added secureHost flag

This commit is contained in:
Danilo Reyes 2025-09-28 10:52:27 -06:00
parent d704e0ee13
commit a376428118
24 changed files with 100 additions and 87 deletions


@ -1,6 +1,7 @@
{ {
pkgs, pkgs,
config, config,
lib,
... ...
}: }:
{ {
@ -35,14 +36,16 @@
supportedFeatures = config.my.nix.features; supportedFeatures = config.my.nix.features;
} }
]; ];
sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml; sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost {
sopsFile = ../../secrets/wireguard.yaml;
};
networking = { networking = {
hostName = "server"; hostName = "server";
firewall = { firewall = {
allowedUDPPorts = config.networking.firewall.allowedTCPPorts; allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
interfaces.wg0.allowedTCPPorts = [ 8081 ]; interfaces.wg0.allowedTCPPorts = [ 8081 ];
}; };
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
ips = [ "${config.my.ips.wg-server}/32" ]; ips = [ "${config.my.ips.wg-server}/32" ];
privateKeyFile = config.sops.secrets."vps/home/private".path; privateKeyFile = config.sops.secrets."vps/home/private".path;
peers = [ peers = [
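Review bot: `interfaces.wg0.allowedTCPPorts = [ 8081 ]` stays unconditional while `wireguard.interfaces.wg0` is now wrapped in `lib.mkIf config.my.secureHost`, so on a non-secure host the firewall carries a rule for an interface that is never created; gating it the same way, `interfaces.wg0.allowedTCPPorts = lib.mkIf config.my.secureHost [ 8081 ];`, keeps the two in step. Separately, `allowedUDPPorts = config.networking.firewall.allowedTCPPorts` opens UDP for every TCP port the host ever exposes, which is broader than WireGuard needs; listing the UDP ports explicitly would narrow that exposure. The wg0 `peers` list continues past the end of the hunk.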


@ -7,7 +7,7 @@
}: }:
{ {
imports = [ ./base.nix ]; imports = [ ./base.nix ];
config = { config = lib.mkIf config.my.secureHost {
sops.secrets = { sops.secrets = {
cloudflare-api.sopsFile = ../../secrets/env.yaml; cloudflare-api.sopsFile = ../../secrets/env.yaml;
dns = { dns = {
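Review bot: The new `lib.mkIf config.my.secureHost` on the `config =` line needs `lib` in this module's argument set, and the argument list sits above the hunk so it cannot be confirmed here; the first file in this commit had to add `lib,` to its arguments for exactly this reason, so it is worth checking that this module still evaluates. Wrapping the whole `config` block also drops any non-secret settings declared further down in it on non-secure hosts, which may or may not be intended. The `sops.secrets` set and the rest of the block continue past the hunk.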


@ -5,7 +5,7 @@ let
in in
{ {
options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343; options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343;
config = lib.mkIf cfg.enable { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets."private_cache_keys/atticd".sopsFile = ../../secrets/keys.yaml; sops.secrets."private_cache_keys/atticd".sopsFile = ../../secrets/keys.yaml;
services.atticd = { services.atticd = {
enable = true; enable = true;
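Review bot: With `lib.mkIf (cfg.enable && config.my.secureHost)`, a host that sets `my.servers.atticd.enable = true` but not `secureHost` silently ends up with neither the cache service nor its signing key, which is easy to miss; an assertion such as `assertions = [ { assertion = cfg.enable -> config.my.secureHost; message = "atticd needs my.secureHost"; } ];` would surface it at evaluation time (or a `warnings` entry if the silent skip is deliberate for shared host configs). The `my.secureHost` option declaration and its default are not in this chunk; if it defaults to true the gate protects nothing, so confirming the default is false is worthwhile. The `services.atticd` block continues past the hunk.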


@ -1,7 +1,10 @@
{ lib, config, ... }: { lib, config, ... }:
{ {
options.my.servers.firefly-iii.enable = lib.mkEnableOption "enable"; options.my.servers.firefly-iii.enable = lib.mkEnableOption "enable";
config = lib.mkIf (config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable) { config =
lib.mkIf
(config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable && config.my.secureHost)
{
sops.secrets.firefly-iii-keyfile = { sops.secrets.firefly-iii-keyfile = {
owner = config.users.users.firefly-iii.name; owner = config.users.users.firefly-iii.name;
inherit (config.users.users.firefly-iii) group; inherit (config.users.users.firefly-iii) group;


@ -2,7 +2,7 @@
let let
cfg = config.my.servers.flame; cfg = config.my.servers.flame;
cfgS = config.my.servers.flameSecret; cfgS = config.my.servers.flameSecret;
enable = cfg.enable || cfgS.enable; enable = (cfg.enable || cfgS.enable) && config.my.secureHost;
setup = import ./setup.nix { inherit lib config; }; setup = import ./setup.nix { inherit lib config; };
in in
{ {
@ -10,12 +10,14 @@ in
flame = setup.mkOptions "flame" "start" 5005; flame = setup.mkOptions "flame" "start" 5005;
flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007; flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007;
}; };
config = { config = lib.mkIf enable {
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [ networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [
cfg.port cfg.port
cfgS.port cfgS.port
]; ];
sops.secrets = lib.mkIf enable { flame.sopsFile = ../../secrets/env.yaml; }; sops.secrets = {
flame.sopsFile = ../../secrets/env.yaml;
};
virtualisation.oci-containers.containers = lib.mkIf enable { virtualisation.oci-containers.containers = lib.mkIf enable {
flame = lib.mkIf cfg.enable { flame = lib.mkIf cfg.enable {
autoStart = true; autoStart = true;
@ -45,11 +47,9 @@ in
}; };
}; };
}; };
services.nginx = { services.nginx.virtualHosts = lib.mkIf enable {
virtualHosts = lib.mkIf (cfg.enableProxy || cfgS.enableProxy) { "${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverse cfg);
"${cfg.host}" = setup.proxyReverse cfg; "${cfgS.host}" = lib.mkIf cfgS.enableProxy (setup.proxyReverse cfgS);
"${cfgS.host}" = setup.proxyReverse cfgS;
};
}; };
}; };
} }


@ -8,7 +8,7 @@ let
cfg = config.my.servers.gitea; cfg = config.my.servers.gitea;
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf (cfg.enable && config.my.secureHost) {
services.gitea-actions-runner.instances.nixos = { services.gitea-actions-runner.instances.nixos = {
inherit (cfg) url enable; inherit (cfg) url enable;
name = "${config.networking.hostName}-nixos"; name = "${config.networking.hostName}-nixos";


@ -8,7 +8,7 @@ let
cfg = config.my.servers.gitea; cfg = config.my.servers.gitea;
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf (cfg.enable && config.my.secureHost) {
services.gitea-actions-runner.instances.ryujinx = { services.gitea-actions-runner.instances.ryujinx = {
inherit (cfg) url enable; inherit (cfg) url enable;
name = "${config.networking.hostName}-ryujinx"; name = "${config.networking.hostName}-ryujinx";


@ -14,9 +14,9 @@ in
./gitea-actions-runners/nixos.nix ./gitea-actions-runners/nixos.nix
]; ];
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083; options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = lib.mkIf cfg.enable { gitea.sopsFile = ../../secrets/env.yaml; }; sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
services.gitea = lib.mkIf cfg.enable { services.gitea = {
enable = true; enable = true;
domain = cfg.host; domain = cfg.host;
rootUrl = cfg.url; rootUrl = cfg.url;


@ -5,7 +5,7 @@ let
in in
{ {
options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082; options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
config = { config = lib.mkIf config.my.secureHost {
sops.secrets = lib.mkIf cfg.enable { sops.secrets = lib.mkIf cfg.enable {
homepage.sopsFile = ../../secrets/homepage.yaml; homepage.sopsFile = ../../secrets/homepage.yaml;
"private-ca/pem" = { "private-ca/pem" = {


@ -5,8 +5,8 @@ let
in in
{ {
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port; options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.kavita-token = lib.mkIf cfg.enable { sops.secrets.kavita-token = {
owner = config.users.users.kavita.name; owner = config.users.users.kavita.name;
inherit (config.users.users.kavita) group; inherit (config.users.users.kavita) group;
}; };
@ -18,7 +18,7 @@ in
"piracy" "piracy"
]; ];
}; };
services.kavita = lib.mkIf cfg.enable { services.kavita = {
enable = true; enable = true;
tokenKeyFile = config.sops.secrets.kavita-token.path; tokenKeyFile = config.sops.secrets.kavita-token.path;
}; };


@ -5,9 +5,9 @@ let
in in
{ {
options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010; options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = lib.mkIf cfg.enable { maloja.sopsFile = ../../secrets/env.yaml; }; sops.secrets.maloja.sopsFile = ../../secrets/env.yaml;
virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable { virtualisation.oci-containers.containers.maloja = {
image = "krateng/maloja:3.2.3"; image = "krateng/maloja:3.2.3";
ports = [ "${toString cfg.port}:${toString cfg.port}" ]; ports = [ "${toString cfg.port}:${toString cfg.port}" ];
environmentFiles = [ config.sops.secrets.maloja.path ]; environmentFiles = [ config.sops.secrets.maloja.path ];
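Review bot: `ports = [ "${toString cfg.port}:${toString cfg.port}" ]` publishes the container port without a host address, so it binds on every interface; if the OCI backend is Docker, a published port is reachable regardless of `networking.firewall`, which would make the `isLocal` distinction used elsewhere in this commit ineffective for this service. Binding to loopback when the instance is meant to be local, e.g. `ports = [ "${lib.optionalString cfg.isLocal "127.0.0.1:"}${toString cfg.port}:${toString cfg.port}" ];`, keeps it reachable only through the reverse proxy. That `cfg.isLocal` exists for maloja is inferred from the other modules' use of `setup.mkOptions`; the container definition continues past the hunk.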


@ -5,11 +5,10 @@ let
in in
{ {
options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925; options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = lib.mkIf cfg.enable { mealie.sopsFile = ../../secrets/env.yaml; }; sops.secrets.mealie.sopsFile = ../../secrets/env.yaml;
services.mealie = lib.mkIf cfg.enable { services.mealie = {
enable = true; inherit (cfg) port enable;
inherit (cfg) port;
settings = { settings = {
TZ = config.my.timeZone; TZ = config.my.timeZone;
DEFAULT_GROUP = "Home"; DEFAULT_GROUP = "Home";
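Review bot: `inherit (cfg) port enable;` on the `services.mealie` block re-reads `cfg.enable` even though the enclosing `lib.mkIf (cfg.enable && config.my.secureHost)` already guarantees it is true; the readeck module in this same commit made the opposite choice and replaced `inherit (cfg) enable` with `enable = true`, so the two should agree — `enable = true; inherit (cfg) port;` here matches readeck. The `settings` attribute set continues past the hunk.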


@ -5,9 +5,9 @@ let
in in
{ {
options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078; options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = lib.mkIf cfg.enable { multi-scrobbler.sopsFile = ../../secrets/env.yaml; }; sops.secrets.multi-scrobbler.sopsFile = ../../secrets/env.yaml;
virtualisation.oci-containers.containers.multi-scrobbler = lib.mkIf cfg.enable { virtualisation.oci-containers.containers.multi-scrobbler = {
image = "foxxmd/multi-scrobbler:0.9.11"; image = "foxxmd/multi-scrobbler:0.9.11";
ports = [ "${toString cfg.port}:${toString cfg.port}" ]; ports = [ "${toString cfg.port}:${toString cfg.port}" ];
environmentFiles = [ config.sops.secrets.multi-scrobbler.path ]; environmentFiles = [ config.sops.secrets.multi-scrobbler.path ];
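Review bot: `image = "foxxmd/multi-scrobbler:0.9.11"` pins a mutable tag, so the image actually pulled can change without any change to this file; appending the image digest (`foxxmd/multi-scrobbler:0.9.11@sha256:<digest>`) makes the deployment reproducible, and the same applies to the maloja and ryot images touched by this commit. The container definition continues past the hunk.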


@ -39,7 +39,7 @@ in
collabora = setup.mkOptions "collabora" "collabora" 9980; collabora = setup.mkOptions "collabora" "collabora" 9980;
go-vod.enable = lib.mkEnableOption "enable"; go-vod.enable = lib.mkEnableOption "enable";
}; };
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) { config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets.nextcloud-adminpass = { sops.secrets.nextcloud-adminpass = {
owner = config.users.users.nextcloud.name; owner = config.users.users.nextcloud.name;
inherit (config.users.users.nextcloud) group; inherit (config.users.users.nextcloud) group;


@ -10,7 +10,7 @@ let
in in
{ {
options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000; options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000;
config = lib.mkIf cfg.enable { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets."private_cache_keys/miniserver".sopsFile = ../../secrets/keys.yaml; sops.secrets."private_cache_keys/miniserver".sopsFile = ../../secrets/keys.yaml;
services.nix-serve = { services.nix-serve = {
enable = true; enable = true;


@ -5,8 +5,10 @@ let
in in
{ {
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878; options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
config.services.radarr = lib.mkIf cfg.enable { config = lib.mkIf (cfg.enable && config.my.secureHost) {
services.radarr = {
enable = true; enable = true;
group = "piracy"; group = "piracy";
}; };
};
} }


@ -5,10 +5,10 @@ let
in in
{ {
options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546; options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546;
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.readeck.sopsFile = ../../secrets/env.yaml; sops.secrets.readeck.sopsFile = ../../secrets/env.yaml;
services.readeck = { services.readeck = {
inherit (cfg) enable; enable = true;
environmentFile = config.sops.secrets.readeck.path; environmentFile = config.sops.secrets.readeck.path;
settings = { settings = {
main = { main = {


@ -5,7 +5,10 @@ let
in in
{ {
options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765; options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765;
config = lib.mkIf (config.my.servers.ryot.enable && config.my.servers.postgres.enable) { config =
lib.mkIf
(config.my.servers.ryot.enable && config.my.servers.postgres.enable && config.my.secureHost)
{
sops.secrets.ryot.sopsFile = ../../secrets/env.yaml; sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
virtualisation.oci-containers.containers.ryot = { virtualisation.oci-containers.containers.ryot = {
image = "ghcr.io/ignisda/ryot:v9.2.0"; image = "ghcr.io/ignisda/ryot:v9.2.0";


@ -5,9 +5,12 @@ let
in in
{ {
options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368; options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;
config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) { config =
sops.secrets = lib.mkIf cfg.enable { shiori.sopsFile = ../../secrets/env.yaml; }; lib.mkIf
services.shiori = lib.mkIf cfg.enable { (config.my.servers.shiori.enable && config.my.servers.postgres.enable && config.my.secureHost)
{
sops.secrets.shiori.sopsFile = ../../secrets/env.yaml;
services.shiori = {
inherit (cfg) port; inherit (cfg) port;
enable = true; enable = true;
environmentFile = config.sops.secrets.shiori.path; environmentFile = config.sops.secrets.shiori.path;


@ -5,13 +5,13 @@ let
in in
{ {
options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999; options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = lib.mkIf cfg.enable { sops.secrets = {
"stash/password".sopsFile = ../../secrets/env.yaml; "stash/password".sopsFile = ../../secrets/env.yaml;
"stash/jwt".sopsFile = ../../secrets/env.yaml; "stash/jwt".sopsFile = ../../secrets/env.yaml;
"stash/session".sopsFile = ../../secrets/env.yaml; "stash/session".sopsFile = ../../secrets/env.yaml;
}; };
services.stash = lib.mkIf cfg.enable { services.stash = {
enable = true; enable = true;
group = "piracy"; group = "piracy";
mutableSettings = true; mutableSettings = true;


@ -22,12 +22,12 @@ in
synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008; synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
element = setup.mkOptions "element" "55a608953f6d64c199" 5345; element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
}; };
config = { config = lib.mkIf (cfg.enable && config.my.secureHost) {
my.servers = { my.servers = {
synapse = { inherit domain; }; synapse = { inherit domain; };
element = { inherit domain; }; element = { inherit domain; };
}; };
sops.secrets = lib.mkIf cfg.enable { sops.secrets = {
synapse = { synapse = {
sopsFile = ../../secrets/env.yaml; sopsFile = ../../secrets/env.yaml;
owner = "matrix-synapse"; owner = "matrix-synapse";
@ -50,7 +50,7 @@ in
}; };
}; };
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
services = lib.mkIf cfg.enable { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
extraConfigFiles = [ extraConfigFiles = [


@ -10,9 +10,9 @@ let
in in
{ {
options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222; options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) { config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets = lib.mkIf cfg.enable { vaultwarden.sopsFile = ../../secrets/env.yaml; }; sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
services.vaultwarden = lib.mkIf cfg.enable { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";
package = pkgs.vaultwarden; package = pkgs.vaultwarden;


@ -7,7 +7,7 @@ let
cfg = config.my.servers; cfg = config.my.servers;
in in
{ {
config = lib.mkIf cfg.nextcloud.enable or cfg.gitea.enable { config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable or cfg.gitea.enable)) {
sops.secrets.smtp-password = { }; sops.secrets.smtp-password = { };
programs.msmtp = { programs.msmtp = {
enable = true; enable = true;
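Review bot: In `cfg.nextcloud.enable or cfg.gitea.enable`, the Nix `or` is the attribute-selection default operator, not boolean disjunction: it yields `cfg.nextcloud.enable` whenever that path exists (and it does, since the option is declared) and only falls back to `cfg.gitea.enable` if it does not, so a host with only gitea enabled never gets `smtp-password` or msmtp. The new parentheses suggest a boolean `||` was intended: `config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable || cfg.gitea.enable)) {`. The `programs.msmtp` block continues past the hunk.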


@ -10,7 +10,7 @@ let
in in
{ {
options.my.services.wireguard.enable = lib.mkEnableOption "enable"; options.my.services.wireguard.enable = lib.mkEnableOption "enable";
config = lib.mkIf config.my.services.wireguard.enable { config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml; sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
networking = { networking = {
firewall.allowedUDPPorts = [ port ]; firewall.allowedUDPPorts = [ port ];