phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-24 21:26:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move everyting to hel1 except emails

Browse source
This commit is contained in:
Paul-Henri Froidmont 2024-12-10 11:39:55 +01:00
parent 0d3f1b4afc
commit f18644f8a1
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
18 changed files with 476 additions and 448 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.nix
View file

@ -56,10 +56,11 @@
db1 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit nixpkgs;
inherit nixpkgs inputs;
};
modules = [
sops-nix.nixosModules.sops
foundryvtt.nixosModules.foundryvtt
./profiles/db.nix
{
sops.defaultSopsFile = ./secrets.enc.yml;
@ -74,11 +75,12 @@
backend1 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit nixpkgs;
inherit nixpkgs inputs;
};
modules = [
defaultModuleArgs
sops-nix.nixosModules.sops
foundryvtt.nixosModules.foundryvtt
./profiles/backend.nix
{
sops.defaultSopsFile = ./secrets.enc.yml;

4
modules/default.nix
View file

@ -1,4 +1,5 @@
{ config, pkgs, ... }: {
{ ... }:
{
imports = [
./backup-job.nix
./monit.nix
@ -20,5 +21,6 @@
./roundcube.nix
./dokuwiki.nix
./postgresql.nix
./foundryvtt.nix
];
}

44
modules/foundryvtt.nix Normal file
View file

@ -0,0 +1,44 @@
{
inputs,
pkgs,
config,
lib,
...
}:
let
cfg = config.custom.services.foundryvtt;
in
{
options.custom.services.foundryvtt = {
enable = lib.mkEnableOption "foundryvtt";
};
config = lib.mkIf cfg.enable {
services.foundryvtt = {
enable = true;
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_12;
hostName = "vtt.${config.networking.domain}";
language = "fr.core";
proxyPort = 443;
proxySSL = true;
upnp = false;
dataDir = "/nix/var/data/foundryvtt";
};
systemd.services.foundryvtt.serviceConfig = {
StateDirectory = lib.mkForce null;
ReadWritePaths = config.services.foundryvtt.dataDir;
};
services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
};
}

14
modules/jellyfin.nix
View file

@ -1,15 +1,17 @@
{ config, lib, ... }:
let cfg = config.custom.services.jellyfin;
in {
let
cfg = config.custom.services.jellyfin;
in
{
options.custom.services.jellyfin = {
enable = lib.mkEnableOption "jellyfin";
};
config = lib.mkIf cfg.enable {
services.jellyfin = { enable = true; };
systemd.services.jellyfin.serviceConfig.ExecStart = lib.mkOverride 10
"${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'";
services.jellyfin = {
enable = true;
dataDir = "/nix/var/data/jellyfin";
};
services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = {
enableACME = true;

1
modules/jitsi.nix
View file

@ -1,5 +1,4 @@
{
pkgs,
config,
lib,
...

11
modules/murmur.nix
View file

@ -1,7 +1,11 @@
{ config, lib, ... }:
let cfg = config.custom.services.murmur;
in {
options.custom.services.murmur = { enable = lib.mkEnableOption "murmur"; };
let
cfg = config.custom.services.murmur;
in
{
options.custom.services.murmur = {
enable = lib.mkEnableOption "murmur";
};
config = lib.mkIf cfg.enable {
sops.secrets.murmurEnvFile = {
@ -16,6 +20,7 @@ in {
password = "$MURMURD_PASSWORD";
environmentFile = config.sops.secrets.murmurEnvFile.path;
imgMsgLength = 13107200;
openFirewall = true;
};
};
}

