phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move everyting to hel1 except emails

Browse source
This commit is contained in:
Paul-Henri Froidmont 2024-12-10 11:39:55 +01:00
parent 0d3f1b4afc
commit f18644f8a1
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
18 changed files with 476 additions and 448 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.nix
View file

@ -56,10 +56,11 @@
db1 = nixpkgs.lib.nixosSystem { db1 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit nixpkgs; inherit nixpkgs inputs;
}; };
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
foundryvtt.nixosModules.foundryvtt
./profiles/db.nix ./profiles/db.nix
{ {
sops.defaultSopsFile = ./secrets.enc.yml; sops.defaultSopsFile = ./secrets.enc.yml;
@ -74,11 +75,12 @@
backend1 = nixpkgs.lib.nixosSystem { backend1 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit nixpkgs; inherit nixpkgs inputs;
}; };
modules = [ modules = [
defaultModuleArgs defaultModuleArgs
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
foundryvtt.nixosModules.foundryvtt
./profiles/backend.nix ./profiles/backend.nix
{ {
sops.defaultSopsFile = ./secrets.enc.yml; sops.defaultSopsFile = ./secrets.enc.yml;

4
modules/default.nix
View file

@ -1,4 +1,5 @@
{ config, pkgs, ... }: { { ... }:
{
imports = [ imports = [
./backup-job.nix ./backup-job.nix
./monit.nix ./monit.nix
@ -20,5 +21,6 @@
./roundcube.nix ./roundcube.nix
./dokuwiki.nix ./dokuwiki.nix
./postgresql.nix ./postgresql.nix
./foundryvtt.nix
]; ];
} }

44
modules/foundryvtt.nix Normal file
View file

@ -0,0 +1,44 @@
{
inputs,
pkgs,
config,
lib,
...
}:
let
cfg = config.custom.services.foundryvtt;
in
{
options.custom.services.foundryvtt = {
enable = lib.mkEnableOption "foundryvtt";
};
config = lib.mkIf cfg.enable {
services.foundryvtt = {
enable = true;
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_12;
hostName = "vtt.${config.networking.domain}";
language = "fr.core";
proxyPort = 443;
proxySSL = true;
upnp = false;
dataDir = "/nix/var/data/foundryvtt";
};
systemd.services.foundryvtt.serviceConfig = {
StateDirectory = lib.mkForce null;
ReadWritePaths = config.services.foundryvtt.dataDir;
};
services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
};
}

14
modules/jellyfin.nix
View file

@ -1,15 +1,17 @@
{ config, lib, ... }: { config, lib, ... }:
let cfg = config.custom.services.jellyfin; let
in { cfg = config.custom.services.jellyfin;
in
{
options.custom.services.jellyfin = { options.custom.services.jellyfin = {
enable = lib.mkEnableOption "jellyfin"; enable = lib.mkEnableOption "jellyfin";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.jellyfin = { enable = true; }; services.jellyfin = {
enable = true;
systemd.services.jellyfin.serviceConfig.ExecStart = lib.mkOverride 10 dataDir = "/nix/var/data/jellyfin";
"${config.services.jellyfin.package}/bin/jellyfin --datadir '/nix/var/data/jellyfin' --cachedir '/var/cache/jellyfin'"; };
services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = { services.nginx.virtualHosts."jellyfin.${config.networking.domain}" = {
enableACME = true; enableACME = true;

1
modules/jitsi.nix
View file

@ -1,5 +1,4 @@
{ {
pkgs,
config, config,
lib, lib,
... ...

11
modules/murmur.nix
View file

@ -1,7 +1,11 @@
{ config, lib, ... }: { config, lib, ... }:
let cfg = config.custom.services.murmur; let
in { cfg = config.custom.services.murmur;
options.custom.services.murmur = { enable = lib.mkEnableOption "murmur"; }; in
{
options.custom.services.murmur = {
enable = lib.mkEnableOption "murmur";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets.murmurEnvFile = { sops.secrets.murmurEnvFile = {
@ -16,6 +20,7 @@ in {
password = "$MURMURD_PASSWORD"; password = "$MURMURD_PASSWORD";
environmentFile = config.sops.secrets.murmurEnvFile.path; environmentFile = config.sops.secrets.murmurEnvFile.path;
imgMsgLength = 13107200; imgMsgLength = 13107200;
openFirewall = true;
}; };
}; };
} }

