swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: cleanup

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-07-14 01:08:22 +02:00
parent a8daed1d10
commit e9da090c2a
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
67 changed files with 4146 additions and 2727 deletions
Download patch file Download diff file Expand all files Collapse all files

7
modules/nixos/client/default.nix
View file

@ -1,10 +1,7 @@
{ lib, inputs, ... }:
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/client";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [
inputs.stylix.nixosModules.stylix
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
];
imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
}

403
modules/nixos/client/network.nix
View file

@ -1,11 +1,10 @@
{ self, lib, pkgs, config, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml;
clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
in
@ -91,222 +90,226 @@ in
environmentFiles = [
"${config.sops.templates."network-manager.env".path}"
];
profiles = {
${wlan1} = {
connection = {
id = wlan1;
permissions = "";
type = "wifi";
profiles =
let
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
in
{
${wlan1} = {
connection = {
id = wlan1;
permissions = "";
type = "wifi";
};
ipv4 = {
dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
dns-search = "";
method = "auto";
};
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = wlan1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "WLAN1_PW";
};
};
ipv4 = {
dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
dns-search = "";
method = "auto";
};
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = wlan1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "WLAN1_PW";
};
};
LAN-Party = {
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
LAN-Party = {
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
eduroam = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUROAM_USER";
password = "$EDUROAM_PW";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd eduroam-anon;
eduroam = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUROAM_USER";
password = "$EDUROAM_PW";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd eduroam-anon;
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
${wlan2} = {
connection = {
id = wlan2;
type = "wifi";
${wlan2} = {
connection = {
id = wlan2;
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
band = "bg";
mode = "infrastructure";
ssid = wlan2;
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$WLAN2_PW";
};
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
band = "bg";
mode = "infrastructure";
ssid = wlan2;
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$WLAN2_PW";
};
};
${mobile1} = {
connection = {
id = mobile1;
type = "wifi";
${mobile1} = {
connection = {
id = mobile1;
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = mobile1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$MOBILE_HOTSPOT_PW";
};
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = mobile1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$MOBILE_HOTSPOT_PW";
};
};
home-wireguard = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
home-wireguard = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
endpoint = "$HOME_WIREGUARD_ENDPOINT";
allowed-ips = home-wireguard-allowed-ips;
};
ipv4 = {
method = "ignore";
address1 = home-wireguard-address;
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "ignore";
};
proxy = { };
};
wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
endpoint = "$HOME_WIREGUARD_ENDPOINT";
allowed-ips = home-wireguard-allowed-ips;
};
ipv4 = {
method = "ignore";
address1 = home-wireguard-address;
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "ignore";
};
proxy = { };
};
pia-vpn1 = {
connection = {
autoconnect = "false";
id = "PIA ${vpn1-location}";
type = "vpn";
pia-vpn1 = {
connection = {
autoconnect = "false";
id = "PIA ${vpn1-location}";
type = "vpn";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."pia-vpn1-ca-pem".path;
challenge-response-flags = "2";
cipher = vpn1-cipher;
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
dev = "tun";
password-flags = "0";
remote = vpn1-address;
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$PIA_VPN_USER";
};
vpn-secrets = { password = "$PIA_VPN_PW"; };
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."pia-vpn1-ca-pem".path;
challenge-response-flags = "2";
cipher = vpn1-cipher;
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
dev = "tun";
password-flags = "0";
remote = vpn1-address;
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$PIA_VPN_USER";
};
vpn-secrets = { password = "$PIA_VPN_PW"; };
};
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-${config.swarselsystems.mainUser}";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$MOBILE_HOTSPOT_PW";
};
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-${config.swarselsystems.mainUser}";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$MOBILE_HOTSPOT_PW";
};
};
};
};
};
};
};

5
modules/nixos/client/nvd-rebuild.nix
View file

@ -2,6 +2,11 @@
{
options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config";
config = lib.mkIf config.swarselsystems.modules.nvd {
environment.systemPackages = [
pkgs.nvd
];
system.activationScripts.diff = {
supportsDryActivation = true;
text = ''

1
modules/nixos/client/packages.nix
View file

@ -75,6 +75,7 @@
elk-to-svg
] ++ lib.optionals minimal [
networkmanager
curl
git
gnupg

