feat[server]: use confLib to manage services

Leon Schwarzäugl 2025-11-25 19:42:37 +01:00
parent fd6df781cf
commit 31623b65d6
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
37 changed files with 512 additions and 316 deletions


@ -1,11 +1,7 @@
{ self, lib, config, globals, ... }:
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 27701;
serviceName = "ankisync";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
ankiUser = globals.user.name;
in
@ -13,6 +9,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
networking.firewall.allowedTCPPorts = [ servicePort ];
sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
@ -23,7 +23,10 @@ in
info = "https://${serviceDomain}";
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.anki-sync-server = {
enable = true;
@ -38,7 +41,7 @@ in
];
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,16 +1,21 @@
{ lib, config, globals, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
servicePort = 8888;
serviceName = "atuin";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -20,7 +25,7 @@ in
openRegistration = false;
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,5 +1,6 @@
{ self, lib, config, pkgs, ... }:
{ self, lib, config, pkgs, dns, globals, confLib, ... }:
let
inherit (confLib.gen { name = "croc"; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
servicePorts = [
9009
9010
@ -7,8 +8,6 @@ let
9012
9013
];
serviceName = "croc";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
@ -18,6 +17,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets = {
croc-password = { inherit sopsFile; };
@ -39,7 +42,10 @@ in
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;


@ -1,10 +1,15 @@
{ self, pkgs, lib, config, globals, minimal, ... }:
let
localIp = globals.networks.home.hosts.${config.node.name}.ipv4;
subnetMask = globals.networks.home.subnetMask4;
localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4;
gatewayIp = globals.hosts.${config.node.name}.defaultGateway4;
hostKeyPath = "/etc/secrets/initrd/ssh_host_ed25519_key";
hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key";
hostKeyPath =
if config.swarselsystems.isImpermanence then
"/persist/${hostKeyPathBase}"
else
"${hostKeyPathBase}";
in
{
options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config";
@ -14,35 +19,40 @@ in
};
config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) {
system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
deps = [ "ensureInitrdHostkey" ];
};
system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) {
text = ''
[[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath}
'';
deps = [ "users" ];
deps = [
"etc"
];
};
environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && (config.swarselprofiles.server || minimal)) {
files = [ hostKeyPath ];
files = [ hostKeyPathBase ];
};
boot = lib.mkIf (config.swarselprofiles.server || minimal) {
kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [
boot = lib.mkIf (!config.swarselsystems.isLaptop) {
kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [
"ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
];
initrd = {
availableKernelModules = config.swarselsystems.networkKernelModules;
network = {
enable = true;
udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true;
flushBeforeStage2 = true;
ssh = {
enable = true;
port = 2222; # avoid hostkey changed nag
authorizedKeyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
authorizedKeys = [
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}''
];
hostKeys = [ hostKeyPath ];
hostKeys = [ hostKeyPathBase ];
};
# postCommands = ''
# echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
@ -52,23 +62,24 @@ in
initrdBin = with pkgs; [
cryptsetup
];
services = {
unlock-luks = {
wantedBy = [ "initrd.target" ];
after = [ "network.target" ];
before = [ "systemd-cryptsetup@cryptroot.service" ];
path = [ "/bin" ];
# NOTE: the below does put the text into /root/.profile, but the command will not be run
# services = {
# unlock-luks = {
# wantedBy = [ "initrd.target" ];
# after = [ "network.target" ];
# before = [ "systemd-cryptsetup@cryptroot.service" ];
# path = [ "/bin" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
script = ''
echo "systemctl default" >> /root/.profile
'';
};
};
# script = ''
# echo "systemctl default" >> /root/.profile
# '';
# };
# };
};
};
};
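Review bot: The forced command on the two initrd keys (`command="/bin/systemctl default" ...`) limits what the session executes but not what else it may do — without `restrict`, that key still gets TCP, agent and X11 forwarding from the initrd sshd, which is more than a remote unlock needs; `''restrict,pty,command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''` (and the same for magicant) keeps the pty the password prompt relies on and drops the rest. `udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true` now sits inside `boot = lib.mkIf (!config.swarselsystems.isLaptop)` and can never apply, while cloud hosts lose the static `ip=` kernel parameter without any DHCP replacement in this file — unless their initrd network is configured elsewhere, the initrd sshd will have no address to listen on. `ssh-keygen -f` does not create parent directories and `createPersistentStorageDirs` now runs after `ensureInitrdHostkey`, so on an impermanence host the first activation should create the directory itself (`install -d -m 0700 ${builtins.dirOf hostKeyPath}` before the keygen) rather than assume `/persist/etc/secrets/initrd` exists. The commented-out `unlock-luks` service at the end is dead config now that the forced command replaces it and could be dropped.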


@ -1,7 +1,6 @@
{ lib, config, ... }:
{ lib, config, confLib, ... }:
let
serviceName = "emacs";
servicePort = 9812;
inherit (confLib.gen { name = "emacs"; port = 9812; }) servicePort serviceName;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} server on server";


@ -1,11 +1,6 @@
{ self, lib, config, globals, ... }:
{ self, lib, config, globals, dns, confLib, ... }:
let
servicePort = 80;
serviceUser = "firefly-iii";
serviceGroup = serviceUser;
serviceName = "firefly-iii";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
nginxGroup = "nginx";
@ -16,6 +11,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users = {
groups.${serviceGroup} = { };
users.${serviceUser} = {
@ -36,7 +35,11 @@ in
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services = {
${serviceName} = {
@ -78,7 +81,7 @@ in
};
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,13 +1,7 @@
{ lib, config, pkgs, globals, ... }:
{ lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 3004;
serviceUser = "forgejo";
serviceGroup = serviceUser;
serviceName = "forgejo";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
kanidmDomain = globals.services.kanidm.domain;
in
@ -15,6 +9,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
networking.firewall.allowedTCPPorts = [ servicePort ];
users.users.${serviceUser} = {
@ -28,7 +26,10 @@ in
kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -129,7 +130,7 @@ in
'';
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,11 +1,6 @@
{ self, lib, config, globals, ... }:
{ self, lib, config, globals, dns, confLib, ... }:
let
servicePort = 80;
serviceName = "freshrss";
serviceUser = "freshrss";
serviceGroup = serviceName;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
inherit (config.swarselsystems) sopsFile;
in
@ -13,6 +8,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users.users.${serviceUser} = {
extraGroups = [ "users" ];
group = serviceGroup;
@ -54,7 +53,10 @@ in
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} =
let
@ -74,7 +76,7 @@ in
# config.sops.templates.freshrss-env.path
# ];
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,11 +1,8 @@
{ self, lib, pkgs, config, configName, globals, ... }:
{ self, lib, pkgs, config, configName, globals, dns, confLib, ... }:
let
sopsFile = self + /secrets/${configName}/secrets2.yaml;
inherit (confLib.gen { name = "garage"; port = 3900; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
serviceName = "garage";
servicePort = 3900;
serviceDomain = config.repo.secrets.common.services.domains."${serviceName}-${configName}";
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
sopsFile = self + /secrets/${configName}/secrets2.yaml;
cfg = config.services.${serviceName};
metadata_dir = "/var/lib/garage/meta";
@ -22,6 +19,10 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets.garage-admin-token = { inherit sopsFile; };
secrets.garage-rpc-secret = { inherit sopsFile; };
@ -36,6 +37,11 @@ in
];
};
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
systemd.services.${serviceName}.serviceConfig = {
DynamicUser = false;
ProtectHome = lib.mkForce false;
@ -74,7 +80,7 @@ in
};
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
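Review bot: `serviceDomain` for garage was previously looked up as `domains."${serviceName}-${configName}"`, but `confLib.gen { name = "garage"; port = 3900; }` receives no `configName`, so unless `confLib.gen` appends it internally every garage host now resolves the same `domains.garage` entry and the per-host domain is lost. For the same reason the new `globals.services.garage = { domain = …; inherit proxyAddress4 proxyAddress6; }` is keyed by the bare service name and will collide if garage is enabled on more than one node — the `-${configName}` suffix the old code used suggests it is. Passing the instance through, e.g. `confLib.gen { name = "garage"; port = 3900; domain = "garage-${configName}"; }` if the helper supports such an argument, or keeping the explicit `serviceDomain` binding, would preserve the old behaviour.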


@ -1,16 +1,21 @@
{ lib, pkgs, config, globals, ... }:
{ lib, pkgs, config, globals, dns, confLib, ... }:
let
servicePort = 7745;
serviceName = "homebox";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -26,7 +31,7 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,21 +1,25 @@
{ lib, pkgs, config, globals, ... }:
{ lib, pkgs, config, globals, dns, confLib, ... }:
let
servicePort = 3001;
serviceUser = "immich";
serviceName = "immich";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users.users.${serviceUser} = {
extraGroups = [ "video" "render" "users" ];
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -29,9 +33,9 @@ in
};
};
networking.firewall.allowedTCPPorts = [ 3001 ];
networking.firewall.allowedTCPPorts = [ servicePort ];
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,20 +1,23 @@
{ pkgs, lib, config, globals, ... }:
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
servicePort = 8096;
serviceName = "jellyfin";
serviceUser = "jellyfin";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users.users.${serviceUser} = {
extraGroups = [ "video" "render" "users" ];
};
nixpkgs.config.packageOverrides = pkgs: {
intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
@ -26,7 +29,11 @@ in
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -34,7 +41,7 @@ in
openFirewall = true; # this works only for the default ports
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,14 +1,20 @@
{ pkgs, lib, config, globals, ... }:
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
servicePort = 8088;
serviceName = "jenkins";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.jenkins = {
enable = true;
withCLI = true;
@ -18,7 +24,7 @@ in
home = "/Vault/apps/${serviceName}";
};
services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
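Review bot: Moving the vhost from the local `services.nginx` to `nodes.${serviceProxy}.services.nginx` means Jenkins on port 8088 must now be reachable from the proxy node, but unlike the sibling modules (homebox, immich) this section adds no `networking.firewall.allowedTCPPorts = [ servicePort ];` and nothing here makes Jenkins listen on `serviceAddress` rather than localhost — unless both are set elsewhere the proxy will get connection refused. The proxy→backend hop is also now plain HTTP across the network instead of loopback, which for a Jenkins instance (credentials, API tokens in flight) is worth confining to a trusted segment or an overlay. The `upstreams.jenkins.servers` body is cut off at the end of the hunk.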


@ -1,16 +1,10 @@
{ self, lib, pkgs, config, globals, ... }:
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
servicePort = 8300;
serviceUser = "kanidm";
serviceGroup = serviceUser;
serviceName = "kanidm";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
oauth2ProxyDomain = globals.services.oauth2Proxy.domain;
oauth2ProxyDomain = globals.services.oauth2-proxy.domain;
immichDomain = globals.services.immich.domain;
paperlessDomain = globals.services.paperless.domain;
forgejoDomain = globals.services.forgejo.domain;
@ -37,6 +31,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users.users.${serviceUser} = {
group = serviceGroup;
isSystemUser = true;
@ -62,7 +60,10 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [
@ -70,17 +71,22 @@ in
keyPathBase
];
};
system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
};
system.activationScripts."generateSSLCert-${serviceName}" =
systemd.services."generateSSLCert-${serviceName}" =
let
daysValid = 3650;
renewBeforeDays = 365;
in
{
text = ''
before = [ "${serviceName}.service" ];
requiredBy = [ "${serviceName}.service" ];
after = [ "local-fs.target" ];
requires = [ "local-fs.target" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
@ -89,16 +95,18 @@ in
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
need_gen=0
if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
need_gen=1
else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch ))
days_left=$(( seconds_left / 86400 ))
if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
need_gen=1
else
echo 'Certificate exists and is still valid'
fi
fi
@ -114,12 +122,58 @@ in
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi
'';
deps = [
"etc"
(lib.mkIf config.swarselsystems.isImpermanence "specialfs")
];
};
# system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
# deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
# };
# system.activationScripts."generateSSLCert-${serviceName}" =
# let
# daysValid = 3650;
# renewBeforeDays = 365;
# in
# {
# text = ''
# set -eu
# ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
# ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
# need_gen=0
# if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
# need_gen=1
# else
# enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
# end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
# now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
# seconds_left=$(( end_epoch - now_epoch ))
# days_left=$(( seconds_left / 86400 ))
# if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
# need_gen=1
# fi
# fi
# if [ "$need_gen" -eq 1 ]; then
# ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
# -keyout "${keyPath}" \
# -out "${certPath}" \
# -subj "/CN=${serviceDomain}" \
# -addext "subjectAltName=DNS:${serviceDomain}"
# chmod 0644 "${certPath}"
# chmod 0600 "${keyPath}"
# chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
# fi
# '';
# deps = [
# "etc"
# (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
# ];
# };
services = {
${serviceName} = {
package = pkgs.kanidmWithSecretProvisioning_1_7;
@ -326,7 +380,7 @@ in
${serviceName}.serviceConfig.RestartSec = "30";
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
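Review bot: The new `generateSSLCert-kanidm` oneshot runs as root with the default umask, and, as the commented copy of the old script shows, the key is written by `openssl req -newkey` first and only tightened afterwards with `chmod 0600`, so the fresh private key briefly exists with permissive mode; putting `umask 077` right after `set -eu` in `script` closes that window (the cert can keep its explicit `chmod 0644`). The new openssl section itself is outside the shown hunks. Regeneration is still driven only by expiry (`days_left -lt 365`), so a changed `serviceDomain` keeps serving a certificate whose CN/SAN no longer match for up to ten years — comparing `openssl x509 -noout -ext subjectAltName -in "${certPath}"` against `${serviceDomain}` and setting `need_gen=1` on mismatch would cover that. The ~45-line commented copy of the old activation script that follows the service is dead code and should be removed; git history keeps it.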


@ -1,12 +1,8 @@
{ self, lib, config, pkgs, globals, ... }:
{ self, lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 8080;
serviceName = "kavita";
serviceUser = "kavita";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -15,6 +11,10 @@ in
calibre
];
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users.users.${serviceUser} = {
extraGroups = [ "users" ];
};
@ -28,7 +28,11 @@ in
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -38,7 +42,7 @@ in
dataDir = "/Vault/data/${serviceName}";
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,12 +1,7 @@
{ self, lib, config, globals, ... }:
{ self, lib, config, globals, dns, confLib, ... }:
let
serviceUser = "koillection";
inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
serviceDB = "koillection";
serviceName = "koillection";
servicePort = 2282;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceDir = "/Vault/data/koillection";
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
postgresPort = config.services.postgresql.settings.port; # 5432
@ -18,6 +13,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops.secrets = {
koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
koillection-env-file = { inherit sopsFile; };
@ -28,7 +27,11 @@ in
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
virtualisation.oci-containers.containers = {
koillection = {
@ -104,7 +107,7 @@ in
};
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,12 +1,7 @@
{ lib, config, pkgs, globals, ... }:
{ lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 8008;
serviceName = "matrix";
serviceDomain = config.repo.secrets.common.services.domains.matrix;
serviceUser = "matrix-synapse";
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
federationPort = 8448;
whatsappPort = 29318;
@ -24,6 +19,11 @@ in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
environment.systemPackages = with pkgs; [
matrix-synapse
lottieconverter
@ -91,7 +91,10 @@ in
};
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services = {
postgresql = {
@ -290,7 +293,7 @@ in
# messages out after a while.
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,10 +1,6 @@
{ self, lib, config, ... }:
{ self, lib, config, dns, globals, confLib, ... }:
let
servicePort = 8777;
serviceName = "microbin";
serviceUser = "microbin";
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
inherit (config.swarselsystems) sopsFile;
@ -14,6 +10,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users = {
groups.${serviceGroup} = { };
@ -49,7 +49,11 @@ in
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -101,11 +105,11 @@ in
{ directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
];
services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
"localhost:${builtins.toString servicePort}" = { };
"${serviceAddress}:${builtins.toString servicePort}" = { };
};
};
};
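Review bot: The upstream now points at `${serviceAddress}:${servicePort}` on `nodes.${serviceProxy}` instead of `localhost`, so microbin has to bind on that address and the port has to be opened towards the proxy, yet neither a bind/listen setting nor a `networking.firewall.allowedTCPPorts = [ servicePort ];` line appears in this section (the sibling modules add the latter). Since microbin stores whatever users paste or upload, the proxy→backend leg leaving loopback for plain HTTP over the network is also a change in exposure — acceptable on a trusted home segment, not if `serviceProxy` is a cloud node reached over the public internet. A one-line comment stating the assumption would help the next reader, e.g. `# backend is reached by the proxy over plain HTTP; serviceProxy must sit on the same trusted network`.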


@ -1,11 +1,6 @@
{ self, lib, config, globals, ... }:
{ self, lib, config, globals, dns, confLib, ... }:
let
servicePort = 3000;
serviceUser = "grafana";
serviceGroup = serviceUser;
serviceName = "grafana";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
prometheusPort = 9090;
prometheusUser = "prometheus";
@ -21,6 +16,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets = {
grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@ -57,7 +56,11 @@ in
networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ];
topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}";
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services = {
${serviceName} = {
@ -206,7 +209,7 @@ in
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
"${grafanaUpstream}" = {
servers = {
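Review bot: The DNS block at lines 914–916 reads `globals.services.${serviceName}.baseDomain` and `.subDomain`, which this module never sets — it only publishes `domain` and the proxy addresses at lines 924–927 — so it presumably relies on those two being derived from `domain` somewhere outside this commit; a one-line comment stating that dependency would help, e.g. `# baseDomain/subDomain are expected to be derived from .domain by the globals.services definition, not set here`. The same three-line record and the same `globals.services.${serviceName} = { domain = serviceDomain; inherit proxyAddress4 proxyAddress6; }` pair are repeated verbatim in the navidrome, nextcloud, oauth2-proxy, paperless, radicale, shlink, slink, snipeit and syncthing sections; since `confLib.gen` already carries every input, a single helper (or an option defaulting from `domain`) would remove the copies and keep the public-record logic in one place. The enclosing module continues outside the hunks.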


@ -1,11 +1,7 @@
{ self, lib, config, pkgs, ... }:
{ self, lib, config, pkgs, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 3254;
serviceUser = "mpd";
serviceGroup = serviceUser;
serviceName = "mpd";
inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";


@ -1,15 +1,15 @@
{ pkgs, config, lib, globals, ... }:
{ pkgs, config, lib, globals, dns, confLib, ... }:
let
servicePort = 4040;
serviceName = "navidrome";
serviceUser = "navidrome";
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
environment.systemPackages = with pkgs; [
pciutils
alsa-utils
@ -39,7 +39,10 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.snapserver = {
enable = true;
@ -103,7 +106,7 @@ in
};
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,15 +1,24 @@
{ lib, config, ... }:
let
inherit (config.swarselsystems.server) localNetwork;
in
{
options.swarselmodules.server.network = lib.mkEnableOption "enable server network config";
options.swarselsystems.server.localNetwork = lib.mkOption {
type = lib.types.str;
default = "home";
};
config = lib.mkIf config.swarselmodules.server.network {
globals.networks.home.hosts.${config.node.name} = {
inherit (config.repo.secrets.local.networking.networks.home) id;
mac = config.repo.secrets.local.networking.networks.home.mac or null;
globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = {
inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id;
mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null;
};
globals.hosts.${config.node.name} = {
inherit (config.repo.secrets.local.networking) defaultGateway4;
wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null;
wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null;
};
networking = {


@ -1,14 +1,8 @@
{ pkgs, lib, config, globals, ... }:
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
inherit (config.repo.secrets.local.nextcloud) adminuser;
inherit (config.swarselsystems) sopsFile;
servicePort = 80;
serviceUser = "nextcloud";
serviceGroup = serviceUser;
serviceName = "nextcloud";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
nextcloudVersion = "32";
in
@ -16,13 +10,19 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops.secrets = {
nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services = {
${serviceName} = {
@ -50,7 +50,7 @@ in
};
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -85,6 +85,7 @@ in
networking.firewall.allowedTCPPorts = [ 80 443 ];
environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
directories = [{ directory = "/var/lib/acme"; }];
files = [ dhParamsPathBase ];
};
@ -109,27 +110,51 @@ in
'';
};
};
system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
deps = [ "generateDHParams" "users" "groups" ];
systemd.services.generateDHParams = {
before = [ "nginx.service" ];
requiredBy = [ "nginx.service" ];
after = [ "local-fs.target" ];
requires = [ "local-fs.target" ];
serviceConfig = {
Type = "oneshot";
};
system.activationScripts."generateDHParams" =
{
text = ''
script = ''
set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}
install -d -m 0755 ${sslBasePath}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""}
if [ ! -f "${dhParamsPathBase}" ]; then
${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096
chmod 0644 ${dhParamsPath}
chown ${serviceUser}:${serviceGroup} ${dhParamsPath}
if [ ! -f "${dhParamsPath}" ]; then
${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
chmod 0644 "${dhParamsPath}"
chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
else
echo 'Already generated DHParams'
fi
'';
deps = [
"etc"
(lib.mkIf config.swarselsystems.isImpermanence "specialfs")
];
};
# system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
# deps = [ "generateDHParams" "users" "groups" ];
# };
# system.activationScripts."generateDHParams" =
# {
# text = ''
# set -eu
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else "${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}"}
# if [ ! -f "${dhParamsPath}" ]; then
# ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096
# chmod 0644 ${dhParamsPath}
# chown ${serviceUser}:${serviceGroup} ${dhParamsPath}
# fi
# '';
# deps = [
# (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
# (lib.mkIf (!config.swarselsystems.isImpermanence) "etc")
# ];
# };
};
}
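Review bot: The guard `if [ ! -f "${dhParamsPath}" ]` (line 1100) only tests existence, so under impermanence — where line 1072 now persists `dhParamsPathBase` — an empty placeholder or bind mount created before `generateDHParams` runs would make the test skip generation and nginx would start with a zero-length parameter file; whether the persisted file is in place by `local-fs.target` (line 1083) cannot be determined from this hunk, so the ordering should be checked against the persistence mechanism. Testing for a non-empty file, `if [ ! -s "${dhParamsPath}" ]; then`, closes that case regardless of ordering; the hunk also shows both `dhParamsPathBase` (lines 1072, 1096) and `dhParamsPath` (line 1100) as test targets, which deserves a comment stating which is the persisted path and which the runtime one. Line 1094 now relies on the unit's PATH for `install` while line 1095 still uses the absolute coreutils path — fine under NixOS defaults, but worth making consistent. The commented-out activation-script copy at lines 1113–1131 is dead code that history already preserves and should be deleted.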


@ -1,10 +1,6 @@
{ lib, config, globals, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
servicePort = 3004;
serviceUser = "oauth2-proxy";
serviceGroup = serviceUser;
serviceName = "oauth2-proxy";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
kanidmDomain = globals.services.kanidm.domain;
mainDomain = globals.domains.main;
@ -123,6 +119,10 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets = {
"oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@ -144,7 +144,10 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.oauth2Proxy.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services = {
${serviceName} = {
@ -195,11 +198,11 @@ in
};
};
services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
"localhost:${builtins.toString servicePort}" = { };
"${serviceAddress}:${builtins.toString servicePort}" = { };
};
};
};
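Review bot: The globals key changes from `globals.services.oauth2Proxy.domain` (line 1160) to `globals.services.${serviceName}`, i.e. `oauth2-proxy` (line 1161), so any module still reading `globals.services.oauth2Proxy.domain` (not visible here) will now hit a missing attribute; grep the tree for the old key or keep an alias. The upstream also moves from `localhost` to `${serviceAddress}` (lines 1175–1176) while nginx moves to `nodes.${serviceProxy}`; with confLib's `addressDefault` that is `localhost` only when this node is the proxy host, otherwise the proxy reaches oauth2-proxy over plain HTTP on the LAN address, which requires the service to listen on that interface (its `services.${serviceName}` block is outside the hunk) and gives up the loopback-only reachability it had before. The same `localhost`→`${serviceAddress}` change appears in the shlink and slink sections. A one-line comment such as `# upstream is localhost only when this node is the proxy host (see confLib.addressDefault)` would make that dependency visible at the call site.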


@ -1,8 +1,6 @@
{ lib, config, globals, ... }:
{ lib, config, globals, confLib, ... }:
let
serviceName = "opkssh";
serviceUser = "opksshuser";
serviceGroup = serviceUser;
inherit (confLib.gen { name = "opkssh"; user = "opksshuser"; group = "opksshuser"; }) serviceName serviceUser serviceGroup;
kanidmDomain = globals.services.kanidm.domain;


@ -4,7 +4,6 @@
config = lib.mkIf config.swarselmodules.server.packages {
environment.systemPackages = with pkgs; [
gnupg
nix-index
nvd
nix-output-monitor
ssh-to-age


@ -1,13 +1,7 @@
{ lib, pkgs, config, globals, ... }:
{ lib, pkgs, config, dns, globals, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 28981;
serviceUser = "paperless";
serviceGroup = serviceUser;
serviceName = "paperless";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
tikaPort = 9998;
gotenbergPort = 3002;
@ -17,6 +11,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users.users.${serviceUser} = {
extraGroups = [ "users" ];
};
@ -28,7 +26,10 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services = {
${serviceName} = {
@ -98,7 +99,7 @@ in
)
'';
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, confLib, ... }:
let
serviceName = "postgresql";
inherit (confLib.gen { name = "postgresql"; port = 3254; }) serviceName;
postgresVersion = 14;
in
{
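Review bot: `confLib.gen { name = "postgresql"; port = 3254; }` at line 1254 passes a port that is never inherited (only `serviceName` is), and 3254 is the port the mpd module uses (line 949), so it reads like a copy-paste remnant that could mislead whoever later adds `servicePort` to the inherit list. `inherit (confLib.gen { name = "postgresql"; }) serviceName;` is sufficient, since `gen` defaults `port` to null.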


@ -1,20 +1,18 @@
{ self, lib, config, globals, ... }:
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
sopsFile = self + /secrets/winters/secrets2.yaml;
servicePort = 8000;
serviceName = "radicale";
serviceUser = "radicale";
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
cfg = config.services.${serviceName};
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@ -35,7 +33,11 @@ in
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = {
enable = true;
@ -88,7 +90,7 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,9 +1,6 @@
{ self, lib, config, ... }:
{ self, lib, config, dns, globals, confLib, ... }:
let
servicePort = 8081;
serviceName = "shlink";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceDir = "/var/lib/shlink";
inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6;
containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
@ -15,6 +12,10 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets = {
shlink-api = { inherit sopsFile; };
@ -80,13 +81,17 @@ in
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
services.nginx = {
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
"localhost:${builtins.toString servicePort}" = { };
"${serviceAddress}:${builtins.toString servicePort}" = { };
};
};
};


@ -1,9 +1,6 @@
{ self, lib, config, ... }:
{ self, lib, config, dns, globals, confLib, ... }:
let
servicePort = 3000;
serviceName = "slink";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceDir = "/var/lib/slink";
inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress serviceProxy proxyAddress4 proxyAddress6;
containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
in
@ -13,6 +10,10 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
virtualisation.oci-containers.containers.${serviceName} = {
image = "anirdev/slink@${containerRev}";
environment = {
@ -57,13 +58,17 @@ in
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/shlink.png";
};
globals.services.${serviceName}.domain = serviceDomain;
services.nginx = {
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
"localhost:${builtins.toString servicePort}" = { };
"${serviceAddress}:${builtins.toString servicePort}" = { };
};
};
};


@ -1,22 +1,20 @@
{ self, lib, config, globals, ... }:
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
sopsFile = self + /secrets/winters/secrets2.yaml;
serviceDB = "snipeit";
servicePort = 80;
serviceName = "snipeit";
serviceUser = "snipeit";
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
mysqlPort = 3306;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets = {
snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@ -24,7 +22,11 @@ in
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.snipe-it = {
enable = true;
@ -43,7 +45,7 @@ in
};
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${serviceName} = {
servers = {


@ -1,9 +1,6 @@
{ lib, config, ... }:
{ lib, config, confLib, ... }:
let
servicePort = 1025;
serviceName = "spotifyd";
serviceUser = "spotifyd";
serviceGroup = serviceUser;
inherit (confLib.gen { name = "spotifyd"; port = 1025; }) servicePort serviceName serviceUser serviceGroup;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";


@ -1,14 +1,9 @@
{ lib, config, configName, globals, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems.syncthing) serviceDomain;
inherit (config.swarselsystems.syncthing) serviceIP;
inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress serviceProxy proxyAddress4 proxyAddress6;
servicePort = 8384;
serviceUser = "syncthing";
serviceGroup = serviceUser;
serviceName = "syncthing";
serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
specificServiceName = "syncthing-${configName}";
specificServiceName = "${serviceName}-${config.node.name}";
cfg = config.services.${serviceName};
devices = config.swarselsystems.syncthing.syncDevices;
@ -22,10 +17,6 @@ in
type = lib.types.str;
default = config.repo.secrets.common.services.domains.syncthing1;
};
serviceIP = lib.mkOption {
type = lib.types.str;
default = "${serviceAddress}";
};
syncDevices = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "magicant" "winters" "pyramid" "moonside@oracle" ];
@ -51,6 +42,10 @@ in
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
"${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
users.users.${serviceUser} = {
extraGroups = [ "users" ];
group = serviceGroup;
@ -61,7 +56,10 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services."${specificServiceName}".domain = serviceDomain;
globals.services.${specificServiceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6;
};
services.${serviceName} = rec {
enable = true;
@ -117,11 +115,11 @@ in
};
};
nodes.moonside.services.nginx = {
nodes.${serviceProxy}.services.nginx = {
upstreams = {
${specificServiceName} = {
servers = {
"${serviceIP}:${builtins.toString servicePort}" = { };
"${serviceAddress}:${builtins.toString servicePort}" = { };
};
};
};
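Review bot: Removing the `serviceIP` option (lines 1466–1469) and `configName` from the module arguments is an interface change: anything that set or read `config.swarselsystems.syncthing.serviceIP` elsewhere will now fail with an undefined option, and `specificServiceName` is keyed by `config.node.name` (line 1459) instead of `configName`, so wherever the two differed the `globals.services` entry and the DNS record (lines 1476–1478, 1485–1488) are renamed for that host. The `serviceDomain` default at line 1464 still hard-codes `domains.syncthing1` while the record name is per node, which deserves a comment, e.g. `# default domain is the first syncthing instance; override per node when running several`. Whether a second syncthing host overrides it is not visible here; the enclosing module continues outside the hunks.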


@ -1,7 +1,6 @@
{ self, pkgs, lib, config, ... }:
{ self, pkgs, lib, config, confLib, ... }:
let
serviceName = "transmission";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain;
lidarrUser = "lidarr";
lidarrGroup = lidarrUser;


@ -0,0 +1,25 @@
{ config, globals, ... }:
{
_module.args = {
confLib = rec {
addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost";
domainDefault = service: config.repo.secrets.common.services.domains.${service};
proxyDefault = config.swarselsystems.proxyHost;
gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec {
servicePort = port;
serviceName = name;
serviceUser = user;
serviceGroup = group;
serviceDomain = domain;
serviceDir = dir;
serviceAddress = address;
serviceProxy = proxy;
proxyAddress4 = globals.hosts.${proxy}.wanAddress4;
proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
};
};
};
}
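Review bot: `gen` (line 1527) is now the shared contract for every service module but documents none of its parameters or defaults; a header comment listing `name`, `user`/`group` (default: name), `dir`, `port` (default null, so callers that place `servicePort` in `allowedTCPPorts` or interpolate it must pass one), `domain` (default from `config.repo.secrets.common.services.domains`), `address` (LAN address unless this node is the proxy host, then `localhost`) and `proxy` (default `config.swarselsystems.proxyHost`) would spare readers opening this file. `proxyAddress4` reads `globals.hosts.${proxy}.wanAddress4` with no fallback while `proxyAddress6` has `or null` (lines 1536–1537); network.nix already defines both with `or null`, so the v6 fallback is redundant and a proxy host without a WAN IPv4 yields `null` into `dns.lib.combinators.host` — whether that combinator tolerates null is not visible here, so either assert non-null or document the behaviour. `addressDefault` (line 1524) also decides between loopback and plaintext-over-LAN for every proxied upstream, so a comment stating that consequence, e.g. `# backends are reached over the LAN address unless this node runs the proxy itself`, belongs next to it.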