phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Finish migration to NixOS modules

Browse source
This commit is contained in:
Paul-Henri Froidmont 2024-03-26 23:37:53 +01:00
parent aef5eabce5
commit d944e36197
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
21 changed files with 1071 additions and 1151 deletions
Download patch file Download diff file Expand all files Collapse all files

20
modules/binary-cache.nix
View file

@ -1,20 +1,14 @@
{ config, lib, ... }:
with lib;
let
cfg = config.custom.services.binary-cache;
in
{
let cfg = config.custom.services.binary-cache;
in {
options.custom.services.binary-cache = {
enable = mkEnableOption "binary-cache";
enable = lib.mkEnableOption "binary-cache";
secretKeyFile = mkOption {
type = types.path;
};
secretKeyFile = lib.mkOption { type = lib.types.path; };
};
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
services.nix-serve = {
enable = true;
port = 1500;
@ -29,7 +23,9 @@ in
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
proxy_pass http://localhost:${
toString config.services.nix-serve.port
};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

17
modules/default.nix
View file

@ -1,5 +1,4 @@
{ config, pkgs, ... }:
{
{ config, pkgs, ... }: {
imports = [
./backup-job.nix
./monit.nix
@ -7,5 +6,19 @@
./openssh.nix
./murmur.nix
./mastodon.nix
./nginx.nix
./jellyfin.nix
./stb.nix
./monero.nix
./torrents.nix
./jitsi.nix
./binary-cache.nix
./grafana.nix
./monitoring-exporters.nix
./synapse.nix
./nextcloud.nix
./roundcube.nix
./dokuwiki.nix
./postgresql.nix
];
}

7
modules/dokuwiki.nix
View file

@ -1,5 +1,4 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.custom.services.dokuwiki;
@ -47,11 +46,11 @@ let
in {
options.custom.services.dokuwiki = {
enable = mkEnableOption "dokuwiki";
enable = lib.mkEnableOption "dokuwiki";
secretKeyFile = mkOption { type = types.path; };
secretKeyFile = lib.mkOption { type = lib.types.path; };
};
config = mkIf cfg.enable
config = lib.mkIf cfg.enable
(lib.mkMerge [ (configureWiki "anderia") (configureWiki "arkadia") ]);
}

82
modules/grafana.nix
View file

@ -1,6 +1,9 @@
{ config, ... }:
{
{ config, lib, ... }:
let cfg = config.custom.services.grafana;
in {
options.custom.services.grafana = { enable = lib.mkEnableOption "grafana"; };
config = lib.mkIf cfg.enable {
sops.secrets = {
grafanaAdminPassword = {
owner = config.users.users.grafana.name;
@ -8,15 +11,13 @@
};
};
services.grafana = {
enable = true;
dataDir = "/nix/var/data/grafana";
settings = {
server = {
domain = "grafana.${config.networking.domain}";
};
security.admin_password = "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
server = { domain = "grafana.${config.networking.domain}"; };
security.admin_password =
"$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
};
provision = {
enable = true;
@ -25,23 +26,25 @@
{
name = "Prometheus";
type = "prometheus";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
url =
"http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
url = "http://127.0.0.1:${
toString
config.services.loki.configuration.server.http_listen_port
}";
}
];
};
dashboards.settings.providers = [
{
dashboards.settings.providers = [{
name = "Config";
options.path = ./dashboards;
}
];
}];
};
};
@ -53,7 +56,9 @@
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyPass = "http://127.0.0.1:${
toString config.services.grafana.settings.server.http_port
}";
proxyWebsockets = true;
};
};
@ -68,9 +73,15 @@
job_name = "node";
static_configs = [{
targets = [
"10.0.2.3:${toString config.services.prometheus.exporters.node.port}"
"10.0.1.1:${toString config.services.prometheus.exporters.node.port}"
"10.0.1.11:${toString config.services.prometheus.exporters.node.port}"
"10.0.2.3:${
toString config.services.prometheus.exporters.node.port
}"
"10.0.1.1:${
toString config.services.prometheus.exporters.node.port
}"
"10.0.1.11:${
toString config.services.prometheus.exporters.node.port
}"
];
}];
}
@ -78,18 +89,16 @@
job_name = "synapse";
scrape_interval = "15s";
metrics_path = "/_synapse/metrics";
static_configs = [{
targets = [
"10.0.1.1:9000"
];
}];
static_configs = [{ targets = [ "10.0.1.1:9000" ]; }];
}
{
job_name = "dmarc";
scrape_interval = "15s";
static_configs = [{
targets = [
"10.0.2.3:${toString config.services.prometheus.exporters.dmarc.port}"
"10.0.2.3:${
toString config.services.prometheus.exporters.dmarc.port
}"
];
}];
}
@ -109,9 +118,7 @@
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
kvstore = { store = "inmemory"; };
replication_factor = 1;
};
};
@ -122,9 +129,7 @@
max_transfer_retries = 0;
};
limits_config = {
ingestion_rate_mb = 16;
};
limits_config = { ingestion_rate_mb = 16; };
schema_config = {
configs = [{
@ -141,7 +146,8 @@
storage_config = {
boltdb_shipper = {
active_index_directory = "${config.services.loki.dataDir}/boltdb-index";
active_index_directory =
"${config.services.loki.dataDir}/boltdb-index";
cache_location = "${config.services.loki.dataDir}/boltdb-cache";
cache_ttl = "24h";
shared_store = "filesystem";
@ -157,9 +163,7 @@
reject_old_samples_max_age = "168h";
};
chunk_store_config = {
max_look_back_period = "0s";
};
chunk_store_config = { max_look_back_period = "0s"; };
table_manager = {
retention_deletes_enabled = false;
@ -169,19 +173,11 @@
compactor = {
working_directory = "${config.services.loki.dataDir}";
shared_store = "filesystem";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
compactor_ring = { kvstore = { store = "inmemory"; }; };
};
analytics = {
reporting_enabled = false;
analytics = { reporting_enabled = false; };
};
};
};
}

