chore: clean up flake

This commit is contained in:
Leon Schwarzäugl 2025-07-02 01:16:42 +02:00
parent 178d51cde6
commit 6ca7717d3e
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
63 changed files with 5134 additions and 1157 deletions


@ -1,12 +1,14 @@
{ lib, config, ... }:
{ self, lib, config, globals, ... }:
let
serviceDomain = "synki.swarsel.win";
servicePort = 27701;
serviceName = "ankisync";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
ankiUser = globals.user.name;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
networking.firewall.allowedTCPPorts = [ servicePort ];
@ -14,6 +16,7 @@ in
topology.self.services.${serviceName} = {
name = lib.mkForce "Anki Sync Server";
icon = "${self}/topology/images/${serviceName}.png";
info = "https://${serviceDomain}";
};
@ -26,7 +29,7 @@ in
openFirewall = true;
users = [
{
username = "Swarsel";
username = ankiUser;
passwordFile = config.sops.secrets.swarsel.path;
}
];
@ -34,7 +37,7 @@ in
services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};


@ -1,17 +1,17 @@
{ lib, config, ... }:
let
serviceDomain = "shellhistory.swarsel.win";
servicePort = 8888;
serviceName = "atuin";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.atuin = {
services.${serviceName} = {
enable = true;
host = "0.0.0.0";
port = servicePort;
@ -21,7 +21,7 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};


@ -1,6 +1,5 @@
{ self, lib, config, pkgs, ... }:
let
serviceDomain = "send.swarsel.win";
servicePorts = [
9009
9010
@ -9,12 +8,13 @@ let
9013
];
serviceName = "croc";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
cfg = config.services.croc;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops = {
secrets = {
@ -39,7 +39,7 @@ in
globals.services.${serviceName}.domain = serviceDomain;
services.croc = {
services.${serviceName} = {
enable = true;
ports = servicePorts;
pass = config.sops.secrets.croc-password.path;
@ -48,7 +48,7 @@ in
systemd.services = {
"${serviceName}" = {
${serviceName} = {
serviceConfig = {
ExecStart = lib.mkForce "${pkgs.croc}/bin/croc ${lib.optionalString cfg.debug "--debug"} relay --ports ${
lib.concatMapStringsSep "," toString cfg.ports}";


@ -1,11 +1,15 @@
{ lib, config, ... }:
let
serviceName = "emacs";
servicePort = 9812;
in
{
options.swarselsystems.modules.server.emacs = lib.mkEnableOption "enable emacs server on server";
config = lib.mkIf config.swarselsystems.modules.server.emacs {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} server on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
networking.firewall.allowedTCPPorts = [ 9812 ];
networking.firewall.allowedTCPPorts = [ servicePort ];
services.emacs = {
services.${serviceName} = {
enable = true;
install = true;
startWithGraphical = false;


@ -1,38 +1,47 @@
{ self, lib, config, ... }:
let
servicePort = 80;
serviceUser = "firefly-iii";
serviceGroup = serviceUser;
serviceName = "firefly-iii";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
nginxGroup = "nginx";
cfg = config.services.firefly-iii;
serviceDomain = "stonks.swarsel.win";
fireflyUser = "firefly-iii";
serviceName = "firefly";
in
{
options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
config = lib.mkIf config.swarselsystems.modules.server.firefly {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.users.firefly-iii = {
group = "nginx";
isSystemUser = true;
users = {
groups.${serviceGroup} = { };
users.${serviceUser} = {
group = lib.mkForce serviceGroup;
extraGroups = lib.mkIf cfg.enableNginx [ nginxGroup ];
isSystemUser = true;
};
};
sops = {
secrets = {
"firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; };
"firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
};
};
topology.self.services.firefly-iii = {
topology.self.services.${serviceName} = {
name = "Firefly-III";
info = "https://${serviceDomain}";
icon = "${self}/topology/images/firefly-iii.png";
icon = "${self}/topology/images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
services = {
firefly-iii = {
${serviceName} = {
enable = true;
user = fireflyUser;
group = if cfg.enableNginx then "nginx" else fireflyUser;
dataDir = "/Vault/data/firefly-iii";
user = serviceUser;
group = if cfg.enableNginx then nginxGroup else serviceGroup;
dataDir = "/Vault/data/${serviceName}";
settings = {
TZ = config.repo.secrets.common.location.timezone;
APP_URL = "https://${serviceDomain}";
@ -69,9 +78,9 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:80" = { };
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
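Review bot: `group = lib.mkForce serviceGroup` on `users.users.${serviceUser}` silently overrides whatever primary group the upstream `services.firefly-iii` module assigns to that user, and nothing says why; a comment such as `# primary group stays firefly-iii; nginx access is granted via extraGroups when enableNginx is set` would make the intent reviewable. The option and globals key also change from `firefly` to `firefly-iii`, so any host or consumer still referencing `swarselsystems.modules.server.firefly` or `globals.services.firefly` would presumably fail to evaluate — worth checking outside this file. `dataDir = "/Vault/data/${serviceName}"` ties the on-disk state path to the option name, so a future rename of the module silently moves the data location; the same pattern appears in the jenkins (`home`), kavita (`dataDir`) and grafana (`dataDir`) sections.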


@ -1,23 +1,25 @@
{ lib, config, pkgs, ... }:
{ lib, config, pkgs, globals, ... }:
let
serviceDomain = "swagit.swarsel.win";
servicePort = 3000;
serviceUser = "forgejo";
serviceGroup = serviceUser;
serviceName = "forgejo";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
kanidmDomain = globals.services.kanidm.domain;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
networking.firewall.allowedTCPPorts = [ servicePort ];
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
group = serviceGroup;
isSystemUser = true;
};
users.groups."${serviceGroup}" = { };
users.groups.${serviceGroup} = { };
sops.secrets = {
kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
@ -25,7 +27,7 @@ in
globals.services.${serviceName}.domain = serviceDomain;
services.forgejo = {
services.${serviceName} = {
enable = true;
user = serviceUser;
group = serviceGroup;
@ -67,13 +69,13 @@ in
};
};
systemd.services.forgejo = {
systemd.services.${serviceName} = {
serviceConfig.RestartSec = "60"; # Retry every minute
preStart =
let
exe = lib.getExe config.services.forgejo.package;
providerName = "kanidm";
clientId = "forgejo";
clientId = serviceName;
args = lib.escapeShellArgs (
lib.concatLists [
[
@ -90,7 +92,7 @@ in
]
[
"--auto-discover-url"
"https://sso.swarsel.win/oauth2/openid/${clientId}/.well-known/openid-configuration"
"https://${kanidmDomain}/oauth2/openid/${clientId}/.well-known/openid-configuration"
]
[
"--scopes"
@ -125,7 +127,7 @@ in
services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
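Review bot: `clientId = serviceName` ties the OIDC client_id sent to Kanidm to the module name, while the matching client is registered under the literal key `forgejo` in the kanidm section of this commit; renaming this module would silently break SSO login. A comment on that line, `# must match the client registered as "forgejo" in the kanidm module`, would make the coupling explicit. The auto-discover URL now depends on `globals.services.kanidm.domain`, which is presumably only populated when the kanidm module is enabled somewhere, so the failure mode when it is absent should be checked. The preStart block continues outside the hunk.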


@ -1,21 +1,24 @@
{ self, lib, config, ... }:
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
servicePort = 80;
serviceName = "freshrss";
serviceDomain = "signpost.swarsel.win";
serviceUser = "freshrss";
serviceGroup = serviceName;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
in
{
options.swarselsystems.modules.server.freshrss = lib.mkEnableOption "enable freshrss on server";
config = lib.mkIf config.swarselsystems.modules.server.freshrss {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
extraGroups = [ "users" ];
group = serviceGroup;
isSystemUser = true;
};
users.groups."${serviceGroup}" = { };
users.groups.${serviceGroup} = { };
sops = {
secrets = {
@ -29,7 +32,7 @@ in
# content = ''
# DATA_PATH=${config.services.freshrss.dataDir}
# OIDC_ENABLED=1
# OIDC_PROVIDER_METADATA_URL=https://sso.swarsel.win/.well-known/openid-configuration
# OIDC_PROVIDER_METADATA_URL=https://${kanidmDomain}/.well-known/openid-configuration
# OIDC_CLIENT_ID=freshrss
# OIDC_CLIENT_SECRET=${config.sops.placeholder.kanidm-freshrss-client}
# OIDC_CLIENT_CRYPTO_KEY=${config.sops.placeholder.oidc-crypto-key}
@ -47,18 +50,18 @@ in
topology.self.services.${serviceName} = {
name = "FreshRSS";
info = "https://${serviceDomain}";
icon = "${self}/topology/images/freshrss.png";
icon = "${self}/topology/images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
services.freshrss = {
services.${serviceName} = {
inherit defaultUser;
enable = true;
virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}";
authType = "form";
dataDir = "/Vault/data/tt-rss";
defaultUser = "Swarsel";
passwordFile = config.sops.secrets.fresh.path;
};
@ -68,9 +71,9 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:80" = { };
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
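Review bot: The commented-out OIDC template now references `${kanidmDomain}`, but no `kanidmDomain` binding exists in this file's let block and `globals` is not among the module arguments, so uncommenting it as-is would fail evaluation. If the block is meant to be revived, add `kanidmDomain = globals.services.kanidm.domain;` to the let block and `globals` to the module arguments, as the forgejo and grafana modules in this commit do. `dataDir = "/Vault/data/tt-rss"` still carries the pre-migration name next to the new `${serviceName}`-based paths; a one-line comment stating that it is intentional would keep the next cleanup from renaming it.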


@ -1,22 +1,22 @@
{ lib, config, globals, ... }:
let
serviceDomain = "shots.swarsel.win";
servicePort = 3001;
serviceUser = "immich";
serviceName = "immich";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
extraGroups = [ "video" "render" "users" ];
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.immich = {
services.${serviceName} = {
enable = true;
host = "0.0.0.0";
port = servicePort;
@ -31,7 +31,7 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};


@ -1,14 +1,14 @@
{ pkgs, lib, config, ... }:
let
serviceDomain = "screen.swarsel.win";
servicePort = 8096;
serviceName = "jellyfin";
serviceUser = "jellyfin";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
users.users."${serviceUser}" = {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.users.${serviceUser} = {
extraGroups = [ "video" "render" "users" ];
};
nixpkgs.config.packageOverrides = pkgs: {
@ -27,7 +27,7 @@ in
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.jellyfin = {
services.${serviceName} = {
enable = true;
user = serviceUser;
openFirewall = true; # this works only for the default ports
@ -35,7 +35,7 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};


@ -1,25 +1,25 @@
{ pkgs, lib, config, ... }:
let
serviceDomain = "servant.swarsel.win";
servicePort = 8088;
serviceName = "jenkins";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
services.jenkins = {
enable = true;
withCLI = true;
port = 8088;
port = servicePort;
packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
listenAddress = "0.0.0.0";
home = "/Vault/apps/jenkins";
home = "/Vault/apps/${serviceName}";
};
services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};


@ -1,23 +1,30 @@
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
serviceDomain = "sso.swarsel.win";
servicePort = 8300;
serviceUser = "kanidm";
serviceGroup = serviceUser;
serviceName = "kanidm";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
oauth2ProxyDomain = globals.services.oauth2Proxy.domain;
immichDomain = globals.services.immich.domain;
paperlessDomain = globals.services.paperless.domain;
forgejoDomain = globals.services.forgejo.domain;
grafanaDomain = globals.services.grafana.domain;
nextcloudDomain = globals.services.nextcloud.domain;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
group = serviceGroup;
isSystemUser = true;
};
users.groups."${serviceGroup}" = { };
users.groups.${serviceGroup} = { };
sops = {
secrets = {
@ -40,7 +47,7 @@ in
globals.services.${serviceName}.domain = serviceDomain;
services = {
kanidm = {
${serviceName} = {
package = pkgs.kanidmWithSecretProvisioning;
enableServer = true;
serverSettings = {
@ -85,12 +92,12 @@ in
immich = {
displayName = "Immich";
originUrl = [
"https://shots.swarsel.win/auth/login"
"https://shots.swarsel.win/user-settings"
"https://${immichDomain}/auth/login"
"https://${immichDomain}/user-settings"
"app.immich:///oauth-callback"
"https://shots.swarsel.win/api/oauth/mobile-redirect"
"https://${immichDomain}/api/oauth/mobile-redirect"
];
originLanding = "https://shots.swarsel.win/";
originLanding = "https://${immichDomain}/";
basicSecretFile = config.sops.secrets.kanidm-immich.path;
preferShortUsername = true;
enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
@ -102,8 +109,8 @@ in
};
paperless = {
displayName = "Paperless";
originUrl = "https://scan.swarsel.win/accounts/oidc/kanidm/login/callback/";
originLanding = "https://scan.swarsel.win/";
originUrl = "https://${paperlessDomain}/accounts/oidc/kanidm/login/callback/";
originLanding = "https://${paperlessDomain}/";
basicSecretFile = config.sops.secrets.kanidm-paperless.path;
preferShortUsername = true;
scopeMaps."paperless.access" = [
@ -114,8 +121,8 @@ in
};
forgejo = {
displayName = "Forgejo";
originUrl = "https://swagit.swarsel.win/user/oauth2/kanidm/callback";
originLanding = "https://swagit.swarsel.win/";
originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback";
originLanding = "https://${forgejoDomain}/";
basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
scopeMaps."forgejo.access" = [
"openid"
@ -133,8 +140,8 @@ in
};
grafana = {
displayName = "Grafana";
originUrl = "https://status.swarsel.win/login/generic_oauth";
originLanding = "https://status.swarsel.win/";
originUrl = "https://${grafanaDomain}/login/generic_oauth";
originLanding = "https://${grafanaDomain}/";
basicSecretFile = config.sops.secrets.kanidm-grafana.path;
preferShortUsername = true;
scopeMaps."grafana.access" = [
@ -153,8 +160,8 @@ in
};
nextcloud = {
displayName = "Nextcloud";
originUrl = " https://stash.swarsel.win/apps/sociallogin/custom_oidc/kanidm";
originLanding = "https://stash.swarsel.win/";
originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm";
originLanding = "https://${nextcloudDomain}/";
basicSecretFile = config.sops.secrets.kanidm-nextcloud.path;
allowInsecureClientDisablePkce = true;
scopeMaps."nextcloud.access" = [
@ -215,12 +222,12 @@ in
};
systemd.services = {
kanidm.serviceConfig.RestartSec = "30";
${serviceName}.serviceConfig.RestartSec = "30";
};
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
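Review bot: The rewritten nextcloud `originUrl` still carries a leading space inside the string, `" https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm"`; this is the redirect URI Kanidm validates against, so the stray space (carried over from the old line) should be dropped while the line is being touched: `originUrl = "https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm";`. The other client blocks derive their redirect URIs from `globals.services.*.domain` without such artefacts, so this is the only entry that differs.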


@ -1,43 +1,43 @@
{ self, lib, config, pkgs, ... }:
let
servicePort = 8080;
serviceName = "kavita";
serviceUser = "kavita";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
servicePort = 8080;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
environment.systemPackages = with pkgs; [
calibre
];
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
extraGroups = [ "users" ];
};
sops.secrets.kavita = { owner = serviceUser; };
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedTCPPorts = [ servicePort ];
topology.self.services.kavita = {
topology.self.services.${serviceName} = {
name = "Kavita";
info = "https://${serviceDomain}";
icon = "${self}/topology/images/kavita.png";
icon = "${self}/topology/images/${serviceName}.png";
};
globals.services.${serviceName}.domain = serviceDomain;
services.kavita = {
services.${serviceName} = {
enable = true;
user = serviceUser;
settings.Port = servicePort;
tokenKeyFile = config.sops.secrets.kavita.path;
dataDir = "/Vault/data/kavita";
dataDir = "/Vault/data/${serviceName}";
};
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};


@ -1,17 +1,18 @@
{ self, lib, config, ... }:
let
serviceDomain = "swag.swarsel.win";
serviceUser = "koillection";
serviceDB = "koillection";
serviceName = "koillection";
servicePort = 2282;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
postgresPort = config.services.postgresql.settings.port; # 5432
containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = {
koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; };
@ -97,7 +98,7 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};


@ -1,16 +1,17 @@
{ lib, config, pkgs, ... }:
let
matrixDomain = "swatrix.swarsel.win";
servicePort = 8008;
serviceName = "matrix";
synapsePort = 8008;
synapseUser = "matrix-synapse";
serviceDomain = config.repo.secrets.common.services.domains.matrix;
serviceUser = "matrix-synapse";
federationPort = 8448;
whatsappPort = 29318;
telegramPort = 29317;
signalPort = 29328;
baseUrl = "https://${matrixDomain}";
baseUrl = "https://${serviceDomain}";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${matrixDomain}:443";
serverConfig."m.server" = "${serviceDomain}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
@ -18,8 +19,8 @@ let
'';
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
environment.systemPackages = with pkgs; [
matrix-synapse
lottieconverter
@ -28,24 +29,24 @@ in
sops = {
secrets = {
matrixsharedsecret = { owner = synapseUser; };
mautrixtelegram_as = { owner = synapseUser; };
mautrixtelegram_hs = { owner = synapseUser; };
mautrixtelegram_api_id = { owner = synapseUser; };
mautrixtelegram_api_hash = { owner = synapseUser; };
matrixsharedsecret = { owner = serviceUser; };
mautrixtelegram_as = { owner = serviceUser; };
mautrixtelegram_hs = { owner = serviceUser; };
mautrixtelegram_api_id = { owner = serviceUser; };
mautrixtelegram_api_hash = { owner = serviceUser; };
};
templates = {
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString synapsePort}
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort}
'';
matrixshared = {
owner = synapseUser;
owner = serviceUser;
content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
'';
};
mautrixtelegram = {
owner = synapseUser;
owner = serviceUser;
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
@ -56,7 +57,7 @@ in
};
};
networking.firewall.allowedTCPPorts = [ 8008 8448 ];
networking.firewall.allowedTCPPorts = [ servicePort federationPort ];
systemd = {
timers."restart-bridges" = {
@ -87,7 +88,7 @@ in
};
};
globals.services.${serviceName}.domain = matrixDomain;
globals.services.${serviceName}.domain = serviceDomain;
services = {
postgresql = {
@ -130,11 +131,11 @@ in
"${dataDir}/signal-registration.yaml"
"${dataDir}/doublepuppet.yaml"
];
server_name = matrixDomain;
public_baseurl = "https://${matrixDomain}";
server_name = serviceDomain;
public_baseurl = "https://${serviceDomain}";
listeners = [
{
port = synapsePort;
port = servicePort;
bind_addresses = [
"0.0.0.0"
# "::1"
@ -162,8 +163,8 @@ in
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:${builtins.toString synapsePort}";
domain = matrixDomain;
address = "http://localhost:${builtins.toString servicePort}";
domain = serviceDomain;
};
appservice = {
address = "http://localhost:${builtins.toString telegramPort}";
@ -188,7 +189,7 @@ in
telegram_link_preview = true;
permissions = {
"*" = "relaybot";
"@swarsel:${matrixDomain}" = "admin";
"@swarsel:${serviceDomain}" = "admin";
};
animated_sticker = {
target = "gif";
@ -208,8 +209,8 @@ in
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:${builtins.toString synapsePort}";
domain = matrixDomain;
address = "http://localhost:${builtins.toString servicePort}";
domain = serviceDomain;
};
appservice = {
address = "http://localhost:${builtins.toString whatsappPort}";
@ -234,7 +235,7 @@ in
};
};
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
${serviceDomain} = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
@ -244,7 +245,7 @@ in
extev_polls = true;
permissions = {
"*" = "relay";
"@swarsel:${matrixDomain}" = "admin";
"@swarsel:${serviceDomain}" = "admin";
};
};
};
@ -255,8 +256,8 @@ in
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:${builtins.toString synapsePort}";
domain = matrixDomain;
address = "http://localhost:${builtins.toString servicePort}";
domain = serviceDomain;
};
appservice = {
address = "http://localhost:${builtins.toString signalPort}";
@ -270,12 +271,12 @@ in
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
matrixDomain = "as_token:doublepuppet";
${serviceDomain} = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relay";
"@swarsel:${matrixDomain}" = "admin";
"@swarsel:${serviceDomain}" = "admin";
};
};
};
@ -288,14 +289,14 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString synapsePort}" = { };
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${matrixDomain}" = {
"${serviceDomain}" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
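Review bot: `serviceDomain = config.repo.secrets.common.services.domains.matrix;` hardcodes the secrets key instead of deriving it from `serviceName` as every other module in this commit does; `serviceDomain = config.repo.secrets.common.services.domains.${serviceName};` keeps the two in sync. The bridge admin entries `"@swarsel:${serviceDomain}" = "admin"` (three places) likewise hardcode the username that the ankisync module now takes from `globals.user.name`; `globals` is not in this module's arguments, so it would need to be added. The `${serviceDomain} = "as_token:doublepuppet"` keys replace a former literal `matrixDomain` attribute name, which deserves a short comment since that was an easy misconfiguration to reintroduce.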


@ -1,21 +1,21 @@
{ self, lib, config, ... }:
let
serviceDomain = "scratch.swarsel.win";
servicePort = 8777;
serviceName = "microbin";
serviceUser = "microbin";
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
cfg = config.services."${serviceName}";
cfg = config.services.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users = {
groups."${serviceGroup}" = { };
groups.${serviceGroup} = { };
users."${serviceUser}" = {
users.${serviceUser} = {
isSystemUser = true;
group = serviceGroup;
};
@ -49,7 +49,7 @@ in
};
globals.services.${serviceName}.domain = serviceDomain;
services."${serviceName}" = {
services.${serviceName} = {
enable = true;
passwordFile = config.sops.templates.microbin-env.path;
dataDir = "/var/lib/microbin";
@ -84,7 +84,7 @@ in
};
systemd.services = {
"${serviceName}" = {
${serviceName} = {
serviceConfig = {
DynamicUser = lib.mkForce false;
User = serviceUser;
@ -101,7 +101,7 @@ in
services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"localhost:${builtins.toString servicePort}" = { };
};


@ -1,23 +1,44 @@
{ self, lib, config, ... }:
{ self, lib, config, globals, ... }:
let
serviceDomain = "status.swarsel.win";
servicePort = 3000;
serviceUser = "grafana";
serviceGroup = serviceUser;
moduleName = "monitoring";
serviceName = "grafana";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
prometheusPort = 9090;
prometheusUser = "prometheus";
prometheusGroup = prometheusUser;
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
grafanaUpstream = "grafana";
prometheusUpstream = "prometheus";
prometheusPort = 9090;
prometheusWebRoot = "prometheus";
kanidmDomain = globals.services.kanidm.domain;
in
{
options.swarselsystems.modules.server."${moduleName}" = lib.mkEnableOption "enable ${moduleName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${moduleName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = {
grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
sops = {
secrets = {
grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
};
templates = {
"web-config" = {
content = ''
basic_auth_users:
admin: ${config.sops.placeholder.prometheus-admin-hash}
'';
owner = prometheusUser;
group = prometheusGroup;
mode = "0440";
};
};
};
users = {
@ -26,7 +47,7 @@ in
extraGroups = [ "nextcloud" ];
};
"${serviceUser}" = {
${serviceUser} = {
extraGroups = [ "users" ];
};
};
@ -35,12 +56,12 @@ in
networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ];
topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}";
globals.services.${moduleName}.domain = serviceDomain;
globals.services.${serviceName}.domain = serviceDomain;
services = {
grafana = {
${serviceName} = {
enable = true;
dataDir = "/Vault/data/grafana";
dataDir = "/Vault/data/${serviceName}";
provision = {
enable = true;
datasources.settings = {
@ -97,9 +118,9 @@ in
client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}";
scopes = "openid email profile";
login_attribute_path = "preferred_username";
auth_url = "https://sso.swarsel.win/ui/oauth2";
token_url = "https://sso.swarsel.win/oauth2/token";
api_url = "https://sso.swarsel.win/oauth2/openid/grafana/userinfo";
auth_url = "https://${kanidmDomain}/ui/oauth2";
token_url = "https://${kanidmDomain}/oauth2/token";
api_url = "https://${kanidmDomain}/oauth2/openid/grafana/userinfo";
use_pkce = true;
use_refresh_token = true;
# Allow mapping oauth2 roles to server admin
@ -111,13 +132,13 @@ in
prometheus = {
enable = true;
webExternalUrl = "https://status.swarsel.win/${prometheusWebRoot}";
webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
port = prometheusPort;
listenAddress = "0.0.0.0";
globalConfig = {
scrape_interval = "10s";
};
webConfigFile = self + /programs/server/prometheus/web.config;
webConfigFile = config.sops.templates.web-config.path;
scrapeConfigs = [
{
job_name = "node";
@ -171,8 +192,8 @@ in
nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
enable = true;
port = 9205;
url = "https://stash.swarsel.win/ocs/v2.php/apps/serverinfo/api/v1/info";
username = "admin";
url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
username = nextcloudUser;
passwordFile = config.sops.secrets.nextcloudadminpass.path;
};
};
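Review bot: The nextcloud exporter `url` now uses `${serviceDomain}`, which in this file resolves to the grafana domain (`domains.grafana`, formerly status.swarsel.win), whereas the old line pointed at the Nextcloud host (stash.swarsel.win); the exporter would now query Grafana for the serverinfo endpoint and fail. Since `globals` is now a module argument, `url = "https://${globals.services.nextcloud.domain}/ocs/v2.php/apps/serverinfo/api/v1/info";` restores the intended target. The option and globals key also move from `monitoring` to `grafana`, so any host enabling `swarselsystems.modules.server.monitoring` would presumably stop evaluating — worth checking outside this file. Moving the Prometheus basic-auth hash into a sops template owned by prometheus with mode 0440 instead of a checked-in web.config is the right direction; a comment on `webConfigFile` noting that the hash lives in sops would help the next reader find it.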


@ -1,23 +1,29 @@
{ self, lib, config, pkgs, ... }:
let
servicePort = 3254;
serviceUser = "mpd";
serviceGroup = serviceUser;
serviceName = "mpd";
in
{
options.swarselsystems.modules.server.mpd = lib.mkEnableOption "enable mpd on server";
config = lib.mkIf config.swarselsystems.modules.server.mpd {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users = {
groups = {
mpd = { };
};
users = {
mpd = {
${serviceUser} = {
isSystemUser = true;
group = "mpd";
group = serviceGroup;
extraGroups = [ "audio" "utmp" ];
};
};
};
sops = {
secrets.mpdpass = { owner = "mpd"; };
secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
environment.systemPackages = with pkgs; [
@ -26,19 +32,19 @@
mpv
];
topology.self.services.mpd = {
name = "MPD";
info = "http://localhost:3254";
icon = "${self}/topology/images/mpd.png";
topology.self.services.${serviceName} = {
name = lib.toUpper serviceName;
info = "http://localhost:${builtins.toString servicePort}";
icon = "${self}/topology/images/${serviceName}.png";
};
services.mpd = {
services.${serviceName} = {
enable = true;
musicDirectory = "/media";
user = "mpd";
group = "mpd";
user = serviceUser;
group = serviceGroup;
network = {
port = 3254;
port = servicePort;
listenAddress = "any";
};
credentials = [
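Review bot: `users.groups` still declares the group with the literal `mpd = { };` while the user side now uses `${serviceUser}` and `group = serviceGroup`; write it as `${serviceGroup} = { };` so the two names cannot drift apart. Separately, `network.listenAddress = "any"` binds MPD on every interface, and the MPD protocol is plain TCP, so the password configured under `credentials` (which continues past the hunk) travels unencrypted to anything that can reach port 3254; a comment stating which network segment is expected to reach it, or binding to the LAN address only, would make that trade-off explicit.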


@ -1,14 +1,14 @@
{ pkgs, config, lib, ... }:
let
serviceDomain = "sound.swarsel.win";
servicePort = 4040;
serviceName = "navidrome";
serviceUser = "navidrome";
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
environment.systemPackages = with pkgs; [
pciutils
alsa-utils
@ -17,13 +17,13 @@ in
users = {
groups = {
"${serviceGroup}" = {
${serviceGroup} = {
gid = 61593;
};
};
users = {
"${serviceUser}" = {
${serviceUser} = {
isSystemUser = true;
uid = 61593;
group = serviceGroup;
@ -36,11 +36,11 @@ in
enableAllFirmware = lib.mkForce true;
};
networking.firewall.allowedTCPPorts = [ 4040 ];
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
services.navidrome = {
services.${serviceName} = {
enable = true;
openFirewall = true;
settings = {
@ -82,7 +82,7 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
@ -108,19 +108,19 @@ in
in
{
"/" = {
proxyPass = "http://navidrome";
proxyPass = "http://${serviceName}";
proxyWebsockets = true;
inherit extraConfig;
};
"/share" = {
proxyPass = "http://navidrome";
proxyPass = "http://${serviceName}";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
"/rest" = {
proxyPass = "http://navidrome";
proxyPass = "http://${serviceName}";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
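Review bot: The new `networking.firewall.allowedTCPPorts = [ servicePort ];` duplicates `openFirewall = true` a few lines below, which already opens navidrome's port; keep one, preferably dropping the manual line so the port is only opened while the service option itself is set. The `/share` and `/rest` locations carry `bypassAuth = true` with no explanation; presumably Subsonic clients hitting `/rest` and public share links authenticate against navidrome itself, so a comment such as `# Subsonic API and share links authenticate against navidrome; oauth2-proxy in front would break the clients` would stop a future reader from removing the bypass or, worse, widening it to `/`.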


@ -1,13 +1,16 @@
{ pkgs, lib, config, ... }:
let
serviceDomain = "stash.swarsel.win";
inherit (config.repo.secrets.local.nextcloud) adminuser;
servicePort = 80;
serviceUser = "nextcloud";
serviceGroup = serviceUser;
serviceName = "nextcloud";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = {
nextcloudadminpass = {
@ -26,7 +29,7 @@ in
globals.services.${serviceName}.domain = serviceDomain;
services = {
nextcloud = {
${serviceName} = {
enable = true;
settings = {
trusted_proxies = [ "0.0.0.0" ];
@ -34,8 +37,8 @@ in
};
package = pkgs.nextcloud31;
hostName = serviceDomain;
home = "/Vault/data/nextcloud";
datadir = "/Vault/data/nextcloud";
home = "/Vault/data/${serviceName}";
datadir = "/Vault/data/${serviceName}";
https = true;
configureRedis = true;
maxUploadSize = "4G";
@ -44,7 +47,7 @@ in
};
extraAppsEnable = true;
config = {
adminuser = "admin";
inherit adminuser;
adminpassFile = config.sops.secrets.nextcloudadminpass.path;
dbtype = "sqlite";
};
@ -53,9 +56,9 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:80" = { };
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
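Review bot: `trusted_proxies = [ "0.0.0.0" ];` in the settings block names a single address rather than a range, so the `X-Forwarded-For` set by the nginx on moonside is most likely not honoured and Nextcloud's brute-force protection and logs will see the proxy's address for every client. List the proxy host's actual LAN address instead, e.g. `trusted_proxies = [ "<moonside LAN IP>" ];`, and do not widen it to `0.0.0.0/0`, which would let any client that reaches port 80 directly spoof its source address. The upstream is plain HTTP on `192.168.1.2:${servicePort}`, which is acceptable only while that segment is trusted; a one-line comment recording that assumption next to `servicePort = 80;` would help.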


@ -1,4 +1,7 @@
{ lib, config, pkgs, ... }:
{ lib, config, pkgs, globals, ... }:
let
nfsUser = globals.user.name;
in
{
options.swarselsystems.modules.server.nfs = lib.mkEnableOption "enable nfs on server";
config = lib.mkIf config.swarselsystems.modules.server.nfs {
@ -29,7 +32,7 @@
path = "/Vault/Eternor";
writable = "true";
comment = "Eternor";
"valid users" = "Swarsel";
"valid users" = nfsUser;
};
};


@ -1,4 +1,8 @@
{ pkgs, lib, config, ... }:
let
inherit (config.repo.secrets.common) dnsProvider;
inherit (config.repo.secrets.common.mail) address3;
in
{
options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server";
config = lib.mkIf config.swarselsystems.modules.server.nginx {
@ -18,8 +22,8 @@
acceptTerms = true;
preliminarySelfsigned = false;
defaults = {
email = "mrswarsel@gmail.com";
dnsProvider = "cloudflare";
inherit dnsProvider;
email = address3;
environmentFile = "${config.sops.templates."certs.secret".path}";
};
};

View file

@ -1,12 +1,17 @@
{ lib, config, globals, ... }:
let
servicePort = 3004;
serviceUser = "oauth2-proxy";
serviceGroup = serviceUser;
serviceName = "oauth2-proxy";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
kanidmDomain = globals.services.kanidm.domain;
oauth2ProxyDomain = "soauth.swarsel.win";
oauth2ProxyPort = 3004;
mainDomain = globals.domains.main;
in
{
options = {
swarselsystems.modules.server.oauth2Proxy = lib.mkEnableOption "enable oauth2-proxy on server";
swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/oauth2-proxy.nix
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
@ -114,12 +119,12 @@ in
);
};
};
config = lib.mkIf config.swarselsystems.modules.server.oauth2Proxy {
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops = {
secrets = {
"oauth2-cookie-secret" = { owner = "oauth2-proxy"; group = "oauth2-proxy"; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { owner = "oauth2-proxy"; group = "oauth2-proxy"; mode = "0440"; };
"oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {
@ -128,34 +133,34 @@ in
OAUTH2_PROXY_CLIENT_SECRET="${config.sops.placeholder.kanidm-oauth2-proxy-client}"
OAUTH2_PROXY_COOKIE_SECRET=${config.sops.placeholder.oauth2-cookie-secret}
'';
owner = "oauth2-proxy";
group = "oauth2-proxy";
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
};
};
networking.firewall.allowedTCPPorts = [ oauth2ProxyPort ];
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.oauth2Proxy.domain = oauth2ProxyDomain;
globals.services.oauth2Proxy.domain = serviceDomain;
services = {
oauth2-proxy = {
${serviceName} = {
enable = true;
cookie = {
domain = ".swarsel.win";
domain = ".${mainDomain}";
secure = true;
expire = "900m";
secret = null; # set by service EnvironmentFile
};
clientSecret = null; # set by service EnvironmentFile
reverseProxy = true;
httpAddress = "0.0.0.0:${builtins.toString oauth2ProxyPort}";
redirectURL = "https://${oauth2ProxyDomain}/oauth2/callback";
httpAddress = "0.0.0.0:${builtins.toString servicePort}";
redirectURL = "https://${serviceDomain}/oauth2/callback";
setXauthrequest = true;
extraConfig = {
code-challenge-method = "S256";
whitelist-domain = ".swarsel.win";
whitelist-domain = ".${mainDomain}";
set-authorization-header = true;
pass-access-token = true;
skip-jwt-bearer-tokens = true;
@ -168,16 +173,16 @@ in
loginURL = "https://${kanidmDomain}/ui/oauth2";
redeemURL = "https://${kanidmDomain}/oauth2/token";
validateURL = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy/userinfo";
clientID = "oauth2-proxy";
clientID = serviceName;
email.domains = [ "*" ];
};
};
systemd.services = {
oauth2-proxy = {
${serviceName} = {
# after = [ "kanidm.service" ];
serviceConfig = {
RuntimeDirectory = "oauth2-proxy";
RuntimeDirectory = serviceName;
RuntimeDirectoryMode = "0750";
UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
RestartSec = "60"; # Retry every minute
@ -190,20 +195,20 @@ in
services.nginx = {
upstreams = {
oauth2-proxy = {
${serviceName} = {
servers = {
"localhost:${builtins.toString oauth2ProxyPort}" = { };
"localhost:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${oauth2ProxyDomain}" = {
"${serviceDomain}" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://oauth2-proxy";
proxyPass = "http://${serviceName}";
};
};
extraConfig = ''
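Review bot: `httpAddress = "0.0.0.0:${builtins.toString servicePort}"` together with `networking.firewall.allowedTCPPorts = [ servicePort ]` exposes the proxy's plain-HTTP listener to the network, yet the only consumer in this file is the nginx upstream on `localhost:${servicePort}`. With `reverseProxy = true` oauth2-proxy trusts `X-Forwarded-*`/`X-Real-IP` from whoever connects, so a direct connection bypassing nginx could spoof them; bind to loopback and drop the firewall line: `httpAddress = "127.0.0.1:${builtins.toString servicePort}";`. If another host genuinely needs to reach it directly, that should be stated in a comment next to the firewall rule. Separately, `email.domains = [ "*" ]` admits every Kanidm account that can complete the flow, so access control rests entirely on Kanidm's client scope mapping — worth a one-line comment so nobody assumes the proxy filters users.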


@ -1,16 +1,20 @@
{ lib, pkgs, config, ... }:
{ lib, pkgs, config, globals, ... }:
let
serviceDomain = "scan.swarsel.win";
servicePort = 28981;
serviceUser = "paperless";
serviceGroup = serviceUser;
serviceName = "paperless";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
tikaPort = 9998;
gotenbergPort = 3002;
kanidmDomain = globals.services.kanidm.domain;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
extraGroups = [ "users" ];
};
@ -28,25 +32,25 @@ in
globals.services.${serviceName}.domain = serviceDomain;
services = {
paperless = {
${serviceName} = {
enable = true;
mediaDir = "/Vault/Eternor/Paperless";
dataDir = "/Vault/data/paperless";
dataDir = "/Vault/data/${serviceName}";
user = serviceUser;
port = servicePort;
passwordFile = config.sops.secrets.paperless_admin.path;
address = "0.0.0.0";
settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_URL = "https://scan.swarsel.win";
PAPERLESS_URL = "https://${serviceDomain}";
PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
optimize = 1;
invalidate_digital_signatures = true;
pdfa_image_compression = "lossless";
};
PAPERLESS_TIKA_ENABLED = "true";
PAPERLESS_TIKA_ENDPOINT = "http://localhost:9998";
PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3002";
PAPERLESS_TIKA_ENDPOINT = "http://localhost:${builtins.toString tikaPort}";
PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${builtins.toString gotenbergPort}";
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
openid_connect = {
@ -58,7 +62,7 @@ in
client_id = "paperless";
# secret will be added by paperless-web.service (see below)
#secret = "";
settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
settings.server_url = "https://${kanidmDomain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
}
];
};
@ -68,7 +72,7 @@ in
tika = {
enable = true;
port = 9998;
port = tikaPort;
openFirewall = false;
listenAddress = "127.0.0.1";
enableOcr = true;
@ -77,7 +81,7 @@ in
gotenberg = {
enable = true;
package = pkgs.stable.gotenberg;
port = 3002;
port = gotenbergPort;
bindIP = "127.0.0.1";
timeout = "600s";
chromium.package = pkgs.stable.chromium;
@ -97,7 +101,7 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
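Review bot: `client_id = "paperless"` in the openid_connect provider is still a literal while the rest of the hunk now derives names from `serviceName`; `client_id = serviceName;` keeps the Kanidm client name tied to the module name. `invalidate_digital_signatures = true` in `PAPERLESS_OCR_USER_ARGS` deserves a comment: as I read the OCRmyPDF option, it lets signed PDFs be re-rendered and thereby breaks their signatures, so e.g. `# allow OCR of signed PDFs; their signatures are invalidated in the archived copy`. `extraGroups = [ "users" ]` on the service user is presumably for writing into the shared `mediaDir` under /Vault/Eternor; a short comment naming that reason would justify the broad group membership.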


@ -4,13 +4,13 @@ let
postgresVersion = 14;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
services = {
postgresql = {
${serviceName} = {
enable = true;
package = pkgs."postgresql_${builtins.toString postgresVersion}";
dataDir = "/Vault/data/postgresql/${builtins.toString postgresVersion}";
dataDir = "/Vault/data/${serviceName}/${builtins.toString postgresVersion}";
};
};
};


@ -2,17 +2,18 @@
let
inherit (config.repo.secrets.local.radicale) user1;
sopsFile = self + /secrets/winters/secrets2.yaml;
serviceDomain = "schedule.swarsel.win";
servicePort = 8000;
serviceName = "radicale";
serviceUser = "radicale";
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
cfg = config.services."${serviceName}";
cfg = config.services.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops = {
secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@ -32,7 +33,7 @@ in
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.radicale = {
services.${serviceName} = {
enable = true;
settings = {
server = {
@ -75,11 +76,10 @@ in
];
networking.firewall.allowedTCPPorts = [ servicePort ];
networking.firewall.allowedUDPPorts = [ servicePort ];
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
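Review bot: `networking.firewall.allowedUDPPorts = [ servicePort ];` opens UDP 8000 for a CalDAV/CardDAV server that only speaks HTTP over TCP; drop the line so only `allowedTCPPorts` remains. The TCP rule is needed because the only consumer visible here is the nginx upstream on moonside (`192.168.1.2:8000`), unless the server block (`settings.server`, which continues outside the hunk) is bound to that LAN address alone.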


@ -1,15 +1,16 @@
{ self, lib, config, ... }:
let
serviceDomain = "s.swarsel.win";
servicePort = 8081;
serviceName = "shlink";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
in
{
options = {
swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops = {
secrets = {
@ -25,7 +26,7 @@ in
};
};
virtualisation.oci-containers.containers."shlink" = {
virtualisation.oci-containers.containers.${serviceName} = {
image = "shlinkio/shlink@${containerRev}";
environment = {
"DEFAULT_DOMAIN" = serviceDomain;
@ -57,7 +58,7 @@ in
services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"localhost:${builtins.toString servicePort}" = { };
};


@ -6,13 +6,13 @@ let
serviceGroup = serviceUser;
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
users.groups."${serviceGroup}" = {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.groups.${serviceGroup} = {
gid = 65136;
};
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
isSystemUser = true;
uid = 65136;
group = serviceGroup;


@ -1,34 +1,37 @@
{ lib, config, ... }:
let
inherit (config.repo.secrets.common) workHostName;
serviceDomain = "storync.swarsel.win";
servicePort = 8384;
serviceUser = "syncthing";
serviceGroup = serviceUser;
serviceName = "syncthing";
serviceDomain = config.repo.secrets.common.services.domains.syncthing1;
cfg = config.services.${serviceName};
in
{
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
users.users."${serviceUser}" = {
users.users.${serviceUser} = {
extraGroups = [ "users" ];
group = serviceGroup;
isSystemUser = true;
};
users.groups."${serviceGroup}" = { };
users.groups.${serviceGroup} = { };
networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
globals.services."${serviceName}-${config.networking.hostName}".domain = serviceDomain;
services.syncthing = {
services.${serviceName} = rec {
enable = true;
user = serviceUser;
group = serviceGroup;
dataDir = "/Vault/data/syncthing";
configDir = "/Vault/data/syncthing/.config/syncthing";
dataDir = "/Vault/data/${serviceName}";
configDir = "${cfg.dataDir}/.config/${serviceName}";
guiAddress = "0.0.0.0:${builtins.toString servicePort}";
openDefaultPorts = true; # opens ports TCP/UDP 22000 and UDP 21027 for discovery
relay.enable = false;
@ -50,14 +53,14 @@ in
};
folders = {
"Default Folder" = lib.mkForce {
path = "/Vault/data/syncthing/Sync";
path = "${cfg.dataDir}/Sync";
type = "receiveonly";
versioning = null;
devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
id = "default";
};
"Obsidian" = {
path = "/Vault/data/syncthing/Obsidian";
path = "${cfg.dataDir}/Obsidian";
type = "receiveonly";
versioning = {
type = "simple";
@ -67,7 +70,7 @@ in
id = "yjvni-9eaa7";
};
"Org" = {
path = "/Vault/data/syncthing/Org";
path = "${cfg.dataDir}/Org";
type = "receiveonly";
versioning = {
type = "simple";
@ -77,7 +80,7 @@ in
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "/Vault/data/syncthing/Vpn";
path = "${cfg.dataDir}/Vpn";
type = "receiveonly";
versioning = {
type = "simple";
@ -87,7 +90,7 @@ in
id = "hgp9s-fyq3p";
};
# "Documents" = {
# path = "/Vault/data/syncthing/Documents";
# path = "${cfg.dataDir}/Documents";
# type = "receiveonly";
# versioning = {
# type = "simple";
@ -102,7 +105,7 @@ in
nodes.moonside.services.nginx = {
upstreams = {
"${serviceName}" = {
${serviceName} = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
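Review bot: `services.${serviceName} = rec {` marks the set recursive but nothing inside refers to a sibling — `configDir` and the folder paths go through `cfg.dataDir` — so `rec` is dead; either drop it, or use it (`configDir = "${dataDir}/.config/${serviceName}";`) and remove the `cfg` binding. `guiAddress = "0.0.0.0:${servicePort}"` plus `allowedTCPPorts = [ servicePort ]` puts the GUI and REST API on every interface; it is proxied from moonside, but anything on the LAN can reach it directly, so make sure the GUI credentials (outside the hunk) are set or bind to the LAN address the proxy uses. The interpolation in `"${workHostName}"` is also unnecessary; `workHostName` alone reads cleaner.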


@ -1,6 +1,8 @@
{ self, pkgs, lib, config, ... }:
let
serviceDomain = "store.swarsel.win";
serviceName = "transmission";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
lidarrUser = "lidarr";
lidarrGroup = lidarrUser;
lidarrPort = 8686;
@ -18,8 +20,8 @@ let
prowlarrPort = 9696;
in
{
options.swarselsystems.modules.server.transmission = lib.mkEnableOption "enable transmission and friends on server";
config = lib.mkIf config.swarselsystems.modules.server.transmission {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} and friends on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
# this user/group section is probably unneeded
users = {