47
modules/nextcloud.nix
View file

@ -1,20 +1,19 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.services.nextcloud;
uidFile = pkgs.writeText "uidfile" ''
nextcloud:993
'';
gidFile = pkgs.writeText "gidfile" ''
nextcloud:991
'';
in {
in
{
options.custom.services.nextcloud = {
enable = lib.mkEnableOption "nextcloud";
};
config = lib.mkIf cfg.enable {
sops.secrets = {
sshfsKey = { key = "sshfs_keys/private"; };
nextcloudDbPassword = {
owner = config.users.users.nextcloud.name;
key = "nextcloud/db_password";
@ -29,31 +28,6 @@ in {
environment.systemPackages = with pkgs; [ sshfs ];
systemd.services.nextcloud-data-sshfs = {
wantedBy = [ "multi-user.target" "nextcloud-setup.service" ];
before = [ "phpfpm-nextcloud.service" ];
restartIfChanged = false;
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/nextcloud/data";
ExecStart = let
options = builtins.concatStringsSep "," [
"identityfile=${config.sops.secrets.sshfsKey.path}"
"ServerAliveInterval=15"
"idmap=file"
"uidfile=${uidFile}"
"gidfile=${gidFile}"
"allow_other"
"default_permissions"
"nomap=ignore"
];
in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data "
+ "/var/lib/nextcloud/data -o ${options}";
ExecStopPost =
"-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
KillMode = "process";
};
};
services.nginx.virtualHosts."${config.services.nextcloud.hostName}" = {
enableACME = true;
forceSSL = true;
@ -61,6 +35,9 @@ in {
services.nextcloud = {
enable = true;
# Can't be changed for now, could use a bind mount as workaround
# https://github.com/NixOS/nixpkgs/issues/356973
# home = "/nix/var/data/nextcloud";
package = pkgs.nextcloud29;
hostName = "cloud.${config.networking.domain}";
https = true;
@ -69,7 +46,7 @@ in {
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "10.0.1.11";
dbhost = "127.0.0.1";
dbname = "nextcloud";
dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";

29
modules/postgresql.nix
View file

@ -22,9 +22,6 @@ in
root_as_others root synapse
root_as_others root nextcloud
root_as_others root roundcube
root_as_others root mastodon
root_as_others root dolibarr
root_as_others root odoo
'';
authentication = ''
local all postgres peer
@ -35,12 +32,10 @@ in
sops.secrets = {
synapseDbPassword = {
owner = config.services.postgresql.superUser;
key = "synapse/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
nextcloudDbPassword = {
owner = config.services.postgresql.superUser;
key = "nextcloud/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
@ -49,16 +44,6 @@ in
key = "roundcube/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
mastodonDbPassword = {
owner = config.services.postgresql.superUser;
key = "mastodon/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
dolibarrDbPassword = {
owner = config.services.postgresql.superUser;
key = "dolibarr/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
};
systemd.services.postgresql-setup =
@ -82,23 +67,14 @@ in
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "dolibarr"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "odoo"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "dolibarr" OWNER "dolibarr"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "odoo" OWNER "odoo"'
PSQL -tAc "ALTER ROLE synapse LOGIN"
PSQL -tAc "ALTER ROLE nextcloud LOGIN"
PSQL -tAc "ALTER ROLE roundcube LOGIN"
PSQL -tAc "ALTER ROLE mastodon LOGIN"
PSQL -tAc "ALTER ROLE dolibarr LOGIN"
PSQL -tAc "ALTER ROLE odoo LOGIN"
synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@ -106,11 +82,6 @@ in
PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')"
PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')"
PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"
dolibarr_password="$(<'${config.sops.secrets.dolibarrDbPassword.path}')"
PSQL -tAc "ALTER ROLE dolibarr WITH PASSWORD '$dolibarr_password'"
PSQL -tAc "ALTER ROLE odoo WITH PASSWORD 'odoo'"
'';
serviceConfig = {

30
modules/roundcube.nix
View file

@ -1,6 +1,13 @@
{ pkgs, lib, config, ... }:
let cfg = config.custom.services.roundcube;
in {
{
pkgs,
lib,
config,
...
}:
let
cfg = config.custom.services.roundcube;
in
{
options.custom.services.roundcube = {
enable = lib.mkEnableOption "roundcube";
};
@ -17,16 +24,17 @@ in {
};
};
# Required because roundcube uses psql: https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/services/mail/roundcube.nix#L247
services.postgresql.package = pkgs.postgresql_15;
services.roundcube = {
enable = true;
plugins = [ "managesieve" ];
dicts = with pkgs.aspellDicts; [ en fr de ];
dicts = with pkgs.aspellDicts; [
en
fr
de
];
hostName = "webmail.banditlair.com";
database = {
host = "10.0.1.11";
host = "127.0.0.1";
username = "roundcube";
dbname = "roundcube";
passwordFile = config.sops.secrets.pgPassFile.path;
@ -35,10 +43,10 @@ in {
extraConfig = ''
# This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
$password = file_get_contents('${config.sops.secrets.dbPassword.path}');
$config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@10.0.1.11/roundcube';
$config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@127.0.0.1/roundcube';
$config['default_host'] = 'ssl://mail.banditlair.com:993';
$config['smtp_server'] = 'ssl://%h';
$config['imap_host'] = 'ssl://mail.banditlair.com:993';
$config['smtp_host'] = 'ssl://%h';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['identities_level'] = 0;