17
modules/jellyfin.nix
View file

@ -1,11 +1,15 @@
{ config, lib, pkgs, ... }:
{
services.jellyfin = {
enable = true;
{ config, lib, ... }:
let cfg = config.custom.services.jellyfin;
in {
options.custom.services.jellyfin = {
enable = lib.mkEnableOption "jellyfin";
};
systemd.services.jellyfin.serviceConfig.ExecStart =
lib.mkOverride 10 "${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'";
config = lib.mkIf cfg.enable {
services.jellyfin = { enable = true; };
systemd.services.jellyfin.serviceConfig.ExecStart = lib.mkOverride 10
"${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'";
services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = {
enableACME = true;
@ -35,4 +39,5 @@
'';
};
};
};
}

8
modules/jitsi.nix
View file

@ -1,8 +1,14 @@
{ pkgs, lib, config, ... }: {
{ pkgs, config, lib, ... }:
let cfg = config.custom.services.jitsi;
in {
options.custom.services.jitsi = { enable = lib.mkEnableOption "jitsi"; };
config = lib.mkIf cfg.enable {
services.jitsi-meet = {
enable = true;
hostName = "jitsi.froidmont.org";
interfaceConfig = { RECENT_LIST_ENABLED = false; };
};
services.jitsi-videobridge.openFirewall = true;
};
}

