jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added secureHost flag

Browse Source
This commit is contained in:
Danilo Reyes 2025-09-28 10:52:27 -06:00
parent d704e0ee13
commit a376428118
24 changed files with 100 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
hosts/server/configuration.nix
View File

@ -1,6 +1,7 @@
{
pkgs,
config,
lib,
...
}:
{
@ -35,14 +36,16 @@
supportedFeatures = config.my.nix.features;
}
];
sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost {
sopsFile = ../../secrets/wireguard.yaml;
};
networking = {
hostName = "server";
firewall = {
allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
interfaces.wg0.allowedTCPPorts = [ 8081 ];
};
wireguard.interfaces.wg0 = {
wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
ips = [ "${config.my.ips.wg-server}/32" ];
privateKeyFile = config.sops.secrets."vps/home/private".path;
peers = [

2
modules/scripts/update-dns.nix
View File

@ -7,7 +7,7 @@
}:
{
imports = [ ./base.nix ];
config = {
config = lib.mkIf config.my.secureHost {
sops.secrets = {
cloudflare-api.sopsFile = ../../secrets/env.yaml;
dns = {

2
modules/servers/atticd.nix
View File

@ -5,7 +5,7 @@ let
in
{
options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343;
config = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets."private_cache_keys/atticd".sopsFile = ../../secrets/keys.yaml;
services.atticd = {
enable = true;

31
modules/servers/firefly-iii.nix
View File

@ -1,19 +1,22 @@
{ lib, config, ... }:
{
options.my.servers.firefly-iii.enable = lib.mkEnableOption "enable";
config = lib.mkIf (config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable) {
sops.secrets.firefly-iii-keyfile = {
owner = config.users.users.firefly-iii.name;
inherit (config.users.users.firefly-iii) group;
};
services.firefly-iii = {
enable = true;
enableNginx = true;
settings = {
APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path;
DB_HOST = config.my.postgresSocket;
DB_CONNECTION = "pgsql";
config =
lib.mkIf
(config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable && config.my.secureHost)
{
sops.secrets.firefly-iii-keyfile = {
owner = config.users.users.firefly-iii.name;
inherit (config.users.users.firefly-iii) group;
};
services.firefly-iii = {
enable = true;
enableNginx = true;
settings = {
APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path;
DB_HOST = config.my.postgresSocket;
DB_CONNECTION = "pgsql";
};
};
};
};
};
}

16
modules/servers/flame.nix
View File

@ -2,7 +2,7 @@
let
cfg = config.my.servers.flame;
cfgS = config.my.servers.flameSecret;
enable = cfg.enable || cfgS.enable;
enable = (cfg.enable || cfgS.enable) && config.my.secureHost;
setup = import ./setup.nix { inherit lib config; };
in
{
@ -10,12 +10,14 @@ in
flame = setup.mkOptions "flame" "start" 5005;
flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007;
};
config = {
config = lib.mkIf enable {
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [
cfg.port
cfgS.port
];
sops.secrets = lib.mkIf enable { flame.sopsFile = ../../secrets/env.yaml; };
sops.secrets = {
flame.sopsFile = ../../secrets/env.yaml;
};
virtualisation.oci-containers.containers = lib.mkIf enable {
flame = lib.mkIf cfg.enable {
autoStart = true;
@ -45,11 +47,9 @@ in
};
};
};
services.nginx = {
virtualHosts = lib.mkIf (cfg.enableProxy || cfgS.enableProxy) {
"${cfg.host}" = setup.proxyReverse cfg;
"${cfgS.host}" = setup.proxyReverse cfgS;
};
services.nginx.virtualHosts = lib.mkIf enable {
"${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverse cfg);
"${cfgS.host}" = lib.mkIf cfgS.enableProxy (setup.proxyReverse cfgS);
};
};
}

2
modules/servers/gitea-actions-runners/nixos.nix
View File

@ -8,7 +8,7 @@ let
cfg = config.my.servers.gitea;
in
{
config = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
services.gitea-actions-runner.instances.nixos = {
inherit (cfg) url enable;
name = "${config.networking.hostName}-nixos";

