From a376428118cbe813f63c178fc6accb3bbf5d118b Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Sun, 28 Sep 2025 10:52:27 -0600
Subject: [PATCH] added secureHost flag
---
 hosts/server/configuration.nix | 7 +++--
 modules/scripts/update-dns.nix | 2 +-
 modules/servers/atticd.nix | 2 +-
 modules/servers/firefly-iii.nix | 31 ++++++++++---------
 modules/servers/flame.nix | 16 +++++-----
 .../servers/gitea-actions-runners/nixos.nix | 2 +-
 .../servers/gitea-actions-runners/ryujinx.nix | 2 +-
 modules/servers/gitea.nix | 6 ++--
 modules/servers/homepage.nix | 2 +-
 modules/servers/kavita.nix | 6 ++--
 modules/servers/maloja.nix | 6 ++--
 modules/servers/mealie.nix | 9 +++---
 modules/servers/multi-scrobbler.nix | 6 ++--
 modules/servers/nextcloud.nix | 2 +-
 modules/servers/nix-serve.nix | 2 +-
 modules/servers/radarr.nix | 8 +++--
 modules/servers/readeck.nix | 4 +--
 modules/servers/ryot.nix | 31 ++++++++++---------
 modules/servers/shiori.nix | 21 +++++++------
 modules/servers/stash.nix | 6 ++--
 modules/servers/synapse.nix | 6 ++--
 modules/servers/vaultwarden.nix | 6 ++--
 modules/services/msmtp.nix | 2 +-
 modules/services/wireguard.nix | 2 +-
 24 files changed, 100 insertions(+), 87 deletions(-)
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 52ee6bc..572c719 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -1,6 +1,7 @@ { pkgs, config, + lib, ... }: {
@@ -35,14 +36,16 @@ supportedFeatures = config.my.nix.features; } ]; - sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml; + sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost { + sopsFile = ../../secrets/wireguard.yaml; + }; networking = { hostName = "server"; firewall = { allowedUDPPorts = config.networking.firewall.allowedTCPPorts; interfaces.wg0.allowedTCPPorts = [ 8081 ]; }; - wireguard.interfaces.wg0 = { + wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost { ips = [ "${config.my.ips.wg-server}/32" ]; privateKeyFile = config.sops.secrets."vps/home/private".path; peers = [
diff --git a/modules/scripts/update-dns.nix b/modules/scripts/update-dns.nix
index e7716bb..6a71d6c 100644
--- a/modules/scripts/update-dns.nix
+++ b/modules/scripts/update-dns.nix
@@ -7,7 +7,7 @@ }: { imports = [ ./base.nix ]; - config = { + config = lib.mkIf config.my.secureHost { sops.secrets = { cloudflare-api.sopsFile = ../../secrets/env.yaml; dns = {
diff --git a/modules/servers/atticd.nix b/modules/servers/atticd.nix
index 7971396..032a211 100644
--- a/modules/servers/atticd.nix
+++ b/modules/servers/atticd.nix
@@ -5,7 +5,7 @@ let in { options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343; - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { sops.secrets."private_cache_keys/atticd".sopsFile = ../../secrets/keys.yaml; services.atticd = { enable = true;
diff --git a/modules/servers/firefly-iii.nix b/modules/servers/firefly-iii.nix
index 85234f2..e229f2c 100644
--- a/modules/servers/firefly-iii.nix
+++ b/modules/servers/firefly-iii.nix
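Review bot: `interfaces.wg0.allowedTCPPorts = [ 8081 ];` remains unconditional while `wireguard.interfaces.wg0` directly below it is now `lib.mkIf config.my.secureHost`, so a host built without the flag carries a firewall rule for an interface it never creates; wrapping the `firewall.interfaces.wg0` entry in the same `lib.mkIf config.my.secureHost` keeps the two in step. No hunk in this patch declares the `my.secureHost` option, so it is presumably defined elsewhere; if it is not, every module touched here fails to evaluate. The pre-existing `allowedUDPPorts = config.networking.firewall.allowedTCPPorts;` also opens every TCP port any module adds on UDP as well, which is broader than a WireGuard listener alone would need — a comment stating the reason, or an explicit UDP port list, would make that exposure deliberate.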
@@ -1,19 +1,22 @@ { lib, config, ... }: { options.my.servers.firefly-iii.enable = lib.mkEnableOption "enable"; - config = lib.mkIf (config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable) { - sops.secrets.firefly-iii-keyfile = { - owner = config.users.users.firefly-iii.name; - inherit (config.users.users.firefly-iii) group; - }; - services.firefly-iii = { - enable = true; - enableNginx = true; - settings = { - APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path; - DB_HOST = config.my.postgresSocket; - DB_CONNECTION = "pgsql"; + config = + lib.mkIf + (config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable && config.my.secureHost) + { + sops.secrets.firefly-iii-keyfile = { + owner = config.users.users.firefly-iii.name; + inherit (config.users.users.firefly-iii) group; + }; + services.firefly-iii = { + enable = true; + enableNginx = true; + settings = { + APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path; + DB_HOST = config.my.postgresSocket; + DB_CONNECTION = "pgsql"; + }; + }; }; - }; - }; }
diff --git a/modules/servers/flame.nix b/modules/servers/flame.nix
index f18df00..853aad8 100644
--- a/modules/servers/flame.nix
+++ b/modules/servers/flame.nix
@@ -2,7 +2,7 @@ let cfg = config.my.servers.flame; cfgS = config.my.servers.flameSecret; - enable = cfg.enable || cfgS.enable; + enable = (cfg.enable || cfgS.enable) && config.my.secureHost; setup = import ./setup.nix { inherit lib config; }; in {
@@ -10,12 +10,14 @@ in flame = setup.mkOptions "flame" "start" 5005; flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007; }; - config = { + config = lib.mkIf enable { networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [ cfg.port cfgS.port ]; - sops.secrets = lib.mkIf enable { flame.sopsFile = ../../secrets/env.yaml; }; + sops.secrets = { + flame.sopsFile = ../../secrets/env.yaml; + }; virtualisation.oci-containers.containers = lib.mkIf enable { flame = lib.mkIf cfg.enable { autoStart = true;
@@ -45,11 +47,9 @@ in }; }; }; - services.nginx = { - virtualHosts = lib.mkIf (cfg.enableProxy || cfgS.enableProxy) { - "${cfg.host}" = setup.proxyReverse cfg; - "${cfgS.host}" = setup.proxyReverse cfgS; - }; + services.nginx.virtualHosts = lib.mkIf enable { + "${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverse cfg); + "${cfgS.host}" = lib.mkIf cfgS.enableProxy (setup.proxyReverse cfgS); }; }; }
diff --git a/modules/servers/gitea-actions-runners/nixos.nix b/modules/servers/gitea-actions-runners/nixos.nix
index ad6ed99..436941c 100644
--- a/modules/servers/gitea-actions-runners/nixos.nix
+++ b/modules/servers/gitea-actions-runners/nixos.nix
@@ -8,7 +8,7 @@ let cfg = config.my.servers.gitea; in { - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { services.gitea-actions-runner.instances.nixos = { inherit (cfg) url enable; name = "${config.networking.hostName}-nixos";
diff --git a/modules/servers/gitea-actions-runners/ryujinx.nix b/modules/servers/gitea-actions-runners/ryujinx.nix
index 4427e6a..95a138c 100644
--- a/modules/servers/gitea-actions-runners/ryujinx.nix
+++ b/modules/servers/gitea-actions-runners/ryujinx.nix
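Review bot: With `config = lib.mkIf enable {`, the inner `virtualisation.oci-containers.containers = lib.mkIf enable {` in the first flame.nix hunk and `services.nginx.virtualHosts = lib.mkIf enable {` in the second re-test a condition the outer guard already enforces; both can drop their `lib.mkIf enable` wrapper. `networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [ cfg.port cfgS.port ];` opens both ports as soon as either instance is non-local, so the flameSecret port is exposed even when only the plain instance was meant to be; `lib.optional (!cfg.isLocal) cfg.port ++ lib.optional (!cfgS.isLocal) cfgS.port` ties each port to its own instance (assuming isLocal marks an instance as LAN-only, as the name suggests).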
@@ -8,7 +8,7 @@ let cfg = config.my.servers.gitea; in { - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { services.gitea-actions-runner.instances.ryujinx = { inherit (cfg) url enable; name = "${config.networking.hostName}-ryujinx";
diff --git a/modules/servers/gitea.nix b/modules/servers/gitea.nix
index aa709a9..403b2b8 100644
--- a/modules/servers/gitea.nix
+++ b/modules/servers/gitea.nix
@@ -14,9 +14,9 @@ in ./gitea-actions-runners/nixos.nix ]; options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083; - config = { - sops.secrets = lib.mkIf cfg.enable { gitea.sopsFile = ../../secrets/env.yaml; }; - services.gitea = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets.gitea.sopsFile = ../../secrets/env.yaml; + services.gitea = { enable = true; domain = cfg.host; rootUrl = cfg.url;
diff --git a/modules/servers/homepage.nix b/modules/servers/homepage.nix
index f7cb8f7..d22a29e 100644
--- a/modules/servers/homepage.nix
+++ b/modules/servers/homepage.nix
@@ -5,7 +5,7 @@ let in { options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082; - config = { + config = lib.mkIf config.my.secureHost { sops.secrets = lib.mkIf cfg.enable { homepage.sopsFile = ../../secrets/homepage.yaml; "private-ca/pem" = {
diff --git a/modules/servers/kavita.nix b/modules/servers/kavita.nix
index 3ad8cd7..5a98e27 100644
--- a/modules/servers/kavita.nix
+++ b/modules/servers/kavita.nix
@@ -5,8 +5,8 @@ let in { options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port; - config = { - sops.secrets.kavita-token = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets.kavita-token = { owner = config.users.users.kavita.name; inherit (config.users.users.kavita) group; };
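Review bot: homepage.nix keeps the per-attribute `sops.secrets = lib.mkIf cfg.enable {` inside `config = lib.mkIf config.my.secureHost {`, whereas most other server modules in this patch fold the enable flag into the outer guard as `lib.mkIf (cfg.enable && config.my.secureHost)`. Using the combined guard here too would let the inner `lib.mkIf cfg.enable` wrappers go, as was done for gitea.nix and kavita.nix. The rest of homepage.nix's config body lies outside the hunk, so any attributes there that are meant to apply regardless of `cfg.enable` would need checking first.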
@@ -18,7 +18,7 @@ in "piracy" ]; }; - services.kavita = lib.mkIf cfg.enable { + services.kavita = { enable = true; tokenKeyFile = config.sops.secrets.kavita-token.path; };
diff --git a/modules/servers/maloja.nix b/modules/servers/maloja.nix
index b9e7102..15edb02 100644
--- a/modules/servers/maloja.nix
+++ b/modules/servers/maloja.nix
@@ -5,9 +5,9 @@ let in { options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010; - config = { - sops.secrets = lib.mkIf cfg.enable { maloja.sopsFile = ../../secrets/env.yaml; }; - virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets.maloja.sopsFile = ../../secrets/env.yaml; + virtualisation.oci-containers.containers.maloja = { image = "krateng/maloja:3.2.3"; ports = [ "${toString cfg.port}:${toString cfg.port}" ]; environmentFiles = [ config.sops.secrets.maloja.path ];
diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix
index 6e0d7e1..6e60843 100644
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
@@ -5,11 +5,10 @@ let in { options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925; - config = { - sops.secrets = lib.mkIf cfg.enable { mealie.sopsFile = ../../secrets/env.yaml; }; - services.mealie = lib.mkIf cfg.enable { - enable = true; - inherit (cfg) port; + config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets.mealie.sopsFile = ../../secrets/env.yaml; + services.mealie = { + inherit (cfg) port enable; settings = { TZ = config.my.timeZone; DEFAULT_GROUP = "Home";
diff --git a/modules/servers/multi-scrobbler.nix b/modules/servers/multi-scrobbler.nix
index 35736b6..eaab171 100644
--- a/modules/servers/multi-scrobbler.nix
+++ b/modules/servers/multi-scrobbler.nix
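Review bot: `inherit (cfg) port enable;` in mealie.nix reads `enable` from `cfg` inside a `config` that is already guarded by `cfg.enable`, so the value is always `true` there; readeck.nix in this same patch goes the opposite way and replaces `inherit (cfg) enable;` with `enable = true;`. Picking one form for both keeps the modules consistent, and `enable = true;` is what the rest of the patch uses — i.e. `inherit (cfg) port;` followed by `enable = true;` here.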
@@ -5,9 +5,9 @@ let in { options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078; - config = { - sops.secrets = lib.mkIf cfg.enable { multi-scrobbler.sopsFile = ../../secrets/env.yaml; }; - virtualisation.oci-containers.containers.multi-scrobbler = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets.multi-scrobbler.sopsFile = ../../secrets/env.yaml; + virtualisation.oci-containers.containers.multi-scrobbler = { image = "foxxmd/multi-scrobbler:0.9.11"; ports = [ "${toString cfg.port}:${toString cfg.port}" ]; environmentFiles = [ config.sops.secrets.multi-scrobbler.path ];
diff --git a/modules/servers/nextcloud.nix b/modules/servers/nextcloud.nix
index f87c101..31bce26 100644
--- a/modules/servers/nextcloud.nix
+++ b/modules/servers/nextcloud.nix
@@ -39,7 +39,7 @@ in collabora = setup.mkOptions "collabora" "collabora" 9980; go-vod.enable = lib.mkEnableOption "enable"; }; - config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) { + config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) { sops.secrets.nextcloud-adminpass = { owner = config.users.users.nextcloud.name; inherit (config.users.users.nextcloud) group;
diff --git a/modules/servers/nix-serve.nix b/modules/servers/nix-serve.nix
index 0808a2d..8c3f51e 100644
--- a/modules/servers/nix-serve.nix
+++ b/modules/servers/nix-serve.nix
@@ -10,7 +10,7 @@ let in { options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000; - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { sops.secrets."private_cache_keys/miniserver".sopsFile = ../../secrets/keys.yaml; services.nix-serve = { enable = true;
diff --git a/modules/servers/radarr.nix b/modules/servers/radarr.nix
index d77cb32..d4b25e9 100644
--- a/modules/servers/radarr.nix
+++ b/modules/servers/radarr.nix
@@ -5,8 +5,10 @@ let in { options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878; - config.services.radarr = lib.mkIf cfg.enable { - enable = true; - group = "piracy"; + config = lib.mkIf (cfg.enable && config.my.secureHost) { + services.radarr = { + enable = true; + group = "piracy"; + }; }; }
diff --git a/modules/servers/readeck.nix b/modules/servers/readeck.nix
index a809ce0..012590a 100644
--- a/modules/servers/readeck.nix
+++ b/modules/servers/readeck.nix
@@ -5,10 +5,10 @@ let in { options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546; - config = { + config = lib.mkIf (cfg.enable && config.my.secureHost) { sops.secrets.readeck.sopsFile = ../../secrets/env.yaml; services.readeck = { - inherit (cfg) enable; + enable = true; environmentFile = config.sops.secrets.readeck.path; settings = { main = {
diff --git a/modules/servers/ryot.nix b/modules/servers/ryot.nix
index d2e7e0f..74eb382 100644
--- a/modules/servers/ryot.nix
+++ b/modules/servers/ryot.nix
@@ -5,19 +5,22 @@ let in { options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765; - config = lib.mkIf (config.my.servers.ryot.enable && config.my.servers.postgres.enable) { - sops.secrets.ryot.sopsFile = ../../secrets/env.yaml; - virtualisation.oci-containers.containers.ryot = { - image = "ghcr.io/ignisda/ryot:v9.2.0"; - ports = [ "${toString cfg.port}:8000" ]; - environmentFiles = [ config.sops.secrets.ryot.path ]; - environment = { - RUST_LOG = "ryot=debug,sea_orm=debug"; - TZ = config.my.timeZone; - DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}"; - FRONTEND_INSECURE_COOKIES = "true"; + config = + lib.mkIf + (config.my.servers.ryot.enable && config.my.servers.postgres.enable && config.my.secureHost) + { + sops.secrets.ryot.sopsFile = ../../secrets/env.yaml; + virtualisation.oci-containers.containers.ryot = { + image = "ghcr.io/ignisda/ryot:v9.2.0"; + ports = [ "${toString cfg.port}:8000" ]; + environmentFiles = [ config.sops.secrets.ryot.path ]; + environment = { + RUST_LOG = "ryot=debug,sea_orm=debug"; + TZ = config.my.timeZone; + DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}"; + FRONTEND_INSECURE_COOKIES = "true"; + }; + volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ]; + }; }; - volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ]; - }; - }; }
diff --git a/modules/servers/shiori.nix b/modules/servers/shiori.nix
index 3931666..5b0a123 100644
--- a/modules/servers/shiori.nix
+++ b/modules/servers/shiori.nix
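Review bot: The re-indented environment block still passes `FRONTEND_INSECURE_COOKIES = "true"` and `RUST_LOG = "ryot=debug,sea_orm=debug"` to the container, and nothing on the new side records why; a comment above `environment = {` giving the reason (for instance that the service is only reached over plain HTTP on the local network, if that is the case) would stop a later reader from treating them as leftovers. If ryot is in fact served over TLS through the nginx proxy, the insecure-cookie setting can presumably be dropped, and debug-level ORM logging may write query details into the journal that a production host does not need.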
@@ -5,13 +5,16 @@ let in { options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368; - config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) { - sops.secrets = lib.mkIf cfg.enable { shiori.sopsFile = ../../secrets/env.yaml; }; - services.shiori = lib.mkIf cfg.enable { - inherit (cfg) port; - enable = true; - environmentFile = config.sops.secrets.shiori.path; - databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}"; - }; - }; + config = + lib.mkIf + (config.my.servers.shiori.enable && config.my.servers.postgres.enable && config.my.secureHost) + { + sops.secrets.shiori.sopsFile = ../../secrets/env.yaml; + services.shiori = { + inherit (cfg) port; + enable = true; + environmentFile = config.sops.secrets.shiori.path; + databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}"; + }; + }; }
diff --git a/modules/servers/stash.nix b/modules/servers/stash.nix
index c432d63..dcfb0dc 100644
--- a/modules/servers/stash.nix
+++ b/modules/servers/stash.nix
@@ -5,13 +5,13 @@ let in { options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999; - config = { - sops.secrets = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets = { "stash/password".sopsFile = ../../secrets/env.yaml; "stash/jwt".sopsFile = ../../secrets/env.yaml; "stash/session".sopsFile = ../../secrets/env.yaml; }; - services.stash = lib.mkIf cfg.enable { + services.stash = { enable = true; group = "piracy"; mutableSettings = true;
diff --git a/modules/servers/synapse.nix b/modules/servers/synapse.nix
index 0fc6b42..d3672ed 100644
--- a/modules/servers/synapse.nix
+++ b/modules/servers/synapse.nix
@@ -22,12 +22,12 @@ in synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008; element = setup.mkOptions "element" "55a608953f6d64c199" 5345; }; - config = { + config = lib.mkIf (cfg.enable && config.my.secureHost) { my.servers = { synapse = { inherit domain; }; element = { inherit domain; }; }; - sops.secrets = lib.mkIf cfg.enable { + sops.secrets = { synapse = { sopsFile = ../../secrets/env.yaml; owner = "matrix-synapse";
@@ -50,7 +50,7 @@ in }; }; networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; - services = lib.mkIf cfg.enable { + services = { matrix-synapse = { enable = true; extraConfigFiles = [
diff --git a/modules/servers/vaultwarden.nix b/modules/servers/vaultwarden.nix
index 5a3e8da..f171a22 100644
--- a/modules/servers/vaultwarden.nix
+++ b/modules/servers/vaultwarden.nix
@@ -10,9 +10,9 @@ let in { options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222; - config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) { - sops.secrets = lib.mkIf cfg.enable { vaultwarden.sopsFile = ../../secrets/env.yaml; }; - services.vaultwarden = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) { + sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml; + services.vaultwarden = { enable = true; dbBackend = "postgresql"; package = pkgs.vaultwarden;
diff --git a/modules/services/msmtp.nix b/modules/services/msmtp.nix
index 92583ef..519978d 100644
--- a/modules/services/msmtp.nix
+++ b/modules/services/msmtp.nix
@@ -7,7 +7,7 @@ let cfg = config.my.servers; in { - config = lib.mkIf cfg.nextcloud.enable or cfg.gitea.enable { + config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable or cfg.gitea.enable)) { sops.secrets.smtp-password = { }; programs.msmtp = { enable = true;
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 1ecaef5..bb33c0b 100644
--- a/modules/services/wireguard.nix
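Review bot: In `lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable or cfg.gitea.enable))` in msmtp.nix, `or` is Nix's attribute-default operator, not boolean disjunction: the expression evaluates to `cfg.nextcloud.enable` whenever that attribute exists and consults `cfg.gitea.enable` only if it does not, so msmtp is never configured on a host that enables gitea but not nextcloud. The added parentheses carry that behaviour over from the removed line; it should read `config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable || cfg.gitea.enable)) {`.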
+++ b/modules/services/wireguard.nix
@@ -10,7 +10,7 @@ let in { options.my.services.wireguard.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.services.wireguard.enable { + config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) { sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml; networking = { firewall.allowedUDPPorts = [ port ];