47
modules/nextcloud.nix
View file

@ -1,20 +1,19 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
cfg = config.custom.services.nextcloud; cfg = config.custom.services.nextcloud;
uidFile = pkgs.writeText "uidfile" '' in
nextcloud:993 {
'';
gidFile = pkgs.writeText "gidfile" ''
nextcloud:991
'';
in {
options.custom.services.nextcloud = { options.custom.services.nextcloud = {
enable = lib.mkEnableOption "nextcloud"; enable = lib.mkEnableOption "nextcloud";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets = { sops.secrets = {
sshfsKey = { key = "sshfs_keys/private"; };
nextcloudDbPassword = { nextcloudDbPassword = {
owner = config.users.users.nextcloud.name; owner = config.users.users.nextcloud.name;
key = "nextcloud/db_password"; key = "nextcloud/db_password";
@ -29,31 +28,6 @@ in {
environment.systemPackages = with pkgs; [ sshfs ]; environment.systemPackages = with pkgs; [ sshfs ];
systemd.services.nextcloud-data-sshfs = {
wantedBy = [ "multi-user.target" "nextcloud-setup.service" ];
before = [ "phpfpm-nextcloud.service" ];
restartIfChanged = false;
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/nextcloud/data";
ExecStart = let
options = builtins.concatStringsSep "," [
"identityfile=${config.sops.secrets.sshfsKey.path}"
"ServerAliveInterval=15"
"idmap=file"
"uidfile=${uidFile}"
"gidfile=${gidFile}"
"allow_other"
"default_permissions"
"nomap=ignore"
];
in "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.3:/nix/var/data/nextcloud/data "
+ "/var/lib/nextcloud/data -o ${options}";
ExecStopPost =
"-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
KillMode = "process";
};
};
services.nginx.virtualHosts."${config.services.nextcloud.hostName}" = { services.nginx.virtualHosts."${config.services.nextcloud.hostName}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -61,6 +35,9 @@ in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
# Can't be changed for now, could use a bind mount as workaround
# https://github.com/NixOS/nixpkgs/issues/356973
# home = "/nix/var/data/nextcloud";
package = pkgs.nextcloud29; package = pkgs.nextcloud29;
hostName = "cloud.${config.networking.domain}"; hostName = "cloud.${config.networking.domain}";
https = true; https = true;
@ -69,7 +46,7 @@ in {
config = { config = {
dbtype = "pgsql"; dbtype = "pgsql";
dbuser = "nextcloud"; dbuser = "nextcloud";
dbhost = "10.0.1.11"; dbhost = "127.0.0.1";
dbname = "nextcloud"; dbname = "nextcloud";
dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}"; dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}"; adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";

29
modules/postgresql.nix
View file

@ -22,9 +22,6 @@ in
root_as_others root synapse root_as_others root synapse
root_as_others root nextcloud root_as_others root nextcloud
root_as_others root roundcube root_as_others root roundcube
root_as_others root mastodon
root_as_others root dolibarr
root_as_others root odoo
''; '';
authentication = '' authentication = ''
local all postgres peer local all postgres peer
@ -35,12 +32,10 @@ in
sops.secrets = { sops.secrets = {
synapseDbPassword = { synapseDbPassword = {
owner = config.services.postgresql.superUser;
key = "synapse/db_password"; key = "synapse/db_password";
restartUnits = [ "postgresql-setup.service" ]; restartUnits = [ "postgresql-setup.service" ];
}; };
nextcloudDbPassword = { nextcloudDbPassword = {
owner = config.services.postgresql.superUser;
key = "nextcloud/db_password"; key = "nextcloud/db_password";
restartUnits = [ "postgresql-setup.service" ]; restartUnits = [ "postgresql-setup.service" ];
}; };
@ -49,16 +44,6 @@ in
key = "roundcube/db_password"; key = "roundcube/db_password";
restartUnits = [ "postgresql-setup.service" ]; restartUnits = [ "postgresql-setup.service" ];
}; };
mastodonDbPassword = {
owner = config.services.postgresql.superUser;
key = "mastodon/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
dolibarrDbPassword = {
owner = config.services.postgresql.superUser;
key = "dolibarr/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
}; };
systemd.services.postgresql-setup = systemd.services.postgresql-setup =
@ -82,23 +67,14 @@ in
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "dolibarr"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "odoo"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "dolibarr" OWNER "dolibarr"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'odoo'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "odoo" OWNER "odoo"'
PSQL -tAc "ALTER ROLE synapse LOGIN" PSQL -tAc "ALTER ROLE synapse LOGIN"
PSQL -tAc "ALTER ROLE nextcloud LOGIN" PSQL -tAc "ALTER ROLE nextcloud LOGIN"
PSQL -tAc "ALTER ROLE roundcube LOGIN" PSQL -tAc "ALTER ROLE roundcube LOGIN"
PSQL -tAc "ALTER ROLE mastodon LOGIN"
PSQL -tAc "ALTER ROLE dolibarr LOGIN"
PSQL -tAc "ALTER ROLE odoo LOGIN"
synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')" synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'" PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@ -106,11 +82,6 @@ in
PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'" PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')" roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')"
PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'" PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')"
PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"
dolibarr_password="$(<'${config.sops.secrets.dolibarrDbPassword.path}')"
PSQL -tAc "ALTER ROLE dolibarr WITH PASSWORD '$dolibarr_password'"
PSQL -tAc "ALTER ROLE odoo WITH PASSWORD 'odoo'"
''; '';
serviceConfig = { serviceConfig = {

