From f18644f8a16cb7c0139394e2df3fc531d028eb5e Mon Sep 17 00:00:00 2001 From: Paul-Henri Froidmont Date: Tue, 10 Dec 2024 11:39:55 +0100 Subject: [PATCH] Move everyting to hel1 except emails --- flake.nix | 6 +- modules/default.nix | 4 +- modules/foundryvtt.nix | 44 +++++++++ modules/jellyfin.nix | 14 +-- modules/jitsi.nix | 1 - modules/murmur.nix | 11 ++- modules/nextcloud.nix | 47 +++------- modules/postgresql.nix | 29 ------ modules/roundcube.nix | 30 ++++--- modules/stb.nix | 39 +++++--- modules/synapse.nix | 125 +++++++++++++++++--------- modules/torrents.nix | 63 ++++++++----- profiles/backend.nix | 128 ++------------------------ profiles/db.nix | 30 +------ profiles/hel.nix | 197 +++++++++++++++++++++++++++++++++++++++-- profiles/storage.nix | 81 ++--------------- secrets.enc.yml | 9 +- terraform/dns.tf | 66 +++++--------- 18 files changed, 476 insertions(+), 448 deletions(-) create mode 100644 modules/foundryvtt.nix diff --git a/flake.nix b/flake.nix index 1c6c31a..d6013b3 100644 --- a/flake.nix +++ b/flake.nix @@ -56,10 +56,11 @@ db1 = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { - inherit nixpkgs; + inherit nixpkgs inputs; }; modules = [ sops-nix.nixosModules.sops + foundryvtt.nixosModules.foundryvtt ./profiles/db.nix { sops.defaultSopsFile = ./secrets.enc.yml; @@ -74,11 +75,12 @@ backend1 = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { - inherit nixpkgs; + inherit nixpkgs inputs; }; modules = [ defaultModuleArgs sops-nix.nixosModules.sops + foundryvtt.nixosModules.foundryvtt ./profiles/backend.nix { sops.defaultSopsFile = ./secrets.enc.yml; diff --git a/modules/default.nix b/modules/default.nix index f253d65..2e923eb 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: { +{ ... }: +{ imports = [ ./backup-job.nix ./monit.nix @@ -20,5 +21,6 @@ ./roundcube.nix ./dokuwiki.nix ./postgresql.nix + ./foundryvtt.nix ]; } 
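Review bot: `foundryvtt.nixosModules.foundryvtt` and `inherit nixpkgs inputs;` are added to the db1 and backend1 systems in these two flake.nix hunks, yet the commit enables `custom.services.foundryvtt` only in profiles/hel.nix, whose nixosSystem entry is not in the diff. modules/foundryvtt.nix reads `inputs.foundryvtt.packages…` and sets `services.foundryvtt`, so hel1 needs both the `inputs` specialArg and the upstream module as well, or its evaluation fails; I cannot confirm that from what is visible. Conversely, after this commit db1 and backend1 no longer enable the service, so importing the module for them looks unnecessary and both additions could be dropped.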
diff --git a/modules/foundryvtt.nix b/modules/foundryvtt.nix new file mode 100644 index 0000000..fd14a8d --- /dev/null +++ b/modules/foundryvtt.nix @@ -0,0 +1,44 @@ +{ + inputs, + pkgs, + config, + lib, + ... +}: +let + cfg = config.custom.services.foundryvtt; +in +{ + options.custom.services.foundryvtt = { + enable = lib.mkEnableOption "foundryvtt"; + }; + + config = lib.mkIf cfg.enable { + services.foundryvtt = { + enable = true; + package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_12; + hostName = "vtt.${config.networking.domain}"; + language = "fr.core"; + proxyPort = 443; + proxySSL = true; + upnp = false; + dataDir = "/nix/var/data/foundryvtt"; + }; + systemd.services.foundryvtt.serviceConfig = { + StateDirectory = lib.mkForce null; + ReadWritePaths = config.services.foundryvtt.dataDir; + }; + services.nginx.virtualHosts."vtt.${config.networking.domain}" = { + forceSSL = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}"; + extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + ''; + }; + }; + }; +} diff --git a/modules/jellyfin.nix b/modules/jellyfin.nix index 550c338..e97f601 100644 --- a/modules/jellyfin.nix +++ b/modules/jellyfin.nix @@ -1,15 +1,17 @@ { config, lib, ... }: -let cfg = config.custom.services.jellyfin; -in { +let + cfg = config.custom.services.jellyfin; +in +{ options.custom.services.jellyfin = { enable = lib.mkEnableOption "jellyfin"; }; config = lib.mkIf cfg.enable { - services.jellyfin = { enable = true; }; - - systemd.services.jellyfin.serviceConfig.ExecStart = lib.mkOverride 10 - "${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'"; + services.jellyfin = { + enable = true; + dataDir = "/nix/var/data/jellyfin"; + }; services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = { enableACME = true; 
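Review bot: The `locations."/"` block in the new file hand-writes the Upgrade/Connection headers but omits `proxy_http_version 1.1;`, which the WebSocket upgrade needs; unless `recommendedProxySettings` supplies it elsewhere, `proxyWebsockets = true;` in place of the `extraConfig` sets all three. The virtual host repeats the literal `"vtt.${config.networking.domain}"` instead of `config.services.foundryvtt.hostName`, so the two names can drift apart. `pkgs.system` is, as far as I know, deprecated in recent nixpkgs in favour of `pkgs.stdenv.hostPlatform.system`. A one-line comment above the `systemd.services.foundryvtt.serviceConfig` override, e.g. `# data lives under /nix/var/data, so the module's StateDirectory is disabled and the path granted explicitly`, would explain the `lib.mkForce null`.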
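Review bot: The removed `ExecStart` override also passed `--cachedir '/var/cache/jellyfin'`, while the replacement sets only `dataDir`, so the cache location now comes from the module's `cacheDir` default. If that default differs on the deployed nixpkgs the cache is rebuilt elsewhere after the move; `cacheDir = "/var/cache/jellyfin";` next to `dataDir` keeps the previous layout explicit. The `config` attribute set continues past the end of this hunk.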
diff --git a/modules/jitsi.nix b/modules/jitsi.nix index 1ca09f6..75fbd37 100644 --- a/modules/jitsi.nix +++ b/modules/jitsi.nix @@ -1,5 +1,4 @@ { - pkgs, config, lib, ... diff --git a/modules/murmur.nix b/modules/murmur.nix index a5e4b3c..eed838a 100644 --- a/modules/murmur.nix +++ b/modules/murmur.nix @@ -1,7 +1,11 @@ { config, lib, ... }: -let cfg = config.custom.services.murmur; -in { - options.custom.services.murmur = { enable = lib.mkEnableOption "murmur"; }; +let + cfg = config.custom.services.murmur; +in +{ + options.custom.services.murmur = { + enable = lib.mkEnableOption "murmur"; + }; config = lib.mkIf cfg.enable { sops.secrets.murmurEnvFile = { @@ -16,6 +20,7 @@ in { password = "$MURMURD_PASSWORD"; environmentFile = config.sops.secrets.murmurEnvFile.path; imgMsgLength = 13107200; + openFirewall = true; }; }; } diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 4623fda..1e6b329 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -1,20 +1,19 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.custom.services.nextcloud; - uidFile = pkgs.writeText "uidfile" '' - nextcloud:993 - ''; - gidFile = pkgs.writeText "gidfile" '' - nextcloud:991 - ''; -in { +in +{ options.custom.services.nextcloud = { enable = lib.mkEnableOption "nextcloud"; }; config = lib.mkIf cfg.enable { sops.secrets = { - sshfsKey = { key = "sshfs_keys/private"; }; nextcloudDbPassword = { owner = config.users.users.nextcloud.name; key = "nextcloud/db_password"; 
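Review bot: Removing `sshfsKey` from `sops.secrets` drops its only consumer, but the key material `sshfs_keys/private` may still sit in secrets.enc.yml (that file's hunk is not in view) and its public half is presumably still authorized for `www-data` on the old storage host. Now that the mount is gone, the private key should be deleted from the secrets file and the matching authorized key removed, so a copy of the repository cannot reuse it. `environment.systemPackages = with pkgs; [ sshfs ];`, the first context line of the next hunk, is likewise left over from the removed mount and can go.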
@@ -29,31 +28,6 @@ in { environment.systemPackages = with pkgs; [ sshfs ]; - systemd.services.nextcloud-data-sshfs = { - wantedBy = [ "multi-user.target" "nextcloud-setup.service" ]; - before = [ "phpfpm-nextcloud.service" ]; - restartIfChanged = false; - serviceConfig = { - ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/nextcloud/data"; - ExecStart = let - options = builtins.concatStringsSep "," [ - "identityfile=${config.sops.secrets.sshfsKey.path}" - "ServerAliveInterval=15" - "idmap=file" - "uidfile=${uidFile}" - "gidfile=${gidFile}" - "allow_other" - "default_permissions" - "nomap=ignore" - ]; - in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data " - + "/var/lib/nextcloud/data -o ${options}"; - ExecStopPost = - "-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data"; - KillMode = "process"; - }; - }; - services.nginx.virtualHosts."${config.services.nextcloud.hostName}" = { enableACME = true; forceSSL = true; @@ -61,6 +35,9 @@ in { services.nextcloud = { enable = true; + # Can't be changed for now, could use a bind mount as workaround + # https://github.com/NixOS/nixpkgs/issues/356973 + # home = "/nix/var/data/nextcloud"; package = pkgs.nextcloud29; hostName = "cloud.${config.networking.domain}"; https = true; @@ -69,7 +46,7 @@ in { config = { dbtype = "pgsql"; dbuser = "nextcloud"; - dbhost = "10.0.1.11"; + dbhost = "127.0.0.1"; dbname = "nextcloud"; dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}"; adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}"; diff --git a/modules/postgresql.nix b/modules/postgresql.nix index 3df69b1..78c0c89 100644 --- a/modules/postgresql.nix +++ b/modules/postgresql.nix @@ -22,9 +22,6 @@ in root_as_others root synapse root_as_others root nextcloud root_as_others root roundcube - root_as_others root mastodon - root_as_others root dolibarr - root_as_others root odoo ''; authentication = '' local all postgres peer 
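Review bot: `dbhost = "127.0.0.1";` in the last hunk of this file switches Nextcloud to a TCP connection to the co-located PostgreSQL, so pg_hba must allow password auth for `nextcloud` over loopback; only the `local … peer` lines of `services.postgresql.authentication` are visible in the modules/postgresql.nix hunk, and since that option is overridden there the module's default loopback rules may or may not still apply. With both services on one host, `dbhost = "/run/postgresql";` would use the Unix socket and could rely on the existing ident map instead of a password. Either way a one-line comment recording the intended auth path, e.g. `# PostgreSQL is local on hel1; password auth over loopback, see modules/postgresql.nix`, would help the next reader. The `services.nextcloud` block continues past this hunk.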
@@ -35,12 +32,10 @@ in sops.secrets = { synapseDbPassword = { - owner = config.services.postgresql.superUser; key = "synapse/db_password"; restartUnits = [ "postgresql-setup.service" ]; }; nextcloudDbPassword = { - owner = config.services.postgresql.superUser; key = "nextcloud/db_password"; restartUnits = [ "postgresql-setup.service" ]; }; @@ -49,16 +44,6 @@ in key = "roundcube/db_password"; restartUnits = [ "postgresql-setup.service" ]; }; - mastodonDbPassword = { - owner = config.services.postgresql.superUser; - key = "mastodon/db_password"; - restartUnits = [ "postgresql-setup.service" ]; - }; - dolibarrDbPassword = { - owner = config.services.postgresql.superUser; - key = "dolibarr/db_password"; - restartUnits = [ "postgresql-setup.service" ]; - }; }; systemd.services.postgresql-setup = 
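Review bot: Dropping `owner` from `synapseDbPassword` and `nextcloudDbPassword` leaves their ownership to whichever module declares the same secret name (modules/nextcloud.nix sets `owner = config.users.users.nextcloud.name` on `nextcloudDbPassword` in this commit) or to sops-nix's root/0400 default. The setup script reads them with `$(<'…path')`, so postgresql-setup must run as root or as that owner; its `serviceConfig` is outside the hunk, so I cannot confirm which. A comment such as `# owner is set by the consuming module (nextcloud.nix, synapse.nix) now that all services share one host` above the block would explain why the owner is deliberately absent here while, as far as the hunk shows, still present on roundcubeDbPassword.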
@@ -82,23 +67,14 @@ in PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"' - PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"' - PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "dolibarr"' - PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "odoo"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"' - PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"' - PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "dolibarr" OWNER "dolibarr"' - PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "odoo" OWNER "odoo"' PSQL -tAc "ALTER ROLE synapse LOGIN" PSQL -tAc "ALTER ROLE nextcloud LOGIN" PSQL -tAc "ALTER ROLE roundcube LOGIN" - PSQL -tAc "ALTER ROLE mastodon LOGIN" - PSQL -tAc "ALTER ROLE dolibarr LOGIN" - PSQL -tAc "ALTER ROLE odoo LOGIN" synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')" PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'" 
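Review bot: Removing the mastodon, dolibarr and odoo `CREATE ROLE`/`CREATE DATABASE`/`ALTER ROLE … LOGIN` lines here, and the password lines in the next hunk including `ALTER ROLE odoo WITH PASSWORD 'odoo'`, only stops managing those objects; the script is create-if-missing and never drops anything. If the data directory was carried over to hel1, the `odoo` role keeps LOGIN with the literal password `odoo` and the mastodon/dolibarr roles keep their last passwords, now reachable through whatever loopback host rule serves the other services. Add a one-off cleanup (`DROP DATABASE`/`DROP ROLE` for the three, or at least `ALTER ROLE odoo NOLOGIN`) or record in a comment that the cluster was re-initialised without them. The setup script starts before this hunk.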
@@ -106,11 +82,6 @@ in PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'" roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')" PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'" - mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')" - PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'" - dolibarr_password="$(<'${config.sops.secrets.dolibarrDbPassword.path}')" - PSQL -tAc "ALTER ROLE dolibarr WITH PASSWORD '$dolibarr_password'" - PSQL -tAc "ALTER ROLE odoo WITH PASSWORD 'odoo'" ''; serviceConfig = { diff --git a/modules/roundcube.nix b/modules/roundcube.nix index eec62eb..8bb25a3 100644 --- a/modules/roundcube.nix +++ b/modules/roundcube.nix @@ -1,6 +1,13 @@ -{ pkgs, lib, config, ... }: -let cfg = config.custom.services.roundcube; -in { +{ + pkgs, + lib, + config, + ... +}: +let + cfg = config.custom.services.roundcube; +in +{ options.custom.services.roundcube = { enable = lib.mkEnableOption "roundcube"; }; @@ -17,16 +24,17 @@ in { }; }; - # Required because roundcube uses psql: https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/services/mail/roundcube.nix#L247 - services.postgresql.package = pkgs.postgresql_15; - services.roundcube = { enable = true; plugins = [ "managesieve" ]; - dicts = with pkgs.aspellDicts; [ en fr de ]; + dicts = with pkgs.aspellDicts; [ + en + fr + de + ]; hostName = "webmail.banditlair.com"; database = { - host = "10.0.1.11"; + host = "127.0.0.1"; username = "roundcube"; dbname = "roundcube"; passwordFile = config.sops.secrets.pgPassFile.path; 
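Review bot: The removed `services.postgresql.package = pkgs.postgresql_15;` pin, together with its explanatory link, means the PostgreSQL major on hel1 is now whatever modules/postgresql.nix or the module default selects; if the cluster files came from db1 as initialised under 15, a different major refuses to start, and the reason the pin existed (roundcube calling `psql` from that package) still holds. Either keep the pin in modules/postgresql.nix or leave a comment here saying where the version is now fixed. `hostName = "webmail.banditlair.com"` stays a literal while the other modules derive names from `config.networking.domain`; `hostName = "webmail.${config.networking.domain}";` would keep them consistent. The `services.roundcube` block continues past this hunk.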
@@ -35,10 +43,10 @@ in { extraConfig = '' # This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file $password = file_get_contents('${config.sops.secrets.dbPassword.path}'); - $config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@10.0.1.11/roundcube'; + $config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@127.0.0.1/roundcube'; - $config['default_host'] = 'ssl://mail.banditlair.com:993'; - $config['smtp_server'] = 'ssl://%h'; + $config['imap_host'] = 'ssl://mail.banditlair.com:993'; + $config['smtp_host'] = 'ssl://%h'; $config['smtp_user'] = '%u'; $config['smtp_pass'] = '%p'; $config['identities_level'] = 0; diff --git a/modules/stb.nix b/modules/stb.nix index 145b4ed..bce7ed9 100644 --- a/modules/stb.nix +++ b/modules/stb.nix @@ -1,4 +1,9 @@ -{ pkgs, config, lib, ... }: +{ + pkgs, + config, + lib, + ... +}: let cfg = config.custom.services.stb; uploadWordpressConfig = pkgs.writeText "upload.ini" '' @@ -8,10 +13,17 @@ let post_max_size = 64M max_execution_time = 600 ''; -in { - options.custom.services.stb = { enable = lib.mkEnableOption "stb"; }; +in +{ + options.custom.services.stb = { + enable = lib.mkEnableOption "stb"; + }; config = lib.mkIf cfg.enable { + + virtualisation.podman.defaultNetwork.settings = { + dns_enabled = true; + }; systemd.services.init-stb-network = { description = "Create the network bridge stb-br for wordpress."; after = [ "network.target" ]; 
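Review bot: The new `db_dsnw` line splices `$password` straight into a URL-style DSN; Roundcube's DSN parser, as far as I recall, URL-decodes the credential part, so a password containing `@`, `/`, `:` or `%` breaks the connection, and a trailing newline in the secret file would too. `$password = rawurlencode(trim(file_get_contents('…')));` makes the line robust regardless of what the secret contains. The `imap_host`/`smtp_host` keys follow the Roundcube 1.6 renaming; a short comment like `# Roundcube >= 1.6 option names (formerly default_host / smtp_server)` would tell the next reader why the keys changed. The `extraConfig` string continues past this hunk.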
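Review bot: `description = "Create the network bridge stb-br for wordpress."`, the context line near the end of this hunk, is now wrong because the unit creates a podman pod in the following hunk; `description = "Create the podman pod stb for wordpress and mariadb.";`. The new `virtualisation.podman.defaultNetwork.settings.dns_enabled = true;` carries no reason, and since containers in one pod share a network namespace and reach each other on localhost, the need for name resolution on the default network is not obvious; a why-comment would help. The `init-stb-network` unit definition continues past this hunk.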
@@ -19,15 +31,17 @@ in { serviceConfig.Type = "oneshot"; script = - let dockercli = "${config.virtualisation.docker.package}/bin/docker"; - in '' + let + podmancli = "${pkgs.podman}/bin/podman"; + in + '' # Put a true at the end to prevent getting non-zero return code, which will # crash the whole service. - check=$(${dockercli} network ls | grep "stb-br" || true) + check=$(${podmancli} pod ps | grep "stb" || true) if [ -z "$check" ]; then - ${dockercli} network create stb-br + ${podmancli} pod create --publish 8180:80 stb else - echo "stb-br already exists in docker" + echo "stb pod already exists" fi ''; }; @@ -42,7 +56,7 @@ in { "MYSQL_DATABASE" = "stb"; }; volumes = [ "/var/lib/mariadb/stb:/var/lib/mysql" ]; - extraOptions = [ "--network=stb-br" ]; + extraOptions = [ "--pod=stb" ]; autoStart = true; }; @@ -52,8 +66,7 @@ in { "/nix/var/data/stb-wordpress:/var/www/html" "${uploadWordpressConfig}:/usr/local/etc/php/conf.d/uploads.ini" ]; - ports = [ "127.0.0.1:8180:80" ]; - extraOptions = [ "--network=stb-br" ]; + extraOptions = [ "--pod=stb" ]; autoStart = true; }; }; @@ -63,7 +76,9 @@ in { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://127.0.0.1:8180"; }; + locations."/" = { + proxyPass = "http://127.0.0.1:8180"; + }; }; }; } diff --git a/modules/synapse.nix b/modules/synapse.nix index f5bea6d..4367d60 100644 --- a/modules/synapse.nix +++ b/modules/synapse.nix 
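Review bot: `${podmancli} pod create --publish 8180:80 stb` publishes the WordPress port on every interface, whereas the removed `ports = [ "127.0.0.1:8180:80" ]` in the third hunk of this file bound it to loopback only; nginx proxies to 127.0.0.1:8180, so `--publish 127.0.0.1:8180:80` restores the old exposure, and as far as I can tell podman's published ports are reached via DNAT ahead of the input filter, so the NixOS firewall port list is not what protects them. The pod is created once by this oneshot and the guard `podman pod ps | grep "stb"` is a substring match, so a changed `--publish` is never applied and any other pod whose name contains `stb` suppresses creation; `podman pod exists stb` is the precise check. The enclosing `config` block continues past this hunk.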
@@ -1,16 +1,22 @@ -{ pkgs, config, lib, ... }: +{ + pkgs, + config, + lib, + ... +}: let cfg = config.custom.services.synapse; - fqdn = let - join = hostName: domain: - hostName + lib.optionalString (domain != null) ".${domain}"; - in join "matrix" config.networking.domain; + fqdn = + let + join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}"; + in + join "matrix" config.networking.domain; synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" '' database: name: psycopg2 args: database: synapse - host: "10.0.1.11" + host: "127.0.0.1" user: "synapse" password: "SYNAPSE_DB_PASSWORD" email: @@ -24,8 +30,11 @@ let macaroon_secret_key: "MACAROON_SECRET_KEY" turn_shared_secret: "TURN_SHARED_SECRET" ''; -in { - options.custom.services.synapse = { enable = lib.mkEnableOption "synapse"; }; +in +{ + options.custom.services.synapse = { + enable = lib.mkEnableOption "synapse"; + }; config = lib.mkIf cfg.enable { services.nginx = { 
@@ -38,25 +47,35 @@ in { forceSSL = true; # acmeFallbackHost = "storage1.banditlair.com"; - locations."= /.well-known/matrix/server".extraConfig = let - # use 443 instead of the default 8448 port to unite - # the client-server and server-server port for simplicity - server = { "m.server" = "${fqdn}:443"; }; - in '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server}'; - ''; - locations."= /.well-known/matrix/client".extraConfig = let - client = { - "m.homeserver" = { "base_url" = "https://${fqdn}"; }; - "m.identity_server" = { "base_url" = "https://vector.im"; }; - }; + locations."= /.well-known/matrix/server".extraConfig = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { + "m.server" = "${fqdn}:443"; + }; + in + '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { + "base_url" = "https://${fqdn}"; + }; + "m.identity_server" = { + "base_url" = "https://vector.im"; + }; + }; + in # ACAO required to allow element-web on any URL to request this json file - in '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client}'; - ''; + '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; }; # Reverse proxy for Matrix client-server and server-server communication @@ -98,7 +117,10 @@ in { group = "turnserver"; mode = "0440"; key = "synapse/turn_shared_secret"; - restartUnits = [ "matrix-synapse-setup" "coturn" ]; + restartUnits = [ + "matrix-synapse-setup" + "coturn" + ]; }; }; 
@@ -124,7 +146,10 @@ in { }; systemd.services.matrix-synapse = { - after = [ "matrix-synapse-setup.service" "network.target" ]; + after = [ + "matrix-synapse-setup.service" + "network.target" + ]; bindsTo = [ "matrix-synapse-setup.service" ]; }; @@ -138,14 +163,22 @@ in { listeners = [ { port = 8008; - bind_addresses = [ "::1" "127.0.0.1" ]; + bind_addresses = [ + "::1" + "127.0.0.1" + ]; type = "http"; tls = false; x_forwarded = true; - resources = [{ - names = [ "client" "federation" ]; - compress = false; - }]; + resources = [ + { + names = [ + "client" + "federation" + ]; + compress = false; + } + ]; } { port = 9000; @@ -214,17 +247,21 @@ in { ''; }; - networking.firewall = let - range = with config.services.coturn; [{ - from = min-port; - to = max-port; - }]; - in { - allowedUDPPortRanges = range; - allowedUDPPorts = [ 3478 ]; - allowedTCPPortRanges = range; - allowedTCPPorts = [ 3478 ]; - }; + networking.firewall = + let + range = with config.services.coturn; [ + { + from = min-port; + to = max-port; + } + ]; + in + { + allowedUDPPortRanges = range; + allowedUDPPorts = [ 3478 ]; + allowedTCPPortRanges = range; + allowedTCPPorts = [ 3478 ]; + }; security.acme.certs.${config.services.coturn.realm} = { postRun = "systemctl restart coturn.service"; diff --git a/modules/torrents.nix b/modules/torrents.nix index 7019ee1..8f6d9ab 100644 --- a/modules/torrents.nix +++ b/modules/torrents.nix 
@@ -1,14 +1,25 @@ -{ config, lib, pkgs, ... }: -let cfg = config.custom.services.torrents; -in { +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.services.torrents; +in +{ options.custom.services.torrents = { enable = lib.mkEnableOption "torrents"; }; config = lib.mkIf cfg.enable { sops.secrets = { - vpnCredentials = { key = "openvpn/credentials"; }; - transmissionRpcCredentials = { key = "transmission/rpc_config.json"; }; + vpnCredentials = { + key = "openvpn/credentials"; + }; + transmissionRpcCredentials = { + key = "transmission/rpc_config.json"; + }; }; containers.torrents = { @@ -60,7 +71,9 @@ in { isSystemUser = true; group = config.users.groups.www-data.name; }; - users.groups.www-data = { gid = 991; }; + users.groups.www-data = { + gid = 991; + }; services.openvpn.servers.client = { updateResolvConf = true; config = '' 
@@ -194,41 +207,51 @@ in { }; }; - virtualisation.oci-containers.containers.flaresolverr = { - image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11"; - environment = { - "LOG_LEVEL" = "debug"; - "CAPTCHA_SOLVER" = "hcaptcha-solver"; - }; - ports = [ "192.168.1.1:8191:8191" ]; - autoStart = true; - }; + # virtualisation.oci-containers.containers.flaresolverr = { + # image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11"; + # environment = { + # "LOG_LEVEL" = "debug"; + # "CAPTCHA_SOLVER" = "hcaptcha-solver"; + # }; + # ports = [ "192.168.1.1:8191:8191" ]; + # autoStart = true; + # }; services.nginx.virtualHosts = { "transmission.${config.networking.domain}" = { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://192.168.1.2:9091"; }; + locations."/" = { + proxyPass = "http://192.168.1.2:9091"; + }; }; "jackett.${config.networking.domain}" = { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://192.168.1.2:9117"; }; + locations."/" = { + proxyPass = "http://192.168.1.2:9117"; + }; }; "sonarr.${config.networking.domain}" = { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://192.168.1.2:8989"; }; + locations."/" = { + proxyPass = "http://192.168.1.2:8989"; + }; }; "radarr.${config.networking.domain}" = { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://192.168.1.2:7878"; }; + locations."/" = { + proxyPass = "http://192.168.1.2:7878"; + }; }; "lidarr.${config.networking.domain}" = { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://192.168.1.2:8686"; }; + locations."/" = { + proxyPass = "http://192.168.1.2:8686"; + }; }; }; }; diff --git a/profiles/backend.nix b/profiles/backend.nix index 8a9066e..07f5c80 100644 --- a/profiles/backend.nix +++ b/profiles/backend.nix @@ -1,10 +1,4 @@ -{ - config, - lib, - pkgs, - pkgs-unstable, - ... -}: +{ config, ... }: { imports = [ ../environment.nix 
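Review bot: The flaresolverr container is commented out rather than deleted; the definition is preserved in git history, so the commented lines should simply be removed, or if re-enabling is planned the first comment line should say why it is disabled and what brings it back. The parked block still binds `192.168.1.1:8191`, so a later uncomment re-exposes it on the container network without review.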
@@ -12,129 +6,17 @@ ../modules ]; - sops.secrets = { - borgSshKey = { - owner = config.services.borgbackup.jobs.data.user; - key = "borg/client_keys/backend1/private"; - }; - dolibarrDbPassword = { - owner = config.users.users.dolibarr.name; - key = "dolibarr/db_password"; - restartUnits = [ "phpfpm-dolibarr.service" ]; - }; - }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 root@hel1" + ]; custom = { - - services.backup-job = { - enable = true; - repoName = "bk1"; - additionalPaths = [ - "/var/lib/nextcloud/config" - "/var/lib/mastodon" - ]; - readWritePaths = [ - "/nix/var/data/murmur" - "/nix/var/data/backup/" - ]; - preHook = '' - cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite - ''; - startAt = "03:30"; - sshKey = config.sops.secrets.borgSshKey.path; - }; - - services.monit = { - enable = true; - additionalConfig = '' - check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html - start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service" - - check host jellyfin with address jellyfin.banditlair.com - if failed port 443 protocol https with timeout 20 seconds then alert - check host stb with address www.societe-de-tir-bertrix.com - if failed port 443 protocol https with timeout 20 seconds then alert - - check host transmission with address transmission.banditlair.com - if failed - port 443 - protocol https - status = 401 - with timeout 20 seconds - then alert - - check host osteoview with address osteoview.app - if failed - port 443 - protocol https - status = 200 - request "/api/_health" - with timeout 5 seconds - content = "Healthy" - then alert - ''; - }; - services.nginx.enable = true; - services.dokuwiki.enable = true; services.openssh.enable = true; - services.murmur.enable = true; - services.synapse.enable = true; - services.nextcloud.enable = true; - services.roundcube.enable = true; + services.monitoring-exporters.enable = true; 
}; - services.uptime-kuma = { - enable = true; - settings = { - PORT = "3001"; - }; - }; - - services.nginx.virtualHosts = { - "osteopathie.froidmont.org" = { - enableACME = true; - forceSSL = true; - root = "/nix/var/data/website-marie"; - }; - - "uptime.froidmont.org" = { - serverAliases = [ "status.${config.networking.domain}" ]; - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}"; - proxyWebsockets = true; - }; - }; - - "www.fautlfer.com" = { - enableACME = true; - forceSSL = true; - - locations."= /".extraConfig = '' - return 302 https://blogz.zaclys.com/faut-l-fer/; - ''; - }; - - "fautlfer.com" = { - enableACME = true; - forceSSL = true; - - locations."= /".extraConfig = '' - return 302 https://blogz.zaclys.com/faut-l-fer/; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ - 80 - 443 - 64738 - ]; - networking.firewall.allowedUDPPorts = [ 64738 ]; networking.firewall.interfaces."eth1".allowedTCPPorts = [ config.services.prometheus.exporters.node.port 9000 diff --git a/profiles/db.nix b/profiles/db.nix index c210504..488e137 100644 --- a/profiles/db.nix +++ b/profiles/db.nix 
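Review bot: `users.users.root.openssh.authorizedKeys.keys` now grants hel1's root key root login on backend1, and the profiles/db.nix and profiles/storage.nix hunks add the same key to db1 and storage1. If this serves the one-off data migration it should be scoped — `"restrict,command=\"…\" ssh-rsa …"` or a dedicated transfer user with read access to /nix/var/data — and removed once the move is done, because it makes hel1 a single point of compromise for every remaining host. At minimum a comment above the list naming the purpose and the planned removal would keep it from outliving the migration. The enclosing attribute set continues past this hunk.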
@@ -13,38 +13,14 @@ networking.firewall.interfaces."eth1".allowedTCPPorts = [ config.services.prometheus.exporters.node.port - config.services.postgresql.settings.port ]; - sops.secrets = { - borgSshKey = { - owner = config.services.borgbackup.jobs.data.user; - key = "borg/client_keys/db1/private"; - }; - }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 root@hel1" + ]; custom = { - services.backup-job = { - enable = true; - repoName = "db1"; - readWritePaths = [ - "/nix/var/data/postgresql" - "/nix/var/data/backup/" - ]; - preHook = '' - ${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp - ${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp - ${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp - ${config.services.postgresql.package}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp - ${config.services.postgresql.package}/bin/pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp - ${config.services.postgresql.package}/bin/pg_dump -U odoo odoo > /nix/var/data/postgresql/odoo.dmp - ''; - startAt = "03:00"; - sshKey = config.sops.secrets.borgSshKey.path; - }; - services.openssh.enable = true; - services.postgresql.enable = true; services.monitoring-exporters.enable = true; }; diff --git a/profiles/hel.nix b/profiles/hel.nix index b35e8bf..f205556 100644 --- a/profiles/hel.nix +++ b/profiles/hel.nix @@ -1,7 +1,4 @@ -{ - config, - ... -}: +{ config, pkgs, ... }: { imports = [ ../environment.nix @@ -10,6 +7,10 @@ ]; sops.secrets = { + borgSshKey = { + owner = config.services.borgbackup.jobs.data.user; + key = "borg/client_keys/storage1/private"; + }; runnerRegistrationConfig = { owner = config.users.users.gitlab-runner.name; key = "gitlab/runner_registration_config/hel1"; 
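Review bot: hel1's `borgSshKey` reuses `borg/client_keys/storage1/private`, the same private key as storage1, and both hosts keep `repoName = "bl"` (see the backup-job hunk of profiles/storage.nix in this commit), so two clients now write to one repository under one identity. Borg locks the repository per operation, so the 02:00 and 04:00 jobs collide whenever one runs long, and either host can read or prune the other's archives; a per-host key under `borg/client_keys/hel1/private` and a separate repository (or append-only mode server-side) keep the isolation the per-host keys provided before. If the shared key is deliberate for the migration window, say so in a comment next to `key`.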
@@ -18,10 +19,22 @@ time.timeZone = "Europe/Amsterdam"; - networking.nat = { - enable = true; - internalInterfaces = [ "ve-+" ]; - externalInterface = "enp41s0"; + # Prevent mdmon from crashing + boot.swraid.mdadmConf = '' + HOMEHOST + PROGRAM true + ''; + + networking = { + firewall.allowedTCPPorts = [ + 80 + 443 + ]; + nat = { + enable = true; + internalInterfaces = [ "ve-+" ]; + externalInterface = "enp41s0"; + }; }; disko.devices = { 
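Review bot: `# Prevent mdmon from crashing` does not say why `HOMEHOST` and `PROGRAM true` achieve that; NixOS' swraid module requires MAILADDR or PROGRAM in mdadm.conf, and `PROGRAM true` satisfies it by discarding every array event, so degraded-array notification now rests entirely on the monit checks further down in this file. A fuller comment would be `# NixOS swraid needs MAILADDR or PROGRAM, else mdmon fails; PROGRAM true discards events, array health is watched by monit instead`. A bare `HOMEHOST` with no value is also unusual — the documented forms are `HOMEHOST <system>` or `<ignore>` — so it is worth confirming mdadm parses it as intended.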
@@ -168,11 +181,179 @@ }; custom = { + services.nginx.enable = true; + services.postgresql.enable = true; + services.dokuwiki.enable = true; services.openssh.enable = true; services.gitlab-runner = { enable = true; runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path; }; + services.jellyfin.enable = true; + services.torrents.enable = true; + services.foundryvtt.enable = true; + services.jitsi.enable = true; + services.stb.enable = true; + services.murmur.enable = true; + services.synapse.enable = true; + services.nextcloud.enable = true; + services.roundcube.enable = true; + + services.backup-job = { + enable = true; + repoName = "bl"; + additionalPaths = [ + "/var/lib/acme" + "/var/lib/nextcloud" + ]; + patterns = [ + "- /nix/var/data/media" + "- /nix/var/data/transmission/downloads" + "- /nix/var/data/transmission/.incomplete" + ]; + readWritePaths = [ + "/nix/var/data/murmur" + "/nix/var/data/postgresql" + "/nix/var/data/backup/" + "/var/lib/containers/storage" + "/run" + ]; + preHook = '' + cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite + ${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp + ${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp + ${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp + ${pkgs.podman}/bin/podman exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql + ${pkgs.systemd}/bin/systemctl stop jellyfin.service + ${pkgs.systemd}/bin/systemctl stop container@torrents + ''; + postHook = '' + ${pkgs.systemd}/bin/systemctl start jellyfin.service + ${pkgs.systemd}/bin/systemctl start container@torrents + ''; + startAt = "02:00"; + sshKey = config.sops.secrets.borgSshKey.path; + }; + + services.monit = { + enable = true; + additionalConfig = '' + check host nextcloud with address 
cloud.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host anderia-wiki with address anderia.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host arkadia-wiki with address arkadia.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host website-marie with address osteopathie.froidmont.org + if failed port 443 protocol https with timeout 20 seconds then alert + check host webmail with address webmail.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host jellyfin with address jellyfin.banditlair.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host stb with address www.societe-de-tir-bertrix.com + if failed port 443 protocol https with timeout 20 seconds then alert + check host transmission with address transmission.banditlair.com + if failed + port 443 + protocol https + status = 401 + with timeout 20 seconds + then alert + + check program raid-md126 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127" + if status != 0 then alert + check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127" + if status != 0 then alert + + check filesystem data with path /nix/var/data + if SPACE usage > 90% then alert + + check host osteoview with address osteoview.app + if failed + port 443 + protocol https + status = 200 + request "/api/_health" + with timeout 5 seconds + content = "Healthy" + then alert + + check host osteoview-demo with address demo.osteoview.app + if failed + port 443 + protocol https + status = 200 + request "/api/_health" + with timeout 5 seconds + content = "Healthy" + then alert + ''; + }; + }; + + services.uptime-kuma = { + enable = true; + settings = { + PORT = "3001"; + }; + }; + + services.nginx.virtualHosts = { + "uptime.froidmont.org" = { + serverAliases = [ 
"status.${config.networking.domain}" ]; + forceSSL = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}"; + proxyWebsockets = true; + }; + }; + "osteopathie.froidmont.org" = { + enableACME = true; + forceSSL = true; + root = "/nix/var/data/website-marie"; + }; + "www.fautlfer.com" = { + enableACME = true; + forceSSL = true; + + locations."= /".extraConfig = '' + return 302 https://blogz.zaclys.com/faut-l-fer/; + ''; + }; + "fautlfer.com" = { + enableACME = true; + forceSSL = true; + + locations."= /".extraConfig = '' + return 302 https://blogz.zaclys.com/faut-l-fer/; + ''; + }; + }; + # virtualisation.oci-containers.containers = { + # "minecraft" = { + # image = "itzg/minecraft-server"; + # environment = { + # EULA = "TRUE"; + # VERSION = "1.18.2"; + # TYPE = "AUTO_CURSEFORGE"; + # MEMORY = "4G"; + # CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files + # }; + # ports = [ "25565:25565" ]; + # volumes = [ "/nix/var/data/minecraft-modded:/data" ]; + # autoStart = true; + # }; + # }; + + users.users.www-data = { + uid = 993; + group = config.users.groups.www-data.name; + }; + + users.groups.www-data = { + gid = 991; }; } diff --git a/profiles/storage.nix b/profiles/storage.nix index aa5028a..8342857 100644 --- a/profiles/storage.nix +++ b/profiles/storage.nix @@ -1,9 +1,7 @@ { config, - lib, pkgs, pkgs-unstable, - inputs, ... }: { 
@@ -56,24 +54,12 @@
 services.backup-job = {
 enable = true;
 repoName = "bl";
- additionalPaths = [ config.services.foundryvtt.dataDir ];
 patterns = [
 "- /nix/var/data/media"
 "- /nix/var/data/transmission/downloads"
 "- /nix/var/data/transmission/.incomplete"
 ];
 readWritePaths = [ "/nix/var/data/backup" ];
- preHook = ''
- ${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
- ${pkgs.systemd}/bin/systemctl stop jellyfin.service
- ${pkgs.systemd}/bin/systemctl stop minecraft-server.service
- ${pkgs.systemd}/bin/systemctl stop container@torrents
- '';
- postHook = ''
- ${pkgs.systemd}/bin/systemctl start jellyfin.service
- ${pkgs.systemd}/bin/systemctl start minecraft-server.service
- ${pkgs.systemd}/bin/systemctl start container@torrents
- '';
 startAt = "04:00";
 sshKey = config.sops.secrets.borgSshKey.path;
 };
@@ -81,49 +67,15 @@
 services.monit = {
 enable = true;
 additionalConfig = ''
- check host nextcloud with address cloud.banditlair.com
- if failed port 443 protocol https with timeout 20 seconds then alert
- check host anderia-wiki with address anderia.banditlair.com
- if failed port 443 protocol https with timeout 20 seconds then alert
- check host arkadia-wiki with address arkadia.banditlair.com
- if failed port 443 protocol https with timeout 20 seconds then alert
- check host website-marie with address osteopathie.froidmont.org
- if failed port 443 protocol https with timeout 20 seconds then alert
- check host webmail with address webmail.banditlair.com
- if failed port 443 protocol https with timeout 20 seconds then alert
- check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127" if status != 0 then alert
-
- check host osteoview with address osteoview.app
- if failed
- port 443
- protocol https
- status = 200
- request "/api/_health"
- with timeout 5 seconds
- content = "Healthy"
- then alert
-
- check host osteoview-demo with address demo.osteoview.app
- if failed
- port 443
- protocol https
- status = 200
- request "/api/_health"
- with timeout 5 seconds
- content = "Healthy"
- then alert
 '';
 };
 services.nginx.enable = true;
 services.openssh.enable = true;
- services.jellyfin.enable = true;
- services.stb.enable = true;
- services.monero.enable = true;
- services.torrents.enable = true;
- services.jitsi.enable = true;
+
+ services.monero.enable = false;
 services.grafana.enable = true;
 services.monitoring-exporters.enable = true;
 };
@@ -238,6 +190,10 @@
 networking.nat.internalInterfaces = [ "ve-+" ];
 networking.nat.externalInterface = "enp2s0";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 root@hel1"
+ ];
+
 users.users.www-data = {
 uid = 993;
 createHome = true;
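Review bot: The removed raid-md127 line ends at `/dev/md127"` and the `if status != 0 then alert` that follows carries no removal marker, while the hel.nix version of the same check keeps that clause on its own line; if it was a separate line here too, it now survives as an orphaned `if` at the top of storage1's `additionalConfig` and monit will refuse the control file. Please confirm the `''` block is empty after this hunk, or drop the stray clause as well. The enclosing attribute set starts and ends outside the hunk.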
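Review bot: The new `users.users.root.openssh.authorizedKeys.keys` entry gives hel1's root key a root login on storage1 (the NixOS default `PermitRootLogin` of `prohibit-password` allows key-based root login, and nothing in this diff sets it to `no`), so a compromise of hel1 is also root on the backup host. The `services.borgbackup.repos.*.authorizedKeys` lists further down in this file already grant per-repository access, optionally append-only via `authorizedKeysAppendOnly`, which is the narrower path for backup traffic from hel1. If the root key is only for the migration itself, remove it once the move is done; if it must stay, restrict it with authorized_keys options such as `restrict,command="..."` and add a comment above the entry saying why hel1 needs root here.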
@@ -266,7 +222,7 @@
 users.groups.steam = { };
 services.minecraft-server = {
- enable = true;
+ enable = false;
 package = pkgs-unstable.minecraft-server;
 eula = true;
 openFirewall = false;
@@ -305,34 +261,11 @@
 # };
 # };
- services.foundryvtt = {
- enable = true;
- package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_12;
- hostName = "vtt.${config.networking.domain}";
- language = "fr.core";
- proxyPort = 443;
- proxySSL = true;
- upnp = false;
- };
-
 # services.rustdesk-server = {
 # enable = true;
 # openFirewall = true;
 # };
- services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
- forceSSL = true;
- enableACME = true;
-
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
- extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- '';
- };
- };
-
 services.borgbackup.repos = {
 epicerie_du_cellier = {
 authorizedKeys = [
diff --git a/secrets.enc.yml b/secrets.enc.yml
index f51ed5f..b184c7e 100644
--- a/secrets.enc.yml
+++ b/secrets.enc.yml
@@ -17,11 +17,6 @@ synapse:
 nextcloud:
 db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str]
 admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str]
-mastodon:
- db_password: ENC[AES256_GCM,data:XY/C6n3T7iINN1Sk2GdhQgHK0+vltLssOVfRLA2rFmqdxLHjvpKQTPHWxDbzELVcGqgGyiMH4AG240lo,iv:8M/fLo1MjIpUIW54WgddILmcgtofeh0rIBvKQaX/Csw=,tag:Al6LjmcPOlza5iJivf0agg==,type:str]
- smtp_password: ENC[AES256_GCM,data:uhtPw/1uuKsDifdPzaczWFdZm3TP3e25U69bGysJdudnjY9rjf8HrDJ1/wqXR4hbLMaJP41fVN9WXYSE,iv:VjIQCBx6BFzATuALewU6Dc7Ti+uekmAUIJ+r2iOcFHg=,tag:vhCvRbkRxuYyf/qLeoaFzA==,type:str]
-dolibarr:
- db_password: ENC[AES256_GCM,data:1aDUyV+JLklbbP5dJBmviPWKKxQF7xAuQ/lKIZ5M4TtHbeH9PDuEoyxJJ08k7RtJyLrBRCwBd2pgLyYs,iv:rn6aGEPG9i3Uu4xlMIDIdK8T8bPt8t1pRl4SUsgK8nI=,tag:qacpyDDsj0pYWO1Kur9Ugw==,type:str]
 roundcube:
 db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
 pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
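Review bot: Dropping the `mastodon` and `dolibarr` entries does not retire those credentials: the ciphertext stays in git history and remains decryptable by every recipient of this file, and the SMTP and database passwords stay valid wherever they were provisioned. Rotate the mastodon SMTP password at the mail provider and remove or re-password the mastodon and dolibarr database roles on whichever host still has them, so the deleted entries cannot be used again. The recipient (`pgp`) block of this file is outside the hunk.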
@@ -73,8 +68,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-12-05T15:21:41Z"
- mac: ENC[AES256_GCM,data:8p+Am3IjJZoBmZDwOSymSVeMrbaXfgHO1BZhq8Sdn/pFCGC2/et8xg/heQ7JGBRQMER2AzIdtreTe9f+6NJLYdRuh0CghwxKHfcykUSBNkgzc2bDFLD+xAFWhFoYJx9YZvuDuOeU6rQ/YVSunDYu4K7aX5KdCLon2+1MOtDHZXo=,iv:gW1hBzHSxugVl09FT1HhL2J/9HccwfLFwSEKdei5mLg=,tag:ncQof/HBVGht+xfna6AC2Q==,type:str]
+ lastmodified: "2024-12-10T00:50:13Z"
+ mac: ENC[AES256_GCM,data:yM21T3BYoC9/jH9n7tdSK6Bgkw7n32SA17tKUoxZ7AgHuKDQRHdwGW1ujfGEBxo337uHdOaTW9mjjvMAy8KnrOQReipuM6yPKf8Fi8ptX+JXtxfg9QmcdjxMHX8vxpWHIFIkz4ScOQ2MSCwa3UXakhhpNJUssp31MMKlkpABOkA=,iv:2PwpgEGidQW2yiUg0qszf5FRw3f5wWM7vgydQL9dzGU=,tag:tRLFzeLNyrpDFVlBTjq2uQ==,type:str]
 pgp:
 - created_at: "2024-12-05T00:56:17Z"
 enc: |-
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 7b77b2b..81bff1a 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -16,7 +16,7 @@ data "hetznerdns_zone" "froidmont_solutions_zone" {
 resource "hetznerdns_record" "banditlair_hcloud_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "@"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -32,7 +32,7 @@ resource "hetznerdns_record" "backend1_a" {
 resource "hetznerdns_record" "webmail_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "webmail"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -88,7 +88,7 @@ resource "hetznerdns_record" "cache_a" {
 resource "hetznerdns_record" "jellyfin_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "jellyfin"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
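Review bot: After this change every A record in dns.tf that was moved carries the identical tail `value = local.hel1_ip` / `type = "A"` / `ttl = 600`; the same edit is repeated in the webmail_a, jellyfin_a, status_banditlair_a, jitsi_a, uptime_a, transmission_a, jackett_a, sonarr_a, radarr_a, lidarr_a, vtt_a, monero_a, anderia_a, arkadia_a, cifirpg_a, nextcloud_a, matrix_a, coturn_a, website_marie_a and stb_a hunks. One `resource "hetznerdns_record" "hel1_a"` with `for_each` over a name-to-zone map would make the next host move a one-line change, at the cost of `moved` blocks to preserve the existing resource addresses. The definition of `local.hel1_ip` is not in this diff; if it is a literal rather than an attribute of a managed resource, a comment naming the host and how the value is kept in sync would help the next reader.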
@@ -96,23 +96,7 @@ resource "hetznerdns_record" "jellyfin_a" {
 resource "hetznerdns_record" "status_banditlair_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "status"
- value = hcloud_server.backend1.ipv4_address
- type = "A"
- ttl = 600
-}
-
-resource "hetznerdns_record" "dolibarr_a" {
- zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id
- name = "dolibarr"
- value = hcloud_server.backend1.ipv4_address
- type = "A"
- ttl = 600
-}
-
-resource "hetznerdns_record" "odoo_a" {
- zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id
- name = "odoo"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -120,15 +104,7 @@ resource "hetznerdns_record" "odoo_a" {
 resource "hetznerdns_record" "jitsi_a" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
 name = "jitsi"
- value = local.storage1_ip
- type = "A"
- ttl = 600
-}
-
-resource "hetznerdns_record" "mastodon_a" {
- zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "social"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -136,7 +112,7 @@ resource "hetznerdns_record" "mastodon_a" {
 resource "hetznerdns_record" "uptime_a" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
 name = "uptime"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -144,7 +120,7 @@ resource "hetznerdns_record" "uptime_a" {
 resource "hetznerdns_record" "transmission_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "transmission"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -152,7 +128,7 @@ resource "hetznerdns_record" "transmission_a" {
 resource "hetznerdns_record" "jackett_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "jackett"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -160,7 +136,7 @@ resource "hetznerdns_record" "jackett_a" {
 resource "hetznerdns_record" "sonarr_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "sonarr"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -168,7 +144,7 @@ resource "hetznerdns_record" "sonarr_a" {
 resource "hetznerdns_record" "radarr_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "radarr"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -176,7 +152,7 @@ resource "hetznerdns_record" "radarr_a" {
 resource "hetznerdns_record" "lidarr_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "lidarr"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -184,7 +160,7 @@ resource "hetznerdns_record" "lidarr_a" {
 resource "hetznerdns_record" "vtt_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "vtt"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -192,7 +168,7 @@ resource "hetznerdns_record" "vtt_a" {
 resource "hetznerdns_record" "monero_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "monero"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -200,7 +176,7 @@ resource "hetznerdns_record" "monero_a" {
 resource "hetznerdns_record" "anderia_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "anderia"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -208,7 +184,7 @@ resource "hetznerdns_record" "anderia_a" {
 resource "hetznerdns_record" "arkadia_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "arkadia"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -216,7 +192,7 @@ resource "hetznerdns_record" "arkadia_a" {
 resource "hetznerdns_record" "cifirpg_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "scifirpg"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -240,7 +216,7 @@ resource "hetznerdns_record" "banditlair_dedicated_a" {
 resource "hetznerdns_record" "nextcloud_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "cloud"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -249,7 +225,7 @@ resource "hetznerdns_record" "nextcloud_a" {
 resource "hetznerdns_record" "matrix_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "matrix"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -265,7 +241,7 @@ resource "hetznerdns_record" "matrix_srv" {
 resource "hetznerdns_record" "coturn_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "turn"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -386,7 +362,7 @@ resource "hetznerdns_record" "froidmont_a" {
 resource "hetznerdns_record" "website_marie_a" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
 name = "osteopathie"
- value = hcloud_server.backend1.ipv4_address
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -438,7 +414,7 @@ data "hetznerdns_zone" "stb_zone" {
 resource "hetznerdns_record" "stb_a" {
 zone_id = data.hetznerdns_zone.stb_zone.id
 name = "@"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }