Refactor server files

servers/acme-cert-store.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  users.users."cert-store" = {
+    isNormalUser = true;
+    description = "Read-only access to certs";
+    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCEnSRQyUVUOwzIbThHC2cdk+zDabHUNkgPLgnjwqme idacloud"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgIXTr7HxC13UNZP0UCALBRJuiDh4U0Nnd4GPIE4RQR vaultwarden"
+    ];
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
+  ];
+}

servers/forgejo.nix

@@ -0,0 +1,63 @@
+{ config, ... }:
+{
+  imports = [ ./utils/acme-http-client.nix ];
+
+  services = {
+    forgejo = {
+      enable = true;
+      lfs.enable = true;
+
+      secrets.mailer.PASSWD = "${config.services.forgejo.stateDir}/smtp_pass";
+      settings = {
+        DEFAULT.APP_NAME = "Forgejo for Vili Sinervä";
+        repository = {
+          ENABLE_PUSH_CREATE_USER = true;
+          ENABLE_PUSH_CREATE_ORG = true;
+          DEFAULT_REPO_UNITS = "repo.code,repo.releases";
+        };
+        ui.DEFAULT_SHOW_FULL_NAME = true;
+        "ui.meta".AUTHOR = "Forgeo, hosted by Vili Sinervä";
+        server = {
+          DOMAIN = "forgejo.sinerva.eu";
+          HTTP_ADDR = "::1";
+          HTTP_PORT = 8000;
+          ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
+        };
+        service = {
+          DISABLE_REGISTRATION = true; # Disable for initial setup
+        };
+        session.COOKIE_SECURE = true;
+        mailer = {
+          ENABLED = true;
+          SMTP_ADDR = "smtp.gmail.com";
+          SMTP_PORT = 587;
+          USER = "vmsskv12@gmail.com"; # Password set in file
+          FROM = "forgejo@sinerva.eu";
+          ENVELOPE_FROM = "forgejo@sinerva.eu";
+        };
+        cron = {
+          ENABLED = true;
+          RUN_AT_START = true;
+        };
+        time.DEFAULT_UI_LOCATION = "Europe/Helsinki";
+      };
+    };
+
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+
+      virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+        enableACME = true;
+        forceSSL = true;
+        kTLS = true;
+        locations."/" = {
+          proxyPass = "http://localhost:8000";
+        };
+      };
+    };
+  };
+}

servers/gaming-server.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    parsec-bin
+  ];
+
+  programs.steam = {
+    enable = true;
+    extraCompatPackages = with pkgs; [ proton-ge-bin ];
+  };
+
+  services.sunshine = {
+    enable = true;
+    autoStart = true;
+    openFirewall = true;
+  };
+
+}

servers/nextcloud.nix

@@ -0,0 +1,97 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [ ./cert-store-client.nix ];
+
+  options.custom = {
+    nextcloud_domain = lib.mkOption {
+      type = lib.types.str;
+      description = "Domain used by Nextcloud";
+    };
+
+    collabora_domain = lib.mkOption {
+      type = with lib.types; nullOr str;
+      default = null;
+      description = "Domain used by Collabora Online";
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      services = {
+        nextcloud = {
+          package = pkgs.nextcloud31;
+          enable = true;
+          hostName = config.custom.nextcloud_domain;
+          autoUpdateApps.enable = true;
+          https = true;
+          maxUploadSize = "512M"; # Default
+          config = {
+            dbtype = "sqlite";
+            adminpassFile = "/var/lib/nextcloud/adminpass";
+          };
+          settings = {
+            overwriteprotocol = "https";
+            default_phone_region = "FI";
+            maintenance_window_start = 1;
+          };
+          phpOptions = {
+            "opcache.interned_strings_buffer" = 32;
+          };
+        };
+
+        nginx.virtualHosts.${config.services.nextcloud.hostName} = { };
+      };
+    }
+    (
+      # Optional Collabora Client
+      lib.mkIf (config.custom.collabora_domain != null) {
+        services = {
+          collabora-online = {
+            enable = true;
+            port = 9980; # default
+            settings = {
+              ssl = {
+                enable = false;
+                termination = true;
+              };
+
+              net = {
+                listen = "loopback";
+                post_allow.host = [ "::1" ];
+              };
+
+              storage.wopi = {
+                "@allow" = true;
+                host = [ config.services.nextcloud.hostName ] ++ config.services.nextcloud.settings.trusted_domains;
+              };
+
+              server_name = config.custom.collabora_domain;
+            };
+          };
+
+          nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
+            locations."/" = {
+              proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
+              proxyWebsockets = true; # collabora uses websockets
+            };
+          };
+
+          nextcloud = {
+            appstoreEnable = true;
+            extraAppsEnable = true;
+            extraApps = with config.services.nextcloud.package.packages.apps; {
+              inherit
+                richdocuments
+                ;
+            };
+          };
+        };
+      }
+    )
+  ];
+}