39
modules/stb.nix
View file

@ -1,4 +1,9 @@
{ pkgs, config, lib, ... }:
{
pkgs,
config,
lib,
...
}:
let
cfg = config.custom.services.stb;
uploadWordpressConfig = pkgs.writeText "upload.ini" ''
@ -8,10 +13,17 @@ let
post_max_size = 64M
max_execution_time = 600
'';
in {
options.custom.services.stb = { enable = lib.mkEnableOption "stb"; };
in
{
options.custom.services.stb = {
enable = lib.mkEnableOption "stb";
};
config = lib.mkIf cfg.enable {
virtualisation.podman.defaultNetwork.settings = {
dns_enabled = true;
};
systemd.services.init-stb-network = {
description = "Create the network bridge stb-br for wordpress.";
after = [ "network.target" ];
@ -19,15 +31,17 @@ in {
serviceConfig.Type = "oneshot";
script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in ''
let
podmancli = "${pkgs.podman}/bin/podman";
in
''
# Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service.
check=$(${dockercli} network ls | grep "stb-br" || true)
check=$(${podmancli} pod ps | grep "stb" || true)
if [ -z "$check" ]; then
${dockercli} network create stb-br
${podmancli} pod create --publish 8180:80 stb
else
echo "stb-br already exists in docker"
echo "stb pod already exists"
fi
'';
};
@ -42,7 +56,7 @@ in {
"MYSQL_DATABASE" = "stb";
};
volumes = [ "/var/lib/mariadb/stb:/var/lib/mysql" ];
extraOptions = [ "--network=stb-br" ];
extraOptions = [ "--pod=stb" ];
autoStart = true;
};
@ -52,8 +66,7 @@ in {
"/nix/var/data/stb-wordpress:/var/www/html"
"${uploadWordpressConfig}:/usr/local/etc/php/conf.d/uploads.ini"
];
ports = [ "127.0.0.1:8180:80" ];
extraOptions = [ "--network=stb-br" ];
extraOptions = [ "--pod=stb" ];
autoStart = true;
};
};
@ -63,7 +76,9 @@ in {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:8180"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8180";
};
};
};
}

125
modules/synapse.nix
View file

@ -1,16 +1,22 @@
{ pkgs, config, lib, ... }:
{
pkgs,
config,
lib,
...
}:
let
cfg = config.custom.services.synapse;
fqdn = let
join = hostName: domain:
hostName + lib.optionalString (domain != null) ".${domain}";
in join "matrix" config.networking.domain;
fqdn =
let
join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
in
join "matrix" config.networking.domain;
synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" ''
database:
name: psycopg2
args:
database: synapse
host: "10.0.1.11"
host: "127.0.0.1"
user: "synapse"
password: "SYNAPSE_DB_PASSWORD"
email:
@ -24,8 +30,11 @@ let
macaroon_secret_key: "MACAROON_SECRET_KEY"
turn_shared_secret: "TURN_SHARED_SECRET"
'';
in {
options.custom.services.synapse = { enable = lib.mkEnableOption "synapse"; };
in
{
options.custom.services.synapse = {
enable = lib.mkEnableOption "synapse";
};
config = lib.mkIf cfg.enable {
services.nginx = {
@ -38,25 +47,35 @@ in {
forceSSL = true;
# acmeFallbackHost = "storage1.banditlair.com";
locations."= /.well-known/matrix/server".extraConfig = let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = {
"m.server" = "${fqdn}:443";
};
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = {
"base_url" = "https://${fqdn}";
};
"m.identity_server" = {
"base_url" = "https://vector.im";
};
};
in
# ACAO required to allow element-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# Reverse proxy for Matrix client-server and server-server communication
@ -98,7 +117,10 @@ in {
group = "turnserver";
mode = "0440";
key = "synapse/turn_shared_secret";
restartUnits = [ "matrix-synapse-setup" "coturn" ];
restartUnits = [
"matrix-synapse-setup"
"coturn"
];
};
};
@ -124,7 +146,10 @@ in {
};
systemd.services.matrix-synapse = {
after = [ "matrix-synapse-setup.service" "network.target" ];
after = [
"matrix-synapse-setup.service"
"network.target"
];
bindsTo = [ "matrix-synapse-setup.service" ];
};
@ -138,14 +163,22 @@ in {
listeners = [
{
port = 8008;
bind_addresses = [ "::1" "127.0.0.1" ];
bind_addresses = [
"::1"
"127.0.0.1"
];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = false;
}];
resources = [
{
names = [
"client"
"federation"
];
compress = false;
}
];
}
{
port = 9000;
@ -214,17 +247,21 @@ in {
'';
};
networking.firewall = let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ];
};
networking.firewall =
let
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ];
};
security.acme.certs.${config.services.coturn.realm} = {
postRun = "systemctl restart coturn.service";

