Completely clean up Haven
This commit is contained in:
parent
4c1336d7d4
commit
ff1cb61873
|
@ -23,16 +23,35 @@ in
|
|||
role = "server";
|
||||
apps.development.kubernetes.enable = true;
|
||||
services = {
|
||||
acme = {
|
||||
enable = true;
|
||||
certs = {
|
||||
"${config.secrets.networking.primaryDomain}" = {
|
||||
dnsProvider = "namecheap";
|
||||
extraDomainNames = subdomains;
|
||||
webroot = null; # Required in order to prevent a failed assertion
|
||||
credentialFiles = {
|
||||
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
||||
${config.secrets.networking.namecheap.api.user}
|
||||
''}";
|
||||
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
|
||||
${config.secrets.networking.namecheap.api.key}
|
||||
''}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
apcupsd.enable = true;
|
||||
airsonic = {
|
||||
enable = true;
|
||||
domain = config.secrets.networking.primaryDomain;
|
||||
home = "/storage/services/airsonic-advanced";
|
||||
};
|
||||
boinc.enable = true;
|
||||
duplicacy-web = {
|
||||
enable = true;
|
||||
autostart = false;
|
||||
environment = "${config.users.users.aires.home}";
|
||||
environment = "${config.users.users.aires.home}"; # FIXME: Move to /storage
|
||||
};
|
||||
forgejo = {
|
||||
enable = true;
|
||||
|
@ -40,6 +59,24 @@ in
|
|||
home = "/storage/services/forgejo";
|
||||
};
|
||||
msmtp.enable = true;
|
||||
nginx = {
|
||||
enable = true;
|
||||
autostart = false;
|
||||
virtualHosts = {
|
||||
"${config.secrets.networking.primaryDomain}" = {
|
||||
default = true;
|
||||
enableACME = true; # Enable Let's Encrypt
|
||||
locations."/" = {
|
||||
# Catchall vhost, will redirect users to Forgejo
|
||||
return = "301 https://code.${config.secrets.networking.primaryDomain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ssh = {
|
||||
enable = true;
|
||||
ports = [ config.secrets.hosts.haven.ssh.port ];
|
||||
};
|
||||
};
|
||||
users = {
|
||||
aires = {
|
||||
|
@ -53,88 +90,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
# TLS certificate renewal via Let's Encrypt
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "${config.secrets.users.aires.email}";
|
||||
|
||||
certs."${config.secrets.networking.primaryDomain}" = {
|
||||
dnsProvider = "namecheap";
|
||||
extraDomainNames = subdomains;
|
||||
webroot = null; # Required in order to prevent a failed assertion
|
||||
credentialFiles = {
|
||||
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
||||
${config.secrets.networking.namecheap.api.user}
|
||||
''}";
|
||||
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
|
||||
${config.secrets.networking.namecheap.api.key}
|
||||
''}";
|
||||
};
|
||||
};
|
||||
};
|
||||
# /var/lib/acme/.challenges must be writable by the ACME user
|
||||
# and readable by the Nginx user. The easiest way to achieve
|
||||
# this is to add the Nginx user to the ACME group.
|
||||
users.users.nginx.extraGroups = [ "acme" ];
|
||||
|
||||
services = {
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
||||
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts = {
|
||||
# Base URL: make sure we've got Let's Encrypt running challenges here, and all other requests going to HTTPS
|
||||
"${config.secrets.networking.primaryDomain}" = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
# Catchall vhost, will Redirect users to Forgejo
|
||||
locations."/" = {
|
||||
return = "301 https://code.${config.secrets.networking.primaryDomain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Enable BOINC (distributed research computing)
|
||||
boinc = {
|
||||
enable = true;
|
||||
package = pkgs.boinc-headless;
|
||||
dataDir = "/var/lib/boinc";
|
||||
extraEnvPackages = [ pkgs.ocl-icd ];
|
||||
};
|
||||
|
||||
# Enable SSH
|
||||
openssh = {
|
||||
enable = true;
|
||||
ports = [ config.secrets.hosts.haven.ssh.port ];
|
||||
|
||||
settings = {
|
||||
# require public key authentication and disable root logins
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
PubkeyAuthentication = true;
|
||||
PermitRootLogin = "no";
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: VPN (Check out Wireguard)
|
||||
};
|
||||
|
||||
# Nginx: Disable autostart, and start sub-services first.
|
||||
systemd.services.nginx.wantedBy = lib.mkForce [ ];
|
||||
|
||||
# Open ports
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
};
|
||||
# TODO: VPN (Check out Wireguard)
|
||||
|
||||
# Add Haven's startup script
|
||||
environment.systemPackages = [ start-haven ];
|
||||
|
|
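--- a/modules/services/acme.nix
+++ b/modules/services/acme.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+
+let
+cfg = config.host.services.acme;
+in
+{
+options = {
+host.services.acme = {
+enable = lib.mkEnableOption (
+lib.mdDoc "Enable the ACME client (for Let's Encrypt TLS certificates)."
+);
+
+certs = lib.mkOption {
+default = { };
+type = lib.types.attrs;
+description = "Cert configurations for ACME.";
+};
+
+defaultEmail = lib.mkOption {
+default = "";
+type = lib.types.str;
+description = "Default admin email to use for problems.";
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+security.acme = {
+acceptTerms = true;
+defaults.email = cfg.defaultEmail;
+certs = cfg.certs;
+};
+
+# /var/lib/acme/.challenges must be writable by the ACME user
+# and readable by the Nginx user. The easiest way to achieve
+# this is to add the Nginx user to the ACME group.
+users.users.nginx.extraGroups = lib.mkIf config.host.services.nginx.enable [ "acme" ];
+};
+}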
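Review bot: `certs` is typed `lib.types.attrs`, so whatever the host passes goes straight into `security.acme.certs`, and the only caller visible in this commit (the Haven host earlier on this page) builds `credentialFiles` with `pkgs.writeText`, which copies the Namecheap API user and key into the world-readable `/nix/store`. The module is the right place to say so; extend the option description to `Per-cert settings passed through to security.acme.certs. credentialFiles must point at files provisioned at runtime (sops/agenix or similar), never at store paths: anything produced with pkgs.writeText is readable by every local user.` Consider `lib.types.attrsOf lib.types.attrs` as well, since plain `types.attrs` merges shallowly (as far as I recall) and a second module defining a different cert would override rather than combine. `defaultEmail` defaulting to `""` also means an enabled module with no email set presumably registers an ACME account with an empty contact; if the email is required, drop the default so evaluation fails instead.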
|
@ -2,15 +2,16 @@
|
|||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
subdomains,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.host.services.airsonic;
|
||||
subdomain = "music";
|
||||
in
|
||||
{
|
||||
options = {
|
||||
host.services.airsonic = {
|
||||
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Airsonic at boot.");
|
||||
enable = lib.mkEnableOption (lib.mdDoc "Enables Airsonic Advanced media streaming service.");
|
||||
home = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
|
@ -28,7 +29,7 @@ in
|
|||
users.users.airsonic.extraGroups = [ "media" ];
|
||||
|
||||
services = {
|
||||
nginx.virtualHosts."music.${cfg.domain}" = {
|
||||
nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
|
||||
useACMEHost = cfg.domain;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
|
@ -53,8 +54,7 @@ in
|
|||
};
|
||||
|
||||
systemd.services = {
|
||||
airsonic.wantedBy = lib.mkForce [ ];
|
||||
nginx.wants = [ config.systemd.services.airsonic.name ];
|
||||
};
|
||||
} // lib.optionalAttrs (!cfg.autostart) { airsonic.wantedBy = lib.mkForce [ ]; };
|
||||
};
|
||||
}
|
||||
|
|
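--- a/modules/services/boinc.nix
+++ b/modules/services/boinc.nix
@@ -0,0 +1,26 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+
+let
+cfg = config.host.services.boinc;
+in
+{
+options = {
+host.services.boinc.enable = lib.mkEnableOption (
+lib.mdDoc "Enables BOINC distributed computing service."
+);
+};
+
+config = lib.mkIf cfg.enable {
+services.boinc = {
+enable = true;
+package = pkgs.boinc-headless;
+dataDir = "/var/lib/boinc";
+extraEnvPackages = [ pkgs.ocl-icd ];
+};
+};
+}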
|
@ -2,10 +2,10 @@
|
|||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
subdomains,
|
||||
...
|
||||
}:
|
||||
let
|
||||
subdomain = "code";
|
||||
cfg = config.host.services.forgejo;
|
||||
|
||||
cli-cfg = config.services.forgejo;
|
||||
|
@ -26,10 +26,11 @@ in
|
|||
{
|
||||
options = {
|
||||
host.services.forgejo = {
|
||||
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Forgejo at boot.");
|
||||
enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service.");
|
||||
home = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Where to store Airsonic's files";
|
||||
description = "Where to store Forgejo's files";
|
||||
};
|
||||
domain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
|
@ -41,7 +42,7 @@ in
|
|||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = [ forgejo-cli ];
|
||||
services = {
|
||||
nginx.virtualHosts."code.${cfg.domain}" = {
|
||||
nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
|
||||
useACMEHost = cfg.domain;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
|
@ -64,8 +65,7 @@ in
|
|||
};
|
||||
|
||||
systemd.services = {
|
||||
forgejo.wantedBy = lib.mkForce [ ];
|
||||
nginx.wants = [ config.systemd.services.forgejo.name ];
|
||||
};
|
||||
} // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
|
||||
};
|
||||
}
|
||||
|
|
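--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+
+let
+cfg = config.host.services.nginx;
+in
+{
+options = {
+host.services.nginx = {
+autostart = lib.mkEnableOption (lib.mdDoc "Whether to autostart Nginx at boot.");
+enable = lib.mkEnableOption (lib.mdDoc "Enable the Nginx web server.");
+
+virtualHosts = lib.mkOption {
+default = { };
+type = lib.types.attrs;
+description = "Virtualhost configurations for Nginx.";
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+services.nginx = {
+enable = true;
+
+# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+
+virtualHosts = cfg.virtualHosts;
+};
+
+# Open ports
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [
+80
+443
+];
+};
+
+# Disable autostart if needed
+systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];
+};
+}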
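Review bot: `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];` on the last line does not actually disable autostart: `wantedBy` is a list option whose definitions are concatenated, so an empty list merges with the upstream nginx module's `[ "multi-user.target" ]` and nginx still starts at boot, which silently defeats the `autostart = false` the Haven host sets. The config this commit replaces used `lib.mkForce [ ]` (visible earlier on this page) and the airsonic/forgejo modules in the same commit keep `mkForce`, so this line should match: `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);`. The comment above the `recommended*` toggles cites the wiki's hardened HSTS-preload setup, but only the gzip/optimisation/TLS presets are applied and no HSTS header is set here; either add that per vhost or reword it to `# Upstream's recommended gzip/optimisation/TLS presets (no HSTS yet)` so a reader does not assume HSTS is on.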
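--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+let
+cfg = config.host.services.ssh;
+in
+{
+options = {
+host.services.ssh = {
+enable = lib.mkEnableOption (lib.mdDoc "Enables SSH server.");
+ports = lib.mkOption {
+default = [ ];
+type = lib.types.listOf lib.types.int;
+description = "Ports for SSH to listen on.";
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+services.openssh = {
+enable = true;
+ports = cfg.ports;
+
+settings = {
+# require public key authentication and disable root logins
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+PubkeyAuthentication = true;
+PermitRootLogin = "no";
+};
+};
+};
+}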
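Review bot: `ports` defaults to `[ ]`, so a host that enables this module without setting it passes an empty list to `services.openssh.ports`; as far as I recall that emits no `Port` directive and sshd falls back to 22, silently undoing the non-default port the Haven host relies on. Default it to `[ 22 ]` or add an assertion that `cfg.ports != [ ]` when enabled, and use `lib.types.listOf lib.types.port` instead of `int` so an out-of-range value is rejected at evaluation time. The hardening in `settings` (`PasswordAuthentication = false`, `KbdInteractiveAuthentication = false`, `PermitRootLogin = "no"`) is carried over from the old host config unchanged, which is good. Minor: wrapping `lib.mdDoc "Enables SSH server."` in `mkEnableOption` renders as "Whether to enable Enables SSH server."; pass just `"the SSH server"`.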
|
|
@ -1 +1 @@
|
|||
Subproject commit 104d68506e51dc5d5526f122747c0da4cbf6756a
|
||||
Subproject commit 1bc67c9f5e4cfc11ff664b9d8a447276408638bd
|