diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index 44128e1..1722e87 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -48,17 +48,21 @@ in
 ./nginx-nextcloud.nix
 ../../config/base.nix
 ];
- my = import ./toggles.nix { inherit config inputs; } // {
- secureHost = true;
- users.nixremote = {
- enable = true;
- authorizedKeys = inputs.self.lib.getSshKeys [
- "nixworkstation"
- "nixserver"
- "nixminiserver"
- ];
+ my =
+ import ./toggles.nix {
+ inherit config inputs lib;
+ }
+ // {
+ secureHost = true;
+ users.nixremote = {
+ enable = true;
+ authorizedKeys = inputs.self.lib.getSshKeys [
+ "nixworkstation"
+ "nixserver"
+ "nixminiserver"
+ ];
+ };
 };
- };
 sops.age = {
 generateKey = true;
 keyFile = "/var/lib/sops-nix/key.txt";
@@ -151,7 +155,12 @@ in
 www-data = { };
 };
 users = {
- nginx.extraGroups = [ "www-data" ];
+ nginx = lib.mkIf config.my.secureHost {
+ extraGroups = [
+ "www-data"
+ "lidarr-reports"
+ ];
+ };
 deploy = {
 isSystemUser = true;
 group = "deploy";
diff --git a/hosts/vps/hardware-configuration.nix b/hosts/vps/hardware-configuration.nix
index 6f42b2b..3ec3a26 100644
--- a/hosts/vps/hardware-configuration.nix
+++ b/hosts/vps/hardware-configuration.nix
@@ -1,5 +1,6 @@
 {
 lib,
+ config,
 modulesPath,
 ...
 }:
@@ -33,11 +34,17 @@
 };
 };
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f";
+ device = lib.mkForce (
+ if config.my.build.baseImage then
+ "/dev/sda"
+ else
+ "/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f"
+ );
 fsType = "ext4";
 };
- swapDevices = [
- { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; }
+ swapDevices = lib.mkMerge [
+ [ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; } ]
+ (lib.mkIf config.my.build.baseImage [ { device = "/dev/sdb"; } ])
 ];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/vps/nginx-nextcloud.nix b/hosts/vps/nginx-nextcloud.nix
index ea718ea..f175443 100644
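Review bot: The `// { secureHost = true; users.nixremote = … }` appended to `import ./toggles.nix` is silently lost, because toggles.nix now returns `lib.mkMerge [ … ]` (its `@@ -16,59 +20,67 @@` hunk), an attribute set tagged `_type = "merge"`, and the module system consumes only its `contents`, discarding any sibling attributes added with `//`. As far as these hunks show, that leaves `my.secureHost` at its default and the nixremote user and its authorizedKeys undefined, so the proxied services, the nginx group change and the remote-build login would all vanish from the real host; the exact type of the `my` option is not visible here, so confirm against modules.nix. Making the host overrides a second element of one `lib.mkMerge` keeps both definitions.
```nix
  my = lib.mkMerge [
    (import ./toggles.nix { inherit config inputs lib; })
    {
      secureHost = true;
      users.nixremote = {
        enable = true;
        authorizedKeys = inputs.self.lib.getSshKeys [
          "nixworkstation"
          "nixserver"
          "nixminiserver"
        ];
      };
    }
  ];
```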
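Review bot: `"lidarr-reports"` widens the nginx worker's group membership without saying which files it needs to read, and the group is not declared in the `users.groups` context visible just above (`www-data = { };`); if another module (presumably the one behind `lidarrMbReport`) declares it that is fine, otherwise the activation script will not find it. A one-line comment keeps the least-privilege rationale reviewable, e.g. `# lidarr-reports: lets nginx read the lidarrMbReport output; the group is declared by that module — confirm`. The `users` attribute set continues outside the hunk.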
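Review bot: In the base-image build both swap entries stay active, since `lib.mkMerge` keeps the by-uuid device next to `/dev/sdb`, and that UUID presumably does not exist in a freshly built image, so its generated swap unit would fail or time out at boot. Guard the first element symmetrically: `(lib.mkIf (!config.my.build.baseImage) [ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; } ])`. The `/dev/sda` and `/dev/sdb` names used in the baseImage branches are not stable identifiers, so a comment stating that they are the disk names the Linode image is deployed with would help the next reader.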
--- a/hosts/vps/nginx-nextcloud.nix
+++ b/hosts/vps/nginx-nextcloud.nix
@@ -3,7 +3,7 @@ let
 cfg = config.my.servers.nextcloud;
 in
 {
- config = lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
+ config = lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
 services.nginx.virtualHosts.${cfg.host} = {
 forceSSL = true;
 enableACME = true;
diff --git a/hosts/vps/toggles.nix b/hosts/vps/toggles.nix
index e0072c5..daa413c 100644
--- a/hosts/vps/toggles.nix
+++ b/hosts/vps/toggles.nix
@@ -1,4 +1,8 @@
-{ config, inputs }:
+{
+ config,
+ inputs,
+ lib,
+}:
 let
 inherit (inputs.self.lib) enableList
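Review bot: The added `&& config.my.secureHost` looks redundant with toggles.nix, where `enableProxy = true` is itself only set under `lib.mkIf config.my.secureHost`, so `config.my.enableProxy` should already be false in the base image. If the intent is defence in depth (keep the Nextcloud vhost out of the base image even if `enableProxy` gets enabled from elsewhere), say so, otherwise the next reader will drop it as dead: `# secureHost is re-checked so a base image never exposes the Nextcloud vhost, even if enableProxy is set elsewhere`. The `config` body continues outside the hunk.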
@@ -16,59 +20,67 @@ let
 ip = wgServerIp;
 };
 };
-in
-{
- enableProxy = true;
- enableContainers = true;
- apps.dictionaries.enable = true;
- apps.dictionaries.users = "jawz";
- services = enableList mkEnabled [
- "network"
- "wireguard"
- ];
- shell = enableList mkEnabledWithUsers [
- "multimedia"
- "tools"
- ];
- dev = enableList mkEnabledWithUsers [
- "nix"
- "sh"
- ];
- websites = {
- portfolio.enableProxy = true;
- lidarrMbReport.enableProxy = true;
- };
- servers =
- enableList mkEnabledWithProxy [
- "isso"
- "microbin"
- ]
- // enableList mkEnabledProxySocketIp [
- "audiobookshelf"
- "collabora"
- "jellyfin"
- "nextcloud"
- "plausible"
- "plex"
- ]
- // enableList mkEnabledProxyIp [
- "atticd"
- "bazarr"
- "gitea"
- "homepage"
- "kavita"
- "keycloak"
- "lidarr"
- "linkwarden"
- "maloja"
- "mealie"
- "metube"
- "multi-scrobbler"
- "oauth2-proxy"
- "prowlarr"
- "radarr"
- "sonarr"
- "vaultwarden"
- "yamtrack"
+ baseToggles = {
+ services = enableList mkEnabled [
+ "network"
+ "wireguard"
 ];
-}
+ shell = enableList mkEnabledWithUsers [
+ "multimedia"
+ "tools"
+ ];
+ dev = enableList mkEnabledWithUsers [
+ "nix"
+ "sh"
+ ];
+ apps.dictionaries = {
+ enable = true;
+ users = "jawz";
+ };
+ };
+ secureToggles = {
+ enableProxy = true;
+ enableContainers = true;
+ websites = {
+ portfolio.enableProxy = true;
+ lidarrMbReport.enableProxy = true;
+ };
+ servers =
+ enableList mkEnabledWithProxy [
+ "isso"
+ "microbin"
+ ]
+ // enableList mkEnabledProxySocketIp [
+ "audiobookshelf"
+ "collabora"
+ "jellyfin"
+ "nextcloud"
+ "plausible"
+ "plex"
+ ]
+ // enableList mkEnabledProxyIp [
+ "atticd"
+ "bazarr"
+ "gitea"
+ "homepage"
+ "kavita"
+ "keycloak"
+ "lidarr"
+ "linkwarden"
+ "maloja"
+ "mealie"
+ "metube"
+ "multi-scrobbler"
+ "oauth2-proxy"
+ "prowlarr"
+ "radarr"
+ "sonarr"
+ "vaultwarden"
+ "yamtrack"
+ ];
+ };
+in
+lib.mkMerge [
+ baseToggles
+ (lib.mkIf config.my.secureHost secureToggles)
+]
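Review bot: toggles.nix now evaluates to a module-system definition (`lib.mkMerge`) rather than a plain attribute set, and neither the file nor the two new bindings record what the split means or that `enableContainers` is newly gated behind `secureHost` where it used to be unconditional. A header comment would make the contract and the gating explicit: `# Evaluates to a module-system merge value: combine with lib.mkMerge, not with //.` above `in`, `# baseToggles: always applied, including the Linode base image (my.secureHost = false)` on the first binding, and `# secureToggles: proxy, containers and the proxied servers — only on the fully provisioned host` on the second. The `let` block begins outside the hunk.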
diff --git a/modules/modules.nix b/modules/modules.nix
index 57e8d52..7652640 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -130,6 +130,11 @@ in
 };
 enableContainers = lib.mkEnableOption "container services (Docker/Podman)";
 enableProxy = lib.mkEnableOption "nginx reverse proxy for services";
+ build.baseImage = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable base image settings for this host build.";
+ };
 toggleUsers = lib.mkOption {
 type = lib.types.attrsOf (lib.types.either lib.types.str (lib.types.listOf lib.types.str));
 default = {
diff --git a/parts/packages.nix b/parts/packages.nix
index 13950a7..48334db 100644
--- a/parts/packages.nix
+++ b/parts/packages.nix
@@ -26,6 +26,17 @@
 exec ${mcpPython}/bin/python -m mcp_server.server
 '';
 };
+ vpsLinodeConfig = inputs.self.nixosConfigurations.vps.extendModules {
+ modules = [
+ (
+ { lib, ... }:
+ {
+ my.secureHost = lib.mkForce false;
+ my.build.baseImage = true;
+ }
+ )
+ ];
+ };
 mcpTests = pkgs.writeShellApplication {
 name = "mcp-tests";
 runtimeInputs = with pkgs.python3Packages; [
@@ -43,7 +54,7 @@
 {
 packages = (inputs.jawz-scripts.packages.${system} or { }) // {
 emacs-vm = inputs.self.nixosConfigurations.emacs.config.system.build.vm;
- vps-linode = inputs.self.nixosConfigurations.vps.config.system.build.images.linode;
+ vps-linode = vpsLinodeConfig.config.system.build.images.linode;
 mcp-tests = mcpTests;
 nixos-mcp = nixosMcp;
 nixos-mcp-server = mcpServerPkg;
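Review bot: The `build.baseImage` description does not say what the option changes (the hardware-configuration hunk switches the root device to `/dev/sda` and adds `/dev/sdb` swap) nor that it is meant to be paired with `my.secureHost = false`, which packages.nix currently does by hand. A more specific description, `"Build the generic Linode base image: root on /dev/sda and swap on /dev/sdb instead of the host's by-uuid devices; expected together with my.secureHost = false."`, plus an assertion enforcing that pairing, would stop an image carrying secure-host services from being produced by accident; whether `my.secureHost` is declared in this module, and where its `config` section lives, is not visible in the hunk, so place the assertion accordingly if the coupling is intended.
```nix
# in the module's config section (outside this hunk)
assertions = [
  {
    assertion = !(config.my.build.baseImage && config.my.secureHost);
    message = "my.build.baseImage requires my.secureHost = false: the base image must not include secure-host services.";
  }
];
```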
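Review bot: `vpsLinodeConfig` derives the published image from the full vps configuration and only flips `secureHost` and `baseImage`, so everything not gated by `my.secureHost` is baked into it; in the configuration.nix hunk that includes the `users.nixremote` authorizedKeys list, which would pre-authorise those workstation keys to log in on any machine started from the image, and the `sops.age` wiring takes the same route. Whether that is intended cannot be told from here, so a comment on the binding recording what the image is expected to strip would make the review repeatable: `# Generic Linode base image: secure-host services (proxy, containers, servers) are off; anything not gated by my.secureHost ships in the image — review before publishing`. The let-block that holds the binding begins and ends outside the hunk.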