Completely clean up Haven
This commit is contained in:
parent
4c1336d7d4
commit
ff1cb61873
|
@ -23,16 +23,35 @@ in
|
||||||
role = "server";
|
role = "server";
|
||||||
apps.development.kubernetes.enable = true;
|
apps.development.kubernetes.enable = true;
|
||||||
services = {
|
services = {
|
||||||
|
acme = {
|
||||||
|
enable = true;
|
||||||
|
certs = {
|
||||||
|
"${config.secrets.networking.primaryDomain}" = {
|
||||||
|
dnsProvider = "namecheap";
|
||||||
|
extraDomainNames = subdomains;
|
||||||
|
webroot = null; # Required in order to prevent a failed assertion
|
||||||
|
credentialFiles = {
|
||||||
|
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
||||||
|
${config.secrets.networking.namecheap.api.user}
|
||||||
|
''}";
|
||||||
|
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
|
||||||
|
${config.secrets.networking.namecheap.api.key}
|
||||||
|
''}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
apcupsd.enable = true;
|
apcupsd.enable = true;
|
||||||
airsonic = {
|
airsonic = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = config.secrets.networking.primaryDomain;
|
domain = config.secrets.networking.primaryDomain;
|
||||||
home = "/storage/services/airsonic-advanced";
|
home = "/storage/services/airsonic-advanced";
|
||||||
};
|
};
|
||||||
|
boinc.enable = true;
|
||||||
duplicacy-web = {
|
duplicacy-web = {
|
||||||
enable = true;
|
enable = true;
|
||||||
autostart = false;
|
autostart = false;
|
||||||
environment = "${config.users.users.aires.home}";
|
environment = "${config.users.users.aires.home}"; # FIXME: Move to /storage
|
||||||
};
|
};
|
||||||
forgejo = {
|
forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -40,6 +59,24 @@ in
|
||||||
home = "/storage/services/forgejo";
|
home = "/storage/services/forgejo";
|
||||||
};
|
};
|
||||||
msmtp.enable = true;
|
msmtp.enable = true;
|
||||||
|
nginx = {
|
||||||
|
enable = true;
|
||||||
|
autostart = false;
|
||||||
|
virtualHosts = {
|
||||||
|
"${config.secrets.networking.primaryDomain}" = {
|
||||||
|
default = true;
|
||||||
|
enableACME = true; # Enable Let's Encrypt
|
||||||
|
locations."/" = {
|
||||||
|
# Catchall vhost, will redirect users to Forgejo
|
||||||
|
return = "301 https://code.${config.secrets.networking.primaryDomain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ssh = {
|
||||||
|
enable = true;
|
||||||
|
ports = [ config.secrets.hosts.haven.ssh.port ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
users = {
|
users = {
|
||||||
aires = {
|
aires = {
|
||||||
|
@ -53,88 +90,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# TLS certificate renewal via Let's Encrypt
|
# TODO: VPN (Check out Wireguard)
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "${config.secrets.users.aires.email}";
|
|
||||||
|
|
||||||
certs."${config.secrets.networking.primaryDomain}" = {
|
|
||||||
dnsProvider = "namecheap";
|
|
||||||
extraDomainNames = subdomains;
|
|
||||||
webroot = null; # Required in order to prevent a failed assertion
|
|
||||||
credentialFiles = {
|
|
||||||
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
|
||||||
${config.secrets.networking.namecheap.api.user}
|
|
||||||
''}";
|
|
||||||
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
|
|
||||||
${config.secrets.networking.namecheap.api.key}
|
|
||||||
''}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
# /var/lib/acme/.challenges must be writable by the ACME user
|
|
||||||
# and readable by the Nginx user. The easiest way to achieve
|
|
||||||
# this is to add the Nginx user to the ACME group.
|
|
||||||
users.users.nginx.extraGroups = [ "acme" ];
|
|
||||||
|
|
||||||
services = {
|
|
||||||
nginx = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
|
|
||||||
virtualHosts = {
|
|
||||||
# Base URL: make sure we've got Let's Encrypt running challenges here, and all other requests going to HTTPS
|
|
||||||
"${config.secrets.networking.primaryDomain}" = {
|
|
||||||
default = true;
|
|
||||||
enableACME = true;
|
|
||||||
# Catchall vhost, will Redirect users to Forgejo
|
|
||||||
locations."/" = {
|
|
||||||
return = "301 https://code.${config.secrets.networking.primaryDomain}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Enable BOINC (distributed research computing)
|
|
||||||
boinc = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.boinc-headless;
|
|
||||||
dataDir = "/var/lib/boinc";
|
|
||||||
extraEnvPackages = [ pkgs.ocl-icd ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Enable SSH
|
|
||||||
openssh = {
|
|
||||||
enable = true;
|
|
||||||
ports = [ config.secrets.hosts.haven.ssh.port ];
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
# require public key authentication and disable root logins
|
|
||||||
PasswordAuthentication = false;
|
|
||||||
KbdInteractiveAuthentication = false;
|
|
||||||
PubkeyAuthentication = true;
|
|
||||||
PermitRootLogin = "no";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: VPN (Check out Wireguard)
|
|
||||||
};
|
|
||||||
|
|
||||||
# Nginx: Disable autostart, and start sub-services first.
|
|
||||||
systemd.services.nginx.wantedBy = lib.mkForce [ ];
|
|
||||||
|
|
||||||
# Open ports
|
|
||||||
networking.firewall = {
|
|
||||||
enable = true;
|
|
||||||
allowedTCPPorts = [
|
|
||||||
80
|
|
||||||
443
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Add Haven's startup script
|
# Add Haven's startup script
|
||||||
environment.systemPackages = [ start-haven ];
|
environment.systemPackages = [ start-haven ];
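Review bot: The moved `credentialFiles` entries (`NAMECHEAP_API_USER_FILE` / `NAMECHEAP_API_KEY_FILE` under `acme.certs`) still wrap the secret in `pkgs.writeText`, which places the Namecheap API user and key in `/nix/store`; store paths are world-readable on the host and travel with the closure to any binary cache or remote builder it is pushed to, so every local user can read the DNS-provider key that controls the domain's records. Point each entry at a file provisioned outside the store instead (a sops-nix/agenix secret path or a root-owned `/run/secrets/...` file), e.g. `"NAMECHEAP_API_KEY_FILE" = config.secrets.networking.namecheap.api.keyFile;` where the value is a plain path string and the secret itself never enters evaluation. The removed hunk also set `defaults.email` to `config.secrets.users.aires.email`, and the new `acme` block does not set `defaultEmail`, so unless it is set elsewhere the ACME account loses its expiry-notification contact. The `services = { … }` set begins before the first hunk, so its enclosing scope is not visible here.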
|
||||||
|
|
39
modules/services/acme.nix
Normal file
39
modules/services/acme.nix
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.host.services.acme;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
host.services.acme = {
|
||||||
|
enable = lib.mkEnableOption (
|
||||||
|
lib.mdDoc "Enable the ACME client (for Let's Encrypt TLS certificates)."
|
||||||
|
);
|
||||||
|
|
||||||
|
certs = lib.mkOption {
|
||||||
|
default = { };
|
||||||
|
type = lib.types.attrs;
|
||||||
|
description = "Cert configurations for ACME.";
|
||||||
|
};
|
||||||
|
|
||||||
|
defaultEmail = lib.mkOption {
|
||||||
|
default = "";
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Default admin email to use for problems.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = cfg.defaultEmail;
|
||||||
|
certs = cfg.certs;
|
||||||
|
};
|
||||||
|
|
||||||
|
# /var/lib/acme/.challenges must be writable by the ACME user
|
||||||
|
# and readable by the Nginx user. The easiest way to achieve
|
||||||
|
# this is to add the Nginx user to the ACME group.
|
||||||
|
users.users.nginx.extraGroups = lib.mkIf config.host.services.nginx.enable [ "acme" ];
|
||||||
|
};
|
||||||
|
}
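Review bot: `defaultEmail` defaults to `""` and is passed unchanged to `security.acme.defaults.email`, so a host that enables the module without setting it registers the ACME account with an empty contact string rather than with no email; as far as I recall the upstream option is `nullOr str` with a `null` default, and an empty string is not treated as unset. Declare it as `type = lib.types.nullOr lib.types.str; default = null;` and keep `defaults.email = cfg.defaultEmail;` so the unset case passes through as `null`. `certs` is typed `lib.types.attrs`, which validates nothing and merges shallowly across modules (later definitions of the same cert replace earlier ones); `lib.types.attrsOf lib.types.anything` would keep the free-form intent while merging per-cert. The comment about `/var/lib/acme/.challenges` describes the HTTP-01 webroot flow, which does not apply to certs issued via `dnsProvider`, so it is worth saying so, e.g. `# Only needed for HTTP-01 (webroot) challenges; DNS-01 certs do not use it.`.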
|
|
@ -2,15 +2,16 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
subdomains,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
cfg = config.host.services.airsonic;
|
cfg = config.host.services.airsonic;
|
||||||
|
subdomain = "music";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
host.services.airsonic = {
|
host.services.airsonic = {
|
||||||
|
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Airsonic at boot.");
|
||||||
enable = lib.mkEnableOption (lib.mdDoc "Enables Airsonic Advanced media streaming service.");
|
enable = lib.mkEnableOption (lib.mdDoc "Enables Airsonic Advanced media streaming service.");
|
||||||
home = lib.mkOption {
|
home = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
|
@ -28,7 +29,7 @@ in
|
||||||
users.users.airsonic.extraGroups = [ "media" ];
|
users.users.airsonic.extraGroups = [ "media" ];
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
nginx.virtualHosts."music.${cfg.domain}" = {
|
nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
|
||||||
useACMEHost = cfg.domain;
|
useACMEHost = cfg.domain;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
|
@ -53,8 +54,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services = {
|
systemd.services = {
|
||||||
airsonic.wantedBy = lib.mkForce [ ];
|
|
||||||
nginx.wants = [ config.systemd.services.airsonic.name ];
|
nginx.wants = [ config.systemd.services.airsonic.name ];
|
||||||
};
|
} // lib.optionalAttrs (!cfg.autostart) { airsonic.wantedBy = lib.mkForce [ ]; };
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
26
modules/services/boinc.nix
Normal file
26
modules/services/boinc.nix
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.host.services.boinc;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
host.services.boinc.enable = lib.mkEnableOption (
|
||||||
|
lib.mdDoc "Enables BOINC distributed computing service."
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
services.boinc = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.boinc-headless;
|
||||||
|
dataDir = "/var/lib/boinc";
|
||||||
|
extraEnvPackages = [ pkgs.ocl-icd ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -2,10 +2,10 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
subdomains,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
|
subdomain = "code";
|
||||||
cfg = config.host.services.forgejo;
|
cfg = config.host.services.forgejo;
|
||||||
|
|
||||||
cli-cfg = config.services.forgejo;
|
cli-cfg = config.services.forgejo;
|
||||||
|
@ -26,10 +26,11 @@ in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
host.services.forgejo = {
|
host.services.forgejo = {
|
||||||
|
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Forgejo at boot.");
|
||||||
enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service.");
|
enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service.");
|
||||||
home = lib.mkOption {
|
home = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Where to store Airsonic's files";
|
description = "Where to store Forgejo's files";
|
||||||
};
|
};
|
||||||
domain = lib.mkOption {
|
domain = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
|
@ -41,7 +42,7 @@ in
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
environment.systemPackages = [ forgejo-cli ];
|
environment.systemPackages = [ forgejo-cli ];
|
||||||
services = {
|
services = {
|
||||||
nginx.virtualHosts."code.${cfg.domain}" = {
|
nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
|
||||||
useACMEHost = cfg.domain;
|
useACMEHost = cfg.domain;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
|
@ -64,8 +65,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services = {
|
systemd.services = {
|
||||||
forgejo.wantedBy = lib.mkForce [ ];
|
|
||||||
nginx.wants = [ config.systemd.services.forgejo.name ];
|
nginx.wants = [ config.systemd.services.forgejo.name ];
|
||||||
};
|
} // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
44
modules/services/nginx.nix
Normal file
44
modules/services/nginx.nix
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.host.services.nginx;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
host.services.nginx = {
|
||||||
|
autostart = lib.mkEnableOption (lib.mdDoc "Whether to autostart Nginx at boot.");
|
||||||
|
enable = lib.mkEnableOption (lib.mdDoc "Enable the Nginx web server.");
|
||||||
|
|
||||||
|
virtualHosts = lib.mkOption {
|
||||||
|
default = { };
|
||||||
|
type = lib.types.attrs;
|
||||||
|
description = "Virtualhost configurations for Nginx.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
|
virtualHosts = cfg.virtualHosts;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Open ports
|
||||||
|
networking.firewall = {
|
||||||
|
enable = true;
|
||||||
|
allowedTCPPorts = [
|
||||||
|
80
|
||||||
|
443
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Disable autostart if needed
|
||||||
|
systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];
|
||||||
|
};
|
||||||
|
}
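Review bot: `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];` does not disable autostart: `wantedBy` is a list option, so an empty list merely merges with the `[ "multi-user.target" ]` contributed by the upstream nginx module and the service still starts at boot. The host config this replaces used `lib.mkForce [ ]` (and the airsonic and forgejo modules in this same commit still do); the equivalent here is `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);`. The `autostart` description could also state what the option actually controls, e.g. `"Start Nginx at boot; when false it is only started by services that declare wants on it."`.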
|
32
modules/services/ssh.nix
Normal file
32
modules/services/ssh.nix
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.host.services.ssh;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
host.services.ssh = {
|
||||||
|
enable = lib.mkEnableOption (lib.mdDoc "Enables SSH server.");
|
||||||
|
ports = lib.mkOption {
|
||||||
|
default = [ ];
|
||||||
|
type = lib.types.listOf lib.types.int;
|
||||||
|
description = "Ports for SSH to listen on.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
ports = cfg.ports;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
# require public key authentication and disable root logins
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
KbdInteractiveAuthentication = false;
|
||||||
|
PubkeyAuthentication = true;
|
||||||
|
PermitRootLogin = "no";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
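Review bot: `ports` defaults to `[ ]` and is passed straight to `services.openssh.ports`; if I read the NixOS sshd module correctly, an empty list produces no `Port` directive, so sshd falls back to its built-in 22 while the module's firewall rule opens nothing — the daemon runs but on a port this configuration never declared, which is confusing at best and, with the firewall disabled, exposes an undeclared port. Make the value mandatory and range-checked: `ports = lib.mkOption { type = lib.types.listOf lib.types.port; description = "Ports for SSH to listen on."; };` (no default) so evaluation fails when a host enables SSH without choosing ports. The hardening settings (`PasswordAuthentication = false`, `KbdInteractiveAuthentication = false`, `PermitRootLogin = "no"`) are carried over from the old host config unchanged, so nothing regresses there.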
|
|
@ -1 +1 @@
|
||||||
Subproject commit 104d68506e51dc5d5526f122747c0da4cbf6756a
|
Subproject commit 1bc67c9f5e4cfc11ff664b9d8a447276408638bd
|