; };
alicePassword = { key = "email/accounts_passwords/alice"; };
monitPassword = { key = "email/accounts_passwords/monit"; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
};
mailserver = {
enable = true;
fqdn = "mail.banditlair.com";
domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
localDnsResolver = false;
enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail";
sieveDirectory = "/nix/var/data/sieve";
lmtpSaveToDetailMailbox = "no";
policydSPFExtraConfig = ''
Domain_Whitelist = skynet.be
'';
loginAccounts = {
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
aliases = [
"osteopathie@froidmont.org"
"communication@froidmont.org"
"crelan.communication@froidmont.org"
"kerger.communication@froidmont.org"
"3arcs.communication@froidmont.org"
"7days.communication@froidmont.org"
"ulb.communication@froidmont.org"
"baijot.communication@froidmont.org"
"alltrails.communication@froidmont.org"
"alltricks.communication@froidmont.org"
"amazon.communication@froidmont.org"
"athletv.communication@froidmont.org"
"bebecenter.communication@froidmont.org"
"canyon.communication@froidmont.org"
"cbc.communication@froidmont.org"
"coursulb.communication@froidmont.org"
"decathlon.communication@froidmont.org"
"degiro.communication@froidmont.org"
"delogne.communication@froidmont.org"
"diagnosteo.communication@froidmont.org"
"haptis.communication@froidmont.org"
"fortis.communication@froidmont.org"
"fox.communication@froidmont.org"
"vandenborre.communication@froidmont.org"
"swissquote.communication@froidmont.org"
"belso.communication@froidmont.org"
"hibike.communication@froidmont.org"
"giromedical.communication@froidmont.org"
"gymna.communication@froidmont.org"
"hotmail.communication@froidmont.org"
"hubo.communication@froidmont.org"
"infopixel.communication@froidmont.org"
"jysk.communication@froidmont.org"
"kerger.communication@froidmont.org"
"ldlc.communication@froidmont.org"
"location.communication@froidmont.org"
"mainslibres.communication@froidmont.org"
"vistaprint.communication@froidmont.org"
"solidaris.communication@froidmont.org"
"coulon.communication@froidmont.org"
"vlan.communication@froidmont.org"
"hotel.communication@froidmont.org"
"medipost.communication@froidmont.org"
"proximus.communication@froidmont.org"
"marie.communication@froidmont.org"
"tuxedo.communication@froidmont.org"
"corine.wallaux.communication@froidmont.org"
"maziers.communication@froidmont.org"
"miliboo.communication@froidmont.org"
"nike.communication@froidmont.org"
"partena.communication@froidmont.org"
"payconiq.communication@froidmont.org"
"plumart.communication@froidmont.org"
"probikeshop.communication@froidmont.org"
"ring.communication@froidmont.org"
"teams.communication@froidmont.org"
"trail.communication@froidmont.org"
"wikiloc.communication@froidmont.org"
"udemy.communication@froidmont.org"
];
};
"alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path;
};
"elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path;
aliases = [
"webshit@banditlair.com"
"outlook-pascal@banditlair.com"
"nexusmods.webshit@banditlair.com"
"pizza.webshit@banditlair.com"
"fnac.webshit@banditlair.com"
"paypal.webshit@banditlair.com"
"zooplus.webshit@banditlair.com"
"event.webshit@banditlair.com"
"reservation.webshit@banditlair.com"
"netflix.webshit@banditlair.com"
"jvc.webshit@banditlair.com"
"kickstarter.webshit@banditlair.com"
"vpn.webshit@banditlair.com"
"VOO.WEBSHIT@banditlair.com"
"proximus.webshit@banditlair.com"
"post.webshit@banditlair.com"
"ikea.webshit@banditlair.com"
"microsoft.webshit@banditlair.com"
"zerotier.webshit@banditlair.com"
"athome.webshit@banditlair.com"
"nordvpn.webshit@banditlair.com"
"sncf.webshit@banditlair.com"
"paradox.webshit@banditlair.com"
"oracle.webshit@banditlair.com"
"kinepolis.webshit@banditlair.com"
"leboncoin.webshit@banditlair.com"
"wondercraft.webshit@banditlair.com"
"petitvapoteur.webshit@banditlair.com"
"ryanair.webshit@banditlair.com"
"europapark.webshit@banditlair.com"
"Tricount.webshit@banditlair.com"
"huawei.webshit@banditlair.com"
"facebook.webshit@banditlair.com"
"roll20.webshit@banditlair.com"
"drivethrurpg.webshit@banditlair.com"
"chrono24.webshit@banditlair.com"
"emby.webshit@banditlair.com"
"amazon.webshit@banditlair.com"
"steam.webshit@banditlair.com"
"tinder.webshit@banditlair.com"
];
};
"monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true;
};
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
};
extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com";
"postmaster@banditlair.com" = "paultrial@banditlair.com";
"abuse@banditlair.com" = "paultrial@banditlair.com";
"info@froidmont.org" = "paultrial@banditlair.com";
"postmaster@froidmont.org" = "paultrial@banditlair.com";
"abuse@froidmont.org" = "paultrial@banditlair.com";
"info@falbo.fr" = "paultrial@banditlair.com";
"postmaster@falbo.fr" = "paultrial@banditlair.com";
"abuse@falbo.fr" = "paultrial@banditlair.com";
#Catch all
"@banditlair.com" = "paultrial@banditlair.com";
"@froidmont.org" = "paultrial@banditlair.com";
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = "acme-nginx";
};
}


@ -1,6 +1,9 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
{ let cfg = config.custom.services.monero;
in {
options.custom.services.monero = { enable = lib.mkEnableOption "monero"; };
config = lib.mkIf cfg.enable {
services.monero = { services.monero = {
enable = true; enable = true;
rpc.restricted = true; rpc.restricted = true;
@ -17,5 +20,5 @@
''; '';
}; };
}; };
};
} }


@ -1,5 +1,11 @@
{ config, lib, ... }: { config, lib, ... }:
{ let cfg = config.custom.services.monitoring-exporters;
in {
options.custom.services.monitoring-exporters = {
enable = lib.mkEnableOption "monitoring-exporters";
};
config = lib.mkIf cfg.enable {
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {
@ -16,9 +22,7 @@
http_listen_port = 3101; http_listen_port = 3101;
grpc_listen_port = 0; grpc_listen_port = 0;
}; };
clients = [{ clients = [{ url = "http://10.0.2.3:3100/loki/api/v1/push"; }];
url = "http://10.0.2.3:3100/loki/api/v1/push";
}];
scrape_configs = [ scrape_configs = [
{ {
job_name = "journal"; job_name = "journal";
@ -36,16 +40,14 @@
} }
(lib.mkIf config.services.nginx.enable { (lib.mkIf config.services.nginx.enable {
job_name = "nginx"; job_name = "nginx";
static_configs = [ static_configs = [{
{
targets = [ "localhost" ]; targets = [ "localhost" ];
labels = { labels = {
job = "nginx"; job = "nginx";
host = "${config.networking.hostName}"; host = "${config.networking.hostName}";
__path__ = "/var/log/nginx/*.log"; __path__ = "/var/log/nginx/*.log";
}; };
} }];
];
}) })
]; ];
}; };
@ -55,7 +57,5 @@
ReadOnlyPaths = lib.mkIf config.services.nginx.enable "/var/log/nginx"; ReadOnlyPaths = lib.mkIf config.services.nginx.enable "/var/log/nginx";
SupplementaryGroups = lib.mkIf config.services.nginx.enable [ "nginx" ]; SupplementaryGroups = lib.mkIf config.services.nginx.enable [ "nginx" ];
}; };
};
} }
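Review bot: `host = "${config.networking.hostName}";` in the nginx scrape labels wraps a string in an interpolation for no effect; `host = config.networking.hostName;` is the idiomatic form. The Loki push endpoint `http://10.0.2.3:3100/loki/api/v1/push` is also the hard-coded address and plain-HTTP port of the Loki instance configured in grafana.nix, so the two modules now share an implicit contract; a comment naming that dependency (or a shared constant) would make it findable when either side moves. Whether 10.0.2.3 is reachable only over a private link is not visible in the hunk.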


@ -1,15 +1,9 @@
{ config, lib, ... }: { config, lib, ... }:
with lib; let cfg = config.custom.services.murmur;
let in {
cfg = config.custom.services.murmur; options.custom.services.murmur = { enable = lib.mkEnableOption "murmur"; };
in
{
options.custom.services.murmur = {
enable = mkEnableOption "murmur";
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
sops.secrets.murmurEnvFile = { sops.secrets.murmurEnvFile = {
owner = config.systemd.services.murmur.serviceConfig.User; owner = config.systemd.services.murmur.serviceConfig.User;
key = "murmur.env"; key = "murmur.env";


@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.custom.services.nextcloud;
uidFile = pkgs.writeText "uidfile" '' uidFile = pkgs.writeText "uidfile" ''
nextcloud:993 nextcloud:993
''; '';
@ -7,6 +8,11 @@ let
nextcloud:991 nextcloud:991
''; '';
in { in {
options.custom.services.nextcloud = {
enable = lib.mkEnableOption "nextcloud";
};
config = lib.mkIf cfg.enable {
sops.secrets = { sops.secrets = {
sshfsKey = { key = "sshfs_keys/private"; }; sshfsKey = { key = "sshfs_keys/private"; };
nextcloudDbPassword = { nextcloudDbPassword = {
@ -42,7 +48,8 @@ in {
]; ];
in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data " in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data "
+ "/var/lib/nextcloud/data -o ${options}"; + "/var/lib/nextcloud/data -o ${options}";
ExecStopPost = "-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data"; ExecStopPost =
"-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
KillMode = "process"; KillMode = "process";
}; };
}; };
@ -88,4 +95,5 @@ in {
catch_workers_output = "yes"; catch_workers_output = "yes";
}; };
}; };
};
} }
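Review bot: The sshfs `ExecStart` mounts `www-data@10.0.2.3:/nix/var/data/nextcloud/data` with an `options` list bound above the hunk, so the host-key policy of that mount is not visible here; since the key from `sops.secrets.sshfsKey` gives this unit write access to the data directory, confirm the options pin the remote host key (a fixed `UserKnownHostsFile`) rather than relaxing `StrictHostKeyChecking`. A comment on the `options` binding stating which policy is used would save the next reader the lookup. The enclosing `systemd.services` definition starts before the hunk.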


@ -1,5 +1,9 @@
{ pkgs, lib, config, ... }: { config, lib, ... }:
{ let cfg = config.custom.services.nginx;
in {
options.custom.services.nginx = { enable = lib.mkEnableOption "nginx"; };
config = lib.mkIf cfg.enable {
security.acme.defaults.email = "letsencrypt.account@banditlair.com"; security.acme.defaults.email = "letsencrypt.account@banditlair.com";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge"; security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@ -12,4 +16,5 @@
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
}; };
};
} }
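Review bot: Now that nginx is behind `custom.services.nginx.enable`, the other modules in this commit that add `services.nginx.virtualHosts` entries (jellyfin, grafana, binary-cache, synapse, and others) do not declare that dependency, so a host enabling one of them without `custom.services.nginx.enable = true;` gets a vhost and ACME certificate that are never served, with no evaluation error. Consider adding to each such module's `config` block `assertions = [{ assertion = config.services.nginx.enable; message = "custom.services.<name> requires nginx"; }];`, where `<name>` is a placeholder for the module's own option name. Alternatively each of those modules could set `custom.services.nginx.enable = lib.mkDefault true;`, but that weakens the host-level opt-in this commit introduces.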


@ -1,5 +1,11 @@
{ config, lib, pkgs, ... }: { { config, lib, pkgs, ... }:
let cfg = config.custom.services.postgresql;
in {
options.custom.services.postgresql = {
enable = lib.mkEnableOption "postgresql";
};
config = lib.mkIf cfg.enable {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_15; package = pkgs.postgresql_15;
@ -84,4 +90,5 @@
RemainAfterExit = true; RemainAfterExit = true;
}; };
}; };
};
} }


@ -1,6 +1,11 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
{ let cfg = config.custom.services.roundcube;
in {
options.custom.services.roundcube = {
enable = lib.mkEnableOption "roundcube";
};
config = lib.mkIf cfg.enable {
sops.secrets = { sops.secrets = {
pgPassFile = { pgPassFile = {
owner = "nginx"; owner = "nginx";
@ -24,7 +29,6 @@
passwordFile = config.sops.secrets.pgPassFile.path; passwordFile = config.sops.secrets.pgPassFile.path;
}; };
extraConfig = '' extraConfig = ''
# This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file # This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
$password = file_get_contents('${config.sops.secrets.dbPassword.path}'); $password = file_get_contents('${config.sops.secrets.dbPassword.path}');
@ -39,4 +43,5 @@
$config['managesieve_auth_type'] = 'PLAIN'; $config['managesieve_auth_type'] = 'PLAIN';
''; '';
}; };
};
} }


@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }: { pkgs, config, lib, ... }:
let let
cfg = config.custom.services.stb;
uploadWordpressConfig = pkgs.writeText "upload.ini" '' uploadWordpressConfig = pkgs.writeText "upload.ini" ''
file_uploads = On file_uploads = On
memory_limit = 64M memory_limit = 64M
@ -7,8 +8,10 @@ let
post_max_size = 64M post_max_size = 64M
max_execution_time = 600 max_execution_time = 600
''; '';
in in {
{ options.custom.services.stb = { enable = lib.mkEnableOption "stb"; };
config = lib.mkIf cfg.enable {
systemd.services.init-stb-network = { systemd.services.init-stb-network = {
description = "Create the network bridge stb-br for wordpress."; description = "Create the network bridge stb-br for wordpress.";
after = [ "network.target" ]; after = [ "network.target" ];
@ -17,8 +20,7 @@ in
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker"; let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in in ''
''
# Put a true at the end to prevent getting non-zero return code, which will # Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service. # crash the whole service.
check=$(${dockercli} network ls | grep "stb-br" || true) check=$(${dockercli} network ls | grep "stb-br" || true)
@ -61,8 +63,7 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = { proxyPass = "http://127.0.0.1:8180"; };
proxyPass = "http://127.0.0.1:8180";
}; };
}; };
} }
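Review bot: `check=$(${dockercli} network ls | grep "stb-br" || true)` tests for the bridge by substring, so any network whose name merely contains `stb-br` (one named `stb-bridge`, say) would suppress creation and the service would proceed without its own network. `${dockercli} network inspect stb-br >/dev/null 2>&1` is an exact-name check that exits non-zero when the network is absent, which also removes the need for the `|| true` guard. The script body continues past the end of the hunk, so the branch that consumes `$check` is not visible here.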


@ -1,10 +1,10 @@
{ pkgs, lib, config, ... }: { pkgs, config, lib, ... }:
let let
fqdn = cfg = config.custom.services.synapse;
let fqdn = let
join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}"; join = hostName: domain:
in hostName + lib.optionalString (domain != null) ".${domain}";
join "matrix" config.networking.domain; in join "matrix" config.networking.domain;
synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" '' synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" ''
database: database:
name: psycopg2 name: psycopg2
@ -24,8 +24,10 @@ let
macaroon_secret_key: "MACAROON_SECRET_KEY" macaroon_secret_key: "MACAROON_SECRET_KEY"
turn_shared_secret: "TURN_SHARED_SECRET" turn_shared_secret: "TURN_SHARED_SECRET"
''; '';
in in {
{ options.custom.services.synapse = { enable = lib.mkEnableOption "synapse"; };
config = lib.mkIf cfg.enable {
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {
# This host section can be placed on a different host than the rest, # This host section can be placed on a different host than the rest,
@ -36,25 +38,21 @@ in
forceSSL = true; forceSSL = true;
# acmeFallbackHost = "storage1.banditlair.com"; # acmeFallbackHost = "storage1.banditlair.com";
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig = let
let
# use 443 instead of the default 8448 port to unite # use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity # the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; }; server = { "m.server" = "${fqdn}:443"; };
in in ''
''
add_header Content-Type application/json; add_header Content-Type application/json;
return 200 '${builtins.toJSON server}'; return 200 '${builtins.toJSON server}';
''; '';
locations."= /.well-known/matrix/client".extraConfig = locations."= /.well-known/matrix/client".extraConfig = let
let
client = { client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; }; "m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; }; "m.identity_server" = { "base_url" = "https://vector.im"; };
}; };
# ACAO required to allow element-web on any URL to request this json file # ACAO required to allow element-web on any URL to request this json file
in in ''
''
add_header Content-Type application/json; add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}'; return 200 '${builtins.toJSON client}';
@ -144,12 +142,10 @@ in
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ resources = [{
{
names = [ "client" "federation" ]; names = [ "client" "federation" ];
compress = false; compress = false;
} }];
];
} }
{ {
port = 9000; port = 9000;
@ -167,7 +163,10 @@ in
}; };
}; };
turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ]; turn_uris = [
"turn:${realm}:3478?transport=udp"
"turn:${realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h"; turn_user_lifetime = "1h";
}; };
dataDir = "/nix/var/data/matrix-synapse"; dataDir = "/nix/var/data/matrix-synapse";
@ -215,23 +214,21 @@ in
''; '';
}; };
networking.firewall = networking.firewall = let
let
range = with config.services.coturn; [{ range = with config.services.coturn; [{
from = min-port; from = min-port;
to = max-port; to = max-port;
}]; }];
in in {
{
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ]; allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range; allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ]; allowedTCPPorts = [ 3478 ];
}; };
security.acme.certs.${config.services.coturn.realm} = { security.acme.certs.${config.services.coturn.realm} = {
postRun = "systemctl restart coturn.service"; postRun = "systemctl restart coturn.service";
group = "turnserver"; group = "turnserver";
}; };
};
} }


@ -1,5 +1,11 @@
{ config, lib, pkgs, ... }: { { config, lib, pkgs, ... }:
let cfg = config.custom.services.torrents;
in {
options.custom.services.torrents = {
enable = lib.mkEnableOption "torrents";
};
config = lib.mkIf cfg.enable {
sops.secrets = { sops.secrets = {
vpnCredentials = { key = "openvpn/credentials"; }; vpnCredentials = { key = "openvpn/credentials"; };
transmissionRpcCredentials = { key = "transmission/rpc_config.json"; }; transmissionRpcCredentials = { key = "transmission/rpc_config.json"; };
@ -224,4 +230,5 @@
locations."/" = { proxyPass = "http://192.168.1.2:8686"; }; locations."/" = { proxyPass = "http://192.168.1.2:8686"; };
}; };
}; };
};
} }


@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.nginx.virtualHosts."osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
}


@ -1,16 +1,5 @@
{ config, lib, pkgs, ... }: { { config, lib, pkgs, ... }: {
imports = [ imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];
../environment.nix
../hardware/hcloud.nix
../modules
../modules/nginx.nix
../modules/synapse.nix
../modules/nextcloud.nix
../modules/dokuwiki.nix
../modules/website-marie.nix
../modules/roundcube.nix
../modules/monitoring-exporters.nix
];
sops.secrets = { sops.secrets = {
borgSshKey = { borgSshKey = {
@ -20,6 +9,7 @@
}; };
custom = { custom = {
services.backup-job = { services.backup-job = {
enable = true; enable = true;
repoName = "bk1"; repoName = "bk1";
@ -63,13 +53,15 @@
''; '';
}; };
services.nginx.enable = true;
services.dokuwiki.enable = true; services.dokuwiki.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.murmur.enable = true; services.murmur.enable = true;
services.mastodon.enable = false; services.mastodon.enable = false;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.monitoring-exporters.enable = true;
}; };
services.uptime-kuma = { services.uptime-kuma = {
@ -77,7 +69,14 @@
settings = { PORT = "3001"; }; settings = { PORT = "3001"; };
}; };
services.nginx.virtualHosts."uptime.froidmont.org" = { services.nginx.virtualHosts = {
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ]; serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -89,7 +88,7 @@
}; };
}; };
services.nginx.virtualHosts."www.fautlfer.com" = { "www.fautlfer.com" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -98,7 +97,7 @@
''; '';
}; };
services.nginx.virtualHosts."fautlfer.com" = { "fautlfer.com" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -106,6 +105,7 @@
return 302 https://blogz.zaclys.com/faut-l-fer/; return 302 https://blogz.zaclys.com/faut-l-fer/;
''; '';
}; };
};
networking.firewall.allowedTCPPorts = [ 80 443 64738 ]; networking.firewall.allowedTCPPorts = [ 80 443 64738 ];
networking.firewall.allowedUDPPorts = [ 64738 ]; networking.firewall.allowedUDPPorts = [ 64738 ];


@ -1,11 +1,5 @@
{ config, lib, pkgs, ... }: { { config, lib, pkgs, ... }: {
imports = [ imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];
../environment.nix
../hardware/hcloud.nix
../modules
../modules/postgresql.nix
../modules/monitoring-exporters.nix
];
networking.firewall.interfaces."eth1".allowedTCPPorts = [ networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
@ -35,6 +29,8 @@
}; };
services.openssh.enable = true; services.openssh.enable = true;
services.postgresql.enable = true;
services.monitoring-exporters.enable = true;
}; };
} }


@ -3,17 +3,6 @@
../environment.nix ../environment.nix
../hardware/hetzner-dedicated-storage1.nix ../hardware/hetzner-dedicated-storage1.nix
../modules ../modules
../modules/openssh.nix
../modules/mailserver.nix
../modules/nginx.nix
../modules/jellyfin.nix
../modules/stb.nix
../modules/monero.nix
../modules/torrents.nix
../modules/jitsi.nix
../modules/binary-cache.nix
../modules/grafana.nix
../modules/monitoring-exporters.nix
]; ];
sops.secrets = { sops.secrets = {
@ -23,6 +12,17 @@
}; };
nixCacheKey = { key = "nix/cache_secret_key"; }; nixCacheKey = { key = "nix/cache_secret_key"; };
dmarcExporterPassword = { key = "dmarc_exporter/password"; }; dmarcExporterPassword = { key = "dmarc_exporter/password"; };
paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
eliosPassword = { key = "email/accounts_passwords/elios"; };
mariePassword = { key = "email/accounts_passwords/marie"; };
alicePassword = { key = "email/accounts_passwords/alice"; };
monitPassword = { key = "email/accounts_passwords/monit"; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
}; };
custom = { custom = {
@ -95,8 +95,80 @@
''; '';
}; };
services.nginx.enable = true;
services.gitlab-runner.enable = true; services.gitlab-runner.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.jellyfin.enable = true;
services.stb.enable = true;
services.monero.enable = true;
services.torrents.enable = true;
services.jitsi.enable = true;
services.grafana.enable = true;
services.monitoring-exporters.enable = true;
};
mailserver = {
enable = true;
fqdn = "mail.banditlair.com";
domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
localDnsResolver = false;
enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail";
sieveDirectory = "/nix/var/data/sieve";
lmtpSaveToDetailMailbox = "no";
policydSPFExtraConfig = ''
Domain_Whitelist = skynet.be
'';
loginAccounts = {
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
aliases = [ "osteopathie@froidmont.org" "communication@froidmont.org" ];
};
"alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path;
};
"elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path;
aliases = [ "webshit@banditlair.com" "outlook-pascal@banditlair.com" ];
};
"monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true;
};
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
};
extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com";
"postmaster@banditlair.com" = "paultrial@banditlair.com";
"abuse@banditlair.com" = "paultrial@banditlair.com";
"info@froidmont.org" = "paultrial@banditlair.com";
"postmaster@froidmont.org" = "paultrial@banditlair.com";
"abuse@froidmont.org" = "paultrial@banditlair.com";
"info@falbo.fr" = "paultrial@banditlair.com";
"postmaster@falbo.fr" = "paultrial@banditlair.com";
"abuse@falbo.fr" = "paultrial@banditlair.com";
#Catch all
"@banditlair.com" = "paultrial@banditlair.com";
"@froidmont.org" = "paultrial@banditlair.com";
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = "acme-nginx";
}; };
services.prometheus.exporters.dmarc = { services.prometheus.exporters.dmarc = {