servers/siit-dc.nix

@@ -0,0 +1,33 @@
+{ config, ... }:
+let
+  v4_pref = "192.168.251";
+in
+{
+  networking = {
+    jool = {
+      enable = true;
+      siit.default = {
+        global.pool6 = "${config.custom.gua_pref}46::/96";
+
+        # Explicit address mappings
+        eamt = [
+          {
+            # ExoPlaSim
+            "ipv6 prefix" = "${config.custom.gua_pref}d1:be24:11ff:fe42:dd76/128";
+            "ipv4 prefix" = "${v4_pref}.1/32";
+          }
+          {
+            # Forgejo
+            "ipv6 prefix" = "${config.custom.gua_pref}d2:be24:11ff:feee:9c55/128";
+            "ipv4 prefix" = "${v4_pref}.2/32";
+          }
+          {
+            # Idacloud
+            "ipv6 prefix" = "${config.custom.gua_pref}d3:be24:11ff:fece:7d63/128";
+            "ipv4 prefix" = "${v4_pref}.3/32";
+          }
+        ];
+      };
+    };
+  };
+}

servers/syncthing.nix

@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+{
+  boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800;
+
+  services.syncthing = {
+    enable = true;
+    user = "vili";
+    dataDir = config.users.users.${config.services.syncthing.user}.home;
+
+    settings = {
+      defaults.ignores = [
+        "/Projects/Programming"
+      ];
+
+      options = {
+        urAccepted = -1;
+        localAnnounceEnabled = false;
+        globalAnnounceEnabled = false;
+        natEnabled = false;
+        relaysEnabled = false;
+      };
+
+      devices = pkgs.lib.mkMerge [
+        {
+          "syncthing" = {
+            id = "J6GNM4Z-2TWASPT-3P3EW4V-KZEQYFF-TXL22QX-4YTZ3WO-WLM7GQ7-NUP66A4";
+            addresses = [ "tcp://syncthing.vsinerva.fi:22000" ];
+          };
+        }
+        (pkgs.lib.mkIf (config.networking.hostName == "syncthing") {
+          "helium" = {
+            id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM";
+            addresses = [ "tcp://helium.vsinerva.fi:22000" ];
+          };
+          "lithium" = {
+            id = "S4ZORDV-QBY7QC7-FQHADMZ-NQSKJUA-7B7LQNS-CWJLSMG-JPMN7YJ-OVRDZQA";
+            addresses = [ "tcp://lithium.vsinerva.fi:22000" ];
+          };
+        })
+      ];
+
+      folders =
+        let
+          default = {
+            devices = pkgs.lib.mkMerge [
+              [ "syncthing" ]
+              (pkgs.lib.mkIf (config.networking.hostName == "syncthing") [
+                "helium"
+                "lithium"
+              ])
+            ];
+            versioning = {
+              type = "trashcan";
+              params.cleanoutDays = "30";
+            };
+            fsWatcherDelayS = 1;
+          };
+        in
+        {
+          "~/Documents" = default;
+          "~/Downloads" = default;
+          "~/Music" = default;
+          "~/Pictures" = default;
+          "~/Projects" = default;
+          "~/School" = default;
+          "~/Videos" = default;
+          "~/Zotero" = default;
+        };
+    };
+
+    #TCP/UDP 22000 for transfers and UDP 21027 for discovery
+    openDefaultPorts = true;
+  };
+}

servers/utils/acme-http-client.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          enableACME = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 80 ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "vili.m.sinerva@gmail.com";
+    };
+  };
+}

servers/utils/cert-store-client.nix

@@ -0,0 +1,34 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          sslCertificate = "/mnt/acme/fullchain.pem";
+          sslCertificateKey = "/mnt/acme/key.pem";
+        };
+      }
+    );
+  };
+
+  config = {
+    services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+    systemd.services.nginx = {
+      wants = [ "mnt-acme.mount" ];
+      after = [ "mnt-acme.mount" ];
+    };
+
+    fileSystems."/mnt/acme" = {
+      device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi";
+      fsType = "sshfs";
+      options = [
+        "nodev"
+        "noatime"
+        "allow_other"
+        "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+      ];
+    };
+  };
+}

servers/utils/nginx-https-server.nix

@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          forceSSL = true;
+          kTLS = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 443 ];
+
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+    };
+  };
+}

servers/vaultwarden.nix

@@ -0,0 +1,38 @@
+{ ... }:
+{
+  imports = [ ./cert-store-client.nix ];
+
+  services = {
+    vaultwarden = {
+      enable = true;
+      environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+      config = {
+        DOMAIN = "https://vaultwarden.vsinerva.fi";
+        LOGIN_RATELIMIT_MAX_BURST = 10;
+        LOGIN_RATELIMIT_SECONDS = 60;
+        ADMIN_RATELIMIT_MAX_BURST = 10;
+        ADMIN_RATELIMIT_SECONDS = 60;
+        SENDS_ALLOWED = true;
+        EMERGENCY_ACCESS_ALLOWED = true;
+        WEB_VAULT_ENABLED = true;
+        SIGNUPS_ALLOWED = true;
+        SIGNUPS_VERIFY = true;
+        SIGNUPS_VERIFY_RESEND_TIME = 3600;
+        SIGNUPS_VERIFY_RESEND_LIMIT = 5;
+        SMTP_HOST = "smtp.gmail.com";
+        SMTP_FROM_NAME = "Vaultwarden";
+        SMTP_SECURITY = "starttls";
+        SMTP_PORT = 587;
+        SMTP_AUTH_MECHANISM = "Login";
+      };
+    };
+
+    nginx = {
+      virtualHosts."vaultwarden.vsinerva.fi" = {
+        locations."/" = {
+          proxyPass = "http://localhost:8000";
+        };
+      };
+    };
+  };
+}