20
modules/nixos/client/stylix.nix
View file

@ -1,13 +1,17 @@
{ lib, config, ... }:
{ self, lib, config, ... }:
{
options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config";
config = lib.mkIf config.swarselsystems.modules.stylix {
stylix = lib.recursiveUpdate
{
targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper;
}
config.swarselsystems.stylix;
config = {
stylix = {
enable = true;
base16Scheme = "${self}/files/stylix/swarsel.yaml";
} // lib.optionalAttrs config.swarselsystems.modules.stylix
(lib.recursiveUpdate
{
targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper;
}
config.swarselsystems.stylix);
home-manager.users."${config.swarselsystems.mainUser}" = {
stylix = {
targets = config.swarselsystems.stylixHomeTargets;

6
modules/nixos/client/swayosd.nix
View file

@ -2,8 +2,8 @@
{
options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
config = lib.mkIf config.swarselsystems.modules.swayosd {
environment.systemPackages = [ pkgs.swayosd ];
services.udev.packages = [ pkgs.swayosd ];
environment.systemPackages = [ pkgs.dev.swayosd ];
services.udev.packages = [ pkgs.dev.swayosd ];
systemd.services.swayosd-libinput-backend = {
description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc.";
documentation = [ "https://github.com/ErikReider/SwayOSD" ];
@ -14,7 +14,7 @@
serviceConfig = {
Type = "dbus";
BusName = "org.erikreider.swayosd";
ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend";
ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend";
Restart = "on-failure";
};
};

15
modules/nixos/common/home-manager.nix
View file

@ -6,23 +6,24 @@
useGlobalPkgs = true;
useUserPackages = true;
verbose = true;
sharedModules = [
users.swarsel.imports = [
inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops
# inputs.stylix.homeModules.stylix
{
imports = [
"${self}/profiles/home"
"${self}/modules/home"
"${self}/modules/nixos/common/pii.nix"
"${self}/modules/nixos/common/meta.nix"
# "${self}/modules/nixos/common/pii.nix"
# "${self}/modules/nixos/common/meta.nix"
];
node = {
secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets;
};
# node = {
# secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets;
# };
home.stateVersion = lib.mkDefault config.system.stateVersion;
}
];
extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; };
extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; };
};
};
}

7
modules/nixos/common/lanzaboote.nix
View file

@ -1,7 +1,12 @@
{ lib, config, minimal, ... }:
{ lib, pkgs, config, minimal, ... }:
{
options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
config = lib.mkIf config.swarselsystems.modules.lanzaboote {
environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [
pkgs.sbctl
];
boot = {
loader = {
efi.canTouchEfiVariables = true;

4
modules/nixos/common/settings.nix
View file

@ -54,7 +54,9 @@ in
config = lib.mkIf config.swarselsystems.modules.general
(lib.recursiveUpdate
{
sops.secrets.github-api-token = lib.mkIf (!minimal) { };
sops.secrets.github-api-token = lib.mkIf (!minimal) {
sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
};
nix = {
package = pkgs.nixVersions.nix_2_28;

12
modules/nixos/server/ankisync.nix
View file

@ -1,5 +1,7 @@
{ self, lib, config, globals, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 27701;
serviceName = "ankisync";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
@ -12,11 +14,11 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
sops.secrets.swarsel = { owner = "root"; };
sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
topology.self.services.${serviceName} = {
topology.self.services.anki = {
name = lib.mkForce "Anki Sync Server";
icon = "${self}/files/topology-images/${serviceName}.png";
icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png";
info = "https://${serviceDomain}";
};
@ -30,12 +32,12 @@ in
users = [
{
username = ankiUser;
passwordFile = config.sops.secrets.swarsel.path;
passwordFile = config.sops.secrets.anki-pw.path;
}
];
};
services.nginx = {
nodes.moonside.services.nginx = {
upstreams = {
${serviceName} = {
servers = {

4
modules/nixos/server/croc.nix
View file

@ -10,6 +10,8 @@ let
serviceName = "croc";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
cfg = config.services.croc;
in
{
@ -18,7 +20,7 @@ in
sops = {
secrets = {
croc-password = { };
croc-password = { inherit sopsFile; };
};
templates = {

3
modules/nixos/server/firefly-iii.nix
View file

@ -8,6 +8,7 @@ let
nginxGroup = "nginx";
inherit (config.swarselsystems) sopsFile;
cfg = config.services.firefly-iii;
in
{
@ -25,7 +26,7 @@ in
sops = {
secrets = {
"firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
"firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
};
};

