Refactor server files

machine-confs/cert-store.nix

@@ -4,7 +4,7 @@
 
   imports = [
     ../base.nix
-    ../services/acme-cert-store.nix
+    ../servers/acme-cert-store.nix
   ];
 
   #Many installs will need this, and it won't hurt either way

machine-confs/forgejo.nix

@@ -4,7 +4,7 @@
 
   imports = [
     ../base.nix
-    ../services/forgejo.nix
+    ../servers/forgejo.nix
   ];
 
   # HARDWARE SPECIFIC

machine-confs/gaming.nix

@@ -6,7 +6,7 @@
     ../base.nix
     ../desktop.nix
     ../users/vili.nix
-    ../services/gaming-server.nix
+    ../servers/gaming-server.nix
     ../hardware-specific/nvidia.nix
   ];
 

machine-confs/idacloud.nix

@@ -6,7 +6,7 @@
 
   imports = [
     ../base.nix
-    ../services/nextcloud.nix
+    ../servers/nextcloud.nix
   ];
 
   # Networking conf including WireGuard

machine-confs/nextcloud.nix

@@ -5,7 +5,7 @@
 
   imports = [
     ../base.nix
-    ../services/nextcloud.nix
+    ../servers/nextcloud.nix
   ];
 
   # HARDWARE SPECIFIC

machine-confs/siit-dc.nix

@@ -4,7 +4,7 @@
 
   imports = [
     ../base.nix
-    ../services/siit-dc.nix
+    ../servers/siit-dc.nix
   ];
 
   # HARDWARE SPECIFIC

machine-confs/syncthing.nix

@@ -5,7 +5,7 @@
   imports = [
     ../base.nix
     ../users/vili.nix
-    ../services/syncthing.nix
+    ../servers/syncthing.nix
   ];
 
   users.users.vili.hashedPasswordFile = pkgs.lib.mkForce null;

machine-confs/vaultwarden.nix

@@ -4,7 +4,7 @@
 
   imports = [
     ../base.nix
-    ../services/vaultwarden.nix
+    ../servers/vaultwarden.nix
   ];
 
   # HARDWARE SPECIFIC

servers/acme-cert-store.nix

@@ -13,5 +13,4 @@
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
   ];
-
 }

servers/forgejo.nix

@@ -1,14 +1,6 @@
 { config, ... }:
 {
-  networking.firewall.allowedTCPPorts = [
+  imports = [ ./utils/acme-http-client.nix ];
-    80
-    443
-  ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "vili.m.sinerva@gmail.com";
-  };
 
   services = {
     forgejo = {

servers/nextcloud.nix

@@ -22,8 +22,6 @@
 
   config = lib.mkMerge [
     {
-      networking.firewall.allowedTCPPorts = [ 443 ];
-
       services = {
         nextcloud = {
           package = pkgs.nextcloud31;
@@ -46,19 +44,7 @@
           };
         };
 
-        nginx = {
+        nginx.virtualHosts.${config.services.nextcloud.hostName} = { };
-          recommendedGzipSettings = true;
-          recommendedOptimisation = true;
-          recommendedTlsSettings = true;
-          recommendedProxySettings = true;
-
-          virtualHosts.${config.services.nextcloud.hostName} = {
-            forceSSL = true;
-            kTLS = true;
-            sslCertificate = "/mnt/acme/fullchain.pem";
-            sslCertificateKey = "/mnt/acme/key.pem";
-          };
-        };
       };
     }
     (
@@ -89,10 +75,6 @@
           };
 
           nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
-            forceSSL = true;
-            kTLS = true;
-            sslCertificate = "/mnt/acme/fullchain.pem";
-            sslCertificateKey = "/mnt/acme/key.pem";
             locations."/" = {
               proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
               proxyWebsockets = true; # collabora uses websockets

servers/syncthing.nix

@@ -1,12 +1,5 @@
 { config, pkgs, ... }:
 {
-  assertions = [
-    {
-      assertion = config.users.users ? "vili";
-      message = "User 'vili' needed for syncthing!";
-    }
-  ];
-
   boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800;
 
   services.syncthing = {

servers/utils/acme-http-client.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          enableACME = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 80 ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "vili.m.sinerva@gmail.com";
+    };
+  };
+}

servers/utils/cert-store-client.nix

@@ -0,0 +1,34 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          sslCertificate = "/mnt/acme/fullchain.pem";
+          sslCertificateKey = "/mnt/acme/key.pem";
+        };
+      }
+    );
+  };
+
+  config = {
+    services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+    systemd.services.nginx = {
+      wants = [ "mnt-acme.mount" ];
+      after = [ "mnt-acme.mount" ];
+    };
+
+    fileSystems."/mnt/acme" = {
+      device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi";
+      fsType = "sshfs";
+      options = [
+        "nodev"
+        "noatime"
+        "allow_other"
+        "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+      ];
+    };
+  };
+}

servers/utils/nginx-https-server.nix

@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          forceSSL = true;
+          kTLS = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 443 ];
+
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+    };
+  };
+}

servers/vaultwarden.nix

@@ -2,9 +2,6 @@
 {
   imports = [ ./cert-store-client.nix ];
 
-  networking.firewall.allowedTCPPorts = [ 443 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
-
   services = {
     vaultwarden = {
       enable = true;
@@ -31,17 +28,7 @@
     };
 
     nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-
       virtualHosts."vaultwarden.vsinerva.fi" = {
-        forceSSL = true;
-        kTLS = true;
-        sslCertificate = "/mnt/acme/fullchain.pem";
-        sslCertificateKey = "/mnt/acme/key.pem";
         locations."/" = {
           proxyPass = "http://localhost:8000";
         };

services/cert-store-client.nix

@@ -1,21 +0,0 @@
-{ ... }:
-{
-  services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
-
-  systemd.services.nginx = {
-    wants = [ "mnt-acme.mount" ];
-    after = [ "mnt-acme.mount" ];
-  };
-
-  fileSystems."/mnt/acme" = {
-    device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi";
-    fsType = "sshfs";
-    options = [
-      "nodev"
-      "noatime"
-      "allow_other"
-      "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
-    ];
-  };
-}

services/moonlight.nix

@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    moonlight-qt
-    parsec-bin
-  ];
-}

services/redshift.nix

@@ -1,26 +0,0 @@
-{ config, ... }:
-{
-  assertions = [
-    {
-      assertion = config.services.xserver.enable;
-      message = "Redshift does not work without a desktop!";
-    }
-  ];
-  services.redshift = {
-    executable = "/bin/redshift-gtk";
-    enable = true;
-    temperature = {
-      night = 2800;
-      day = 6500;
-    };
-    brightness = {
-      night = "0.5";
-      day = "1";
-    };
-  };
-
-  location = {
-    latitude = 60.17;
-    longitude = 24.94;
-  };
-}