63
modules/torrents.nix
View file

@ -1,14 +1,25 @@
{ config, lib, pkgs, ... }:
let cfg = config.custom.services.torrents;
in {
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.services.torrents;
in
{
options.custom.services.torrents = {
enable = lib.mkEnableOption "torrents";
};
config = lib.mkIf cfg.enable {
sops.secrets = {
vpnCredentials = { key = "openvpn/credentials"; };
transmissionRpcCredentials = { key = "transmission/rpc_config.json"; };
vpnCredentials = {
key = "openvpn/credentials";
};
transmissionRpcCredentials = {
key = "transmission/rpc_config.json";
};
};
containers.torrents = {
@ -60,7 +71,9 @@ in {
isSystemUser = true;
group = config.users.groups.www-data.name;
};
users.groups.www-data = { gid = 991; };
users.groups.www-data = {
gid = 991;
};
services.openvpn.servers.client = {
updateResolvConf = true;
config = ''
@ -194,41 +207,51 @@ in {
};
};
virtualisation.oci-containers.containers.flaresolverr = {
image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11";
environment = {
"LOG_LEVEL" = "debug";
"CAPTCHA_SOLVER" = "hcaptcha-solver";
};
ports = [ "192.168.1.1:8191:8191" ];
autoStart = true;
};
# virtualisation.oci-containers.containers.flaresolverr = {
# image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11";
# environment = {
# "LOG_LEVEL" = "debug";
# "CAPTCHA_SOLVER" = "hcaptcha-solver";
# };
# ports = [ "192.168.1.1:8191:8191" ];
# autoStart = true;
# };
services.nginx.virtualHosts = {
"transmission.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9091"; };
locations."/" = {
proxyPass = "http://192.168.1.2:9091";
};
};
"jackett.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9117"; };
locations."/" = {
proxyPass = "http://192.168.1.2:9117";
};
};
"sonarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8989"; };
locations."/" = {
proxyPass = "http://192.168.1.2:8989";
};
};
"radarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:7878"; };
locations."/" = {
proxyPass = "http://192.168.1.2:7878";
};
};
"lidarr.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8686"; };
locations."/" = {
proxyPass = "http://192.168.1.2:8686";
};
};
};
};

128
profiles/backend.nix
View file

@ -1,10 +1,4 @@
{
config,
lib,
pkgs,
pkgs-unstable,
...
}:
{ config, ... }:
{
imports = [
../environment.nix
@ -12,129 +6,17 @@
../modules
];
sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/backend1/private";
};
dolibarrDbPassword = {
owner = config.users.users.dolibarr.name;
key = "dolibarr/db_password";
restartUnits = [ "phpfpm-dolibarr.service" ];
};
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
];
custom = {
services.backup-job = {
enable = true;
repoName = "bk1";
additionalPaths = [
"/var/lib/nextcloud/config"
"/var/lib/mastodon"
];
readWritePaths = [
"/nix/var/data/murmur"
"/nix/var/data/backup/"
];
preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
'';
startAt = "03:30";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html
start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service"
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
services.nginx.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true;
services.murmur.enable = true;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.monitoring-exporters.enable = true;
};
services.uptime-kuma = {
enable = true;
settings = {
PORT = "3001";
};
};
services.nginx.virtualHosts = {
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
};
};
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
networking.firewall.allowedTCPPorts = [
80
443
64738
];
networking.firewall.allowedUDPPorts = [ 64738 ];
networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port
9000

