swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: bootstrap winters

Browse source
This commit is contained in:
Swarsel 2024-09-23 22:09:33 +02:00
parent 713af5d722
commit f376490aee
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
8 changed files with 382 additions and 355 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.sops.yaml
View file

@ -4,7 +4,8 @@
# for a more complex example. # for a more complex example.
keys: keys:
- &admin_swarsel 4BE7925262289B476DBBC17B76FD3810215AE097 - &admin_swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
- &server_nixos age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4 - &server_sandbox age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4
- &server_nixos age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
- &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
- &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0 - &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0
- &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej - &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej
@ -26,6 +27,7 @@ creation_rules:
- *admin_swarsel - *admin_swarsel
age: age:
- *server_nixos - *server_nixos
- *server_sandbox
- *server_surface - *server_surface
- *server_stand - *server_stand
- *server_fourside - *server_fourside
@ -36,10 +38,17 @@ creation_rules:
- *admin_swarsel - *admin_swarsel
age: age:
- *server_nixos - *server_nixos
- *server_sandbox
- *server_surface - *server_surface
- *server_stand - *server_stand
- *server_fourside - *server_fourside
- *server_transmiss - *server_transmiss
- path_regex: secrets/server/winters/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_swarsel
age:
- *server_nixos
- path_regex: secrets/surface/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/surface/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - pgp:

41
SwarselSystems.org
View file

@ -6575,11 +6575,14 @@ Also, the system state version is set here. No need to touch it.
**** NGINX **** NGINX
#+begin_src nix :tangle profiles/server/common/nginx.nix #+begin_src nix :tangle profiles/server/common/nginx.nix
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lego lego
]; ];
users.users.acme = {};
sops = { sops = {
secrets.dnstokenfull = { owner = "acme"; }; secrets.dnstokenfull = { owner = "acme"; };
templates."certs.secret".content = '' templates."certs.secret".content = ''
@ -6604,7 +6607,7 @@ Also, the system state version is set here. No need to touch it.
# virtualHosts are defined in the respective sections # virtualHosts are defined in the respective sections
}; };
} }
#+end_src #+end_src
**** ssh **** ssh
@ -6616,6 +6619,9 @@ Also, the system state version is set here. No need to touch it.
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
users.users.swarsel.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];
@ -6650,7 +6656,7 @@ Also, the system state version is set here. No need to touch it.
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.22:8080"; proxyPass = "http://192.168.1.2:8080";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -6687,7 +6693,7 @@ Also, the system state version is set here. No need to touch it.
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
user = "jellyfin"; user = "jellyfin";
# openFirewall = true; # this works only for the default ports openFirewall = true; # this works only for the default ports
}; };
services.nginx = { services.nginx = {
@ -6698,7 +6704,7 @@ Also, the system state version is set here. No need to touch it.
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.16:8096"; proxyPass = "http://192.168.1.2:8096";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -6715,8 +6721,8 @@ Also, the system state version is set here. No need to touch it.
**** navidrome **** navidrome
#+begin_src nix :tangle profiles/server/common/navidrome.nix #+begin_src nix :tangle profiles/server/common/navidrome.nix
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
{ {
config = lib.mkIf config.swarselsystems.server.navidrome { config = lib.mkIf config.swarselsystems.server.navidrome {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
pciutils pciutils
@ -6746,6 +6752,7 @@ Also, the system state version is set here. No need to touch it.
services.navidrome = { services.navidrome = {
enable = true; enable = true;
openFirewall = true;
settings = { settings = {
Address = "0.0.0.0"; Address = "0.0.0.0";
Port = 4040; Port = 4040;
@ -6772,7 +6779,7 @@ Also, the system state version is set here. No need to touch it.
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.13:4040"; proxyPass = "http://192.168.1.2:4040";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;
@ -6790,7 +6797,7 @@ Also, the system state version is set here. No need to touch it.
}; };
} }
#+end_src #+end_src
**** spotifyd **** spotifyd
@ -6886,11 +6893,11 @@ Also, the system state version is set here. No need to touch it.
**** matrix **** matrix
#+begin_src nix :tangle profiles/server/common/matrix.nix #+begin_src nix :tangle profiles/server/common/matrix.nix
{ config, lib, pkgs, modulesPath, sops, ... }: { config, lib, pkgs, modulesPath, sops, ... }:
let let
matrixDomain = "swatrix.swarsel.win"; matrixDomain = "swatrix.swarsel.win";
in in
{ {
config = lib.mkIf config.swarselsystems.server.matrix { config = lib.mkIf config.swarselsystems.server.matrix {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -7039,6 +7046,7 @@ in
services.mautrix-whatsapp = { services.mautrix-whatsapp = {
enable = true; enable = true;
registerToSynapse = true;
settings = { settings = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
@ -7085,6 +7093,7 @@ in
services.mautrix-signal = { services.mautrix-signal = {
enable = true; enable = true;
registerToSynapse = true;
settings = { settings = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
@ -7146,7 +7155,7 @@ in
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.23:8008"; proxyPass = "http://192.168.1.2:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -7158,7 +7167,7 @@ in
}; };
} }
#+end_src #+end_src

4
profiles/server/common/jellyfin.nix
View file

@ -19,7 +19,7 @@
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
user = "jellyfin"; user = "jellyfin";
# openFirewall = true; # this works only for the default ports openFirewall = true; # this works only for the default ports
}; };
services.nginx = { services.nginx = {
@ -30,7 +30,7 @@
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.16:8096"; proxyPass = "http://192.168.1.2:8096";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';

2
profiles/server/common/kavita.nix
View file

@ -22,7 +22,7 @@
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.22:8080"; proxyPass = "http://192.168.1.2:8080";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';

4
profiles/server/common/matrix.nix
View file

@ -151,6 +151,7 @@ in
services.mautrix-whatsapp = { services.mautrix-whatsapp = {
enable = true; enable = true;
registerToSynapse = true;
settings = { settings = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
@ -197,6 +198,7 @@ in
services.mautrix-signal = { services.mautrix-signal = {
enable = true; enable = true;
registerToSynapse = true;
settings = { settings = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
@ -258,7 +260,7 @@ in
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.23:8008"; proxyPass = "http://192.168.1.2:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';

3
profiles/server/common/navidrome.nix
View file

@ -29,6 +29,7 @@
services.navidrome = { services.navidrome = {
enable = true; enable = true;
openFirewall = true;
settings = { settings = {
Address = "0.0.0.0"; Address = "0.0.0.0";
Port = 4040; Port = 4040;
@ -55,7 +56,7 @@
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.1.13:4040"; proxyPass = "http://192.168.1.2:4040";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;

3
profiles/server/common/nginx.nix
View file

@ -3,6 +3,9 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lego lego
]; ];
users.users.acme = { };
sops = { sops = {
secrets.dnstokenfull = { owner = "acme"; }; secrets.dnstokenfull = { owner = "acme"; };
templates."certs.secret".content = '' templates."certs.secret".content = ''

3
profiles/server/common/ssh.nix
View file

@ -4,6 +4,9 @@ _:
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
users.users.swarsel.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];