30
modules/roundcube.nix
View file

@ -1,6 +1,13 @@
{ pkgs, lib, config, ... }: {
let cfg = config.custom.services.roundcube; pkgs,
in { lib,
config,
...
}:
let
cfg = config.custom.services.roundcube;
in
{
options.custom.services.roundcube = { options.custom.services.roundcube = {
enable = lib.mkEnableOption "roundcube"; enable = lib.mkEnableOption "roundcube";
}; };
@ -17,16 +24,17 @@ in {
}; };
}; };
# Required because roundcube uses psql: https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/services/mail/roundcube.nix#L247
services.postgresql.package = pkgs.postgresql_15;
services.roundcube = { services.roundcube = {
enable = true; enable = true;
plugins = [ "managesieve" ]; plugins = [ "managesieve" ];
dicts = with pkgs.aspellDicts; [ en fr de ]; dicts = with pkgs.aspellDicts; [
en
fr
de
];
hostName = "webmail.banditlair.com"; hostName = "webmail.banditlair.com";
database = { database = {
host = "10.0.1.11"; host = "127.0.0.1";
username = "roundcube"; username = "roundcube";
dbname = "roundcube"; dbname = "roundcube";
passwordFile = config.sops.secrets.pgPassFile.path; passwordFile = config.sops.secrets.pgPassFile.path;
@ -35,10 +43,10 @@ in {
extraConfig = '' extraConfig = ''
# This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file # This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
$password = file_get_contents('${config.sops.secrets.dbPassword.path}'); $password = file_get_contents('${config.sops.secrets.dbPassword.path}');
$config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@10.0.1.11/roundcube'; $config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@127.0.0.1/roundcube';
$config['default_host'] = 'ssl://mail.banditlair.com:993'; $config['imap_host'] = 'ssl://mail.banditlair.com:993';
$config['smtp_server'] = 'ssl://%h'; $config['smtp_host'] = 'ssl://%h';
$config['smtp_user'] = '%u'; $config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p'; $config['smtp_pass'] = '%p';
$config['identities_level'] = 0; $config['identities_level'] = 0;

39
modules/stb.nix
View file

@ -1,4 +1,9 @@
{ pkgs, config, lib, ... }: {
pkgs,
config,
lib,
...
}:
let let
cfg = config.custom.services.stb; cfg = config.custom.services.stb;
uploadWordpressConfig = pkgs.writeText "upload.ini" '' uploadWordpressConfig = pkgs.writeText "upload.ini" ''
@ -8,10 +13,17 @@ let
post_max_size = 64M post_max_size = 64M
max_execution_time = 600 max_execution_time = 600
''; '';
in { in
options.custom.services.stb = { enable = lib.mkEnableOption "stb"; }; {
options.custom.services.stb = {
enable = lib.mkEnableOption "stb";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
virtualisation.podman.defaultNetwork.settings = {
dns_enabled = true;
};
systemd.services.init-stb-network = { systemd.services.init-stb-network = {
description = "Create the network bridge stb-br for wordpress."; description = "Create the network bridge stb-br for wordpress.";
after = [ "network.target" ]; after = [ "network.target" ];
@ -19,15 +31,17 @@ in {
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker"; let
in '' podmancli = "${pkgs.podman}/bin/podman";
in
''
# Put a true at the end to prevent getting non-zero return code, which will # Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service. # crash the whole service.
check=$(${dockercli} network ls | grep "stb-br" || true) check=$(${podmancli} pod ps | grep "stb" || true)
if [ -z "$check" ]; then if [ -z "$check" ]; then
${dockercli} network create stb-br ${podmancli} pod create --publish 8180:80 stb
else else
echo "stb-br already exists in docker" echo "stb pod already exists"
fi fi
''; '';
}; };
@ -42,7 +56,7 @@ in {
"MYSQL_DATABASE" = "stb"; "MYSQL_DATABASE" = "stb";
}; };
volumes = [ "/var/lib/mariadb/stb:/var/lib/mysql" ]; volumes = [ "/var/lib/mariadb/stb:/var/lib/mysql" ];
extraOptions = [ "--network=stb-br" ]; extraOptions = [ "--pod=stb" ];
autoStart = true; autoStart = true;
}; };
@ -52,8 +66,7 @@ in {
"/nix/var/data/stb-wordpress:/var/www/html" "/nix/var/data/stb-wordpress:/var/www/html"
"${uploadWordpressConfig}:/usr/local/etc/php/conf.d/uploads.ini" "${uploadWordpressConfig}:/usr/local/etc/php/conf.d/uploads.ini"
]; ];
ports = [ "127.0.0.1:8180:80" ]; extraOptions = [ "--pod=stb" ];
extraOptions = [ "--network=stb-br" ];
autoStart = true; autoStart = true;
}; };
}; };
@ -63,7 +76,9 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:8180"; }; locations."/" = {
proxyPass = "http://127.0.0.1:8180";
};
}; };
}; };
} }

