chore: cleanup

This commit is contained in:
Leon Schwarzäugl 2025-07-14 01:08:22 +02:00
parent a8daed1d10
commit e9da090c2a
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
67 changed files with 4146 additions and 2727 deletions


@ -1,5 +1,7 @@
{ self, lib, config, globals, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 27701;
serviceName = "ankisync";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
@ -12,11 +14,11 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ];
sops.secrets.swarsel = { owner = "root"; };
sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
topology.self.services.${serviceName} = {
topology.self.services.anki = {
name = lib.mkForce "Anki Sync Server";
icon = "${self}/files/topology-images/${serviceName}.png";
icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png";
info = "https://${serviceDomain}";
};
@ -30,12 +32,12 @@ in
users = [
{
username = ankiUser;
passwordFile = config.sops.secrets.swarsel.path;
passwordFile = config.sops.secrets.anki-pw.path;
}
];
};
services.nginx = {
nodes.moonside.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
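Review bot: `sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }` keeps sops-nix's default `0400` mode, so the password file is readable by root only, which is only correct if the anki-sync-server unit runs as root or pulls the file in through systemd `LoadCredential`; neither is visible in this hunk, so please confirm, or set `owner` to the service user as the other modules in this commit do. Unrelated but in the same hunk, `topology.self.services.anki` no longer uses `${serviceName}` (`ankisync`), so a comment such as `# topology auto-detects the sync server as "anki"; override its generated entry` would save the next reader a search. The nginx upstream block continues outside the hunk.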


@ -10,6 +10,8 @@ let
serviceName = "croc";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
cfg = config.services.croc;
in
{
@ -18,7 +20,7 @@ in
sops = {
secrets = {
croc-password = { };
croc-password = { inherit sopsFile; };
};
templates = {


@ -8,6 +8,7 @@ let
nginxGroup = "nginx";
inherit (config.swarselsystems) sopsFile;
cfg = config.services.firefly-iii;
in
{
@ -25,7 +26,7 @@ in
sops = {
secrets = {
"firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
"firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
};
};
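Review bot: The Firefly `APP_KEY` (the Laravel key that protects sessions, cookies and stored credentials) becomes group-readable by the whole `nginx` group whenever `cfg.enableNginx` is set, which is wider than needed if only the firefly-iii php-fpm pool has to read it. Nginx itself never needs the key; presumably the pool runs under the nginx group, but then every other pool or vhost sharing that group can read it too. Prefer running the pool as `serviceGroup` and keeping `group = serviceGroup;` unconditionally, and add a comment stating which process actually reads the key. The `sops` block continues outside the hunk.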


@ -1,6 +1,8 @@
{ lib, config, pkgs, globals, ... }:
let
servicePort = 3000;
inherit (config.swarselsystems) sopsFile;
servicePort = 3004;
serviceUser = "forgejo";
serviceGroup = serviceUser;
serviceName = "forgejo";
@ -22,13 +24,14 @@ in
users.groups.${serviceGroup} = { };
sops.secrets = {
kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
globals.services.${serviceName}.domain = serviceDomain;
services.${serviceName} = {
enable = true;
stateDir = "/Vault/data/${serviceName}";
user = serviceUser;
group = serviceGroup;
lfs.enable = lib.mkDefault true;
@ -125,7 +128,7 @@ in
'';
};
services.nginx = {
nodes.moonside.services.nginx = {
upstreams = {
${serviceName} = {
servers = {
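Review bot: Dropping `stateDir = "/Vault/data/${serviceName}"` moves Forgejo's repositories, LFS objects, database and secret keys to the module default (`/var/lib/forgejo`), so an existing instance will start empty after the switch unless that directory is migrated. The restic paths elsewhere in this commit cover neither location, so if the move is intentional it also needs a backup entry; if not, restore the line. The `servicePort` change from 3000 to 3004 presumably avoids a clash with Grafana's 3000 — a short comment `# 3000 is taken by grafana` on that line would stop someone moving it back. The nginx upstream block continues outside the hunk.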


@ -1,12 +1,12 @@
{ self, lib, config, ... }:
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
servicePort = 80;
serviceName = "freshrss";
serviceUser = "freshrss";
serviceGroup = serviceName;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -22,9 +22,9 @@ in
sops = {
secrets = {
fresh = { owner = serviceUser; };
"kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
freshrss-pw = { inherit sopsFile; owner = serviceUser; };
kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
# freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
# templates = {
@ -55,15 +55,19 @@ in
globals.services.${serviceName}.domain = serviceDomain;
services.${serviceName} = {
inherit defaultUser;
enable = true;
virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}";
authType = "form";
dataDir = "/Vault/data/tt-rss";
passwordFile = config.sops.secrets.fresh.path;
};
services.${serviceName} =
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
in
{
inherit defaultUser;
enable = true;
virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}";
authType = "form";
dataDir = "/Vault/data/tt-rss";
passwordFile = config.sops.secrets.freshrss-pw.path;
};
# systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [
# config.sops.templates.freshrss-env.path
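Review bot: `kanidm-freshrss-client` is still declared and decrypted to `/run/secrets` (readable by `freshrss:freshrss` at 0440) even though every consumer of it — the OIDC crypto key, the env template and the `EnvironmentFile` hookup — is commented out and `authType = "form"` is in effect, so the OIDC client secret sits on disk for nothing. Either comment the declaration out together with the rest of the OIDC wiring, or leave a comment like `# kept for the OIDC migration below; unused while authType = "form"` so it is not mistaken for live config. `dataDir = "/Vault/data/tt-rss"` also deserves a note that the path is historical, since the directory name no longer matches the service.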


@ -1,6 +1,7 @@
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) sopsFile;
servicePort = 8300;
serviceUser = "kanidm";
@ -30,15 +31,15 @@ in
secrets = {
"kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-idm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-immich" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-paperless" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-forgejo" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-grafana" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-nextcloud" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-freshrss" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
};
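Review bot: The per-application entries here (`kanidm-forgejo`, `kanidm-grafana`, `kanidm-nextcloud`, `kanidm-freshrss`, `kanidm-paperless`, `kanidm-oauth2-proxy`) are presumably the same OAuth2 client secrets that the consuming modules in this commit declare as `kanidm-<app>-client`, i.e. each value is stored twice in the same sops file and only matches as long as both copies are edited together; drift breaks logins at runtime with no evaluation-time error. sops-nix lets one yaml key back several secrets with different owners, e.g. in the forgejo module `kanidm-forgejo-client = { inherit sopsFile; key = "kanidm-forgejo"; owner = serviceUser; group = serviceGroup; mode = "0440"; };`, which removes the duplication. If the two names intentionally hold different values, a comment saying so would help.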


@ -1,5 +1,7 @@
{ self, lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 8080;
serviceName = "kavita";
serviceUser = "kavita";
@ -16,7 +18,7 @@ in
extraGroups = [ "users" ];
};
sops.secrets.kavita = { owner = serviceUser; };
sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; };
networking.firewall.allowedTCPPorts = [ servicePort ];
@ -31,7 +33,7 @@ in
enable = true;
user = serviceUser;
settings.Port = servicePort;
tokenKeyFile = config.sops.secrets.kavita.path;
tokenKeyFile = config.sops.secrets.kavita-token.path;
dataDir = "/Vault/data/${serviceName}";
};


@ -9,14 +9,16 @@ let
postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
postgresPort = config.services.postgresql.settings.port; # 5432
containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = {
koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; };
koillection-env-file = { };
koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
koillection-env-file = { inherit sopsFile; };
};
topology.self.services.${serviceName} = {
@ -70,7 +72,7 @@ in
passwordPath = config.sops.secrets.koillection-db-password.path;
in
''
$PSQL -tA <<'EOF'
${config.services.postgresql.package}/bin/psql -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
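Review bot: `${config.services.postgresql.package}/bin/psql -tA` drops the `--port` that NixOS's `$PSQL` helper carried, so the script now connects on psql's default socket/port and silently ignores `postgresPort`, which is already in scope at the top of this file; use `${config.services.postgresql.package}/bin/psql --port=${toString postgresPort} -tA <<'EOF'`. The script presumably relies on peer authentication and so must keep running as the postgres user — worth a comment on the unit that executes it. The unit definition and the rest of the DO block are outside this hunk.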


@ -1,5 +1,7 @@
{ lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 8008;
serviceName = "matrix";
serviceDomain = config.repo.secrets.common.services.domains.matrix;
@ -29,29 +31,29 @@ in
sops = {
secrets = {
matrixsharedsecret = { owner = serviceUser; };
mautrixtelegram_as = { owner = serviceUser; };
mautrixtelegram_hs = { owner = serviceUser; };
mautrixtelegram_api_id = { owner = serviceUser; };
mautrixtelegram_api_hash = { owner = serviceUser; };
matrix-shared-secret = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; };
};
templates = {
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort}
register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort}
'';
matrixshared = {
owner = serviceUser;
content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret}
'';
};
mautrixtelegram = {
owner = serviceUser;
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash}
'';
};
};
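Review bot: `register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} ...` in the `matrix_user_register.sh` template passes the registration shared secret on the command line, so for the lifetime of the process it is visible to every local user via `ps` / `/proc/<pid>/cmdline`. The `matrixshared` template already renders `registration_shared_secret:` into a file that `register_new_matrix_user` can read with `-c`, so the script can become `register_new_matrix_user -c ${config.sops.templates.matrixshared.path} http://localhost:${builtins.toString servicePort}` and stop embedding the secret at all. The renamed `mautrix-telegram-*` placeholders look consistent with the new secret names.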


@ -6,6 +6,8 @@ let
serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
cfg = config.services.${serviceName};
in
{
@ -23,9 +25,9 @@ in
sops = {
secrets = {
microbin-admin-username = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-uploader-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {


@ -1,6 +1,5 @@
{ self, lib, config, globals, ... }:
let
servicePort = 3000;
serviceUser = "grafana";
serviceGroup = serviceUser;
@ -10,11 +9,12 @@ let
prometheusPort = 9090;
prometheusUser = "prometheus";
prometheusGroup = prometheusUser;
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
grafanaUpstream = "grafana";
prometheusUpstream = "prometheus";
prometheusWebRoot = "prometheus";
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -22,9 +22,9 @@ in
sops = {
secrets = {
grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
};
@ -84,7 +84,7 @@ in
incrementalQueryOverlapWindow = "10m";
};
secureJsonData = {
basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";
};
}
];
@ -95,7 +95,7 @@ in
analytics.reporting_enabled = false;
users.allow_sign_up = false;
security = {
admin_password = "$__file{/run/secrets/grafanaadminpass}";
admin_password = "$__file{/run/secrets/grafana-admin-pw}";
cookie_secure = true;
disable_gravatar = true;
};
@ -130,74 +130,78 @@ in
};
};
prometheus = {
enable = true;
webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
port = prometheusPort;
listenAddress = "0.0.0.0";
globalConfig = {
scrape_interval = "10s";
};
webConfigFile = config.sops.templates.web-config.path;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "zfs";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
}];
}
];
exporters = {
node = {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
prometheus =
let
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
in
{
enable = true;
webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
port = prometheusPort;
listenAddress = "0.0.0.0";
globalConfig = {
scrape_interval = "10s";
};
zfs = {
enable = true;
port = 9134;
pools = [
"Vault"
];
};
restic = {
enable = false;
port = 9753;
};
nginx = {
enable = true;
port = 9113;
sslVerify = false;
scrapeUri = "http://localhost/nginx_status";
};
nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
enable = true;
port = 9205;
url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
username = nextcloudUser;
passwordFile = config.sops.secrets.nextcloudadminpass.path;
webConfigFile = config.sops.templates.web-config.path;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "zfs";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
}];
}
];
exporters = {
node = {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
};
zfs = {
enable = true;
port = 9134;
pools = [
"Vault"
];
};
restic = {
enable = false;
port = 9753;
};
nginx = {
enable = true;
port = 9113;
sslVerify = false;
scrapeUri = "http://localhost/nginx_status";
};
nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
enable = true;
port = 9205;
url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
username = nextcloudUser;
passwordFile = config.sops.secrets.nextcloud-admin-pw.path;
};
};
};
};
};
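Review bot: The nextcloud exporter is configured with `passwordFile = config.sops.secrets.nextcloud-admin-pw.path`, i.e. the Nextcloud admin password is handed to a scrape-only process that presumably runs under its own exporter user; the serverinfo API accepts a dedicated read-only token (set with `occ config:app:set serverinfo token`) and the nixpkgs exporter module exposes it as `tokenFile`, which keeps the admin credential out of the monitoring path. Independently, `basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}"` and `admin_password = "$__file{/run/secrets/grafana-admin-pw}"` hard-code the sops output path; `"$__file{${config.sops.secrets.prometheus-admin-pw.path}}"` follows the declaration if the secret is ever moved. The grafana settings and the exporter blocks continue outside this section.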


@ -1,5 +1,7 @@
{ self, lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 3254;
serviceUser = "mpd";
serviceGroup = serviceUser;
@ -23,7 +25,7 @@ in
};
sops = {
secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
environment.systemPackages = with pkgs; [
@ -49,7 +51,7 @@ in
};
credentials = [
{
passwordFile = config.sops.secrets.mpdpass.path;
passwordFile = config.sops.secrets.mpd-pw.path;
permissions = [
"read"
"add"


@ -1,6 +1,7 @@
{ pkgs, lib, config, ... }:
let
inherit (config.repo.secrets.local.nextcloud) adminuser;
inherit (config.swarselsystems) sopsFile;
servicePort = 80;
serviceUser = "nextcloud";
@ -13,16 +14,8 @@ in
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = {
nextcloudadminpass = {
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
kanidm-nextcloud-client = {
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
@ -48,7 +41,7 @@ in
extraAppsEnable = true;
config = {
inherit adminuser;
adminpassFile = config.sops.secrets.nextcloudadminpass.path;
adminpassFile = config.sops.secrets.nextcloud-admin-pw.path;
dbtype = "sqlite";
};
};


@ -2,6 +2,7 @@
let
inherit (config.repo.secrets.common) dnsProvider;
inherit (config.repo.secrets.common.mail) address3;
in
{
options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server";
@ -11,10 +12,9 @@ in
];
sops = {
# secrets.dnstokenfull = { owner = "acme"; };
secrets.dnstokenfull = { };
secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
'';
};


@ -8,6 +8,8 @@ let
kanidmDomain = globals.services.kanidm.domain;
mainDomain = globals.domains.main;
inherit (config.swarselsystems) sopsFile;
in
{
options = {
@ -123,8 +125,8 @@ in
sops = {
secrets = {
"oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {


@ -13,6 +13,7 @@
vim
sops
swarsel-deploy
tmux
];
};
}


@ -1,5 +1,7 @@
{ lib, pkgs, config, globals, ... }:
let
inherit (config.swarselsystems) sopsFile;
servicePort = 28981;
serviceUser = "paperless";
serviceGroup = serviceUser;
@ -19,12 +21,8 @@ in
};
sops.secrets = {
paperless_admin = { owner = serviceUser; };
kanidm-paperless-client = {
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
networking.firewall.allowedTCPPorts = [ servicePort ];
@ -38,7 +36,7 @@ in
dataDir = "/Vault/data/${serviceName}";
user = serviceUser;
port = servicePort;
passwordFile = config.sops.secrets.paperless_admin.path;
passwordFile = config.sops.secrets.paperless-admin-pw.path;
address = "0.0.0.0";
settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";


@ -1,6 +1,5 @@
{ self, lib, config, ... }:
let
inherit (config.repo.secrets.local.radicale) user1;
sopsFile = self + /secrets/winters/secrets2.yaml;
servicePort = 8000;
@ -18,16 +17,20 @@ in
sops = {
secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
templates = {
"radicale-users" = {
content = ''
${user1}:${config.sops.placeholder.radicale-user}
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
templates =
let
inherit (config.repo.secrets.local.radicale) user1;
in
{
"radicale-users" = {
content = ''
${user1}:${config.sops.placeholder.radicale-user}
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
};
};
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
@ -42,11 +45,12 @@ in
"[::]:${builtins.toString servicePort}"
];
};
auth = {
type = "htpasswd";
htpasswd_filename = config.sops.templates.radicale-users.path;
htpasswd_encryption = "autodetect";
};
auth =
{
type = "htpasswd";
htpasswd_filename = config.sops.templates.radicale-users.path;
htpasswd_encryption = "autodetect";
};
storage = {
filesystem_folder = "/Vault/data/radicale/collections";
};
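Review bot: `htpasswd_encryption = "autodetect"` makes Radicale accept whatever format the rendered `radicale-users` line carries — plain-text entries included — so a secret that is accidentally stored unhashed still authenticates; pin it to the format actually used, e.g. `htpasswd_encryption = "bcrypt";`, so a non-bcrypt entry fails closed. This module also keeps its own `sopsFile = self + /secrets/winters/secrets2.yaml` instead of the `config.swarselsystems.sopsFile` the rest of this commit switches to; a comment explaining why this file stays separate would help. The `auth =` / `{` and `templates =` / `let` split across lines looks like formatter output and reads better collapsed onto one line.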


@ -1,6 +1,6 @@
{ lib, pkgs, config, ... }:
let
inherit (config.repo.secrets.local) resticRepo;
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
@ -8,9 +8,9 @@ in
sops = {
secrets = {
resticpw = { };
resticaccesskey = { };
resticsecretaccesskey = { };
resticpw = { inherit sopsFile; };
resticaccesskey = { inherit sopsFile; };
resticsecretaccesskey = { inherit sopsFile; };
};
templates = {
"restic-env".content = ''
@ -20,35 +20,39 @@ in
};
};
services.restic = {
backups = {
SwarselWinters = {
environmentFile = config.sops.templates."restic-env".path;
passwordFile = config.sops.secrets.resticpw.path;
paths = [
"/Vault/data/paperless"
"/Vault/Eternor/Paperless"
"/Vault/Eternor/Bilder"
"/Vault/Eternor/Immich"
];
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 2"
"--keep-monthly 3"
"--keep-yearly 100"
];
backupPrepareCommand = ''
${pkgs.restic}/bin/restic prune
'';
repository = "${resticRepo}";
initialize = true;
timerConfig = {
OnCalendar = "03:00";
services.restic =
let
inherit (config.repo.secrets.local) resticRepo;
in
{
backups = {
SwarselWinters = {
environmentFile = config.sops.templates."restic-env".path;
passwordFile = config.sops.secrets.resticpw.path;
paths = [
"/Vault/data/paperless"
"/Vault/Eternor/Paperless"
"/Vault/Eternor/Bilder"
"/Vault/Eternor/Immich"
];
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 2"
"--keep-monthly 3"
"--keep-yearly 100"
];
backupPrepareCommand = ''
${pkgs.restic}/bin/restic prune
'';
repository = "${resticRepo}";
initialize = true;
timerConfig = {
OnCalendar = "03:00";
};
};
};
};
};
};
};
}
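Review bot: `backupPrepareCommand = restic prune` runs a full prune before every nightly backup, while `pruneOpts` already makes the module run `forget --prune` after the backup succeeds; the extra prune is redundant, takes an exclusive repository lock before any data is copied, and, because it runs inside the same unit, a transient failure there (locked repo, unreachable bucket) aborts the backup itself. Drop the `backupPrepareCommand` block, or if the intent is to reclaim space before writing, say so in a comment. The secret names (`resticpw`, `resticaccesskey`, `resticsecretaccesskey`) also keep the old style while the rest of the commit moves to `<service>-<purpose>` names such as `grafana-admin-pw`.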


@ -5,6 +5,8 @@ let
serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
inherit (config.swarselsystems) sopsFile;
in
{
options = {
@ -14,7 +16,7 @@ in
sops = {
secrets = {
shlink-api = { };
shlink-api = { inherit sopsFile; };
};
templates = {