9
modules/nixos/server/forgejo.nix
View file

@ -1,6 +1,8 @@
{ lib, config, pkgs, globals, ... }:
let
servicePort = 3000;
inherit (config.swarselsystems) sopsFile;
servicePort = 3004;
serviceUser = "forgejo";
serviceGroup = serviceUser;
serviceName = "forgejo";
@ -22,13 +24,14 @@ in
users.groups.${serviceGroup} = { };
sops.secrets = {
kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
globals.services.${serviceName}.domain = serviceDomain;
services.${serviceName} = {
enable = true;
stateDir = "/Vault/data/${serviceName}";
user = serviceUser;
group = serviceGroup;
lfs.enable = lib.mkDefault true;
@ -125,7 +128,7 @@ in
'';
};
services.nginx = {
nodes.moonside.services.nginx = {
upstreams = {
${serviceName} = {
servers = {

32
modules/nixos/server/freshrss.nix
View file

@ -1,12 +1,12 @@
{ self, lib, config, ... }:
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
servicePort = 80;
serviceName = "freshrss";
serviceUser = "freshrss";
serviceGroup = serviceName;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -22,9 +22,9 @@ in
sops = {
secrets = {
fresh = { owner = serviceUser; };
"kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
freshrss-pw = { inherit sopsFile; owner = serviceUser; };
kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
# freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
# templates = {
@ -55,15 +55,19 @@ in
globals.services.${serviceName}.domain = serviceDomain;
services.${serviceName} = {
inherit defaultUser;
enable = true;
virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}";
authType = "form";
dataDir = "/Vault/data/tt-rss";
passwordFile = config.sops.secrets.fresh.path;
};
services.${serviceName} =
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
in
{
inherit defaultUser;
enable = true;
virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}";
authType = "form";
dataDir = "/Vault/data/tt-rss";
passwordFile = config.sops.secrets.freshrss-pw.path;
};
# systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [
# config.sops.templates.freshrss-env.path

19
modules/nixos/server/kanidm.nix
View file

@ -1,6 +1,7 @@
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) sopsFile;
servicePort = 8300;
serviceUser = "kanidm";
@ -30,15 +31,15 @@ in
secrets = {
"kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-idm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-immich" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-paperless" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-forgejo" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-grafana" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-nextcloud" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-freshrss" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
};

6
modules/nixos/server/kavita.nix
View file

@ -1,5 +1,7 @@
{ self, lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 8080;
serviceName = "kavita";
serviceUser = "kavita";
@ -16,7 +18,7 @@ in
extraGroups = [ "users" ];
};
sops.secrets.kavita = { owner = serviceUser; };
sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; };
networking.firewall.allowedTCPPorts = [ servicePort ];
@ -31,7 +33,7 @@ in
enable = true;
user = serviceUser;
settings.Port = servicePort;
tokenKeyFile = config.sops.secrets.kavita.path;
tokenKeyFile = config.sops.secrets.kavita-token.path;
dataDir = "/Vault/data/${serviceName}";
};

8
modules/nixos/server/koillection.nix
View file

@ -9,14 +9,16 @@ let
postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
postgresPort = config.services.postgresql.settings.port; # 5432
containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = {
koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; };
koillection-env-file = { };
koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
koillection-env-file = { inherit sopsFile; };
};
topology.self.services.${serviceName} = {
@ -70,7 +72,7 @@ in
passwordPath = config.sops.secrets.koillection-db-password.path;
in
''
$PSQL -tA <<'EOF'
${config.services.postgresql.package}/bin/psql -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN

24
modules/nixos/server/matrix.nix
View file

@ -1,5 +1,7 @@
{ lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 8008;
serviceName = "matrix";
serviceDomain = config.repo.secrets.common.services.domains.matrix;
@ -29,29 +31,29 @@ in
sops = {
secrets = {
matrixsharedsecret = { owner = serviceUser; };
mautrixtelegram_as = { owner = serviceUser; };
mautrixtelegram_hs = { owner = serviceUser; };
mautrixtelegram_api_id = { owner = serviceUser; };
mautrixtelegram_api_hash = { owner = serviceUser; };
matrix-shared-secret = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; };
};
templates = {
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort}
register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort}
'';
matrixshared = {
owner = serviceUser;
content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret}
'';
};
mautrixtelegram = {
owner = serviceUser;
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash}
'';
};
};

8
modules/nixos/server/microbin.nix
View file

@ -6,6 +6,8 @@ let
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
cfg = config.services.${serviceName};
in
{
@ -23,9 +25,9 @@ in
sops = {
secrets = {
microbin-admin-username = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-uploader-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {

