diff --git a/machine-confs/cert-store.nix b/machine-confs/cert-store.nix index 93e3e0c..2c83775 100644 --- a/machine-confs/cert-store.nix +++ b/machine-confs/cert-store.nix @@ -4,7 +4,7 @@ imports = [ ../base.nix - ../services/acme-cert-store.nix + ../servers/acme-cert-store.nix ]; #Many installs will need this, and it won't hurt either way diff --git a/machine-confs/forgejo.nix b/machine-confs/forgejo.nix index 53f4f78..e7ad024 100644 --- a/machine-confs/forgejo.nix +++ b/machine-confs/forgejo.nix @@ -4,7 +4,7 @@ imports = [ ../base.nix - ../services/forgejo.nix + ../servers/forgejo.nix ]; # HARDWARE SPECIFIC diff --git a/machine-confs/gaming.nix b/machine-confs/gaming.nix index 4e2201b..eda7ba5 100644 --- a/machine-confs/gaming.nix +++ b/machine-confs/gaming.nix @@ -6,7 +6,7 @@ ../base.nix ../desktop.nix ../users/vili.nix - ../services/gaming-server.nix + ../servers/gaming-server.nix ../hardware-specific/nvidia.nix ]; diff --git a/machine-confs/idacloud.nix b/machine-confs/idacloud.nix index 2ec4498..fc4d305 100644 --- a/machine-confs/idacloud.nix +++ b/machine-confs/idacloud.nix @@ -6,7 +6,7 @@ imports = [ ../base.nix - ../services/nextcloud.nix + ../servers/nextcloud.nix ]; # Networking conf including WireGuard diff --git a/machine-confs/nextcloud.nix b/machine-confs/nextcloud.nix index a974cd9..17afba1 100644 --- a/machine-confs/nextcloud.nix +++ b/machine-confs/nextcloud.nix @@ -5,7 +5,7 @@ imports = [ ../base.nix - ../services/nextcloud.nix + ../servers/nextcloud.nix ]; # HARDWARE SPECIFIC diff --git a/machine-confs/siit-dc.nix b/machine-confs/siit-dc.nix index c0ad541..051899c 100644 --- a/machine-confs/siit-dc.nix +++ b/machine-confs/siit-dc.nix @@ -4,7 +4,7 @@ imports = [ ../base.nix - ../services/siit-dc.nix + ../servers/siit-dc.nix ]; # HARDWARE SPECIFIC diff --git a/machine-confs/syncthing.nix b/machine-confs/syncthing.nix index e54391d..9fbba5d 100644 --- a/machine-confs/syncthing.nix +++ b/machine-confs/syncthing.nix 
@@ -5,7 +5,7 @@ imports = [ ../base.nix ../users/vili.nix - ../services/syncthing.nix + ../servers/syncthing.nix ]; users.users.vili.hashedPasswordFile = pkgs.lib.mkForce null; diff --git a/machine-confs/vaultwarden.nix b/machine-confs/vaultwarden.nix index 3371c84..8219a87 100644 --- a/machine-confs/vaultwarden.nix +++ b/machine-confs/vaultwarden.nix @@ -4,7 +4,7 @@ imports = [ ../base.nix - ../services/vaultwarden.nix + ../servers/vaultwarden.nix ]; # HARDWARE SPECIFIC diff --git a/services/acme-cert-store.nix b/servers/acme-cert-store.nix similarity index 99% rename from services/acme-cert-store.nix rename to servers/acme-cert-store.nix index dce7d1e..bc335c8 100644 --- a/services/acme-cert-store.nix +++ b/servers/acme-cert-store.nix @@ -13,5 +13,4 @@ users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense" ]; - } diff --git a/services/forgejo.nix b/servers/forgejo.nix similarity index 91% rename from services/forgejo.nix rename to servers/forgejo.nix index 52031b8..32f0e20 100644 --- a/services/forgejo.nix +++ b/servers/forgejo.nix @@ -1,14 +1,6 @@ { config, ... }: { - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - - security.acme = { - acceptTerms = true; - defaults.email = "vili.m.sinerva@gmail.com"; - }; + imports = [ ./utils/acme-http-client.nix ]; services = { forgejo = { diff --git a/services/gaming-server.nix b/servers/gaming-server.nix similarity index 100% rename from services/gaming-server.nix rename to servers/gaming-server.nix diff --git a/services/nextcloud.nix b/servers/nextcloud.nix similarity index 78% rename from services/nextcloud.nix rename to servers/nextcloud.nix index d86d533..a8c6f20 100644 --- a/services/nextcloud.nix +++ b/servers/nextcloud.nix @@ -22,8 +22,6 @@ config = lib.mkMerge [ { - networking.firewall.allowedTCPPorts = [ 443 ]; - services = { nextcloud = { package = pkgs.nextcloud31; 
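Review bot: In the forgejo.nix hunk, the replacement `imports = [ ./utils/acme-http-client.nix ];` brings back only port 80 and the ACME account settings, while the removed `allowedTCPPorts` list also opened 443 and nothing in this hunk reopens it. Unless the part of forgejo.nix outside the hunk, or the machine config, imports `./utils/nginx-https-server.nix` (the new module that opens TCP 443), the HTTPS vhost ends up firewalled after this change. If the shared module is intended, the line should read `imports = [ ./utils/acme-http-client.nix ./utils/nginx-https-server.nix ];`. The `services = { forgejo = { …` attrset continues past the end of the hunk, so I cannot see whether its vhost still sets `forceSSL` itself.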
@@ -46,19 +44,7 @@ }; }; - nginx = { - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedProxySettings = true; - - virtualHosts.${config.services.nextcloud.hostName} = { - forceSSL = true; - kTLS = true; - sslCertificate = "/mnt/acme/fullchain.pem"; - sslCertificateKey = "/mnt/acme/key.pem"; - }; - }; + nginx.virtualHosts.${config.services.nextcloud.hostName} = { }; }; } ( @@ -89,10 +75,6 @@ }; nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = { - forceSSL = true; - kTLS = true; - sslCertificate = "/mnt/acme/fullchain.pem"; - sslCertificateKey = "/mnt/acme/key.pem"; locations."/" = { proxyPass = "http://[::1]:${toString config.services.collabora-online.port}"; proxyWebsockets = true; # collabora uses websockets diff --git a/services/siit-dc.nix b/servers/siit-dc.nix similarity index 100% rename from services/siit-dc.nix rename to servers/siit-dc.nix diff --git a/services/syncthing.nix b/servers/syncthing.nix similarity index 93% rename from services/syncthing.nix rename to servers/syncthing.nix index b4b6a07..fd1cd8e 100644 --- a/services/syncthing.nix +++ b/servers/syncthing.nix @@ -1,12 +1,5 @@ { config, pkgs, ... }: { - assertions = [ - { - assertion = config.users.users ? "vili"; - message = "User 'vili' needed for syncthing!"; - } - ]; - boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800; services.syncthing = { diff --git a/servers/utils/acme-http-client.nix b/servers/utils/acme-http-client.nix new file mode 100644 index 0000000..6da45bd --- /dev/null +++ b/servers/utils/acme-http-client.nix @@ -0,0 +1,21 @@ +{ lib, ... }: +{ + options.services.nginx.virtualHosts = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule { + config = lib.mkDefault { + enableACME = true; + }; + } + ); + }; + + config = { + networking.firewall.allowedTCPPorts = [ 80 ]; + + security.acme = { + acceptTerms = true; + defaults.email = "vili.m.sinerva@gmail.com"; + }; + }; +} 
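Review bot: In the second nextcloud.nix hunk the vhost collapses to `nginx.virtualHosts.${config.services.nextcloud.hostName} = { };`, dropping `forceSSL`, `kTLS` and the `/mnt/acme` certificate paths, yet no hunk in this diff adds an import of `./utils/cert-store-client.nix` or `./utils/nginx-https-server.nix` to nextcloud.nix, and the first hunk also removed the 443 firewall rule. Since all three utils modules are created in this same commit, an unchanged line in nextcloud.nix cannot already reference them, so unless the import lives somewhere not shown here, the Nextcloud vhost (and the Collabora vhost in the third hunk, which loses the same four settings) would be configured with no certificate and no HTTPS redirect. Adding `imports = [ ./utils/nginx-https-server.nix ./utils/cert-store-client.nix ];` to nextcloud.nix would restore the previous TLS posture. The `lib.mkMerge [ … ]` list these hunks edit begins before and ends after the visible lines.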
diff --git a/servers/utils/cert-store-client.nix b/servers/utils/cert-store-client.nix new file mode 100644 index 0000000..b847667 --- /dev/null +++ b/servers/utils/cert-store-client.nix @@ -0,0 +1,34 @@ +{ lib, ... }: +{ + options.services.nginx.virtualHosts = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule { + config = lib.mkDefault { + sslCertificate = "/mnt/acme/fullchain.pem"; + sslCertificateKey = "/mnt/acme/key.pem"; + }; + } + ); + }; + + config = { + services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7"; + + systemd.services.nginx = { + wants = [ "mnt-acme.mount" ]; + after = [ "mnt-acme.mount" ]; + }; + + fileSystems."/mnt/acme" = { + device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi"; + fsType = "sshfs"; + options = [ + "nodev" + "noatime" + "allow_other" + "IdentityFile=/etc/ssh/ssh_host_ed25519_key" + ]; + }; + }; +} diff --git a/servers/utils/nginx-https-server.nix b/servers/utils/nginx-https-server.nix new file mode 100644 index 0000000..deb6250 --- /dev/null +++ b/servers/utils/nginx-https-server.nix @@ -0,0 +1,25 @@ +{ lib, ... }: +{ + options.services.nginx.virtualHosts = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule { + config = lib.mkDefault { + forceSSL = true; + kTLS = true; + }; + } + ); + }; + + config = { + networking.firewall.allowedTCPPorts = [ 443 ]; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + }; + }; +} diff --git a/services/vaultwarden.nix b/servers/vaultwarden.nix similarity index 70% rename from services/vaultwarden.nix rename to servers/vaultwarden.nix index 368146d..ab435dd 100644 --- a/services/vaultwarden.nix +++ b/servers/vaultwarden.nix 
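Review bot: In the new servers/utils/cert-store-client.nix, the sshfs mount at `/mnt/acme` is given `allow_other`, which lets every local user traverse the mount, and because all local accesses are performed remotely as the single `cert-store` SSH user, any local account can then read `key.pem` — the private key for a directory named like a wildcard certificate (`-.vsinerva.fi`). The consumer wired up here is nginx via `systemd.services.nginx` ordering, and nginx's master process runs as root when it loads `sslCertificateKey`, so the mount probably does not need `allow_other` at all; if some non-root reader does, pair it with `default_permissions` and a restrictive remote mode, or scope it with `uid=`/`gid=`. At minimum the intended reader should be recorded next to the option, e.g. `# allow_other: only nginx (master runs as root) should need this — TODO confirm and drop if unused`. This is carried over from the deleted services/cert-store-client.nix rather than introduced here, but the new file is the right place to tighten it.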
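Review bot: The new servers/utils/nginx-https-server.nix re-declares `services.nginx.virtualHosts` as an `attrsOf (submodule …)` only to inject `mkDefault` values into every vhost, which is a legitimate module-system idiom but reads like an accidental shadowing of the upstream option to anyone unfamiliar with submodule merging; a one-line comment above `options.services.nginx.virtualHosts` such as `# Re-declared only to merge per-vhost defaults (forceSSL/kTLS) into the upstream submodule type` would prevent a future "fix". On the hardening side, `recommendedTlsSettings` to my knowledge covers protocols, ciphers and stapling but not HSTS; if that is confirmed, a `mkDefault` `extraConfig = "add_header Strict-Transport-Security …";` in the same submodule would complete the `forceSSL` story for all hosts.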
@@ -2,9 +2,6 @@ { imports = [ ./cert-store-client.nix ]; - networking.firewall.allowedTCPPorts = [ 443 ]; - networking.firewall.allowedUDPPorts = [ 443 ]; - services = { vaultwarden = { enable = true; @@ -31,17 +28,7 @@ }; nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedProxySettings = true; - virtualHosts."vaultwarden.vsinerva.fi" = { - forceSSL = true; - kTLS = true; - sslCertificate = "/mnt/acme/fullchain.pem"; - sslCertificateKey = "/mnt/acme/key.pem"; locations."/" = { proxyPass = "http://localhost:8000"; }; diff --git a/services/cert-store-client.nix b/services/cert-store-client.nix deleted file mode 100644 index 05a8b57..0000000 --- a/services/cert-store-client.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ ... }: -{ - services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7"; - - systemd.services.nginx = { - wants = [ "mnt-acme.mount" ]; - after = [ "mnt-acme.mount" ]; - }; - - fileSystems."/mnt/acme" = { - device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi"; - fsType = "sshfs"; - options = [ - "nodev" - "noatime" - "allow_other" - "IdentityFile=/etc/ssh/ssh_host_ed25519_key" - ]; - }; -} diff --git a/services/moonlight.nix b/services/moonlight.nix deleted file mode 100644 index fc240c2..0000000 --- a/services/moonlight.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - moonlight-qt - parsec-bin - ]; -} diff --git a/services/redshift.nix b/services/redshift.nix deleted file mode 100644 index 2d4a392..0000000 --- a/services/redshift.nix +++ /dev/null 
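Review bot: In the first vaultwarden.nix hunk, `imports = [ ./cert-store-client.nix ];` is an unchanged context line, but this file moves from services/ to servers/ and the module it names is deleted and recreated as servers/utils/cert-store-client.nix in this same diff, so the relative path now points at a file that no longer exists and evaluation should fail. The second hunk also drops `enable = true`, `forceSSL` and `kTLS` from the nginx block, which the new `./utils/nginx-https-server.nix` supplies, but nothing visible imports it here. Both are addressed by one line: `imports = [ ./utils/cert-store-client.nix ./utils/nginx-https-server.nix ];`. Note as well that the removed `networking.firewall.allowedUDPPorts = [ 443 ];` has no counterpart in the new util, which opens TCP 443 only — fine unless HTTP/3 was relied upon.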
@@ -1,26 +0,0 @@ -{ config, ... }: -{ - assertions = [ - { - assertion = config.services.xserver.enable; - message = "Redshift does not work without a desktop!"; - } - ]; - services.redshift = { - executable = "/bin/redshift-gtk"; - enable = true; - temperature = { - night = 2800; - day = 6500; - }; - brightness = { - night = "0.5"; - day = "1"; - }; - }; - - location = { - latitude = 60.17; - longitude = 24.94; - }; -}