
Completely clean up Haven

This commit is contained in:
Aires 2024-05-20 20:52:57 -04:00
parent 4c1336d7d4
commit ff1cb61873
8 changed files with 190 additions and 93 deletions


@ -23,16 +23,35 @@ in
role = "server"; role = "server";
apps.development.kubernetes.enable = true; apps.development.kubernetes.enable = true;
services = { services = {
acme = {
enable = true;
certs = {
"${config.secrets.networking.primaryDomain}" = {
dnsProvider = "namecheap";
extraDomainNames = subdomains;
webroot = null; # Required in order to prevent a failed assertion
credentialFiles = {
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
${config.secrets.networking.namecheap.api.user}
''}";
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
${config.secrets.networking.namecheap.api.key}
''}";
};
};
};
};
apcupsd.enable = true; apcupsd.enable = true;
airsonic = { airsonic = {
enable = true; enable = true;
domain = config.secrets.networking.primaryDomain; domain = config.secrets.networking.primaryDomain;
home = "/storage/services/airsonic-advanced"; home = "/storage/services/airsonic-advanced";
}; };
boinc.enable = true;
duplicacy-web = { duplicacy-web = {
enable = true; enable = true;
autostart = false; autostart = false;
environment = "${config.users.users.aires.home}"; environment = "${config.users.users.aires.home}"; # FIXME: Move to /storage
}; };
forgejo = { forgejo = {
enable = true; enable = true;
@ -40,6 +59,24 @@ in
home = "/storage/services/forgejo"; home = "/storage/services/forgejo";
}; };
msmtp.enable = true; msmtp.enable = true;
nginx = {
enable = true;
autostart = false;
virtualHosts = {
"${config.secrets.networking.primaryDomain}" = {
default = true;
enableACME = true; # Enable Let's Encrypt
locations."/" = {
# Catchall vhost, will redirect users to Forgejo
return = "301 https://code.${config.secrets.networking.primaryDomain}";
};
};
};
};
ssh = {
enable = true;
ports = [ config.secrets.hosts.haven.ssh.port ];
};
}; };
users = { users = {
aires = { aires = {
@ -53,88 +90,7 @@ in
}; };
}; };
# TLS certificate renewal via Let's Encrypt # TODO: VPN (Check out Wireguard)
security.acme = {
acceptTerms = true;
defaults.email = "${config.secrets.users.aires.email}";
certs."${config.secrets.networking.primaryDomain}" = {
dnsProvider = "namecheap";
extraDomainNames = subdomains;
webroot = null; # Required in order to prevent a failed assertion
credentialFiles = {
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
${config.secrets.networking.namecheap.api.user}
''}";
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
${config.secrets.networking.namecheap.api.key}
''}";
};
};
};
# /var/lib/acme/.challenges must be writable by the ACME user
# and readable by the Nginx user. The easiest way to achieve
# this is to add the Nginx user to the ACME group.
users.users.nginx.extraGroups = [ "acme" ];
services = {
nginx = {
enable = true;
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
# Base URL: make sure we've got Let's Encrypt running challenges here, and all other requests going to HTTPS
"${config.secrets.networking.primaryDomain}" = {
default = true;
enableACME = true;
# Catchall vhost, will Redirect users to Forgejo
locations."/" = {
return = "301 https://code.${config.secrets.networking.primaryDomain}";
};
};
};
};
# Enable BOINC (distributed research computing)
boinc = {
enable = true;
package = pkgs.boinc-headless;
dataDir = "/var/lib/boinc";
extraEnvPackages = [ pkgs.ocl-icd ];
};
# Enable SSH
openssh = {
enable = true;
ports = [ config.secrets.hosts.haven.ssh.port ];
settings = {
# require public key authentication and disable root logins
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PubkeyAuthentication = true;
PermitRootLogin = "no";
};
};
# TODO: VPN (Check out Wireguard)
};
# Nginx: Disable autostart, and start sub-services first.
systemd.services.nginx.wantedBy = lib.mkForce [ ];
# Open ports
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Add Haven's startup script # Add Haven's startup script
environment.systemPackages = [ start-haven ]; environment.systemPackages = [ start-haven ];
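Review bot: The Let's Encrypt contact address is lost in this section: the removed `defaults.email = "${config.secrets.users.aires.email}";` under `security.acme` (third hunk) has no counterpart in the new `services.acme` block of the first hunk, so the wrapper module's `defaultEmail` default takes effect and the CA account is created without a working address. Add `defaultEmail = config.secrets.users.aires.email;` next to `certs` in that block. Separately, the Namecheap API user and key are still materialised with `pkgs.writeText`, which places both values in the world-readable Nix store (and in any binary cache the store is pushed to); `credentialFiles` accepts an arbitrary path, so pointing it at a file provisioned outside the store at activation time would keep the credentials out of `/nix/store`. The enclosing attribute set starts before the first hunk and its closing brace is outside this section.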

39
modules/services/acme.nix Normal file

@ -0,0 +1,39 @@
{ config, lib, ... }:
let
cfg = config.host.services.acme;
in
{
options = {
host.services.acme = {
enable = lib.mkEnableOption (
lib.mdDoc "Enable the ACME client (for Let's Encrypt TLS certificates)."
);
certs = lib.mkOption {
default = { };
type = lib.types.attrs;
description = "Cert configurations for ACME.";
};
defaultEmail = lib.mkOption {
default = "";
type = lib.types.str;
description = "Default admin email to use for problems.";
};
};
};
config = lib.mkIf cfg.enable {
security.acme = {
acceptTerms = true;
defaults.email = cfg.defaultEmail;
certs = cfg.certs;
};
# /var/lib/acme/.challenges must be writable by the ACME user
# and readable by the Nginx user. The easiest way to achieve
# this is to add the Nginx user to the ACME group.
users.users.nginx.extraGroups = lib.mkIf config.host.services.nginx.enable [ "acme" ];
};
}
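Review bot: `defaultEmail` defaults to `""` and is passed unchanged into `security.acme.defaults.email`, so a host that enables this module without setting it registers with the CA using an empty contact address instead of failing at evaluation. The upstream option is `nullOr str` defaulting to `null`, and if I recall the upstream module correctly it asserts that an address is present, so mirroring it with `type = lib.types.nullOr lib.types.str; default = null;` would surface the omission at build time. The `certs` option is typed `lib.types.attrs`, which disables per-certificate option checking and deep merging of definitions from several modules; `lib.types.attrsOf lib.types.anything` (or a submodule over the upstream cert options) preserves both.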


@ -2,15 +2,16 @@
pkgs, pkgs,
config, config,
lib, lib,
subdomains,
... ...
}: }:
let let
cfg = config.host.services.airsonic; cfg = config.host.services.airsonic;
subdomain = "music";
in in
{ {
options = { options = {
host.services.airsonic = { host.services.airsonic = {
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Airsonic at boot.");
enable = lib.mkEnableOption (lib.mdDoc "Enables Airsonic Advanced media streaming service."); enable = lib.mkEnableOption (lib.mdDoc "Enables Airsonic Advanced media streaming service.");
home = lib.mkOption { home = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@ -28,7 +29,7 @@ in
users.users.airsonic.extraGroups = [ "media" ]; users.users.airsonic.extraGroups = [ "media" ];
services = { services = {
nginx.virtualHosts."music.${cfg.domain}" = { nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
useACMEHost = cfg.domain; useACMEHost = cfg.domain;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -53,8 +54,7 @@ in
}; };
systemd.services = { systemd.services = {
airsonic.wantedBy = lib.mkForce [ ];
nginx.wants = [ config.systemd.services.airsonic.name ]; nginx.wants = [ config.systemd.services.airsonic.name ];
}; } // lib.optionalAttrs (!cfg.autostart) { airsonic.wantedBy = lib.mkForce [ ]; };
}; };
} }
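Review bot: The `// lib.optionalAttrs (!cfg.autostart) { airsonic.wantedBy = lib.mkForce [ ]; }` at the end of the last hunk mixes plain attribute-set merging with module-system conditionals where a single conditional definition would do; `airsonic.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);` placed inside the `systemd.services` set reads like the rest of the module and avoids a `//` precedence surprise when a sibling attribute is added later. The same construct appears in the last hunk of forgejo.nix. Since `autostart` is a `mkEnableOption` (default false), hosts that enabled Airsonic before this commit keep the previous non-autostart behaviour, which is worth a one-line comment on the option.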


@ -0,0 +1,26 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.host.services.boinc;
in
{
options = {
host.services.boinc.enable = lib.mkEnableOption (
lib.mdDoc "Enables BOINC distributed computing service."
);
};
config = lib.mkIf cfg.enable {
services.boinc = {
enable = true;
package = pkgs.boinc-headless;
dataDir = "/var/lib/boinc";
extraEnvPackages = [ pkgs.ocl-icd ];
};
};
}


@ -2,10 +2,10 @@
pkgs, pkgs,
config, config,
lib, lib,
subdomains,
... ...
}: }:
let let
subdomain = "code";
cfg = config.host.services.forgejo; cfg = config.host.services.forgejo;
cli-cfg = config.services.forgejo; cli-cfg = config.services.forgejo;
@ -26,10 +26,11 @@ in
{ {
options = { options = {
host.services.forgejo = { host.services.forgejo = {
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Forgejo at boot.");
enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service."); enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service.");
home = lib.mkOption { home = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Where to store Airsonic's files"; description = "Where to store Forgejo's files";
}; };
domain = lib.mkOption { domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@ -41,7 +42,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ forgejo-cli ]; environment.systemPackages = [ forgejo-cli ];
services = { services = {
nginx.virtualHosts."code.${cfg.domain}" = { nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
useACMEHost = cfg.domain; useACMEHost = cfg.domain;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -64,8 +65,7 @@ in
}; };
systemd.services = { systemd.services = {
forgejo.wantedBy = lib.mkForce [ ];
nginx.wants = [ config.systemd.services.forgejo.name ]; nginx.wants = [ config.systemd.services.forgejo.name ];
}; } // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
}; };
} }


@ -0,0 +1,44 @@
{ config, lib, ... }:
let
cfg = config.host.services.nginx;
in
{
options = {
host.services.nginx = {
autostart = lib.mkEnableOption (lib.mdDoc "Whether to autostart Nginx at boot.");
enable = lib.mkEnableOption (lib.mdDoc "Enable the Nginx web server.");
virtualHosts = lib.mkOption {
default = { };
type = lib.types.attrs;
description = "Virtualhost configurations for Nginx.";
};
};
};
config = lib.mkIf cfg.enable {
services.nginx = {
enable = true;
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = cfg.virtualHosts;
};
# Open ports
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Disable autostart if needed
systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];
};
}
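Review bot: `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];` does not disable autostart: the NixOS nginx module also defines `wantedBy = [ "multi-user.target" ]` for the unit, and list options merge by concatenation, so an empty list at normal priority is a no-op and nginx still starts at boot. The host configuration this module replaces used `lib.mkForce [ ]`, and that override priority is what made it work; keep it with `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);`. The comment `# Disable autostart if needed` should also say that the dependent services (`nginx.wants` in the service modules) are what bring nginx up when autostart is off.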

32
modules/services/ssh.nix Normal file

@ -0,0 +1,32 @@
{ config, lib, ... }:
let
cfg = config.host.services.ssh;
in
{
options = {
host.services.ssh = {
enable = lib.mkEnableOption (lib.mdDoc "Enables SSH server.");
ports = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.int;
description = "Ports for SSH to listen on.";
};
};
};
config = lib.mkIf cfg.enable {
services.openssh = {
enable = true;
ports = cfg.ports;
settings = {
# require public key authentication and disable root logins
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PubkeyAuthentication = true;
PermitRootLogin = "no";
};
};
};
}
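Review bot: `ports` is typed `lib.types.listOf lib.types.int` with default `[ ]`, while the upstream `services.openssh.ports` option uses `lib.types.port`, which rejects out-of-range values at evaluation time; `type = lib.types.listOf lib.types.port;` is the closer match. With the empty default no `Port` directive is emitted, so sshd falls back to its built-in port while the firewall exception that upstream derives from `ports` stays empty — if that reading of the upstream module is right, a host that enables this module without setting `ports` ends up unreachable over SSH, and either a default of `[ 22 ]` or omitting `default` so the option must be set would make the intent explicit. The key-only, no-root-login settings carried over from the host config are unchanged.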

@ -1 +1 @@
Subproject commit 104d68506e51dc5d5526f122747c0da4cbf6756a Subproject commit 1bc67c9f5e4cfc11ff664b9d8a447276408638bd