
Completely clean up Haven

This commit is contained in:
Aires 2024-05-20 20:52:57 -04:00
parent 4c1336d7d4
commit ff1cb61873
8 changed files with 190 additions and 93 deletions


@ -23,42 +23,10 @@ in
role = "server";
apps.development.kubernetes.enable = true;
services = {
apcupsd.enable = true;
airsonic = {
acme = {
enable = true;
domain = config.secrets.networking.primaryDomain;
home = "/storage/services/airsonic-advanced";
};
duplicacy-web = {
enable = true;
autostart = false;
environment = "${config.users.users.aires.home}";
};
forgejo = {
enable = true;
domain = config.secrets.networking.primaryDomain;
home = "/storage/services/forgejo";
};
msmtp.enable = true;
};
users = {
aires = {
enable = true;
services.syncthing = {
enable = true;
autostart = false;
};
};
media.enable = true;
};
};
# TLS certificate renewal via Let's Encrypt
security.acme = {
acceptTerms = true;
defaults.email = "${config.secrets.users.aires.email}";
certs."${config.secrets.networking.primaryDomain}" = {
certs = {
"${config.secrets.networking.primaryDomain}" = {
dnsProvider = "namecheap";
extraDomainNames = subdomains;
webroot = null; # Required in order to prevent a failed assertion
@ -72,69 +40,57 @@ in
};
};
};
# /var/lib/acme/.challenges must be writable by the ACME user
# and readable by the Nginx user. The easiest way to achieve
# this is to add the Nginx user to the ACME group.
users.users.nginx.extraGroups = [ "acme" ];
services = {
};
apcupsd.enable = true;
airsonic = {
enable = true;
domain = config.secrets.networking.primaryDomain;
home = "/storage/services/airsonic-advanced";
};
boinc.enable = true;
duplicacy-web = {
enable = true;
autostart = false;
environment = "${config.users.users.aires.home}"; # FIXME: Move to /storage
};
forgejo = {
enable = true;
domain = config.secrets.networking.primaryDomain;
home = "/storage/services/forgejo";
};
msmtp.enable = true;
nginx = {
enable = true;
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
autostart = false;
virtualHosts = {
# Base URL: make sure we've got Let's Encrypt running challenges here, and all other requests going to HTTPS
"${config.secrets.networking.primaryDomain}" = {
default = true;
enableACME = true;
# Catchall vhost, will Redirect users to Forgejo
enableACME = true; # Enable Let's Encrypt
locations."/" = {
# Catchall vhost, will redirect users to Forgejo
return = "301 https://code.${config.secrets.networking.primaryDomain}";
};
};
};
};
# Enable BOINC (distributed research computing)
boinc = {
enable = true;
package = pkgs.boinc-headless;
dataDir = "/var/lib/boinc";
extraEnvPackages = [ pkgs.ocl-icd ];
};
# Enable SSH
openssh = {
ssh = {
enable = true;
ports = [ config.secrets.hosts.haven.ssh.port ];
settings = {
# require public key authentication and disable root logins
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PubkeyAuthentication = true;
PermitRootLogin = "no";
};
};
users = {
aires = {
enable = true;
services.syncthing = {
enable = true;
autostart = false;
};
};
media.enable = true;
};
};
# TODO: VPN (Check out Wireguard)
};
# Nginx: Disable autostart, and start sub-services first.
systemd.services.nginx.wantedBy = lib.mkForce [ ];
# Open ports
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Add Haven's startup script
environment.systemPackages = [ start-haven ];
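Review bot: The catchall vhost for `"${config.secrets.networking.primaryDomain}"` sets `enableACME = true` but neither `forceSSL` nor `addSSL`, so as written it only answers plain HTTP with the 301 to the code subdomain and an HTTPS request to the bare domain is not served; the per-vhost ACME request is presumably also what makes the `webroot = null` workaround on the certificate necessary. If the bare domain should be reachable over TLS, `useACMEHost = config.secrets.networking.primaryDomain; forceSSL = true;` in place of `enableACME = true` would attach it to the DNS-validated certificate the same way the airsonic and forgejo vhosts in this commit do. If HTTP-only on the apex is intended, a one-line comment saying so next to `default = true;` would save the next reader the question. The enclosing module body starts before the hunk and appears to continue past it.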

39
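--- a/modules/services/acme.nix
+++ b/modules/services/acme.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+cfg = config.host.services.acme;
+in
+{
+options = {
+host.services.acme = {
+enable = lib.mkEnableOption (
+lib.mdDoc "Enable the ACME client (for Let's Encrypt TLS certificates)."
+);
+certs = lib.mkOption {
+default = { };
+type = lib.types.attrs;
+description = "Cert configurations for ACME.";
+};
+defaultEmail = lib.mkOption {
+default = "";
+type = lib.types.str;
+description = "Default admin email to use for problems.";
+};
+};
+};
+config = lib.mkIf cfg.enable {
+security.acme = {
+acceptTerms = true;
+defaults.email = cfg.defaultEmail;
+certs = cfg.certs;
+};
+# /var/lib/acme/.challenges must be writable by the ACME user
+# and readable by the Nginx user. The easiest way to achieve
+# this is to add the Nginx user to the ACME group.
+users.users.nginx.extraGroups = lib.mkIf config.host.services.nginx.enable [ "acme" ];
+};
+}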
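Review bot: `defaults.email = cfg.defaultEmail;` is assigned unconditionally, so with the option's `default = ""` a host that never sets an email hands an empty string to the ACME client instead of leaving the upstream default untouched. Declaring `defaultEmail` with `type = lib.types.nullOr lib.types.str; default = null;` (which I believe is what `security.acme.defaults.email` itself accepts) keeps the upstream behaviour when unset, and the description could read `"Contact email registered with the ACME provider (used for expiry and problem notices)."`. The `certs` option typed as `lib.types.attrs` defers all checking of the cert definitions until they reach `security.acme.certs`; that is workable but deserves a comment on the option saying the values are passed through unchecked.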


@ -2,15 +2,16 @@
pkgs,
config,
lib,
subdomains,
...
}:
let
cfg = config.host.services.airsonic;
subdomain = "music";
in
{
options = {
host.services.airsonic = {
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Airsonic at boot.");
enable = lib.mkEnableOption (lib.mdDoc "Enables Airsonic Advanced media streaming service.");
home = lib.mkOption {
type = lib.types.str;
@ -28,7 +29,7 @@ in
users.users.airsonic.extraGroups = [ "media" ];
services = {
nginx.virtualHosts."music.${cfg.domain}" = {
nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
useACMEHost = cfg.domain;
forceSSL = true;
locations."/" = {
@ -53,8 +54,7 @@ in
};
systemd.services = {
airsonic.wantedBy = lib.mkForce [ ];
nginx.wants = [ config.systemd.services.airsonic.name ];
};
} // lib.optionalAttrs (!cfg.autostart) { airsonic.wantedBy = lib.mkForce [ ]; };
};
}
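Review bot: `} // lib.optionalAttrs (!cfg.autostart) { airsonic.wantedBy = lib.mkForce [ ]; };` merges the override into `systemd.services` with a shallow `//`, which only works because the left-hand set has no `airsonic` key yet; if one is added later the `//` silently replaces it. `airsonic.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);` inside the set expresses the same conditional through the module system and survives that. The forgejo module hunk in this commit uses the identical pattern. The `autostart` option would also benefit from a one-line comment noting that when it is off the unit is still pulled in by `nginx.wants`, so it starts with Nginx rather than never.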


@ -0,0 +1,26 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.host.services.boinc;
in
{
options = {
host.services.boinc.enable = lib.mkEnableOption (
lib.mdDoc "Enables BOINC distributed computing service."
);
};
config = lib.mkIf cfg.enable {
services.boinc = {
enable = true;
package = pkgs.boinc-headless;
dataDir = "/var/lib/boinc";
extraEnvPackages = [ pkgs.ocl-icd ];
};
};
}


@ -2,10 +2,10 @@
pkgs,
config,
lib,
subdomains,
...
}:
let
subdomain = "code";
cfg = config.host.services.forgejo;
cli-cfg = config.services.forgejo;
@ -26,10 +26,11 @@ in
{
options = {
host.services.forgejo = {
autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Forgejo at boot.");
enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service.");
home = lib.mkOption {
type = lib.types.str;
description = "Where to store Airsonic's files";
description = "Where to store Forgejo's files";
};
domain = lib.mkOption {
type = lib.types.str;
@ -41,7 +42,7 @@ in
config = lib.mkIf cfg.enable {
environment.systemPackages = [ forgejo-cli ];
services = {
nginx.virtualHosts."code.${cfg.domain}" = {
nginx.virtualHosts."${subdomain}.${cfg.domain}" = {
useACMEHost = cfg.domain;
forceSSL = true;
locations."/" = {
@ -64,8 +65,7 @@ in
};
systemd.services = {
forgejo.wantedBy = lib.mkForce [ ];
nginx.wants = [ config.systemd.services.forgejo.name ];
};
} // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
};
}


@ -0,0 +1,44 @@
{ config, lib, ... }:
let
cfg = config.host.services.nginx;
in
{
options = {
host.services.nginx = {
autostart = lib.mkEnableOption (lib.mdDoc "Whether to autostart Nginx at boot.");
enable = lib.mkEnableOption (lib.mdDoc "Enable the Nginx web server.");
virtualHosts = lib.mkOption {
default = { };
type = lib.types.attrs;
description = "Virtualhost configurations for Nginx.";
};
};
};
config = lib.mkIf cfg.enable {
services.nginx = {
enable = true;
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = cfg.virtualHosts;
};
# Open ports
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Disable autostart if needed
systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];
};
}
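Review bot: `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) [ ];` on the last line of the config block does not disable autostart: `wantedBy` is a list option, so the empty list is merged with the `[ "multi-user.target" ]` the upstream nginx module contributes and the unit still starts at boot. The host file this replaces used `lib.mkForce [ ]` for exactly this reason, and the airsonic and forgejo modules in this commit keep `mkForce`; `systemd.services.nginx.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);` restores the old behaviour. The haven host sets `nginx.autostart = false` and currently relies on this working.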

32
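--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+let
+cfg = config.host.services.ssh;
+in
+{
+options = {
+host.services.ssh = {
+enable = lib.mkEnableOption (lib.mdDoc "Enables SSH server.");
+ports = lib.mkOption {
+default = [ ];
+type = lib.types.listOf lib.types.int;
+description = "Ports for SSH to listen on.";
+};
+};
+};
+config = lib.mkIf cfg.enable {
+services.openssh = {
+enable = true;
+ports = cfg.ports;
+settings = {
+# require public key authentication and disable root logins
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+PubkeyAuthentication = true;
+PermitRootLogin = "no";
+};
+};
+};
+}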
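Review bot: `ports` is typed `lib.types.listOf lib.types.int` with `default = [ ]`, and that empty list is passed straight to `services.openssh.ports`, replacing the NixOS default of `[ 22 ]`; I believe that also leaves the module's firewall opening with no port to open, so a host that enables the service without naming a port ends up with an unreachable daemon — worth confirming. `type = lib.types.listOf lib.types.port; default = [ 22 ];` keeps the option usable out of the box and rejects out-of-range values at evaluation time. The hardened `settings` block is fine; a short comment noting that `PubkeyAuthentication = true` is already the upstream default and is stated here so the intent is explicit would help a later reader.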

@ -1 +1 @@
Subproject commit 104d68506e51dc5d5526f122747c0da4cbf6756a
Subproject commit 1bc67c9f5e4cfc11ff664b9d8a447276408638bd