From 31623b65d6da01e1de9ac4b3c50ec9a01b84c0cd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Tue, 25 Nov 2025 19:42:37 +0100 Subject: [PATCH] feat[server]: use confLib to manage services --- modules/nixos/server/ankisync.nix | 19 ++--- modules/nixos/server/atuin.nix | 19 +++-- modules/nixos/server/croc.nix | 14 ++-- modules/nixos/server/disk-encrypt.nix | 65 ++++++++++------- modules/nixos/server/emacs.nix | 5 +- modules/nixos/server/firefly-iii.nix | 21 +++--- modules/nixos/server/forgejo.nix | 21 +++--- modules/nixos/server/freshrss.nix | 20 +++--- modules/nixos/server/garage.nix | 20 ++++-- modules/nixos/server/homebox.nix | 19 +++-- modules/nixos/server/immich.nix | 22 +++--- modules/nixos/server/jellyfin.nix | 23 +++--- modules/nixos/server/jenkins.nix | 18 +++-- modules/nixos/server/kanidm.nix | 100 ++++++++++++++++++++------ modules/nixos/server/kavita.nix | 20 +++--- modules/nixos/server/koillection.nix | 21 +++--- modules/nixos/server/matrix.nix | 21 +++--- modules/nixos/server/microbin.nix | 22 +++--- modules/nixos/server/monitoring.nix | 21 +++--- modules/nixos/server/mpd.nix | 8 +-- modules/nixos/server/navidrome.nix | 21 +++--- modules/nixos/server/network.nix | 15 +++- modules/nixos/server/nextcloud.nix | 22 +++--- modules/nixos/server/nginx.nix | 67 +++++++++++------ modules/nixos/server/oauth2-proxy.nix | 21 +++--- modules/nixos/server/opkssh.nix | 6 +- modules/nixos/server/packages.nix | 1 - modules/nixos/server/paperless.nix | 21 +++--- modules/nixos/server/postgresql.nix | 4 +- modules/nixos/server/radicale.nix | 22 +++--- modules/nixos/server/shlink.nix | 21 +++--- modules/nixos/server/slink.nix | 21 +++--- modules/nixos/server/snipe-it.nix | 22 +++--- modules/nixos/server/spotifyd.nix | 7 +- modules/nixos/server/syncthing.nix | 28 ++++---- modules/nixos/server/transmission.nix | 5 +- modules/shared/config-lib.nix | 25 +++++++ 37 files changed, 512 insertions(+), 316 deletions(-) create mode 100644 modules/shared/config-lib.nix 
diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index b845ad7..f9ca2cd 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix @@ -1,11 +1,7 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 27701; - serviceName = "ankisync"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; ankiUser = globals.user.name; in @@ -13,6 +9,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + networking.firewall.allowedTCPPorts = [ servicePort ]; sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }; @@ -23,7 +23,10 @@ in info = "https://${serviceDomain}"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.anki-sync-server = { enable = true; @@ -38,7 +41,7 @@ in ]; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/atuin.nix b/modules/nixos/server/atuin.nix index d355e6f..9cb6747 100644 --- a/modules/nixos/server/atuin.nix +++ b/modules/nixos/server/atuin.nix 
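Review bot: The new `swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords` block uses `baseDomain` and `subDomain` from `globals.services.${serviceName}` as attribute names, while the only values this module contributes to that globals entry are `domain`, `proxyAddress4` and `proxyAddress6`; where baseDomain/subDomain come from is not visible in this chunk (config-lib.nix is in the patch but outside it). If they are derived from the `domain` this same module sets, the attribute names depend on the globals fixed point, which only evaluates if globals are resolved independently of this module's config; since `confLib.gen` already returns `serviceDomain`, having it also return `serviceBaseDomain`/`serviceSubDomain` and writing `swarselsystems.server.dns.${serviceBaseDomain}.subdomainRecords.${serviceSubDomain} = dns.lib.combinators.host proxyAddress4 proxyAddress6;` keeps the dependency local and removes the read-back through globals. The same pattern is repeated in every other service hunk of this patch (atuin, croc, firefly-iii, forgejo, freshrss, garage, homebox, immich, jellyfin, jenkins, kanidm, kavita, koillection, matrix, microbin), so one change in confLib would cover all of them.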
@@ -1,16 +1,21 @@ -{ lib, config, globals, ... }: +{ lib, config, globals, dns, confLib, ... }: let - servicePort = 8888; - serviceName = "atuin"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -20,7 +25,7 @@ in openRegistration = false; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix index d9c1286..67e2508 100644 --- a/modules/nixos/server/croc.nix +++ b/modules/nixos/server/croc.nix @@ -1,5 +1,6 @@ -{ self, lib, config, pkgs, ... }: +{ self, lib, config, pkgs, dns, globals, confLib, ... }: let + inherit (confLib.gen { name = "croc"; }) serviceName serviceDomain proxyAddress4 proxyAddress6; servicePorts = [ 9009 9010 @@ -7,8 +8,6 @@ let 9012 9013 ]; - serviceName = "croc"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; inherit (config.swarselsystems) sopsFile; 
@@ -18,6 +17,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { croc-password = { inherit sopsFile; }; @@ -39,7 +42,10 @@ in icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix index c1531dd..61fb055 100644 --- a/modules/nixos/server/disk-encrypt.nix +++ b/modules/nixos/server/disk-encrypt.nix @@ -1,10 +1,15 @@ { self, pkgs, lib, config, globals, minimal, ... }: let - localIp = globals.networks.home.hosts.${config.node.name}.ipv4; - subnetMask = globals.networks.home.subnetMask4; + localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4; + subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4; gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; - hostKeyPath = "/etc/secrets/initrd/ssh_host_ed25519_key"; + hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key"; + hostKeyPath = + if config.swarselsystems.isImpermanence then + "/persist/${hostKeyPathBase}" + else + "${hostKeyPathBase}"; in { options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config"; 
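Review bot: `hostKeyPath = "/persist/${hostKeyPathBase}"` in the disk-encrypt.nix hunk produces `/persist//etc/secrets/initrd/ssh_host_ed25519_key`, because hostKeyPathBase already begins with a slash; the kernel collapses the double slash so `[[ -e ... ]]` and `ssh-keygen -f` still work, but the string differs from the `/persist${certsDir}` form used in kanidm.nix in this same patch and will appear as a distinct path in logs. `"/persist${hostKeyPathBase}"` gives the canonical form. The `localIp`/`subnetMask` lookups now index `globals.networks` by a name built from `config.node.name` and `config.swarselsystems.server.localNetwork`; nothing in the hunk guards a host that has no such network entry, so a misconfiguration surfaces as a bare attribute-missing error rather than a message naming `localNetwork` — acceptable, but worth an assertion if this is rolled out to more hosts.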
@@ -14,35 +19,40 @@ in }; config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) { + + system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + deps = [ "ensureInitrdHostkey" ]; + }; system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) { text = '' [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath} ''; - deps = [ "users" ]; + deps = [ + "etc" + ]; }; environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && (config.swarselprofiles.server || minimal)) { - files = [ hostKeyPath ]; + files = [ hostKeyPathBase ]; }; - boot = lib.mkIf (config.swarselprofiles.server || minimal) { - kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ + boot = lib.mkIf (!config.swarselsystems.isLaptop) { + kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; initrd = { availableKernelModules = config.swarselsystems.networkKernelModules; network = { enable = true; - udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true; flushBeforeStage2 = true; ssh = { enable = true; port = 2222; # avoid hostkey changed nag - authorizedKeyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) + authorizedKeys = [ + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}'' + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}'' ]; - hostKeys = [ hostKeyPath ]; + hostKeys = [ hostKeyPathBase ]; }; # postCommands = '' # echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile 
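Review bot: The forced command on the two initrd keys, `command="/bin/systemctl default"`, restricts what a session may execute but by itself still leaves port/agent/X11 forwarding and pty allocation available to whoever holds those keys; the initrd sshd exists only to drive the unlock, so the option should be `''restrict,command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''` (and the same for magicant.pub). `builtins.readFile` also returns the file's trailing newline, so each list element ends with a blank line once joined into authorized_keys; harmless, but `lib.fileContents` (which strips it) keeps the entries one per line. The `kernelParams` guard moves from `!isLaptop` to `!isCloud` inside a `boot = lib.mkIf (!config.swarselsystems.isLaptop)` block, which reads as intended; the `boot` attrset continues past the end of this hunk.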
@@ -52,23 +62,24 @@ in initrdBin = with pkgs; [ cryptsetup ]; - services = { - unlock-luks = { - wantedBy = [ "initrd.target" ]; - after = [ "network.target" ]; - before = [ "systemd-cryptsetup@cryptroot.service" ]; - path = [ "/bin" ]; + # NOTE: the below does put the text into /root/.profile, but the command will not be run + # services = { + # unlock-luks = { + # wantedBy = [ "initrd.target" ]; + # after = [ "network.target" ]; + # before = [ "systemd-cryptsetup@cryptroot.service" ]; + # path = [ "/bin" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; + # serviceConfig = { + # Type = "oneshot"; + # RemainAfterExit = true; + # }; - script = '' - echo "systemctl default" >> /root/.profile - ''; - }; - }; + # script = '' + # echo "systemctl default" >> /root/.profile + # ''; + # }; + # }; }; }; }; diff --git a/modules/nixos/server/emacs.nix b/modules/nixos/server/emacs.nix index 03e1261..311658d 100644 --- a/modules/nixos/server/emacs.nix +++ b/modules/nixos/server/emacs.nix @@ -1,7 +1,6 @@ -{ lib, config, ... }: +{ lib, config, confLib, ... }: let - serviceName = "emacs"; - servicePort = 9812; + inherit (confLib.gen { name = "emacs"; port = 9812; }) servicePort serviceName; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} server on server"; diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix index c0acad1..dc5eece 100644 --- a/modules/nixos/server/firefly-iii.nix +++ b/modules/nixos/server/firefly-iii.nix 
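Review bot: The replaced `unlock-luks` initrd service is kept as a commented-out block rather than deleted, and kanidm.nix in this same patch does the same with the old `generateSSLCert` activation script (about fifty commented lines that still reference `certPathBase`/`keyPathBase` and the removed `deps`). Git history already holds both versions; an inline dead copy only drifts from the live code and makes the next diff of these files harder to read. The one-line NOTE is the useful part — I would keep it as `# NOTE: an initrd service appending to /root/.profile is not executed; the unlock is driven by the forced command in boot.initrd.network.ssh.authorizedKeys instead` and drop the commented code in both files.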
@@ -1,11 +1,6 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - servicePort = 80; - serviceUser = "firefly-iii"; - serviceGroup = serviceUser; - serviceName = "firefly-iii"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; nginxGroup = "nginx"; @@ -16,6 +11,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users = { groups.${serviceGroup} = { }; users.${serviceUser} = { @@ -36,7 +35,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -78,7 +81,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index a674078..f1f029d 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix 
@@ -1,13 +1,7 @@ -{ lib, config, pkgs, globals, ... }: +{ lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 3004; - serviceUser = "forgejo"; - serviceGroup = serviceUser; - serviceName = "forgejo"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; kanidmDomain = globals.services.kanidm.domain; in @@ -15,6 +9,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + networking.firewall.allowedTCPPorts = [ servicePort ]; users.users.${serviceUser} = { @@ -28,7 +26,10 @@ in kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -129,7 +130,7 @@ in ''; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index 0375e64..75787b4 100644 --- a/modules/nixos/server/freshrss.nix +++ b/modules/nixos/server/freshrss.nix 
@@ -1,11 +1,6 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - servicePort = 80; - serviceName = "freshrss"; - serviceUser = "freshrss"; - serviceGroup = serviceName; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; inherit (config.swarselsystems) sopsFile; in @@ -13,6 +8,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; group = serviceGroup; @@ -54,7 +53,10 @@ in icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = let @@ -74,7 +76,7 @@ in # config.sops.templates.freshrss-env.path # ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix index d537552..042667d 100644 --- a/modules/nixos/server/garage.nix +++ b/modules/nixos/server/garage.nix 
@@ -1,11 +1,8 @@ -{ self, lib, pkgs, config, configName, globals, ... }: +{ self, lib, pkgs, config, configName, globals, dns, confLib, ... }: let - sopsFile = self + /secrets/${configName}/secrets2.yaml; + inherit (confLib.gen { name = "garage"; port = 3900; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - serviceName = "garage"; - servicePort = 3900; - serviceDomain = config.repo.secrets.common.services.domains."${serviceName}-${configName}"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + sopsFile = self + /secrets/${configName}/secrets2.yaml; cfg = config.services.${serviceName}; metadata_dir = "/var/lib/garage/meta"; @@ -22,6 +19,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets.garage-admin-token = { inherit sopsFile; }; secrets.garage-rpc-secret = { inherit sopsFile; }; @@ -36,6 +37,11 @@ in ]; }; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + systemd.services.${serviceName}.serviceConfig = { DynamicUser = false; ProtectHome = lib.mkForce false; @@ -74,7 +80,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/homebox.nix b/modules/nixos/server/homebox.nix index c1b62ab..065454d 100644 --- a/modules/nixos/server/homebox.nix +++ b/modules/nixos/server/homebox.nix 
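Review bot: The removed `serviceDomain` for garage was keyed per host (`config.repo.secrets.common.services.domains."${serviceName}-${configName}"`) and the module previously registered no `globals.services.garage` entry at all, whereas the new code takes a single domain from `confLib.gen { name = "garage"; port = 3900; }` and adds `globals.services.${serviceName} = { domain = serviceDomain; inherit proxyAddress4 proxyAddress6; }` unconditionally. If garage is enabled on more than one node — the per-configName domain and the `secrets/${configName}/secrets2.yaml` sops path suggest it was designed for that — every node now contributes the same globals key, and the DNS record and nginx upstream collapse to whichever definition wins or fail on conflicting values. If only one node runs garage this is fine; otherwise confLib.gen needs a way to keep the configName suffix in the domain lookup (its interface is not visible in this chunk) and the globals block should stay host-specific.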
@@ -1,16 +1,21 @@ -{ lib, pkgs, config, globals, ... }: +{ lib, pkgs, config, globals, dns, confLib, ... }: let - servicePort = 7745; - serviceName = "homebox"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -26,7 +31,7 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix index cefa330..455a9e5 100644 --- a/modules/nixos/server/immich.nix +++ b/modules/nixos/server/immich.nix 
@@ -1,21 +1,25 @@ -{ lib, pkgs, config, globals, ... }: +{ lib, pkgs, config, globals, dns, confLib, ... }: let - servicePort = 3001; - serviceUser = "immich"; - serviceName = "immich"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "video" "render" "users" ]; }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -29,9 +33,9 @@ in }; }; - networking.firewall.allowedTCPPorts = [ 3001 ]; + networking.firewall.allowedTCPPorts = [ servicePort ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix index 552f8bf..5a2899b 100644 --- a/modules/nixos/server/jellyfin.nix +++ b/modules/nixos/server/jellyfin.nix 
@@ -1,20 +1,23 @@ -{ pkgs, lib, config, globals, ... }: +{ pkgs, lib, config, globals, dns, confLib, ... }: let - servicePort = 8096; - serviceName = "jellyfin"; - serviceUser = "jellyfin"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "video" "render" "users" ]; }; + nixpkgs.config.packageOverrides = pkgs: { intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; }; }; + hardware.graphics = { enable = true; extraPackages = with pkgs; [ @@ -26,7 +29,11 @@ in }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -34,7 +41,7 @@ in openFirewall = true; # this works only for the default ports }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/jenkins.nix b/modules/nixos/server/jenkins.nix index 808bcef..20c7e25 100644 --- a/modules/nixos/server/jenkins.nix +++ b/modules/nixos/server/jenkins.nix 
@@ -1,14 +1,20 @@ -{ pkgs, lib, config, globals, ... }: +{ pkgs, lib, config, globals, dns, confLib, ... }: let - servicePort = 8088; - serviceName = "jenkins"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + services.jenkins = { enable = true; withCLI = true; @@ -18,7 +24,7 @@ in home = "/Vault/apps/${serviceName}"; }; - services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 16ea0bd..ba4e8f8 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix 
@@ -1,16 +1,10 @@ -{ self, lib, pkgs, config, globals, ... }: +{ self, lib, pkgs, config, globals, dns, confLib, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; inherit (config.swarselsystems) sopsFile; + inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - servicePort = 8300; - serviceUser = "kanidm"; - serviceGroup = serviceUser; - serviceName = "kanidm"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - - oauth2ProxyDomain = globals.services.oauth2Proxy.domain; + oauth2ProxyDomain = globals.services.oauth2-proxy.domain; immichDomain = globals.services.immich.domain; paperlessDomain = globals.services.paperless.domain; forgejoDomain = globals.services.forgejo.domain; @@ -37,6 +31,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { group = serviceGroup; isSystemUser = true; @@ -62,7 +60,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence { files = [ 
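Review bot: `oauth2ProxyDomain` now reads `globals.services.oauth2-proxy.domain` instead of `globals.services.oauth2Proxy.domain`, which presumably tracks oauth2-proxy.nix switching to `confLib.gen { name = "oauth2-proxy"; ... }` (that file is in the diffstat but outside this chunk). Any other consumer still reading `globals.services.oauth2Proxy` would fail at evaluation time, so it is worth a repo-wide grep for the old key before merging. The rest of the hunk is the same mechanical `confLib.gen` replacement as the other services.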
@@ -70,17 +71,22 @@ in keyPathBase ]; }; - - system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { - deps = [ "generateSSLCert-${serviceName}" "users" "groups" ]; - }; - system.activationScripts."generateSSLCert-${serviceName}" = + systemd.services."generateSSLCert-${serviceName}" = let daysValid = 3650; renewBeforeDays = 365; in { - text = '' + before = [ "${serviceName}.service" ]; + requiredBy = [ "${serviceName}.service" ]; + after = [ "local-fs.target" ]; + requires = [ "local-fs.target" ]; + + serviceConfig = { + Type = "oneshot"; + }; + + script = '' set -eu ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} @@ -89,16 +95,18 @@ in ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} need_gen=0 - if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then + if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then need_gen=1 else - enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)" + enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)" end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" now_epoch="$(${pkgs.coreutils}/bin/date +%s)" seconds_left=$(( end_epoch - now_epoch )) days_left=$(( seconds_left / 86400 )) if [ "$days_left" -lt ${toString renewBeforeDays} ]; then need_gen=1 + else + echo 'Certificate exists and is still valid' fi fi 
@@ -114,12 +122,58 @@ in chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" fi ''; - deps = [ - "etc" - (lib.mkIf config.swarselsystems.isImpermanence "specialfs") - ]; }; + + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + # deps = [ "generateSSLCert-${serviceName}" "users" "groups" ]; + # }; + # system.activationScripts."generateSSLCert-${serviceName}" = + # let + # daysValid = 3650; + # renewBeforeDays = 365; + # in + # { + # text = '' + # set -eu + + # ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} + # ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} + + # need_gen=0 + # if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then + # need_gen=1 + # else + # enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)" + # end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" + # now_epoch="$(${pkgs.coreutils}/bin/date +%s)" + # seconds_left=$(( end_epoch - now_epoch )) + # days_left=$(( seconds_left / 86400 )) + # if [ "$days_left" -lt ${toString renewBeforeDays} ]; then + # need_gen=1 + # fi + # fi + + # if [ "$need_gen" -eq 1 ]; then + # ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \ + # -keyout "${keyPath}" \ + # -out "${certPath}" \ + # -subj "/CN=${serviceDomain}" \ + # -addext "subjectAltName=DNS:${serviceDomain}" + + # chmod 0644 "${certPath}" + # chmod 0600 "${keyPath}" + # chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" + # fi + # ''; + # deps = [ + # "etc" + # (lib.mkIf config.swarselsystems.isImpermanence "specialfs") + # ]; + # }; + services = { ${serviceName} = { package = 
pkgs.kanidmWithSecretProvisioning_1_7; @@ -326,7 +380,7 @@ in ${serviceName}.serviceConfig.RestartSec = "30"; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index dfa915e..8da5e2e 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -1,12 +1,8 @@ -{ self, lib, config, pkgs, globals, ... }: +{ self, lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - servicePort = 8080; - serviceName = "kavita"; - serviceUser = "kavita"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -15,6 +11,10 @@ in calibre ]; + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; }; @@ -28,7 +28,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -38,7 +42,7 @@ in dataDir = "/Vault/data/${serviceName}"; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { 
diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index eb45709..d6c6f89 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix @@ -1,12 +1,7 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - serviceUser = "koillection"; + inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; serviceDB = "koillection"; - serviceName = "koillection"; - servicePort = 2282; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceDir = "/Vault/data/koillection"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres postgresPort = config.services.postgresql.settings.port; # 5432 @@ -18,6 +13,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; sops.secrets = { koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; }; koillection-env-file = { inherit sopsFile; }; @@ -28,7 +27,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; virtualisation.oci-containers.containers = { koillection = { 
@@ -104,7 +107,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index ba18600..02f0d60 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -1,12 +1,7 @@ -{ lib, config, pkgs, globals, ... }: +{ lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 8008; - serviceName = "matrix"; - serviceDomain = config.repo.secrets.common.services.domains.matrix; - serviceUser = "matrix-synapse"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; federationPort = 8448; whatsappPort = 29318; @@ -24,6 +19,11 @@ in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + environment.systemPackages = with pkgs; [ matrix-synapse lottieconverter @@ -91,7 +91,10 @@ in }; }; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { postgresql = { @@ -290,7 +293,7 @@ in # messages out after a while. - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix index 1001d69..8e5517f 100644 --- a/modules/nixos/server/microbin.nix 
+++ b/modules/nixos/server/microbin.nix @@ -1,10 +1,6 @@ -{ self, lib, config, ... }: +{ self, lib, config, dns, globals, confLib, ... }: let - servicePort = 8777; - serviceName = "microbin"; - serviceUser = "microbin"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; inherit (config.swarselsystems) sopsFile; @@ -14,6 +10,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users = { groups.${serviceGroup} = { }; @@ -49,7 +49,11 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -101,11 +105,11 @@ in { directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; } ]; - services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index d1ee714..ac7f5af 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix 
@@ -1,11 +1,6 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let - servicePort = 3000; - serviceUser = "grafana"; - serviceGroup = serviceUser; - serviceName = "grafana"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; prometheusPort = 9090; prometheusUser = "prometheus"; @@ -21,6 +16,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -57,7 +56,11 @@ in networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ]; topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -206,7 +209,7 @@ in }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { "${grafanaUpstream}" = { servers = { diff --git a/modules/nixos/server/mpd.nix b/modules/nixos/server/mpd.nix index 0f7afc4..e5734f5 100644 --- a/modules/nixos/server/mpd.nix +++ b/modules/nixos/server/mpd.nix 
@@ -1,11 +1,7 @@ -{ self, lib, config, pkgs, ... }: +{ self, lib, config, pkgs, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 3254; - serviceUser = "mpd"; - serviceGroup = serviceUser; - serviceName = "mpd"; + inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix index 34b245a..2abd922 100644 --- a/modules/nixos/server/navidrome.nix +++ b/modules/nixos/server/navidrome.nix @@ -1,15 +1,15 @@ -{ pkgs, config, lib, globals, ... }: +{ pkgs, config, lib, globals, dns, confLib, ... }: let - servicePort = 4040; - serviceName = "navidrome"; - serviceUser = "navidrome"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + environment.systemPackages = with pkgs; [ pciutils alsa-utils @@ -39,7 +39,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.snapserver = { enable = true; 
@@ -103,7 +106,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/network.nix b/modules/nixos/server/network.nix index 661e76b..4ef8d14 100644 --- a/modules/nixos/server/network.nix +++ b/modules/nixos/server/network.nix @@ -1,15 +1,24 @@ { lib, config, ... }: +let + inherit (config.swarselsystems.server) localNetwork; +in { options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + options.swarselsystems.server.localNetwork = lib.mkOption { + type = lib.types.str; + default = "home"; + }; config = lib.mkIf config.swarselmodules.server.network { - globals.networks.home.hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking.networks.home) id; - mac = config.repo.secrets.local.networking.networks.home.mac or null; + globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = { + inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id; + mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null; }; globals.hosts.${config.node.name} = { inherit (config.repo.secrets.local.networking) defaultGateway4; + wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null; + wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null; }; networking = { diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index c2d5af0..f313593 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix 
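Review bot: The hosts entry moves from `globals.networks.home` to `globals.networks."${…}-${localNetwork}"`, which with the default `localNetwork = "home"` yields the key `home-home` on non-cloud hosts; any module outside this patch that still reads `globals.networks.home.hosts` then finds nothing, and the doubled name reads like an accident rather than a scheme. If `home` was meant for the non-cloud case, `"${if config.swarselsystems.isCloud then "${config.node.name}-" else ""}${localNetwork}"` keeps the old key, and the identical expression in config-lib.nix's `addressDefault` would need the same change; if `home-home` is intended, a one-line comment saying so would stop the next reader from "fixing" it. The new `localNetwork` option also has no `description`; something like `description = "Name of the network in repo.secrets.local.networking.networks that this host's LAN address is taken from.";` would do.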
@@ -1,14 +1,8 @@ -{ pkgs, lib, config, globals, ... }: +{ pkgs, lib, config, globals, dns, confLib, ... }: let inherit (config.repo.secrets.local.nextcloud) adminuser; inherit (config.swarselsystems) sopsFile; - - servicePort = 80; - serviceUser = "nextcloud"; - serviceGroup = serviceUser; - serviceName = "nextcloud"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; nextcloudVersion = "32"; in @@ -16,13 +10,19 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops.secrets = { nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; - - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -50,7 +50,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index cfe9330..a321c21 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix 
@@ -85,6 +85,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence { + directories = [{ directory = "/var/lib/acme"; }]; files = [ dhParamsPathBase ]; }; 
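Review bot: The new `directories = [{ directory = "/var/lib/acme"; }]` entry carries no `user`/`group`/`mode`, so the bind-mounted directory is created with impermanence's defaults (root-owned) if it does not yet exist under /persist; the ACME units run as the `acme` user and may then fail to write account keys and certificates on a fresh host. I cannot see the ACME configuration from this hunk, so this is to confirm, but `{ directory = "/var/lib/acme"; user = "acme"; group = "acme"; mode = "0755"; }` matches what the NixOS ACME module expects and avoids the first-boot ownership race. Persisting this directory is otherwise the right call: losing the account key and certificates on every reboot would re-issue on each boot and run into the CA's rate limits.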
@@ -109,27 +110,51 @@ in ''; }; }; - system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { - deps = [ "generateDHParams" "users" "groups" ]; - }; - system.activationScripts."generateDHParams" = - { - text = '' - set -eu - - ${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath} - ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""} - - if [ ! -f "${dhParamsPathBase}" ]; then - ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096 - chmod 0644 ${dhParamsPath} - chown ${serviceUser}:${serviceGroup} ${dhParamsPath} - fi - ''; - deps = [ - "etc" - (lib.mkIf config.swarselsystems.isImpermanence "specialfs") - ]; + systemd.services.generateDHParams = { + before = [ "nginx.service" ]; + requiredBy = [ "nginx.service" ]; + after = [ "local-fs.target" ]; + requires = [ "local-fs.target" ]; + serviceConfig = { + Type = "oneshot"; }; + + script = '' + set -eu + + install -d -m 0755 ${sslBasePath} + ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""} + + if [ ! -f "${dhParamsPath}" ]; then + ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096 + chmod 0644 "${dhParamsPath}" + chown ${serviceUser}:${serviceGroup} "${dhParamsPath}" + else + echo 'Already generated DHParams' + fi + ''; + }; + + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + # deps = [ "generateDHParams" "users" "groups" ]; + # }; + # system.activationScripts."generateDHParams" = + # { + # text = '' + # set -eu + + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else "${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}"} + + # if [ ! 
-f "${dhParamsPath}" ]; then + # ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096 + # chmod 0644 ${dhParamsPath} + # chown ${serviceUser}:${serviceGroup} ${dhParamsPath} + # fi + # ''; + # deps = [ + # (lib.mkIf config.swarselsystems.isImpermanence "specialfs") + # (lib.mkIf (!config.swarselsystems.isImpermanence) "etc") + # ]; + # }; }; } diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index d74a441..e4cdf49 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix @@ -1,10 +1,6 @@ -{ lib, config, globals, ... }: +{ lib, config, globals, dns, confLib, ... }: let - servicePort = 3004; - serviceUser = "oauth2-proxy"; - serviceGroup = serviceUser; - serviceName = "oauth2-proxy"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; kanidmDomain = globals.services.kanidm.domain; mainDomain = globals.domains.main; @@ -123,6 +119,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -144,7 +144,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.oauth2Proxy.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { 
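Review bot: The oneshot script calls a bare `install` on its first line but `${pkgs.coreutils}/bin/install` on the next, and bare `chmod`/`chown` after that; pick one form — the bare one is fine since NixOS units get coreutils on PATH by default — so a reader does not wonder whether the two spellings differ on purpose. The superseded activation scripts survive as a roughly twenty-five-line comment block at the end of the hunk; git already keeps them, so deleting the block would leave the module readable. Also worth a note in the unit: a 4096-bit `openssl dhparam` can take many minutes, and because the unit is `before`/`requiredBy` nginx, the proxy on a fresh host stays down until it finishes — DH parameters are not secret, so shipping a precomputed file (the RFC 7919 groups are the usual choice) into `dhParamsPath` avoids both the delay and the root-run generation step.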
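Review bot: `globals.services.oauth2Proxy.domain` becomes `globals.services.oauth2-proxy.domain` (through `${serviceName}`), and nothing in this patch updates a reader of the old key; any nginx `auth_request`-style configuration elsewhere that still consults `globals.services.oauth2Proxy` silently loses the domain rather than failing loudly. If such readers exist outside this view, either rename them in the same commit or keep a transitional alias, `globals.services.oauth2Proxy.domain = serviceDomain;`, next to the new attribute set.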
@@ -195,11 +198,11 @@ in }; }; - services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/opkssh.nix b/modules/nixos/server/opkssh.nix index 823102a..1cc01bc 100644 --- a/modules/nixos/server/opkssh.nix +++ b/modules/nixos/server/opkssh.nix @@ -1,8 +1,6 @@ -{ lib, config, globals, ... }: +{ lib, config, globals, confLib, ... }: let - serviceName = "opkssh"; - serviceUser = "opksshuser"; - serviceGroup = serviceUser; + inherit (confLib.gen { name = "opkssh"; user = "opksshuser"; group = "opksshuser"; }) serviceName serviceUser serviceGroup; kanidmDomain = globals.services.kanidm.domain; diff --git a/modules/nixos/server/packages.nix b/modules/nixos/server/packages.nix index 6f5f744..f8d3440 100644 --- a/modules/nixos/server/packages.nix +++ b/modules/nixos/server/packages.nix @@ -4,7 +4,6 @@ config = lib.mkIf config.swarselmodules.server.packages { environment.systemPackages = with pkgs; [ gnupg - nix-index nvd nix-output-monitor ssh-to-age diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 005bdab..3b2e201 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -1,13 +1,7 @@ -{ lib, pkgs, config, globals, ... }: +{ lib, pkgs, config, dns, globals, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - - servicePort = 28981; - serviceUser = "paperless"; - serviceGroup = serviceUser; - serviceName = "paperless"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; tikaPort = 9998; gotenbergPort = 3002; 
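Review bot: The upstream for oauth2-proxy moves from `localhost:${servicePort}` to `${serviceAddress}:${servicePort}`, so when `proxyHost` is another machine the hop that carries the session cookie and the OIDC tokens now crosses the LAN in plain HTTP, and the backend must also listen on that LAN address rather than on loopback (not visible here; confirm the listener). The same move happens in microbin.nix, shlink.nix and slink.nix in this patch. Independently, the `networking.firewall.allowedTCPPorts = [ servicePort ];` line in the previous hunk opens the backend port network-wide even when the proxy is local and `serviceAddress` is `"localhost"`; `networking.firewall.allowedTCPPorts = lib.optional (serviceAddress != "localhost") servicePort;` keeps the port closed in that case, and a source restriction to the proxy host would narrow it further when it is open.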
@@ -17,6 +11,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; }; @@ -28,7 +26,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services.${serviceName}.domain = serviceDomain; + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services = { ${serviceName} = { @@ -98,7 +99,7 @@ in ) ''; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/postgresql.nix b/modules/nixos/server/postgresql.nix index 3cfa47d..16be2cd 100644 --- a/modules/nixos/server/postgresql.nix +++ b/modules/nixos/server/postgresql.nix @@ -1,6 +1,6 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, confLib, ... }: let - serviceName = "postgresql"; + inherit (confLib.gen { name = "postgresql"; port = 3254; }) serviceName; postgresVersion = 14; in { diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index 411a3e6..db5a9a5 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix 
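Review bot: `confLib.gen { name = "postgresql"; port = 3254; }` passes the port that mpd.nix uses in this same patch, not a PostgreSQL port, and only `serviceName` is inherited, so the value is dead but misleading (koillection.nix reads the real port from `config.services.postgresql.settings.port`). Drop the argument, `inherit (confLib.gen { name = "postgresql"; }) serviceName;`, or pass the port the server actually uses so a later `servicePort` inherit does not pick up 3254.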
@@ -1,20 +1,18 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let + inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; sopsFile = self + /secrets/winters/secrets2.yaml; - servicePort = 8000; - serviceName = "radicale"; - serviceUser = "radicale"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - cfg = config.services.${serviceName}; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -35,7 +33,11 @@ in }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = { enable = true; @@ -88,7 +90,7 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix index 4c61caa..99ed6fd 100644 --- a/modules/nixos/server/shlink.nix +++ b/modules/nixos/server/shlink.nix 
@@ -1,9 +1,6 @@ -{ self, lib, config, ... }: +{ self, lib, config, dns, globals, confLib, ... }: let - servicePort = 8081; - serviceName = "shlink"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceDir = "/var/lib/shlink"; + inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6; containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a"; @@ -15,6 +12,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { shlink-api = { inherit sopsFile; }; @@ -80,13 +81,17 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/${serviceName}.png"; }; - globals.services.${serviceName}.domain = serviceDomain; - services.nginx = { + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/slink.nix b/modules/nixos/server/slink.nix index 1d92892..4edfa0b 100644 --- a/modules/nixos/server/slink.nix +++ b/modules/nixos/server/slink.nix 
@@ -1,9 +1,6 @@ -{ self, lib, config, ... }: +{ self, lib, config, dns, globals, confLib, ... }: let - servicePort = 3000; - serviceName = "slink"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceDir = "/var/lib/slink"; + inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6; containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9"; in @@ -13,6 +10,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + virtualisation.oci-containers.containers.${serviceName} = { image = "anirdev/slink@${containerRev}"; environment = { @@ -57,13 +58,17 @@ in info = "https://${serviceDomain}"; icon = "${self}/files/topology-images/shlink.png"; }; - globals.services.${serviceName}.domain = serviceDomain; - services.nginx = { + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { - "localhost:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix index 3ae183e..03b9666 100644 --- a/modules/nixos/server/snipe-it.nix +++ b/modules/nixos/server/snipe-it.nix 
@@ -1,22 +1,20 @@ -{ self, lib, config, globals, ... }: +{ self, lib, config, globals, dns, confLib, ... }: let + inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; sopsFile = self + /secrets/winters/secrets2.yaml; serviceDB = "snipeit"; - servicePort = 80; - serviceName = "snipeit"; - serviceUser = "snipeit"; - serviceGroup = serviceUser; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - mysqlPort = 3306; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + sops = { secrets = { snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; @@ -24,7 +22,11 @@ in }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; - globals.services.${serviceName}.domain = serviceDomain; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.snipe-it = { enable = true; @@ -43,7 +45,7 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/spotifyd.nix b/modules/nixos/server/spotifyd.nix index fd12435..e5dc58d 100644 --- a/modules/nixos/server/spotifyd.nix +++ b/modules/nixos/server/spotifyd.nix 
@@ -1,9 +1,6 @@ -{ lib, config, ... }: +{ lib, config, confLib, ... }: let - servicePort = 1025; - serviceName = "spotifyd"; - serviceUser = "spotifyd"; - serviceGroup = serviceUser; + inherit (confLib.gen { name = "spotifyd"; port = 1025; }) servicePort serviceName serviceUser serviceGroup; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix index 6eb61c6..09986d3 100644 --- a/modules/nixos/server/syncthing.nix +++ b/modules/nixos/server/syncthing.nix @@ -1,14 +1,9 @@ -{ lib, config, configName, globals, ... }: +{ lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems.syncthing) serviceDomain; - inherit (config.swarselsystems.syncthing) serviceIP; + inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress serviceProxy proxyAddress4 proxyAddress6; - servicePort = 8384; - serviceUser = "syncthing"; - serviceGroup = serviceUser; - serviceName = "syncthing"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; - specificServiceName = "syncthing-${configName}"; + specificServiceName = "${serviceName}-${config.node.name}"; cfg = config.services.${serviceName}; devices = config.swarselsystems.syncthing.syncDevices; @@ -22,10 +17,6 @@ in type = lib.types.str; default = config.repo.secrets.common.services.domains.syncthing1; }; - serviceIP = lib.mkOption { - type = lib.types.str; - default = "${serviceAddress}"; - }; syncDevices = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ "magicant" "winters" "pyramid" "moonside@oracle" ]; 
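Review bot: `specificServiceName` changes from `syncthing-${configName}` to `syncthing-${config.node.name}`, and the `serviceIP` option under `swarselsystems.syncthing` is removed; if `configName` and `node.name` differ for any host, the `globals.services.syncthing-*` key and the DNS subdomain derived from it change name, and any configuration that set `serviceIP` now fails evaluation with an unknown-option error. The second effect is probably intended (the address now comes from `confLib.gen`), but the first is only safe if every host's two names agree, which this hunk cannot show; a short comment on `specificServiceName` stating that the node name is the key used by `syncDevices` would document the contract.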
@@ -51,6 +42,10 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { + "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + users.users.${serviceUser} = { extraGroups = [ "users" ]; group = serviceGroup; @@ -61,7 +56,10 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - globals.services."${specificServiceName}".domain = serviceDomain; + globals.services.${specificServiceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; services.${serviceName} = rec { enable = true; @@ -117,11 +115,11 @@ in }; }; - nodes.moonside.services.nginx = { + nodes.${serviceProxy}.services.nginx = { upstreams = { ${specificServiceName} = { servers = { - "${serviceIP}:${builtins.toString servicePort}" = { }; + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; diff --git a/modules/nixos/server/transmission.nix b/modules/nixos/server/transmission.nix index 64c2199..7dfcd87 100644 --- a/modules/nixos/server/transmission.nix +++ b/modules/nixos/server/transmission.nix @@ -1,7 +1,6 @@ -{ self, pkgs, lib, config, ... }: +{ self, pkgs, lib, config, confLib, ... }: let - serviceName = "transmission"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain; lidarrUser = "lidarr"; lidarrGroup = lidarrUser; diff --git a/modules/shared/config-lib.nix b/modules/shared/config-lib.nix new file mode 100644 index 0000000..cb8e68f --- /dev/null +++ b/modules/shared/config-lib.nix 
@@ -0,0 +1,25 @@
+{ config, globals, ... }:
+{
+ _module.args = {
+ confLib = rec {
+
+ addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost";
+
+ domainDefault = service: config.repo.secrets.common.services.domains.${service};
+ proxyDefault = config.swarselsystems.proxyHost;
+
+ gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec {
+ servicePort = port;
+ serviceName = name;
+ serviceUser = user;
+ serviceGroup = group;
+ serviceDomain = domain;
+ serviceDir = dir;
+ serviceAddress = address;
+ serviceProxy = proxy;
+ proxyAddress4 = globals.hosts.${proxy}.wanAddress4;
+ proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
+ };
+ };
+ };
+}
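Review bot: `proxyAddress4 = globals.hosts.${proxy}.wanAddress4;` has no `or null` fallback while `proxyAddress6` does, yet network.nix in this same patch sets `wanAddress4 = … or null`, so a proxy host without a v4 WAN address in its secrets yields null here and any host whose `globals.hosts` entry is missing the attribute aborts evaluation with an attribute-not-found error instead of the intended null. Make the two lines symmetric, `proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;`, and note that every service module then hands a possibly-null pair to `dns.lib.combinators.host`, whose behaviour on null I cannot see from here. `gen` is also the one place all service modules now depend on, and it carries no documentation; a header comment stating that `addressDefault` is `"localhost"` when the proxy runs on this node and the LAN address otherwise, that `domain` defaults to the secrets entry keyed by `name`, and that `proxyAddress4`/`proxyAddress6` are the WAN addresses published in public DNS, would spare the next reader a trip through network.nix.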