125
modules/synapse.nix
View file

@ -1,16 +1,22 @@
{ pkgs, config, lib, ... }: {
pkgs,
config,
lib,
...
}:
let let
cfg = config.custom.services.synapse; cfg = config.custom.services.synapse;
fqdn = let fqdn =
join = hostName: domain: let
hostName + lib.optionalString (domain != null) ".${domain}"; join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
in join "matrix" config.networking.domain; in
join "matrix" config.networking.domain;
synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" '' synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" ''
database: database:
name: psycopg2 name: psycopg2
args: args:
database: synapse database: synapse
host: "10.0.1.11" host: "127.0.0.1"
user: "synapse" user: "synapse"
password: "SYNAPSE_DB_PASSWORD" password: "SYNAPSE_DB_PASSWORD"
email: email:
@ -24,8 +30,11 @@ let
macaroon_secret_key: "MACAROON_SECRET_KEY" macaroon_secret_key: "MACAROON_SECRET_KEY"
turn_shared_secret: "TURN_SHARED_SECRET" turn_shared_secret: "TURN_SHARED_SECRET"
''; '';
in { in
options.custom.services.synapse = { enable = lib.mkEnableOption "synapse"; }; {
options.custom.services.synapse = {
enable = lib.mkEnableOption "synapse";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.nginx = { services.nginx = {
@ -38,25 +47,35 @@ in {
forceSSL = true; forceSSL = true;
# acmeFallbackHost = "storage1.banditlair.com"; # acmeFallbackHost = "storage1.banditlair.com";
locations."= /.well-known/matrix/server".extraConfig = let locations."= /.well-known/matrix/server".extraConfig =
# use 443 instead of the default 8448 port to unite let
# the client-server and server-server port for simplicity # use 443 instead of the default 8448 port to unite
server = { "m.server" = "${fqdn}:443"; }; # the client-server and server-server port for simplicity
in '' server = {
add_header Content-Type application/json; "m.server" = "${fqdn}:443";
return 200 '${builtins.toJSON server}'; };
''; in
locations."= /.well-known/matrix/client".extraConfig = let ''
client = { add_header Content-Type application/json;
"m.homeserver" = { "base_url" = "https://${fqdn}"; }; return 200 '${builtins.toJSON server}';
"m.identity_server" = { "base_url" = "https://vector.im"; }; '';
}; locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = {
"base_url" = "https://${fqdn}";
};
"m.identity_server" = {
"base_url" = "https://vector.im";
};
};
in
# ACAO required to allow element-web on any URL to request this json file # ACAO required to allow element-web on any URL to request this json file
in '' ''
add_header Content-Type application/json; add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}'; return 200 '${builtins.toJSON client}';
''; '';
}; };
# Reverse proxy for Matrix client-server and server-server communication # Reverse proxy for Matrix client-server and server-server communication
@ -98,7 +117,10 @@ in {
group = "turnserver"; group = "turnserver";
mode = "0440"; mode = "0440";
key = "synapse/turn_shared_secret"; key = "synapse/turn_shared_secret";
restartUnits = [ "matrix-synapse-setup" "coturn" ]; restartUnits = [
"matrix-synapse-setup"
"coturn"
];
}; };
}; };
@ -124,7 +146,10 @@ in {
}; };
systemd.services.matrix-synapse = { systemd.services.matrix-synapse = {
after = [ "matrix-synapse-setup.service" "network.target" ]; after = [
"matrix-synapse-setup.service"
"network.target"
];
bindsTo = [ "matrix-synapse-setup.service" ]; bindsTo = [ "matrix-synapse-setup.service" ];
}; };
@ -138,14 +163,22 @@ in {
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
bind_addresses = [ "::1" "127.0.0.1" ]; bind_addresses = [
"::1"
"127.0.0.1"
];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [{ resources = [
names = [ "client" "federation" ]; {
compress = false; names = [
}]; "client"
"federation"
];
compress = false;
}
];
} }
{ {
port = 9000; port = 9000;
@ -214,17 +247,21 @@ in {
''; '';
}; };
networking.firewall = let networking.firewall =
range = with config.services.coturn; [{ let
from = min-port; range = with config.services.coturn; [
to = max-port; {
}]; from = min-port;
in { to = max-port;
allowedUDPPortRanges = range; }
allowedUDPPorts = [ 3478 ]; ];
allowedTCPPortRanges = range; in
allowedTCPPorts = [ 3478 ]; {
}; allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ];
};
security.acme.certs.${config.services.coturn.realm} = { security.acme.certs.${config.services.coturn.realm} = {
postRun = "systemctl restart coturn.service"; postRun = "systemctl restart coturn.service";

63
modules/torrents.nix
View file

@ -1,14 +1,25 @@
{ config, lib, pkgs, ... }: {
let cfg = config.custom.services.torrents; config,
in { lib,
pkgs,
...
}:
let
cfg = config.custom.services.torrents;
in
{
options.custom.services.torrents = { options.custom.services.torrents = {
enable = lib.mkEnableOption "torrents"; enable = lib.mkEnableOption "torrents";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets = { sops.secrets = {
vpnCredentials = { key = "openvpn/credentials"; }; vpnCredentials = {
transmissionRpcCredentials = { key = "transmission/rpc_config.json"; }; key = "openvpn/credentials";
};
transmissionRpcCredentials = {
key = "transmission/rpc_config.json";
};
}; };
containers.torrents = { containers.torrents = {
@ -60,7 +71,9 @@ in {
isSystemUser = true; isSystemUser = true;
group = config.users.groups.www-data.name; group = config.users.groups.www-data.name;
}; };
users.groups.www-data = { gid = 991; }; users.groups.www-data = {
gid = 991;
};
services.openvpn.servers.client = { services.openvpn.servers.client = {
updateResolvConf = true; updateResolvConf = true;
config = '' config = ''
@ -194,41 +207,51 @@ in {
}; };
}; };
virtualisation.oci-containers.containers.flaresolverr = { # virtualisation.oci-containers.containers.flaresolverr = {
image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11"; # image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11";
environment = { # environment = {
"LOG_LEVEL" = "debug"; # "LOG_LEVEL" = "debug";
"CAPTCHA_SOLVER" = "hcaptcha-solver"; # "CAPTCHA_SOLVER" = "hcaptcha-solver";
}; # };
ports = [ "192.168.1.1:8191:8191" ]; # ports = [ "192.168.1.1:8191:8191" ];
autoStart = true; # autoStart = true;
}; # };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"transmission.${config.networking.domain}" = { "transmission.${config.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9091"; }; locations."/" = {
proxyPass = "http://192.168.1.2:9091";
};
}; };
"jackett.${config.networking.domain}" = { "jackett.${config.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:9117"; }; locations."/" = {
proxyPass = "http://192.168.1.2:9117";
};
}; };
"sonarr.${config.networking.domain}" = { "sonarr.${config.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8989"; }; locations."/" = {
proxyPass = "http://192.168.1.2:8989";
};
}; };
"radarr.${config.networking.domain}" = { "radarr.${config.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:7878"; }; locations."/" = {
proxyPass = "http://192.168.1.2:7878";
};
}; };
"lidarr.${config.networking.domain}" = { "lidarr.${config.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://192.168.1.2:8686"; }; locations."/" = {
proxyPass = "http://192.168.1.2:8686";
};
}; };
}; };
}; };