30
profiles/db.nix
View file

@ -13,38 +13,14 @@
networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port
config.services.postgresql.settings.port
];
sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/db1/private";
};
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
];
custom = {
services.backup-job = {
enable = true;
repoName = "db1";
readWritePaths = [
"/nix/var/data/postgresql"
"/nix/var/data/backup/"
];
preHook = ''
${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${config.services.postgresql.package}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp
${config.services.postgresql.package}/bin/pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp
${config.services.postgresql.package}/bin/pg_dump -U odoo odoo > /nix/var/data/postgresql/odoo.dmp
'';
startAt = "03:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.openssh.enable = true;
services.postgresql.enable = true;
services.monitoring-exporters.enable = true;
};

197
profiles/hel.nix
View file

@ -1,7 +1,4 @@
{
config,
...
}:
{ config, pkgs, ... }:
{
imports = [
../environment.nix
@ -10,6 +7,10 @@
];
sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/storage1/private";
};
runnerRegistrationConfig = {
owner = config.users.users.gitlab-runner.name;
key = "gitlab/runner_registration_config/hel1";
@ -18,10 +19,22 @@
time.timeZone = "Europe/Amsterdam";
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "enp41s0";
# Prevent mdmon from crashing
boot.swraid.mdadmConf = ''
HOMEHOST <ignore>
PROGRAM true
'';
networking = {
firewall.allowedTCPPorts = [
80
443
];
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "enp41s0";
};
};
disko.devices = {
@ -168,11 +181,179 @@
};
custom = {
services.nginx.enable = true;
services.postgresql.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true;
services.gitlab-runner = {
enable = true;
runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path;
};
services.jellyfin.enable = true;
services.torrents.enable = true;
services.foundryvtt.enable = true;
services.jitsi.enable = true;
services.stb.enable = true;
services.murmur.enable = true;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.backup-job = {
enable = true;
repoName = "bl";
additionalPaths = [
"/var/lib/acme"
"/var/lib/nextcloud"
];
patterns = [
"- /nix/var/data/media"
"- /nix/var/data/transmission/downloads"
"- /nix/var/data/transmission/.incomplete"
];
readWritePaths = [
"/nix/var/data/murmur"
"/nix/var/data/postgresql"
"/nix/var/data/backup/"
"/var/lib/containers/storage"
"/run"
];
preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${pkgs.podman}/bin/podman exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
${pkgs.systemd}/bin/systemctl stop container@torrents
'';
postHook = ''
${pkgs.systemd}/bin/systemctl start jellyfin.service
${pkgs.systemd}/bin/systemctl start container@torrents
'';
startAt = "02:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
check program raid-md126 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check filesystem data with path /nix/var/data
if SPACE usage > 90% then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
check host osteoview-demo with address demo.osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
};
services.uptime-kuma = {
enable = true;
settings = {
PORT = "3001";
};
};
services.nginx.virtualHosts = {
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
};
};
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
# virtualisation.oci-containers.containers = {
# "minecraft" = {
# image = "itzg/minecraft-server";
# environment = {
# EULA = "TRUE";
# VERSION = "1.18.2";
# TYPE = "AUTO_CURSEFORGE";
# MEMORY = "4G";
# CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
# };
# ports = [ "25565:25565" ];
# volumes = [ "/nix/var/data/minecraft-modded:/data" ];
# autoStart = true;
# };
# };
users.users.www-data = {
uid = 993;
group = config.users.groups.www-data.name;
};
users.groups.www-data = {
gid = 991;
};
}