2
modules/servers/gitea-actions-runners/ryujinx.nix
View File

@ -8,7 +8,7 @@ let
cfg = config.my.servers.gitea;
in
{
config = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
services.gitea-actions-runner.instances.ryujinx = {
inherit (cfg) url enable;
name = "${config.networking.hostName}-ryujinx";

6
modules/servers/gitea.nix
View File

@ -14,9 +14,9 @@ in
./gitea-actions-runners/nixos.nix
];
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
config = {
sops.secrets = lib.mkIf cfg.enable { gitea.sopsFile = ../../secrets/env.yaml; };
services.gitea = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
services.gitea = {
enable = true;
domain = cfg.host;
rootUrl = cfg.url;

2
modules/servers/homepage.nix
View File

@ -5,7 +5,7 @@ let
in
{
options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
config = {
config = lib.mkIf config.my.secureHost {
sops.secrets = lib.mkIf cfg.enable {
homepage.sopsFile = ../../secrets/homepage.yaml;
"private-ca/pem" = {

6
modules/servers/kavita.nix
View File

@ -5,8 +5,8 @@ let
in
{
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
config = {
sops.secrets.kavita-token = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.kavita-token = {
owner = config.users.users.kavita.name;
inherit (config.users.users.kavita) group;
};
@ -18,7 +18,7 @@ in
"piracy"
];
};
services.kavita = lib.mkIf cfg.enable {
services.kavita = {
enable = true;
tokenKeyFile = config.sops.secrets.kavita-token.path;
};

6
modules/servers/maloja.nix
View File

@ -5,9 +5,9 @@ let
in
{
options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;
config = {
sops.secrets = lib.mkIf cfg.enable { maloja.sopsFile = ../../secrets/env.yaml; };
virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.maloja.sopsFile = ../../secrets/env.yaml;
virtualisation.oci-containers.containers.maloja = {
image = "krateng/maloja:3.2.3";
ports = [ "${toString cfg.port}:${toString cfg.port}" ];
environmentFiles = [ config.sops.secrets.maloja.path ];

9
modules/servers/mealie.nix
View File

@ -5,11 +5,10 @@ let
in
{
options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;
config = {
sops.secrets = lib.mkIf cfg.enable { mealie.sopsFile = ../../secrets/env.yaml; };
services.mealie = lib.mkIf cfg.enable {
enable = true;
inherit (cfg) port;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.mealie.sopsFile = ../../secrets/env.yaml;
services.mealie = {
inherit (cfg) port enable;
settings = {
TZ = config.my.timeZone;
DEFAULT_GROUP = "Home";

6
modules/servers/multi-scrobbler.nix
View File

@ -5,9 +5,9 @@ let
in
{
options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;
config = {
sops.secrets = lib.mkIf cfg.enable { multi-scrobbler.sopsFile = ../../secrets/env.yaml; };
virtualisation.oci-containers.containers.multi-scrobbler = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.multi-scrobbler.sopsFile = ../../secrets/env.yaml;
virtualisation.oci-containers.containers.multi-scrobbler = {
image = "foxxmd/multi-scrobbler:0.9.11";
ports = [ "${toString cfg.port}:${toString cfg.port}" ];
environmentFiles = [ config.sops.secrets.multi-scrobbler.path ];

2
modules/servers/nextcloud.nix
View File

@ -39,7 +39,7 @@ in
collabora = setup.mkOptions "collabora" "collabora" 9980;
go-vod.enable = lib.mkEnableOption "enable";
};
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets.nextcloud-adminpass = {
owner = config.users.users.nextcloud.name;
inherit (config.users.users.nextcloud) group;

2
modules/servers/nix-serve.nix
View File

@ -10,7 +10,7 @@ let
in
{
options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000;
config = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets."private_cache_keys/miniserver".sopsFile = ../../secrets/keys.yaml;
services.nix-serve = {
enable = true;

8
modules/servers/radarr.nix
View File

@ -5,8 +5,10 @@ let
in
{
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
config.services.radarr = lib.mkIf cfg.enable {
enable = true;
group = "piracy";
config = lib.mkIf (cfg.enable && config.my.secureHost) {
services.radarr = {
enable = true;
group = "piracy";
};
};
}