182
modules/mailserver.nix
View file

@ -1,182 +0,0 @@
{ config, lib, pkgs, ... }: {
sops.secrets = {
paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
eliosPassword = { key = "email/accounts_passwords/elios"; };
mariePassword = { key = "email/accounts_passwords/marie"; };
alicePassword = { key = "email/accounts_passwords/alice"; };
monitPassword = { key = "email/accounts_passwords/monit"; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
};
mailserver = {
enable = true;
fqdn = "mail.banditlair.com";
domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
localDnsResolver = false;
enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail";
sieveDirectory = "/nix/var/data/sieve";
lmtpSaveToDetailMailbox = "no";
policydSPFExtraConfig = ''
Domain_Whitelist = skynet.be
'';
loginAccounts = {
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
aliases = [
"osteopathie@froidmont.org"
"communication@froidmont.org"
"crelan.communication@froidmont.org"
"kerger.communication@froidmont.org"
"3arcs.communication@froidmont.org"
"7days.communication@froidmont.org"
"ulb.communication@froidmont.org"
"baijot.communication@froidmont.org"
"alltrails.communication@froidmont.org"
"alltricks.communication@froidmont.org"
"amazon.communication@froidmont.org"
"athletv.communication@froidmont.org"
"bebecenter.communication@froidmont.org"
"canyon.communication@froidmont.org"
"cbc.communication@froidmont.org"
"coursulb.communication@froidmont.org"
"decathlon.communication@froidmont.org"
"degiro.communication@froidmont.org"
"delogne.communication@froidmont.org"
"diagnosteo.communication@froidmont.org"
"haptis.communication@froidmont.org"
"fortis.communication@froidmont.org"
"fox.communication@froidmont.org"
"vandenborre.communication@froidmont.org"
"swissquote.communication@froidmont.org"
"belso.communication@froidmont.org"
"hibike.communication@froidmont.org"
"giromedical.communication@froidmont.org"
"gymna.communication@froidmont.org"
"hotmail.communication@froidmont.org"
"hubo.communication@froidmont.org"
"infopixel.communication@froidmont.org"
"jysk.communication@froidmont.org"
"kerger.communication@froidmont.org"
"ldlc.communication@froidmont.org"
"location.communication@froidmont.org"
"mainslibres.communication@froidmont.org"
"vistaprint.communication@froidmont.org"
"solidaris.communication@froidmont.org"
"coulon.communication@froidmont.org"
"vlan.communication@froidmont.org"
"hotel.communication@froidmont.org"
"medipost.communication@froidmont.org"
"proximus.communication@froidmont.org"
"marie.communication@froidmont.org"
"tuxedo.communication@froidmont.org"
"corine.wallaux.communication@froidmont.org"
"maziers.communication@froidmont.org"
"miliboo.communication@froidmont.org"
"nike.communication@froidmont.org"
"partena.communication@froidmont.org"
"payconiq.communication@froidmont.org"
"plumart.communication@froidmont.org"
"probikeshop.communication@froidmont.org"
"ring.communication@froidmont.org"
"teams.communication@froidmont.org"
"trail.communication@froidmont.org"
"wikiloc.communication@froidmont.org"
"udemy.communication@froidmont.org"
];
};
"alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path;
};
"elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path;
aliases = [
"webshit@banditlair.com"
"outlook-pascal@banditlair.com"
"nexusmods.webshit@banditlair.com"
"pizza.webshit@banditlair.com"
"fnac.webshit@banditlair.com"
"paypal.webshit@banditlair.com"
"zooplus.webshit@banditlair.com"
"event.webshit@banditlair.com"
"reservation.webshit@banditlair.com"
"netflix.webshit@banditlair.com"
"jvc.webshit@banditlair.com"
"kickstarter.webshit@banditlair.com"
"vpn.webshit@banditlair.com"
"VOO.WEBSHIT@banditlair.com"
"proximus.webshit@banditlair.com"
"post.webshit@banditlair.com"
"ikea.webshit@banditlair.com"
"microsoft.webshit@banditlair.com"
"zerotier.webshit@banditlair.com"
"athome.webshit@banditlair.com"
"nordvpn.webshit@banditlair.com"
"sncf.webshit@banditlair.com"
"paradox.webshit@banditlair.com"
"oracle.webshit@banditlair.com"
"kinepolis.webshit@banditlair.com"
"leboncoin.webshit@banditlair.com"
"wondercraft.webshit@banditlair.com"
"petitvapoteur.webshit@banditlair.com"
"ryanair.webshit@banditlair.com"
"europapark.webshit@banditlair.com"
"Tricount.webshit@banditlair.com"
"huawei.webshit@banditlair.com"
"facebook.webshit@banditlair.com"
"roll20.webshit@banditlair.com"
"drivethrurpg.webshit@banditlair.com"
"chrono24.webshit@banditlair.com"
"emby.webshit@banditlair.com"
"amazon.webshit@banditlair.com"
"steam.webshit@banditlair.com"
"tinder.webshit@banditlair.com"
];
};
"monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true;
};
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
};
extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com";
"postmaster@banditlair.com" = "paultrial@banditlair.com";
"abuse@banditlair.com" = "paultrial@banditlair.com";
"info@froidmont.org" = "paultrial@banditlair.com";
"postmaster@froidmont.org" = "paultrial@banditlair.com";
"abuse@froidmont.org" = "paultrial@banditlair.com";
"info@falbo.fr" = "paultrial@banditlair.com";
"postmaster@falbo.fr" = "paultrial@banditlair.com";
"abuse@falbo.fr" = "paultrial@banditlair.com";
#Catch all
"@banditlair.com" = "paultrial@banditlair.com";
"@froidmont.org" = "paultrial@banditlair.com";
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = "acme-nginx";
};
}