81
profiles/storage.nix
View file

@ -1,9 +1,7 @@
{
config,
lib,
pkgs,
pkgs-unstable,
inputs,
...
}:
{
@ -56,24 +54,12 @@
services.backup-job = {
enable = true;
repoName = "bl";
additionalPaths = [ config.services.foundryvtt.dataDir ];
patterns = [
"- /nix/var/data/media"
"- /nix/var/data/transmission/downloads"
"- /nix/var/data/transmission/.incomplete"
];
readWritePaths = [ "/nix/var/data/backup" ];
preHook = ''
${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
${pkgs.systemd}/bin/systemctl stop minecraft-server.service
${pkgs.systemd}/bin/systemctl stop container@torrents
'';
postHook = ''
${pkgs.systemd}/bin/systemctl start jellyfin.service
${pkgs.systemd}/bin/systemctl start minecraft-server.service
${pkgs.systemd}/bin/systemctl start container@torrents
'';
startAt = "04:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
@ -81,49 +67,15 @@
services.monit = {
enable = true;
additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
check host osteoview-demo with address demo.osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
services.nginx.enable = true;
services.openssh.enable = true;
services.jellyfin.enable = true;
services.stb.enable = true;
services.monero.enable = true;
services.torrents.enable = true;
services.jitsi.enable = true;
services.monero.enable = false;
services.grafana.enable = true;
services.monitoring-exporters.enable = true;
};
@ -238,6 +190,10 @@
networking.nat.internalInterfaces = [ "ve-+" ];
networking.nat.externalInterface = "enp2s0";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
];
users.users.www-data = {
uid = 993;
createHome = true;
@ -266,7 +222,7 @@
users.groups.steam = { };
services.minecraft-server = {
enable = true;
enable = false;
package = pkgs-unstable.minecraft-server;
eula = true;
openFirewall = false;
@ -305,34 +261,11 @@
# };
# };
services.foundryvtt = {
enable = true;
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_12;
hostName = "vtt.${config.networking.domain}";
language = "fr.core";
proxyPort = 443;
proxySSL = true;
upnp = false;
};
# services.rustdesk-server = {
# enable = true;
# openFirewall = true;
# };
services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
services.borgbackup.repos = {
epicerie_du_cellier = {
authorizedKeys = [

9
secrets.enc.yml
View file

@ -17,11 +17,6 @@ synapse:
nextcloud:
db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str]
admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str]
mastodon:
db_password: ENC[AES256_GCM,data:XY/C6n3T7iINN1Sk2GdhQgHK0+vltLssOVfRLA2rFmqdxLHjvpKQTPHWxDbzELVcGqgGyiMH4AG240lo,iv:8M/fLo1MjIpUIW54WgddILmcgtofeh0rIBvKQaX/Csw=,tag:Al6LjmcPOlza5iJivf0agg==,type:str]
smtp_password: ENC[AES256_GCM,data:uhtPw/1uuKsDifdPzaczWFdZm3TP3e25U69bGysJdudnjY9rjf8HrDJ1/wqXR4hbLMaJP41fVN9WXYSE,iv:VjIQCBx6BFzATuALewU6Dc7Ti+uekmAUIJ+r2iOcFHg=,tag:vhCvRbkRxuYyf/qLeoaFzA==,type:str]
dolibarr:
db_password: ENC[AES256_GCM,data:1aDUyV+JLklbbP5dJBmviPWKKxQF7xAuQ/lKIZ5M4TtHbeH9PDuEoyxJJ08k7RtJyLrBRCwBd2pgLyYs,iv:rn6aGEPG9i3Uu4xlMIDIdK8T8bPt8t1pRl4SUsgK8nI=,tag:qacpyDDsj0pYWO1Kur9Ugw==,type:str]
roundcube:
db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
@ -73,8 +68,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-12-05T15:21:41Z"
mac: ENC[AES256_GCM,data:8p+Am3IjJZoBmZDwOSymSVeMrbaXfgHO1BZhq8Sdn/pFCGC2/et8xg/heQ7JGBRQMER2AzIdtreTe9f+6NJLYdRuh0CghwxKHfcykUSBNkgzc2bDFLD+xAFWhFoYJx9YZvuDuOeU6rQ/YVSunDYu4K7aX5KdCLon2+1MOtDHZXo=,iv:gW1hBzHSxugVl09FT1HhL2J/9HccwfLFwSEKdei5mLg=,tag:ncQof/HBVGht+xfna6AC2Q==,type:str]
lastmodified: "2024-12-10T00:50:13Z"
mac: ENC[AES256_GCM,data:yM21T3BYoC9/jH9n7tdSK6Bgkw7n32SA17tKUoxZ7AgHuKDQRHdwGW1ujfGEBxo337uHdOaTW9mjjvMAy8KnrOQReipuM6yPKf8Fi8ptX+JXtxfg9QmcdjxMHX8vxpWHIFIkz4ScOQ2MSCwa3UXakhhpNJUssp31MMKlkpABOkA=,iv:2PwpgEGidQW2yiUg0qszf5FRw3f5wWM7vgydQL9dzGU=,tag:tRLFzeLNyrpDFVlBTjq2uQ==,type:str]
pgp:
- created_at: "2024-12-05T00:56:17Z"
enc: |-