128
profiles/backend.nix
View file

@ -1,10 +1,4 @@
{ { config, ... }:
config,
lib,
pkgs,
pkgs-unstable,
...
}:
{ {
imports = [ imports = [
../environment.nix ../environment.nix
@ -12,129 +6,17 @@
../modules ../modules
]; ];
sops.secrets = { users.users.root.openssh.authorizedKeys.keys = [
borgSshKey = { "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
owner = config.services.borgbackup.jobs.data.user; ];
key = "borg/client_keys/backend1/private";
};
dolibarrDbPassword = {
owner = config.users.users.dolibarr.name;
key = "dolibarr/db_password";
restartUnits = [ "phpfpm-dolibarr.service" ];
};
};
custom = { custom = {
services.backup-job = {
enable = true;
repoName = "bk1";
additionalPaths = [
"/var/lib/nextcloud/config"
"/var/lib/mastodon"
];
readWritePaths = [
"/nix/var/data/murmur"
"/nix/var/data/backup/"
];
preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
'';
startAt = "03:30";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check file nextcloud-data-mounted with path /var/lib/nextcloud/data/index.html
start = "${pkgs.systemd}/bin/systemctl start nextcloud-data-sshfs.service"
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
services.nginx.enable = true; services.nginx.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.murmur.enable = true;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.monitoring-exporters.enable = true; services.monitoring-exporters.enable = true;
}; };
services.uptime-kuma = {
enable = true;
settings = {
PORT = "3001";
};
};
services.nginx.virtualHosts = {
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
};
};
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
networking.firewall.allowedTCPPorts = [
80
443
64738
];
networking.firewall.allowedUDPPorts = [ 64738 ];
networking.firewall.interfaces."eth1".allowedTCPPorts = [ networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
9000 9000

30
profiles/db.nix
View file

@ -13,38 +13,14 @@
networking.firewall.interfaces."eth1".allowedTCPPorts = [ networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
config.services.postgresql.settings.port
]; ];
sops.secrets = { users.users.root.openssh.authorizedKeys.keys = [
borgSshKey = { "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
owner = config.services.borgbackup.jobs.data.user; ];
key = "borg/client_keys/db1/private";
};
};
custom = { custom = {
services.backup-job = {
enable = true;
repoName = "db1";
readWritePaths = [
"/nix/var/data/postgresql"
"/nix/var/data/backup/"
];
preHook = ''
${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${config.services.postgresql.package}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp
${config.services.postgresql.package}/bin/pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp
${config.services.postgresql.package}/bin/pg_dump -U odoo odoo > /nix/var/data/postgresql/odoo.dmp
'';
startAt = "03:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.openssh.enable = true; services.openssh.enable = true;
services.postgresql.enable = true;
services.monitoring-exporters.enable = true; services.monitoring-exporters.enable = true;
}; };