9
modules/monero.nix
View file

@ -1,6 +1,9 @@
{ config, lib, pkgs, ... }:
{
{ config, lib, ... }:
let cfg = config.custom.services.monero;
in {
options.custom.services.monero = { enable = lib.mkEnableOption "monero"; };
config = lib.mkIf cfg.enable {
services.monero = {
enable = true;
rpc.restricted = true;
@ -17,5 +20,5 @@
'';
};
};
};
}

22
modules/monitoring-exporters.nix
View file

@ -1,5 +1,11 @@
{ config, lib, ... }:
{
let cfg = config.custom.services.monitoring-exporters;
in {
options.custom.services.monitoring-exporters = {
enable = lib.mkEnableOption "monitoring-exporters";
};
config = lib.mkIf cfg.enable {
services.prometheus = {
exporters = {
node = {
@ -16,9 +22,7 @@
http_listen_port = 3101;
grpc_listen_port = 0;
};
clients = [{
url = "http://10.0.2.3:3100/loki/api/v1/push";
}];
clients = [{ url = "http://10.0.2.3:3100/loki/api/v1/push"; }];
scrape_configs = [
{
job_name = "journal";
@ -36,16 +40,14 @@
}
(lib.mkIf config.services.nginx.enable {
job_name = "nginx";
static_configs = [
{
static_configs = [{
targets = [ "localhost" ];
labels = {
job = "nginx";
host = "${config.networking.hostName}";
__path__ = "/var/log/nginx/*.log";
};
}
];
}];
})
];
};
@ -55,7 +57,5 @@
ReadOnlyPaths = lib.mkIf config.services.nginx.enable "/var/log/nginx";
SupplementaryGroups = lib.mkIf config.services.nginx.enable [ "nginx" ];
};
};
}

14
modules/murmur.nix
View file

@ -1,15 +1,9 @@
{ config, lib, ... }:
with lib;
let
cfg = config.custom.services.murmur;
in
{
options.custom.services.murmur = {
enable = mkEnableOption "murmur";
};
let cfg = config.custom.services.murmur;
in {
options.custom.services.murmur = { enable = lib.mkEnableOption "murmur"; };
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
sops.secrets.murmurEnvFile = {
owner = config.systemd.services.murmur.serviceConfig.User;
key = "murmur.env";

10
modules/nextcloud.nix
View file

@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }:
let
cfg = config.custom.services.nextcloud;
uidFile = pkgs.writeText "uidfile" ''
nextcloud:993
'';
@ -7,6 +8,11 @@ let
nextcloud:991
'';
in {
options.custom.services.nextcloud = {
enable = lib.mkEnableOption "nextcloud";
};
config = lib.mkIf cfg.enable {
sops.secrets = {
sshfsKey = { key = "sshfs_keys/private"; };
nextcloudDbPassword = {
@ -42,7 +48,8 @@ in {
];
in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data "
+ "/var/lib/nextcloud/data -o ${options}";
ExecStopPost = "-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
ExecStopPost =
"-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
KillMode = "process";
};
};
@ -88,4 +95,5 @@ in {
catch_workers_output = "yes";
};
};
};
}

9
modules/nginx.nix
View file

@ -1,5 +1,9 @@
{ pkgs, lib, config, ... }:
{
{ config, lib, ... }:
let cfg = config.custom.services.nginx;
in {
options.custom.services.nginx = { enable = lib.mkEnableOption "nginx"; };
config = lib.mkIf cfg.enable {
security.acme.defaults.email = "letsencrypt.account@banditlair.com";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
@ -12,4 +16,5 @@
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
};
}

9
modules/postgresql.nix
View file

@ -1,5 +1,11 @@
{ config, lib, pkgs, ... }: {
{ config, lib, pkgs, ... }:
let cfg = config.custom.services.postgresql;
in {
options.custom.services.postgresql = {
enable = lib.mkEnableOption "postgresql";
};
config = lib.mkIf cfg.enable {
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
@ -84,4 +90,5 @@
RemainAfterExit = true;
};
};
};
}