66
terraform/dns.tf
View file

@ -16,7 +16,7 @@ data "hetznerdns_zone" "froidmont_solutions_zone" {
resource "hetznerdns_record" "banditlair_hcloud_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "@"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -32,7 +32,7 @@ resource "hetznerdns_record" "backend1_a" {
resource "hetznerdns_record" "webmail_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "webmail"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -88,7 +88,7 @@ resource "hetznerdns_record" "cache_a" {
resource "hetznerdns_record" "jellyfin_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "jellyfin"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -96,23 +96,7 @@ resource "hetznerdns_record" "jellyfin_a" {
resource "hetznerdns_record" "status_banditlair_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "status"
value = hcloud_server.backend1.ipv4_address
type = "A"
ttl = 600
}
resource "hetznerdns_record" "dolibarr_a" {
zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id
name = "dolibarr"
value = hcloud_server.backend1.ipv4_address
type = "A"
ttl = 600
}
resource "hetznerdns_record" "odoo_a" {
zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id
name = "odoo"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -120,15 +104,7 @@ resource "hetznerdns_record" "odoo_a" {
resource "hetznerdns_record" "jitsi_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "jitsi"
value = local.storage1_ip
type = "A"
ttl = 600
}
resource "hetznerdns_record" "mastodon_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "social"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -136,7 +112,7 @@ resource "hetznerdns_record" "mastodon_a" {
resource "hetznerdns_record" "uptime_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "uptime"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -144,7 +120,7 @@ resource "hetznerdns_record" "uptime_a" {
resource "hetznerdns_record" "transmission_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "transmission"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -152,7 +128,7 @@ resource "hetznerdns_record" "transmission_a" {
resource "hetznerdns_record" "jackett_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "jackett"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -160,7 +136,7 @@ resource "hetznerdns_record" "jackett_a" {
resource "hetznerdns_record" "sonarr_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "sonarr"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -168,7 +144,7 @@ resource "hetznerdns_record" "sonarr_a" {
resource "hetznerdns_record" "radarr_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "radarr"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -176,7 +152,7 @@ resource "hetznerdns_record" "radarr_a" {
resource "hetznerdns_record" "lidarr_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "lidarr"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -184,7 +160,7 @@ resource "hetznerdns_record" "lidarr_a" {
resource "hetznerdns_record" "vtt_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "vtt"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -192,7 +168,7 @@ resource "hetznerdns_record" "vtt_a" {
resource "hetznerdns_record" "monero_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "monero"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -200,7 +176,7 @@ resource "hetznerdns_record" "monero_a" {
resource "hetznerdns_record" "anderia_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "anderia"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -208,7 +184,7 @@ resource "hetznerdns_record" "anderia_a" {
resource "hetznerdns_record" "arkadia_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "arkadia"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -216,7 +192,7 @@ resource "hetznerdns_record" "arkadia_a" {
resource "hetznerdns_record" "cifirpg_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "scifirpg"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -240,7 +216,7 @@ resource "hetznerdns_record" "banditlair_dedicated_a" {
resource "hetznerdns_record" "nextcloud_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "cloud"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -249,7 +225,7 @@ resource "hetznerdns_record" "nextcloud_a" {
resource "hetznerdns_record" "matrix_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "matrix"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -265,7 +241,7 @@ resource "hetznerdns_record" "matrix_srv" {
resource "hetznerdns_record" "coturn_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "turn"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -386,7 +362,7 @@ resource "hetznerdns_record" "froidmont_a" {
resource "hetznerdns_record" "website_marie_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "osteopathie"
value = hcloud_server.backend1.ipv4_address
value = local.hel1_ip
type = "A"
ttl = 600
}
@ -438,7 +414,7 @@ data "hetznerdns_zone" "stb_zone" {
resource "hetznerdns_record" "stb_a" {
zone_id = data.hetznerdns_zone.stb_zone.id
name = "@"
value = local.storage1_ip
value = local.hel1_ip
type = "A"
ttl = 600
}