alarsyo/nixos-config
alarsyo/nixos-config
1
1
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: alarsyo:37f19dfb2ee64266e13445ebafa6ca15c2fd9a70
Branches Tags
alarsyo:main
alarsyo:framework
alarsyo:matrix-synapse-auto-compress
alarsyo:tmux-thumbs
...
compare: alarsyo:4f96a73d49be1153978d2cbe1cbe3d680e409437
Branches Tags
alarsyo:main
alarsyo:framework
alarsyo:matrix-synapse-auto-compress
alarsyo:tmux-thumbs

3 commits
37f19dfb2e ... 4f96a73d49

Author SHA1 Message Date
Antoine Martin 4f96a73d49 hosts: move miniflux from poseidon to hades 2022-06-12 17:59:41 +02:00
Antoine Martin e635fec1f9 flake.lock: Update 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e0169d7a9d324afebf5679551407756c77af8930' (2022-06-08)
  → 'github:NixOS/nixpkgs/90cd5459a1fd707819b9a3fb9c852beaaac3b79a' (2022-06-11)
• Updated input 'nixpkgs-unstable-small':
    'github:NixOS/nixpkgs/a58de450c514aa1bc5a4999f92656ab6b600dc59' (2022-06-10)
  → 'github:NixOS/nixpkgs/d64abb978cc2fa4b88b074a64d1b456183c8db17' (2022-06-12)
 2022-06-12 17:20:12 +02:00
Antoine Martin 2725d66646 services: use subdomain for ACME cert 
Avoids conflicts now that I have multiple servers sharing the config
 2022-06-12 17:18:58 +02:00
20 changed files with 88 additions and 33 deletions
Show stats Expand all files Collapse all files

12
flake.lock
View file

@ -109,11 +109,11 @@
},
"nixpkgs-unstable-small": {
"locked": {
"lastModified": 1654819923,
"narHash": "sha256-s3m3dbCVWw7XAFbkIJyPKtlqgbcDD+2BrBOGTRn0fIw=",
"lastModified": 1655000332,
"narHash": "sha256-G4rs6nRox0146D6uI+zLxl8PwKXEO4PngyNXtY82DJI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a58de450c514aa1bc5a4999f92656ab6b600dc59",
"rev": "d64abb978cc2fa4b88b074a64d1b456183c8db17",
"type": "github"
},
"original": {
@ -125,11 +125,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1654682581,
"narHash": "sha256-Jb1PQCwKgwdNAp907eR5zPzuxV+kRroA3UIxUxCMJ9s=",
"lastModified": 1654953433,
"narHash": "sha256-TwEeh4r50NdWHFAHQSyjCk2cZxgwUfcCCAJOhPdXB28=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e0169d7a9d324afebf5679551407756c77af8930",
"rev": "90cd5459a1fd707819b9a3fb9c852beaaac3b79a",
"type": "github"
},
"original": {

6
hosts/hades/default.nix
View file

@ -57,6 +57,12 @@ in {
my.services = {
fail2ban.enable = true;
miniflux = {
enable = true;
adminCredentialsFile = config.age.secrets."miniflux/admin-credentials".path;
privatePort = 8080;
};
restic-backup = {
enable = true;
repo = "b2:hades-backup-alarsyo";

2
hosts/hades/secrets.nix
View file

@ -13,6 +13,8 @@
// attrs;
in
lib.mapAttrs toSecret {
"miniflux/admin-credentials" = {};
"restic-backup/hades-credentials" = {};
"restic-backup/hades-password" = {};

6
hosts/poseidon/default.nix
View file

@ -96,12 +96,6 @@ in {
port = 8083;
};
miniflux = {
enable = true;
adminCredentialsFile = config.age.secrets."miniflux/admin-credentials".path;
privatePort = 8080;
};
matrix = {
enable = true;
secretConfigFile = config.age.secrets."matrix-synapse/secret-config".path;

2
hosts/poseidon/secrets.nix
View file

@ -21,8 +21,6 @@
owner = "matrix-synapse";
};
"miniflux/admin-credentials" = {};
"nextcloud/admin-pass" = {
owner = "nextcloud";
};

BIN
modules/secrets/miniflux/admin-credentials.age
View file

Binary file not shown.

2
modules/secrets/secrets.nix
View file

@ -17,7 +17,7 @@ in {
"matrix-synapse/secret-config.age".publicKeys = [alarsyo poseidon];
"miniflux/admin-credentials.age".publicKeys = [alarsyo poseidon];
"miniflux/admin-credentials.age".publicKeys = [alarsyo hades];
"nextcloud/admin-pass.age".publicKeys = [alarsyo poseidon];

8
services/fava.nix
View file

@ -13,7 +13,11 @@
cfg = config.my.services.fava;
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
secrets = config.my.secrets;
in {
options.my.services.fava = let
@ -65,7 +69,7 @@ in {
services.nginx.virtualHosts = {
"fava.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
listen = [
# FIXME: hardcoded tailscale IP
@ -86,5 +90,7 @@ in {
};
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"];
};
}

6
services/gitea/default.nix
View file

@ -15,6 +15,8 @@
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.gitea = let
inherit (lib) types;
@ -101,7 +103,7 @@ in {
virtualHosts = {
"git.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
@ -110,6 +112,8 @@ in {
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["git.${domain}"];
systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates";
};
}