9
modules/roundcube.nix
View file

@ -1,6 +1,11 @@
{ pkgs, lib, config, ... }:
{
let cfg = config.custom.services.roundcube;
in {
options.custom.services.roundcube = {
enable = lib.mkEnableOption "roundcube";
};
config = lib.mkIf cfg.enable {
sops.secrets = {
pgPassFile = {
owner = "nginx";
@ -24,7 +29,6 @@
passwordFile = config.sops.secrets.pgPassFile.path;
};
extraConfig = ''
# This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
$password = file_get_contents('${config.sops.secrets.dbPassword.path}');
@ -39,4 +43,5 @@
$config['managesieve_auth_type'] = 'PLAIN';
'';
};
};
}

15
modules/stb.nix
View file

@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }:
{ pkgs, config, lib, ... }:
let
cfg = config.custom.services.stb;
uploadWordpressConfig = pkgs.writeText "upload.ini" ''
file_uploads = On
memory_limit = 64M
@ -7,8 +8,10 @@ let
post_max_size = 64M
max_execution_time = 600
'';
in
{
in {
options.custom.services.stb = { enable = lib.mkEnableOption "stb"; };
config = lib.mkIf cfg.enable {
systemd.services.init-stb-network = {
description = "Create the network bridge stb-br for wordpress.";
after = [ "network.target" ];
@ -17,8 +20,7 @@ in
serviceConfig.Type = "oneshot";
script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in
''
in ''
# Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service.
check=$(${dockercli} network ls | grep "stb-br" || true)
@ -61,8 +63,7 @@ in
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8180";
locations."/" = { proxyPass = "http://127.0.0.1:8180"; };
};
};
}

49
modules/synapse.nix
View file

@ -1,10 +1,10 @@
{ pkgs, lib, config, ... }:
{ pkgs, config, lib, ... }:
let
fqdn =
let
join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
in
join "matrix" config.networking.domain;
cfg = config.custom.services.synapse;
fqdn = let
join = hostName: domain:
hostName + lib.optionalString (domain != null) ".${domain}";
in join "matrix" config.networking.domain;
synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" ''
database:
name: psycopg2
@ -24,8 +24,10 @@ let
macaroon_secret_key: "MACAROON_SECRET_KEY"
turn_shared_secret: "TURN_SHARED_SECRET"
'';
in
{
in {
options.custom.services.synapse = { enable = lib.mkEnableOption "synapse"; };
config = lib.mkIf cfg.enable {
services.nginx = {
virtualHosts = {
# This host section can be placed on a different host than the rest,
@ -36,25 +38,21 @@ in
forceSSL = true;
# acmeFallbackHost = "storage1.banditlair.com";
locations."= /.well-known/matrix/server".extraConfig =
let
locations."= /.well-known/matrix/server".extraConfig = let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
@ -144,12 +142,10 @@ in
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
resources = [{
names = [ "client" "federation" ];
compress = false;
}
];
}];
}
{
port = 9000;
@ -167,7 +163,10 @@ in
};
};
turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ];
turn_uris = [
"turn:${realm}:3478?transport=udp"
"turn:${realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
};
dataDir = "/nix/var/data/matrix-synapse";
@ -215,23 +214,21 @@ in
'';
};
networking.firewall =
let
networking.firewall = let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
in
{
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ];
};
security.acme.certs.${config.services.coturn.realm} = {
postRun = "systemctl restart coturn.service";
group = "turnserver";
};
};
}

9
modules/torrents.nix
View file

@ -1,5 +1,11 @@
{ config, lib, pkgs, ... }: {
{ config, lib, pkgs, ... }:
let cfg = config.custom.services.torrents;
in {
options.custom.services.torrents = {
enable = lib.mkEnableOption "torrents";
};
config = lib.mkIf cfg.enable {
sops.secrets = {
vpnCredentials = { key = "openvpn/credentials"; };
transmissionRpcCredentials = { key = "transmission/rpc_config.json"; };
@ -224,4 +230,5 @@
locations."/" = { proxyPass = "http://192.168.1.2:8686"; };
};
};
};
}

8
modules/website-marie.nix
View file

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.nginx.virtualHosts."osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
}

36
profiles/backend.nix
View file

@ -1,16 +1,5 @@
{ config, lib, pkgs, ... }: {
imports = [
../environment.nix
../hardware/hcloud.nix
../modules
../modules/nginx.nix
../modules/synapse.nix
../modules/nextcloud.nix
../modules/dokuwiki.nix
../modules/website-marie.nix
../modules/roundcube.nix
../modules/monitoring-exporters.nix
];
imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];
sops.secrets = {
borgSshKey = {
@ -20,6 +9,7 @@
};
custom = {
services.backup-job = {
enable = true;
repoName = "bk1";
@ -63,13 +53,15 @@
'';
};
services.nginx.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true;
services.murmur.enable = true;
services.mastodon.enable = false;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.monitoring-exporters.enable = true;
};
services.uptime-kuma = {
@ -77,7 +69,14 @@
settings = { PORT = "3001"; };
};
services.nginx.virtualHosts."uptime.froidmont.org" = {
services.nginx.virtualHosts = {
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
@ -89,7 +88,7 @@
};
};
services.nginx.virtualHosts."www.fautlfer.com" = {
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
@ -98,7 +97,7 @@
'';
};
services.nginx.virtualHosts."fautlfer.com" = {
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
@ -106,6 +105,7 @@
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
networking.firewall.allowedTCPPorts = [ 80 443 64738 ];
networking.firewall.allowedUDPPorts = [ 64738 ];

10
profiles/db.nix
View file

@ -1,11 +1,5 @@
{ config, lib, pkgs, ... }: {
imports = [
../environment.nix
../hardware/hcloud.nix
../modules
../modules/postgresql.nix
../modules/monitoring-exporters.nix
];
imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ];
networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port
@ -35,6 +29,8 @@
};
services.openssh.enable = true;
services.postgresql.enable = true;
services.monitoring-exporters.enable = true;
};
}

94
profiles/storage.nix
View file

@ -3,17 +3,6 @@
../environment.nix
../hardware/hetzner-dedicated-storage1.nix
../modules
../modules/openssh.nix
../modules/mailserver.nix
../modules/nginx.nix
../modules/jellyfin.nix
../modules/stb.nix
../modules/monero.nix
../modules/torrents.nix
../modules/jitsi.nix
../modules/binary-cache.nix
../modules/grafana.nix
../modules/monitoring-exporters.nix
];
sops.secrets = {
@ -23,6 +12,17 @@
};
nixCacheKey = { key = "nix/cache_secret_key"; };
dmarcExporterPassword = { key = "dmarc_exporter/password"; };
paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
eliosPassword = { key = "email/accounts_passwords/elios"; };
mariePassword = { key = "email/accounts_passwords/marie"; };
alicePassword = { key = "email/accounts_passwords/alice"; };
monitPassword = { key = "email/accounts_passwords/monit"; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
};
custom = {
@ -95,8 +95,80 @@
'';
};
services.nginx.enable = true;
services.gitlab-runner.enable = true;
services.openssh.enable = true;
services.jellyfin.enable = true;
services.stb.enable = true;
services.monero.enable = true;
services.torrents.enable = true;
services.jitsi.enable = true;
services.grafana.enable = true;
services.monitoring-exporters.enable = true;
};
mailserver = {
enable = true;
fqdn = "mail.banditlair.com";
domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
localDnsResolver = false;
enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail";
sieveDirectory = "/nix/var/data/sieve";
lmtpSaveToDetailMailbox = "no";
policydSPFExtraConfig = ''
Domain_Whitelist = skynet.be
'';
loginAccounts = {
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
aliases = [ "osteopathie@froidmont.org" "communication@froidmont.org" ];
};
"alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path;
};
"elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path;
aliases = [ "webshit@banditlair.com" "outlook-pascal@banditlair.com" ];
};
"monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true;
};
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
};
extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com";
"postmaster@banditlair.com" = "paultrial@banditlair.com";
"abuse@banditlair.com" = "paultrial@banditlair.com";
"info@froidmont.org" = "paultrial@banditlair.com";
"postmaster@froidmont.org" = "paultrial@banditlair.com";
"abuse@froidmont.org" = "paultrial@banditlair.com";
"info@falbo.fr" = "paultrial@banditlair.com";
"postmaster@falbo.fr" = "paultrial@banditlair.com";
"abuse@falbo.fr" = "paultrial@banditlair.com";
#Catch all
"@banditlair.com" = "paultrial@banditlair.com";
"@froidmont.org" = "paultrial@banditlair.com";
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = "acme-nginx";
};
services.prometheus.exporters.dmarc = {