197
profiles/hel.nix
View file

@ -1,7 +1,4 @@
{ { config, pkgs, ... }:
config,
...
}:
{ {
imports = [ imports = [
../environment.nix ../environment.nix
@ -10,6 +7,10 @@
]; ];
sops.secrets = { sops.secrets = {
borgSshKey = {
owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/storage1/private";
};
runnerRegistrationConfig = { runnerRegistrationConfig = {
owner = config.users.users.gitlab-runner.name; owner = config.users.users.gitlab-runner.name;
key = "gitlab/runner_registration_config/hel1"; key = "gitlab/runner_registration_config/hel1";
@ -18,10 +19,22 @@
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
networking.nat = { # Prevent mdmon from crashing
enable = true; boot.swraid.mdadmConf = ''
internalInterfaces = [ "ve-+" ]; HOMEHOST <ignore>
externalInterface = "enp41s0"; PROGRAM true
'';
networking = {
firewall.allowedTCPPorts = [
80
443
];
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "enp41s0";
};
}; };
disko.devices = { disko.devices = {
@ -168,11 +181,179 @@
}; };
custom = { custom = {
services.nginx.enable = true;
services.postgresql.enable = true;
services.dokuwiki.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path; runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path;
}; };
services.jellyfin.enable = true;
services.torrents.enable = true;
services.foundryvtt.enable = true;
services.jitsi.enable = true;
services.stb.enable = true;
services.murmur.enable = true;
services.synapse.enable = true;
services.nextcloud.enable = true;
services.roundcube.enable = true;
services.backup-job = {
enable = true;
repoName = "bl";
additionalPaths = [
"/var/lib/acme"
"/var/lib/nextcloud"
];
patterns = [
"- /nix/var/data/media"
"- /nix/var/data/transmission/downloads"
"- /nix/var/data/transmission/.incomplete"
];
readWritePaths = [
"/nix/var/data/murmur"
"/nix/var/data/postgresql"
"/nix/var/data/backup/"
"/var/lib/containers/storage"
"/run"
];
preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${pkgs.podman}/bin/podman exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
${pkgs.systemd}/bin/systemctl stop container@torrents
'';
postHook = ''
${pkgs.systemd}/bin/systemctl start jellyfin.service
${pkgs.systemd}/bin/systemctl start container@torrents
'';
startAt = "02:00";
sshKey = config.sops.secrets.borgSshKey.path;
};
services.monit = {
enable = true;
additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host jellyfin with address jellyfin.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host stb with address www.societe-de-tir-bertrix.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
check program raid-md126 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert
check filesystem data with path /nix/var/data
if SPACE usage > 90% then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
check host osteoview-demo with address demo.osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
'';
};
};
services.uptime-kuma = {
enable = true;
settings = {
PORT = "3001";
};
};
services.nginx.virtualHosts = {
"uptime.froidmont.org" = {
serverAliases = [ "status.${config.networking.domain}" ];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true;
};
};
"osteopathie.froidmont.org" = {
enableACME = true;
forceSSL = true;
root = "/nix/var/data/website-marie";
};
"www.fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
"fautlfer.com" = {
enableACME = true;
forceSSL = true;
locations."= /".extraConfig = ''
return 302 https://blogz.zaclys.com/faut-l-fer/;
'';
};
};
# virtualisation.oci-containers.containers = {
# "minecraft" = {
# image = "itzg/minecraft-server";
# environment = {
# EULA = "TRUE";
# VERSION = "1.18.2";
# TYPE = "AUTO_CURSEFORGE";
# MEMORY = "4G";
# CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
# };
# ports = [ "25565:25565" ];
# volumes = [ "/nix/var/data/minecraft-modded:/data" ];
# autoStart = true;
# };
# };
users.users.www-data = {
uid = 993;
group = config.users.groups.www-data.name;
};
users.groups.www-data = {
gid = 991;
}; };
} }

81
profiles/storage.nix
View file

@ -1,9 +1,7 @@
{ {
config, config,
lib,
pkgs, pkgs,
pkgs-unstable, pkgs-unstable,
inputs,
... ...
}: }:
{ {
@ -56,24 +54,12 @@
services.backup-job = { services.backup-job = {
enable = true; enable = true;
repoName = "bl"; repoName = "bl";
additionalPaths = [ config.services.foundryvtt.dataDir ];
patterns = [ patterns = [
"- /nix/var/data/media" "- /nix/var/data/media"
"- /nix/var/data/transmission/downloads" "- /nix/var/data/transmission/downloads"
"- /nix/var/data/transmission/.incomplete" "- /nix/var/data/transmission/.incomplete"
]; ];
readWritePaths = [ "/nix/var/data/backup" ]; readWritePaths = [ "/nix/var/data/backup" ];
preHook = ''
${pkgs.docker}/bin/docker exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
${pkgs.systemd}/bin/systemctl stop minecraft-server.service
${pkgs.systemd}/bin/systemctl stop container@torrents
'';
postHook = ''
${pkgs.systemd}/bin/systemctl start jellyfin.service
${pkgs.systemd}/bin/systemctl start minecraft-server.service
${pkgs.systemd}/bin/systemctl start container@torrents
'';
startAt = "04:00"; startAt = "04:00";
sshKey = config.sops.secrets.borgSshKey.path; sshKey = config.sops.secrets.borgSshKey.path;
}; };
@ -81,49 +67,15 @@
services.monit = { services.monit = {
enable = true; enable = true;
additionalConfig = '' additionalConfig = ''
check host nextcloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host arkadia-wiki with address arkadia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host website-marie with address osteopathie.froidmont.org
if failed port 443 protocol https with timeout 20 seconds then alert
check host webmail with address webmail.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127" check program raid-md127 with path "${pkgs.mdadm}/bin/mdadm --misc --detail --test /dev/md127"
if status != 0 then alert if status != 0 then alert
check host osteoview with address osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
check host osteoview-demo with address demo.osteoview.app
if failed
port 443
protocol https
status = 200
request "/api/_health"
with timeout 5 seconds
content = "Healthy"
then alert
''; '';
}; };
services.nginx.enable = true; services.nginx.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.jellyfin.enable = true;
services.stb.enable = true; services.monero.enable = false;
services.monero.enable = true;
services.torrents.enable = true;
services.jitsi.enable = true;
services.grafana.enable = true; services.grafana.enable = true;
services.monitoring-exporters.enable = true; services.monitoring-exporters.enable = true;
}; };
@ -238,6 +190,10 @@
networking.nat.internalInterfaces = [ "ve-+" ]; networking.nat.internalInterfaces = [ "ve-+" ];
networking.nat.externalInterface = "enp2s0"; networking.nat.externalInterface = "enp2s0";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQKmE04ZeXN65PTt5cc0YAgBeFukwhP39Ccq9ZxlCkovUMcm9q1Gqgb1tw0hfHCUYK9D6In/qLgNQ6h0Etnesi9HUncl6GC0EE89kNOANZVLuPir0V9Rm7zo55UUUM/qlZe1L7b19oO4qT5tIUlM1w4LfduZuyaag2RDpJxh4xBontftZnCS6O2OI4++/6OKLkn4qtsepxPWb9M6lY/sb6w75LqyUXyjxxArrQMHpE4RQHTCEJiK9t+z5xpfI4WfTnIRQaCw6LxZhE9Kh/pOSVbLU6c5VdBHfCOPk6xrB3TbuUvMpR0cRtn5q0nJQHGhL0A709UXR1fnPm7Xs4GTIf2LWXch6mcrjkTocz8qmKDuMxQzY76QXy6A+rvghhOxnrZTEhLKExZxNqag72MIeippPFNbyOJgke3htHy74b9WjM1vZJ9VRYnmhxpGz0af//GF6LZQy7gOxBasSOv5u5r//1Ow7FNf2K5xYPGYzWRIDx+abMa+JwOyPHdZ9bR+jmB5R9VohFECFLgjm+O5Ed1LJgRX/6vYlB+8gZeeflbZpYYsSY/EcpsUKgtOmIBJT1svdjVTDdplihdFUzWfjL+n2O30K7yniNz6dGbXhxfqOVlp9R6ZsEdbGTX0IGpG+0ZgkUkLrgROAH1xiOYNhpXuD3l6rNXLw4HP3Mqjp3Fw== root@hel1"
];
users.users.www-data = { users.users.www-data = {
uid = 993; uid = 993;
createHome = true; createHome = true;
@ -266,7 +222,7 @@
users.groups.steam = { }; users.groups.steam = { };
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = false;
package = pkgs-unstable.minecraft-server; package = pkgs-unstable.minecraft-server;
eula = true; eula = true;
openFirewall = false; openFirewall = false;
@ -305,34 +261,11 @@
# }; # };
# }; # };
services.foundryvtt = {
enable = true;
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_12;
hostName = "vtt.${config.networking.domain}";
language = "fr.core";
proxyPort = 443;
proxySSL = true;
upnp = false;
};
# services.rustdesk-server = { # services.rustdesk-server = {
# enable = true; # enable = true;
# openFirewall = true; # openFirewall = true;
# }; # };
services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
services.borgbackup.repos = { services.borgbackup.repos = {
epicerie_du_cellier = { epicerie_du_cellier = {
authorizedKeys = [ authorizedKeys = [