4
modules/servers/readeck.nix
View File

@ -5,10 +5,10 @@ let
in
{
options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546;
config = {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.readeck.sopsFile = ../../secrets/env.yaml;
services.readeck = {
inherit (cfg) enable;
enable = true;
environmentFile = config.sops.secrets.readeck.path;
settings = {
main = {

31
modules/servers/ryot.nix
View File

@ -5,19 +5,22 @@ let
in
{
options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765;
config = lib.mkIf (config.my.servers.ryot.enable && config.my.servers.postgres.enable) {
sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
virtualisation.oci-containers.containers.ryot = {
image = "ghcr.io/ignisda/ryot:v9.2.0";
ports = [ "${toString cfg.port}:8000" ];
environmentFiles = [ config.sops.secrets.ryot.path ];
environment = {
RUST_LOG = "ryot=debug,sea_orm=debug";
TZ = config.my.timeZone;
DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}";
FRONTEND_INSECURE_COOKIES = "true";
config =
lib.mkIf
(config.my.servers.ryot.enable && config.my.servers.postgres.enable && config.my.secureHost)
{
sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
virtualisation.oci-containers.containers.ryot = {
image = "ghcr.io/ignisda/ryot:v9.2.0";
ports = [ "${toString cfg.port}:8000" ];
environmentFiles = [ config.sops.secrets.ryot.path ];
environment = {
RUST_LOG = "ryot=debug,sea_orm=debug";
TZ = config.my.timeZone;
DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}";
FRONTEND_INSECURE_COOKIES = "true";
};
volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ];
};
};
volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ];
};
};
}

21
modules/servers/shiori.nix
View File

@ -5,13 +5,16 @@ let
in
{
options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;
config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) {
sops.secrets = lib.mkIf cfg.enable { shiori.sopsFile = ../../secrets/env.yaml; };
services.shiori = lib.mkIf cfg.enable {
inherit (cfg) port;
enable = true;
environmentFile = config.sops.secrets.shiori.path;
databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}";
};
};
config =
lib.mkIf
(config.my.servers.shiori.enable && config.my.servers.postgres.enable && config.my.secureHost)
{
sops.secrets.shiori.sopsFile = ../../secrets/env.yaml;
services.shiori = {
inherit (cfg) port;
enable = true;
environmentFile = config.sops.secrets.shiori.path;
databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}";
};
};
}

6
modules/servers/stash.nix
View File

@ -5,13 +5,13 @@ let
in
{
options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
config = {
sops.secrets = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = {
"stash/password".sopsFile = ../../secrets/env.yaml;
"stash/jwt".sopsFile = ../../secrets/env.yaml;
"stash/session".sopsFile = ../../secrets/env.yaml;
};
services.stash = lib.mkIf cfg.enable {
services.stash = {
enable = true;
group = "piracy";
mutableSettings = true;

6
modules/servers/synapse.nix
View File

@ -22,12 +22,12 @@ in
synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
};
config = {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
my.servers = {
synapse = { inherit domain; };
element = { inherit domain; };
};
sops.secrets = lib.mkIf cfg.enable {
sops.secrets = {
synapse = {
sopsFile = ../../secrets/env.yaml;
owner = "matrix-synapse";
@ -50,7 +50,7 @@ in
};
};
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
services = lib.mkIf cfg.enable {
services = {
matrix-synapse = {
enable = true;
extraConfigFiles = [

6
modules/servers/vaultwarden.nix
View File

@ -10,9 +10,9 @@ let
in
{
options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
sops.secrets = lib.mkIf cfg.enable { vaultwarden.sopsFile = ../../secrets/env.yaml; };
services.vaultwarden = lib.mkIf cfg.enable {
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
package = pkgs.vaultwarden;

2
modules/services/msmtp.nix
View File

@ -7,7 +7,7 @@ let
cfg = config.my.servers;
in
{
config = lib.mkIf cfg.nextcloud.enable or cfg.gitea.enable {
config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable or cfg.gitea.enable)) {
sops.secrets.smtp-password = { };
programs.msmtp = {
enable = true;

2
modules/services/wireguard.nix
View File

@ -10,7 +10,7 @@ let
in
{
options.my.services.wireguard.enable = lib.mkEnableOption "enable";
config = lib.mkIf config.my.services.wireguard.enable {
config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
networking = {
firewall.allowedUDPPorts = [ port ];