6
services/jellyfin.nix
View file

@ -14,6 +14,8 @@
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
# hardcoded in NixOS module :(
jellyfinPort = 8096;
@ -31,12 +33,14 @@ in {
# Proxy to Jellyfin
services.nginx.virtualHosts."jellyfin.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations."/" = {
proxyPass = "http://localhost:${toString jellyfinPort}/";
proxyWebsockets = true;
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["jellyfin.${domain}"];
};
}

8
services/lohr.nix
View file

@ -13,7 +13,11 @@
cfg = config.my.services.lohr;
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
secrets = config.my.secrets;
lohrPkg = let
flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd";
@ -73,12 +77,14 @@ in {
services.nginx.virtualHosts = {
"lohr.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["lohr.${domain}"];
};
}

13
services/matrix.nix
View file

@ -32,7 +32,10 @@
public = 443;
private = 11339;
};
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.matrix = let
inherit (lib) types;
@ -147,7 +150,7 @@ in {
virtualHosts = {
"matrix.${domain}" = {
onlySSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations = let
proxyToClientPort = {
@ -181,7 +184,7 @@ in {
"matrix.${domain}_federation" = rec {
onlySSL = true;
serverName = "matrix.${domain}";
useACMEHost = domain;
useACMEHost = fqdn;
locations."/".return = "404";
@ -205,7 +208,7 @@ in {
"${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations."= /.well-known/matrix/server".extraConfig = let
server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";};
@ -230,7 +233,7 @@ in {
# Element Web app deployment
#
"chat.${domain}" = {
useACMEHost = domain;
useACMEHost = fqdn;
forceSSL = true;
root = pkgs.element-web.override {
@ -259,6 +262,8 @@ in {
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain];
# For administration tools.
environment.systemPackages = [pkgs.matrix-synapse];

6
services/miniflux.nix
View file

@ -15,6 +15,8 @@
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.miniflux = let
inherit (lib) types;
@ -60,7 +62,7 @@ in {
virtualHosts = {
"reader.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
@ -68,5 +70,7 @@ in {
};
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["reader.${domain}"];
};
}

8
services/monitoring.nix
View file

@ -13,6 +13,8 @@
cfg = config.my.services.monitoring;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.monitoring = let
inherit (lib) types;
@ -103,15 +105,17 @@ in {
};
services.nginx = {
virtualHosts.${config.services.grafana.domain} = {
virtualHosts.${cfg.domain} = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
};
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
};
};
security.acme.certs.${fqdn}.extraDomainNames = [cfg.domain];
};
}

6
services/navidrome.nix
View file

@ -14,6 +14,8 @@
cfg = config.my.services.navidrome;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.navidrome = let
inherit (lib) types;
@ -46,7 +48,7 @@ in {
services.nginx.virtualHosts."music.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
listen = [
# FIXME: hardcoded tailscale IP
@ -67,5 +69,7 @@ in {
proxyWebsockets = true;
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["music.${domain}"];
};
}

6
services/nextcloud.nix
View file

@ -16,6 +16,8 @@ let
cfg = config.my.services.nextcloud;
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
dbName = "nextcloud";
in {
options.my.services.nextcloud = let
@ -85,11 +87,13 @@ in {
virtualHosts = {
"cloud.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
};
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["cloud.${domain}"];
my.services.restic-backup = let
nextcloudHome = config.services.nextcloud.home;
in

5
services/nginx.nix
View file

@ -54,10 +54,11 @@ in {
certs = let
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
gandiKey = config.my.secrets.gandiKey;
in {
"${domain}" = {
extraDomainNames = ["*.${domain}"];
"${fqdn}" = {
dnsProvider = "gandiv5";
credentialsFile = config.age.secrets."gandi/api-key".path;
group = "nginx";

6
services/paperless.nix
View file

@ -14,6 +14,8 @@
cfg = config.my.services.paperless;
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
paperlessDomain = "paperless.${domain}";
in {
options.my.services.paperless = let
@ -99,7 +101,7 @@ in {
services.nginx.virtualHosts = {
"${paperlessDomain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
listen = [
# FIXME: hardcoded tailscale IP
@ -122,6 +124,8 @@ in {
};
};
security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain];
my.services.restic-backup = mkIf cfg.enable {
paths = [
config.services.paperless.dataDir

7
services/transmission.nix
View file

@ -14,6 +14,8 @@
cfg = config.my.services.transmission;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
webuiDomain = "transmission.${domain}";
transmissionRpcPort = 9091;
@ -73,7 +75,7 @@ in {
services.nginx.virtualHosts."${webuiDomain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
@ -91,5 +93,8 @@ in {
}
];
};
security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain];
};
}

6
services/vaultwarden.nix
View file

@ -15,6 +15,8 @@
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.vaultwarden = let
inherit (lib) types;
@ -68,7 +70,7 @@ in {
virtualHosts = {
"pass.${domain}" = {
forceSSL = true;
useACMEHost = domain;
useACMEHost = fqdn;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
@ -86,6 +88,8 @@ in {
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"];
# FIXME: should be renamed to vaultwarden eventually
my.services.restic-backup = mkIf cfg.enable {
paths = ["/var/lib/bitwarden_rs"];