9
secrets.enc.yml
View file

@ -17,11 +17,6 @@ synapse:
nextcloud: nextcloud:
db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str] db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str]
admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str] admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str]
mastodon:
db_password: ENC[AES256_GCM,data:XY/C6n3T7iINN1Sk2GdhQgHK0+vltLssOVfRLA2rFmqdxLHjvpKQTPHWxDbzELVcGqgGyiMH4AG240lo,iv:8M/fLo1MjIpUIW54WgddILmcgtofeh0rIBvKQaX/Csw=,tag:Al6LjmcPOlza5iJivf0agg==,type:str]
smtp_password: ENC[AES256_GCM,data:uhtPw/1uuKsDifdPzaczWFdZm3TP3e25U69bGysJdudnjY9rjf8HrDJ1/wqXR4hbLMaJP41fVN9WXYSE,iv:VjIQCBx6BFzATuALewU6Dc7Ti+uekmAUIJ+r2iOcFHg=,tag:vhCvRbkRxuYyf/qLeoaFzA==,type:str]
dolibarr:
db_password: ENC[AES256_GCM,data:1aDUyV+JLklbbP5dJBmviPWKKxQF7xAuQ/lKIZ5M4TtHbeH9PDuEoyxJJ08k7RtJyLrBRCwBd2pgLyYs,iv:rn6aGEPG9i3Uu4xlMIDIdK8T8bPt8t1pRl4SUsgK8nI=,tag:qacpyDDsj0pYWO1Kur9Ugw==,type:str]
roundcube: roundcube:
db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str] db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str] pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
@ -73,8 +68,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-12-05T15:21:41Z" lastmodified: "2024-12-10T00:50:13Z"
mac: ENC[AES256_GCM,data:8p+Am3IjJZoBmZDwOSymSVeMrbaXfgHO1BZhq8Sdn/pFCGC2/et8xg/heQ7JGBRQMER2AzIdtreTe9f+6NJLYdRuh0CghwxKHfcykUSBNkgzc2bDFLD+xAFWhFoYJx9YZvuDuOeU6rQ/YVSunDYu4K7aX5KdCLon2+1MOtDHZXo=,iv:gW1hBzHSxugVl09FT1HhL2J/9HccwfLFwSEKdei5mLg=,tag:ncQof/HBVGht+xfna6AC2Q==,type:str] mac: ENC[AES256_GCM,data:yM21T3BYoC9/jH9n7tdSK6Bgkw7n32SA17tKUoxZ7AgHuKDQRHdwGW1ujfGEBxo337uHdOaTW9mjjvMAy8KnrOQReipuM6yPKf8Fi8ptX+JXtxfg9QmcdjxMHX8vxpWHIFIkz4ScOQ2MSCwa3UXakhhpNJUssp31MMKlkpABOkA=,iv:2PwpgEGidQW2yiUg0qszf5FRw3f5wWM7vgydQL9dzGU=,tag:tRLFzeLNyrpDFVlBTjq2uQ==,type:str]
pgp: pgp:
- created_at: "2024-12-05T00:56:17Z" - created_at: "2024-12-05T00:56:17Z"
enc: |- enc: |-