148
modules/nixos/server/monitoring.nix
View file

@ -1,6 +1,5 @@
{ self, lib, config, globals, ... }:
let
servicePort = 3000;
serviceUser = "grafana";
serviceGroup = serviceUser;
@ -10,11 +9,12 @@ let
prometheusPort = 9090;
prometheusUser = "prometheus";
prometheusGroup = prometheusUser;
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
grafanaUpstream = "grafana";
prometheusUpstream = "prometheus";
prometheusWebRoot = "prometheus";
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -22,9 +22,9 @@ in
sops = {
secrets = {
grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
};
@ -84,7 +84,7 @@ in
incrementalQueryOverlapWindow = "10m";
};
secureJsonData = {
basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";
};
}
];
@ -95,7 +95,7 @@ in
analytics.reporting_enabled = false;
users.allow_sign_up = false;
security = {
admin_password = "$__file{/run/secrets/grafanaadminpass}";
admin_password = "$__file{/run/secrets/grafana-admin-pw}";
cookie_secure = true;
disable_gravatar = true;
};
@ -130,74 +130,78 @@ in
};
};
prometheus = {
enable = true;
webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
port = prometheusPort;
listenAddress = "0.0.0.0";
globalConfig = {
scrape_interval = "10s";
};
webConfigFile = config.sops.templates.web-config.path;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "zfs";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
}];
}
];
exporters = {
node = {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
prometheus =
let
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
in
{
enable = true;
webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
port = prometheusPort;
listenAddress = "0.0.0.0";
globalConfig = {
scrape_interval = "10s";
};
zfs = {
enable = true;
port = 9134;
pools = [
"Vault"
];
};
restic = {
enable = false;
port = 9753;
};
nginx = {
enable = true;
port = 9113;
sslVerify = false;
scrapeUri = "http://localhost/nginx_status";
};
nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
enable = true;
port = 9205;
url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
username = nextcloudUser;
passwordFile = config.sops.secrets.nextcloudadminpass.path;
webConfigFile = config.sops.templates.web-config.path;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "zfs";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
}];
}
];
exporters = {
node = {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
};
zfs = {
enable = true;
port = 9134;
pools = [
"Vault"
];
};
restic = {
enable = false;
port = 9753;
};
nginx = {
enable = true;
port = 9113;
sslVerify = false;
scrapeUri = "http://localhost/nginx_status";
};
nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
enable = true;
port = 9205;
url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
username = nextcloudUser;
passwordFile = config.sops.secrets.nextcloud-admin-pw.path;
};
};
};
};
};

6
modules/nixos/server/mpd.nix
View file

@ -1,5 +1,7 @@
{ self, lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 3254;
serviceUser = "mpd";
serviceGroup = serviceUser;
@ -23,7 +25,7 @@ in
};
sops = {
secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
environment.systemPackages = with pkgs; [
@ -49,7 +51,7 @@ in
};
credentials = [
{
passwordFile = config.sops.secrets.mpdpass.path;
passwordFile = config.sops.secrets.mpd-pw.path;
permissions = [
"read"
"add"

15
modules/nixos/server/nextcloud.nix
View file

@ -1,6 +1,7 @@
{ pkgs, lib, config, ... }:
let
inherit (config.repo.secrets.local.nextcloud) adminuser;
inherit (config.swarselsystems) sopsFile;
servicePort = 80;
serviceUser = "nextcloud";
@ -13,16 +14,8 @@ in
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = {
nextcloudadminpass = {
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
kanidm-nextcloud-client = {
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
@ -48,7 +41,7 @@ in
extraAppsEnable = true;
config = {
inherit adminuser;
adminpassFile = config.sops.secrets.nextcloudadminpass.path;
adminpassFile = config.sops.secrets.nextcloud-admin-pw.path;
dbtype = "sqlite";
};
};

6
modules/nixos/server/nginx.nix
View file

@ -2,6 +2,7 @@
let
inherit (config.repo.secrets.common) dnsProvider;
inherit (config.repo.secrets.common.mail) address3;
in
{
options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server";
@ -11,10 +12,9 @@ in
];
sops = {
# secrets.dnstokenfull = { owner = "acme"; };
secrets.dnstokenfull = { };
secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
'';
};

6
modules/nixos/server/oauth2-proxy.nix
View file

@ -8,6 +8,8 @@ let
kanidmDomain = globals.services.kanidm.domain;
mainDomain = globals.domains.main;
inherit (config.swarselsystems) sopsFile;
in
{
options = {
@ -123,8 +125,8 @@ in
sops = {
secrets = {
"oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {

1
modules/nixos/server/packages.nix
View file

@ -13,6 +13,7 @@
vim
sops
swarsel-deploy
tmux
];
};
}

12
modules/nixos/server/paperless.nix
View file

@ -1,5 +1,7 @@
{ lib, pkgs, config, globals, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 28981;
serviceUser = "paperless";
serviceGroup = serviceUser;
@ -19,12 +21,8 @@ in
};
sops.secrets = {
paperless_admin = { owner = serviceUser; };
kanidm-paperless-client = {
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
networking.firewall.allowedTCPPorts = [ servicePort ];
@ -38,7 +36,7 @@ in
dataDir = "/Vault/data/${serviceName}";
user = serviceUser;
port = servicePort;
passwordFile = config.sops.secrets.paperless_admin.path;
passwordFile = config.sops.secrets.paperless-admin-pw.path;
address = "0.0.0.0";
settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";

34
modules/nixos/server/radicale.nix
View file

@ -1,6 +1,5 @@
{ self, lib, config, ... }:
let
inherit (config.repo.secrets.local.radicale) user1;
sopsFile = self + /secrets/winters/secrets2.yaml;
servicePort = 8000;
@ -18,16 +17,20 @@ in
sops = {
secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
templates = {
"radicale-users" = {
content = ''
${user1}:${config.sops.placeholder.radicale-user}
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
templates =
let
inherit (config.repo.secrets.local.radicale) user1;
in
{
"radicale-users" = {
content = ''
${user1}:${config.sops.placeholder.radicale-user}
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
};
};
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
@ -42,11 +45,12 @@ in
"[::]:${builtins.toString servicePort}"
];
};
auth = {
type = "htpasswd";
htpasswd_filename = config.sops.templates.radicale-users.path;
htpasswd_encryption = "autodetect";
};
auth =
{
type = "htpasswd";
htpasswd_filename = config.sops.templates.radicale-users.path;
htpasswd_encryption = "autodetect";
};
storage = {
filesystem_folder = "/Vault/data/radicale/collections";
};

64
modules/nixos/server/restic.nix
View file

@ -1,6 +1,6 @@
{ lib, pkgs, config, ... }:
let
inherit (config.repo.secrets.local) resticRepo;
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
@ -8,9 +8,9 @@ in
sops = {
secrets = {
resticpw = { };
resticaccesskey = { };
resticsecretaccesskey = { };
resticpw = { inherit sopsFile; };
resticaccesskey = { inherit sopsFile; };
resticsecretaccesskey = { inherit sopsFile; };
};
templates = {
"restic-env".content = ''
@ -20,35 +20,39 @@ in
};
};
services.restic = {
backups = {
SwarselWinters = {
environmentFile = config.sops.templates."restic-env".path;
passwordFile = config.sops.secrets.resticpw.path;
paths = [
"/Vault/data/paperless"
"/Vault/Eternor/Paperless"
"/Vault/Eternor/Bilder"
"/Vault/Eternor/Immich"
];
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 2"
"--keep-monthly 3"
"--keep-yearly 100"
];
backupPrepareCommand = ''
${pkgs.restic}/bin/restic prune
'';
repository = "${resticRepo}";
initialize = true;
timerConfig = {
OnCalendar = "03:00";
services.restic =
let
inherit (config.repo.secrets.local) resticRepo;
in
{
backups = {
SwarselWinters = {
environmentFile = config.sops.templates."restic-env".path;
passwordFile = config.sops.secrets.resticpw.path;
paths = [
"/Vault/data/paperless"
"/Vault/Eternor/Paperless"
"/Vault/Eternor/Bilder"
"/Vault/Eternor/Immich"
];
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 2"
"--keep-monthly 3"
"--keep-yearly 100"
];
backupPrepareCommand = ''
${pkgs.restic}/bin/restic prune
'';
repository = "${resticRepo}";
initialize = true;
timerConfig = {
OnCalendar = "03:00";
};
};
};
};
};
};
};
}

4
modules/nixos/server/shlink.nix
View file

@ -5,6 +5,8 @@ let
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
inherit (config.swarselsystems) sopsFile;
in
{
options = {
@ -14,7 +16,7 @@ in
sops = {
secrets = {
shlink-api = { };
shlink-api = { inherit sopsFile; };
};
templates = {