phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move everyting to hel1 except emails

Browse source
This commit is contained in:
Paul-Henri Froidmont 2024-12-10 11:39:55 +01:00
parent 0d3f1b4afc
commit f18644f8a1
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
18 changed files with 476 additions and 448 deletions
Download patch file Download diff file Expand all files Collapse all files

128
profiles/backend.nix
View file

@ -1,10 +1,4 @@
{
config,
lib,
pkgs,
pkgs-unstable,
...
}:
{ config, ... }:
{
imports = [
../environment.nix
@ -12,129 +6,17 @@
../modules
];
sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/backend1/private";
};
dolibarrDbPassword = {
owner = config.users.users.dolibarr.name;
key = "dolibarr/db_password";
restartUnits = [ "phpfpm-dolibarr.service" ];
};
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
];
custom = {
services.backup-job = {
enable = true;
repoName = "bk1";
additionalPaths = [
"/var/lib/nextcloud/config"
"/var/lib/mastodon"
];
readWritePaths = [
"/nix/var/data/murmur"
"/nix/var/data/backup/"
];
preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
'';
startAt = "03:30";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html
start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service"
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
services.nginx.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true;
services.murmur.enable = true;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.monitoring-exporters.enable = true;
};
services.uptime-kuma = {
enable = true;
settings = {
PORT = "3001";
};
};
services.nginx.virtualHosts = {
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
};
};
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
networking.firewall.allowedTCPPorts = [
80
443
64738
];
networking.firewall.allowedUDPPorts = [ 64738 ];
networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port
9000

30
profiles/db.nix
View file

@ -13,38 +13,14 @@
networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port
config.services.postgresql.settings.port
];
sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/db1/private";
};
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
];
custom = {
services.backup-job = {
enable = true;
repoName = "db1";
readWritePaths = [
"/nix/var/data/postgresql"
"/nix/var/data/backup/"
];
preHook = ''
${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${config.services.postgresql.package}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp
${config.services.postgresql.package}/bin/pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp
${config.services.postgresql.package}/bin/pg_dump -U odoo odoo > /nix/var/data/postgresql/odoo.dmp
'';
startAt = "03:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.openssh.enable = true;
services.postgresql.enable = true;
services.monitoring-exporters.enable = true;
};

197
profiles/hel.nix
View file

@ -1,7 +1,4 @@
{
config,
...
}:
{ config, pkgs, ... }:
{
imports = [
../environment.nix
@ -10,6 +7,10 @@
];
sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/storage1/private";
};
runnerRegistrationConfig = {
owner = config.users.users.gitlab-runner.name;
key = "gitlab/runner_registration_config/hel1";
@ -18,10 +19,22 @@
time.timeZone = "Europe/Amsterdam";
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "enp41s0";
# Prevent mdmon from crashing
boot.swraid.mdadmConf = ''
HOMEHOST <ignore>
PROGRAM true
'';
networking = {
firewall.allowedTCPPorts = [
80
443
];
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "enp41s0";
};
};
disko.devices = {
@ -168,11 +181,179 @@
};
custom = {
services.nginx.enable = true;
services.postgresql.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true;
services.gitlab-runner = {
enable = true;
runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path;
};
services.jellyfin.enable = true;
services.torrents.enable = true;
services.foundryvtt.enable = true;
services.jitsi.enable = true;
services.stb.enable = true;
services.murmur.enable = true;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.backup-job = {
enable = true;
repoName = "bl";
additionalPaths = [
"/var/lib/acme"
"/var/lib/nextcloud"
];
patterns = [
"- /nix/var/data/media"
"- /nix/var/data/transmission/downloads"
"- /nix/var/data/transmission/.incomplete"
];
readWritePaths = [
"/nix/var/data/murmur"
"/nix/var/data/postgresql"
"/nix/var/data/backup/"
"/var/lib/containers/storage"
"/run"
];
preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${pkgs.podman}/bin/podman exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
${pkgs.systemd}/bin/systemctl stop container@torrents
'';
postHook = ''
${pkgs.systemd}/bin/systemctl start jellyfin.service
${pkgs.systemd}/bin/systemctl start container@torrents
'';
startAt = "02:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
check program raid-md126 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check filesystem data with path /nix/var/data
if SPACE usage > 90% then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
check host osteoview-demo with address demo.osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
};
services.uptime-kuma = {
enable = true;
settings = {
PORT = "3001";
};
};
services.nginx.virtualHosts = {
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
};
};
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
# virtualisation.oci-containers.containers = {
# "minecraft" = {
# image = "itzg/minecraft-server";
# environment = {
# EULA = "TRUE";
# VERSION = "1.18.2";
# TYPE = "AUTO_CURSEFORGE";
# MEMORY = "4G";
# CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
# };
# ports = [ "25565:25565" ];
# volumes = [ "/nix/var/data/minecraft-modded:/data" ];
# autoStart = true;
# };
# };
users.users.www-data = {
uid = 993;
group = config.users.groups.www-data.name;
};
users.groups.www-data = {
gid = 991;
};
}

81
profiles/storage.nix
View file

@ -1,9 +1,7 @@
{
config,
lib,
pkgs,
pkgs-unstable,
inputs,
...
}:
{
@ -56,24 +54,12 @@
services.backup-job = {
enable = true;
repoName = "bl";
additionalPaths = [ config.services.foundryvtt.dataDir ];
patterns = [
"- /nix/var/data/media"
"- /nix/var/data/transmission/downloads"
"- /nix/var/data/transmission/.incomplete"
];
readWritePaths = [ "/nix/var/data/backup" ];
preHook = ''
${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
${pkgs.systemd}/bin/systemctl stop minecraft-server.service
${pkgs.systemd}/bin/systemctl stop container@torrents
'';
postHook = ''
${pkgs.systemd}/bin/systemctl start jellyfin.service
${pkgs.systemd}/bin/systemctl start minecraft-server.service
${pkgs.systemd}/bin/systemctl start container@torrents
'';
startAt = "04:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
@ -81,49 +67,15 @@
services.monit = {
enable = true;
additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
check host osteoview-demo with address demo.osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
services.nginx.enable = true;
services.openssh.enable = true;
services.jellyfin.enable = true;
services.stb.enable = true;
services.monero.enable = true;
services.torrents.enable = true;
services.jitsi.enable = true;
services.monero.enable = false;
services.grafana.enable = true;
services.monitoring-exporters.enable = true;
};
@ -238,6 +190,10 @@
networking.nat.internalInterfaces = [ "ve-+" ];
networking.nat.externalInterface = "enp2s0";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
];
users.users.www-data = {
uid = 993;
createHome = true;
@ -266,7 +222,7 @@
users.groups.steam = { };
services.minecraft-server = {
enable = true;
enable = false;
package = pkgs-unstable.minecraft-server;
eula = true;
openFirewall = false;
@ -305,34 +261,11 @@
# };
# };
services.foundryvtt = {
enable = true;
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_12;
hostName = "vtt.${config.networking.domain}";
language = "fr.core";
proxyPort = 443;
proxySSL = true;
upnp = false;
};
# services.rustdesk-server = {
# enable = true;
# openFirewall = true;
# };
services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
services.borgbackup.repos = {
epicerie_du_cellier = {
authorizedKeys = [