66
terraform/dns.tf
View file

@ -16,7 +16,7 @@ data "hetznerdns_zone" "froidmont_solutions_zone" {
resource "hetznerdns_record" "banditlair_hcloud_a" { resource "hetznerdns_record" "banditlair_hcloud_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "@" name = "@"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -32,7 +32,7 @@ resource "hetznerdns_record" "backend1_a" {
resource "hetznerdns_record" "webmail_a" { resource "hetznerdns_record" "webmail_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "webmail" name = "webmail"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -88,7 +88,7 @@ resource "hetznerdns_record" "cache_a" {
resource "hetznerdns_record" "jellyfin_a" { resource "hetznerdns_record" "jellyfin_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "jellyfin" name = "jellyfin"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -96,23 +96,7 @@ resource "hetznerdns_record" "jellyfin_a" {
resource "hetznerdns_record" "status_banditlair_a" { resource "hetznerdns_record" "status_banditlair_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "status" name = "status"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A"
ttl = 600
}
resource "hetznerdns_record" "dolibarr_a" {
zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id
name = "dolibarr"
value = hcloud_server.backend1.ipv4_address
type = "A"
ttl = 600
}
resource "hetznerdns_record" "odoo_a" {
zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id
name = "odoo"
value = hcloud_server.backend1.ipv4_address
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -120,15 +104,7 @@ resource "hetznerdns_record" "odoo_a" {
resource "hetznerdns_record" "jitsi_a" { resource "hetznerdns_record" "jitsi_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "jitsi" name = "jitsi"
value = local.storage1_ip value = local.hel1_ip
type = "A"
ttl = 600
}
resource "hetznerdns_record" "mastodon_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "social"
value = hcloud_server.backend1.ipv4_address
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -136,7 +112,7 @@ resource "hetznerdns_record" "mastodon_a" {
resource "hetznerdns_record" "uptime_a" { resource "hetznerdns_record" "uptime_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "uptime" name = "uptime"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -144,7 +120,7 @@ resource "hetznerdns_record" "uptime_a" {
resource "hetznerdns_record" "transmission_a" { resource "hetznerdns_record" "transmission_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "transmission" name = "transmission"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -152,7 +128,7 @@ resource "hetznerdns_record" "transmission_a" {
resource "hetznerdns_record" "jackett_a" { resource "hetznerdns_record" "jackett_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "jackett" name = "jackett"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -160,7 +136,7 @@ resource "hetznerdns_record" "jackett_a" {
resource "hetznerdns_record" "sonarr_a" { resource "hetznerdns_record" "sonarr_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "sonarr" name = "sonarr"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -168,7 +144,7 @@ resource "hetznerdns_record" "sonarr_a" {
resource "hetznerdns_record" "radarr_a" { resource "hetznerdns_record" "radarr_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "radarr" name = "radarr"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -176,7 +152,7 @@ resource "hetznerdns_record" "radarr_a" {
resource "hetznerdns_record" "lidarr_a" { resource "hetznerdns_record" "lidarr_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "lidarr" name = "lidarr"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -184,7 +160,7 @@ resource "hetznerdns_record" "lidarr_a" {
resource "hetznerdns_record" "vtt_a" { resource "hetznerdns_record" "vtt_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "vtt" name = "vtt"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -192,7 +168,7 @@ resource "hetznerdns_record" "vtt_a" {
resource "hetznerdns_record" "monero_a" { resource "hetznerdns_record" "monero_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "monero" name = "monero"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -200,7 +176,7 @@ resource "hetznerdns_record" "monero_a" {
resource "hetznerdns_record" "anderia_a" { resource "hetznerdns_record" "anderia_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "anderia" name = "anderia"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -208,7 +184,7 @@ resource "hetznerdns_record" "anderia_a" {
resource "hetznerdns_record" "arkadia_a" { resource "hetznerdns_record" "arkadia_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "arkadia" name = "arkadia"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -216,7 +192,7 @@ resource "hetznerdns_record" "arkadia_a" {
resource "hetznerdns_record" "cifirpg_a" { resource "hetznerdns_record" "cifirpg_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "scifirpg" name = "scifirpg"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -240,7 +216,7 @@ resource "hetznerdns_record" "banditlair_dedicated_a" {
resource "hetznerdns_record" "nextcloud_a" { resource "hetznerdns_record" "nextcloud_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "cloud" name = "cloud"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -249,7 +225,7 @@ resource "hetznerdns_record" "nextcloud_a" {
resource "hetznerdns_record" "matrix_a" { resource "hetznerdns_record" "matrix_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "matrix" name = "matrix"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -265,7 +241,7 @@ resource "hetznerdns_record" "matrix_srv" {
resource "hetznerdns_record" "coturn_a" { resource "hetznerdns_record" "coturn_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "turn" name = "turn"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -386,7 +362,7 @@ resource "hetznerdns_record" "froidmont_a" {
resource "hetznerdns_record" "website_marie_a" { resource "hetznerdns_record" "website_marie_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "osteopathie" name = "osteopathie"
value = hcloud_server.backend1.ipv4_address value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
@ -438,7 +414,7 @@ data "hetznerdns_zone" "stb_zone" {
resource "hetznerdns_record" "stb_a" { resource "hetznerdns_record" "stb_a" {
zone_id = data.hetznerdns_zone.stb_zone.id zone_id = data.hetznerdns_zone.stb_zone.id
name = "@" name = "@"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }