added secureHost flag
This commit is contained in:
parent
d704e0ee13
commit
a376428118
@ -1,6 +1,7 @@
|
|||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
|
lib,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
@ -35,14 +36,16 @@
|
|||||||
supportedFeatures = config.my.nix.features;
|
supportedFeatures = config.my.nix.features;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
|
sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost {
|
||||||
|
sopsFile = ../../secrets/wireguard.yaml;
|
||||||
|
};
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "server";
|
hostName = "server";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
|
allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
|
||||||
interfaces.wg0.allowedTCPPorts = [ 8081 ];
|
interfaces.wg0.allowedTCPPorts = [ 8081 ];
|
||||||
};
|
};
|
||||||
wireguard.interfaces.wg0 = {
|
wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
|
||||||
ips = [ "${config.my.ips.wg-server}/32" ];
|
ips = [ "${config.my.ips.wg-server}/32" ];
|
||||||
privateKeyFile = config.sops.secrets."vps/home/private".path;
|
privateKeyFile = config.sops.secrets."vps/home/private".path;
|
||||||
peers = [
|
peers = [
|
||||||
|
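Review bot: Nothing in this commit declares `options.my.secureHost`, yet every hunk reads `config.my.secureHost` (here at the `sops.secrets."vps/home/private"` and `wireguard.interfaces.wg0` assignments); unless the option is declared in a file outside this diff, evaluation will fail on a missing attribute, and if it is declared elsewhere a one-line comment at the first use, such as `# secureHost: this host holds the sops key and may declare secrets`, would document the contract. The gating in this hunk is also asymmetric: `wireguard.interfaces.wg0` is now conditional while the context line `interfaces.wg0.allowedTCPPorts = [ 8081 ];` stays unconditional, so a non-secure host keeps a firewall exception for an interface it never creates; consider `interfaces.wg0.allowedTCPPorts = lib.mkIf config.my.secureHost [ 8081 ];`. The enclosing attribute set continues past the hunk.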
|||||||
@ -7,7 +7,7 @@
|
|||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
imports = [ ./base.nix ];
|
imports = [ ./base.nix ];
|
||||||
config = {
|
config = lib.mkIf config.my.secureHost {
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
cloudflare-api.sopsFile = ../../secrets/env.yaml;
|
cloudflare-api.sopsFile = ../../secrets/env.yaml;
|
||||||
dns = {
|
dns = {
|
||||||
|
|||||||
@ -5,7 +5,7 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343;
|
options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343;
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets."private_cache_keys/atticd".sopsFile = ../../secrets/keys.yaml;
|
sops.secrets."private_cache_keys/atticd".sopsFile = ../../secrets/keys.yaml;
|
||||||
services.atticd = {
|
services.atticd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|||||||
@ -1,19 +1,22 @@
|
|||||||
{ lib, config, ... }:
|
{ lib, config, ... }:
|
||||||
{
|
{
|
||||||
options.my.servers.firefly-iii.enable = lib.mkEnableOption "enable";
|
options.my.servers.firefly-iii.enable = lib.mkEnableOption "enable";
|
||||||
config = lib.mkIf (config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable) {
|
config =
|
||||||
sops.secrets.firefly-iii-keyfile = {
|
lib.mkIf
|
||||||
owner = config.users.users.firefly-iii.name;
|
(config.my.servers.firefly-iii.enable && config.my.servers.postgres.enable && config.my.secureHost)
|
||||||
inherit (config.users.users.firefly-iii) group;
|
{
|
||||||
};
|
sops.secrets.firefly-iii-keyfile = {
|
||||||
services.firefly-iii = {
|
owner = config.users.users.firefly-iii.name;
|
||||||
enable = true;
|
inherit (config.users.users.firefly-iii) group;
|
||||||
enableNginx = true;
|
};
|
||||||
settings = {
|
services.firefly-iii = {
|
||||||
APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path;
|
enable = true;
|
||||||
DB_HOST = config.my.postgresSocket;
|
enableNginx = true;
|
||||||
DB_CONNECTION = "pgsql";
|
settings = {
|
||||||
|
APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path;
|
||||||
|
DB_HOST = config.my.postgresSocket;
|
||||||
|
DB_CONNECTION = "pgsql";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -2,7 +2,7 @@
|
|||||||
let
|
let
|
||||||
cfg = config.my.servers.flame;
|
cfg = config.my.servers.flame;
|
||||||
cfgS = config.my.servers.flameSecret;
|
cfgS = config.my.servers.flameSecret;
|
||||||
enable = cfg.enable || cfgS.enable;
|
enable = (cfg.enable || cfgS.enable) && config.my.secureHost;
|
||||||
setup = import ./setup.nix { inherit lib config; };
|
setup = import ./setup.nix { inherit lib config; };
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
@ -10,12 +10,14 @@ in
|
|||||||
flame = setup.mkOptions "flame" "start" 5005;
|
flame = setup.mkOptions "flame" "start" 5005;
|
||||||
flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007;
|
flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007;
|
||||||
};
|
};
|
||||||
config = {
|
config = lib.mkIf enable {
|
||||||
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [
|
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [
|
||||||
cfg.port
|
cfg.port
|
||||||
cfgS.port
|
cfgS.port
|
||||||
];
|
];
|
||||||
sops.secrets = lib.mkIf enable { flame.sopsFile = ../../secrets/env.yaml; };
|
sops.secrets = {
|
||||||
|
flame.sopsFile = ../../secrets/env.yaml;
|
||||||
|
};
|
||||||
virtualisation.oci-containers.containers = lib.mkIf enable {
|
virtualisation.oci-containers.containers = lib.mkIf enable {
|
||||||
flame = lib.mkIf cfg.enable {
|
flame = lib.mkIf cfg.enable {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
@ -45,11 +47,9 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx.virtualHosts = lib.mkIf enable {
|
||||||
virtualHosts = lib.mkIf (cfg.enableProxy || cfgS.enableProxy) {
|
"${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverse cfg);
|
||||||
"${cfg.host}" = setup.proxyReverse cfg;
|
"${cfgS.host}" = lib.mkIf cfgS.enableProxy (setup.proxyReverse cfgS);
|
||||||
"${cfgS.host}" = setup.proxyReverse cfgS;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
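Review bot: The inner `lib.mkIf enable` on `virtualisation.oci-containers.containers` and on `services.nginx.virtualHosts` is now redundant, because `config = lib.mkIf enable {` already gates the whole attribute set and `enable` itself now includes `config.my.secureHost`; `sops.secrets` was unwrapped in the same hunk, so the other two should follow: `virtualisation.oci-containers.containers = {` and `services.nginx.virtualHosts = {`. The nginx rewrite also replaces the `cfg.enableProxy || cfgS.enableProxy` gate with the per-host `lib.mkIf cfg.enableProxy` / `lib.mkIf cfgS.enableProxy`, which looks equivalent, but a short comment stating that would save the next reader the comparison.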
|||||||
@ -8,7 +8,7 @@ let
|
|||||||
cfg = config.my.servers.gitea;
|
cfg = config.my.servers.gitea;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
services.gitea-actions-runner.instances.nixos = {
|
services.gitea-actions-runner.instances.nixos = {
|
||||||
inherit (cfg) url enable;
|
inherit (cfg) url enable;
|
||||||
name = "${config.networking.hostName}-nixos";
|
name = "${config.networking.hostName}-nixos";
|
||||||
|
|||||||
@ -8,7 +8,7 @@ let
|
|||||||
cfg = config.my.servers.gitea;
|
cfg = config.my.servers.gitea;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
services.gitea-actions-runner.instances.ryujinx = {
|
services.gitea-actions-runner.instances.ryujinx = {
|
||||||
inherit (cfg) url enable;
|
inherit (cfg) url enable;
|
||||||
name = "${config.networking.hostName}-ryujinx";
|
name = "${config.networking.hostName}-ryujinx";
|
||||||
|
|||||||
@ -14,9 +14,9 @@ in
|
|||||||
./gitea-actions-runners/nixos.nix
|
./gitea-actions-runners/nixos.nix
|
||||||
];
|
];
|
||||||
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
|
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets = lib.mkIf cfg.enable { gitea.sopsFile = ../../secrets/env.yaml; };
|
sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
|
||||||
services.gitea = lib.mkIf cfg.enable {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = cfg.host;
|
domain = cfg.host;
|
||||||
rootUrl = cfg.url;
|
rootUrl = cfg.url;
|
||||||
|
|||||||
@ -5,7 +5,7 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
|
options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
|
||||||
config = {
|
config = lib.mkIf config.my.secureHost {
|
||||||
sops.secrets = lib.mkIf cfg.enable {
|
sops.secrets = lib.mkIf cfg.enable {
|
||||||
homepage.sopsFile = ../../secrets/homepage.yaml;
|
homepage.sopsFile = ../../secrets/homepage.yaml;
|
||||||
"private-ca/pem" = {
|
"private-ca/pem" = {
|
||||||
|
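Review bot: The new gate `config = lib.mkIf config.my.secureHost {` omits `cfg.enable`, unlike the sibling modules in this commit (atticd, kavita, maloja, mealie, …) which use `lib.mkIf (cfg.enable && config.my.secureHost)`, so the inner `sops.secrets = lib.mkIf cfg.enable {` still has to carry its own condition. If the rest of this `config` block (outside the hunk) contains settings that must apply even when the service is disabled, a comment on the `config =` line saying so would explain the difference; otherwise fold `cfg.enable` into the outer condition and drop the inner `lib.mkIf`. The attribute set continues past the hunk.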
|||||||
@ -5,8 +5,8 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
|
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets.kavita-token = lib.mkIf cfg.enable {
|
sops.secrets.kavita-token = {
|
||||||
owner = config.users.users.kavita.name;
|
owner = config.users.users.kavita.name;
|
||||||
inherit (config.users.users.kavita) group;
|
inherit (config.users.users.kavita) group;
|
||||||
};
|
};
|
||||||
@ -18,7 +18,7 @@ in
|
|||||||
"piracy"
|
"piracy"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
services.kavita = lib.mkIf cfg.enable {
|
services.kavita = {
|
||||||
enable = true;
|
enable = true;
|
||||||
tokenKeyFile = config.sops.secrets.kavita-token.path;
|
tokenKeyFile = config.sops.secrets.kavita-token.path;
|
||||||
};
|
};
|
||||||
|
|||||||
@ -5,9 +5,9 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;
|
options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets = lib.mkIf cfg.enable { maloja.sopsFile = ../../secrets/env.yaml; };
|
sops.secrets.maloja.sopsFile = ../../secrets/env.yaml;
|
||||||
virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable {
|
virtualisation.oci-containers.containers.maloja = {
|
||||||
image = "krateng/maloja:3.2.3";
|
image = "krateng/maloja:3.2.3";
|
||||||
ports = [ "${toString cfg.port}:${toString cfg.port}" ];
|
ports = [ "${toString cfg.port}:${toString cfg.port}" ];
|
||||||
environmentFiles = [ config.sops.secrets.maloja.path ];
|
environmentFiles = [ config.sops.secrets.maloja.path ];
|
||||||
|
|||||||
@ -5,11 +5,10 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;
|
options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets = lib.mkIf cfg.enable { mealie.sopsFile = ../../secrets/env.yaml; };
|
sops.secrets.mealie.sopsFile = ../../secrets/env.yaml;
|
||||||
services.mealie = lib.mkIf cfg.enable {
|
services.mealie = {
|
||||||
enable = true;
|
inherit (cfg) port enable;
|
||||||
inherit (cfg) port;
|
|
||||||
settings = {
|
settings = {
|
||||||
TZ = config.my.timeZone;
|
TZ = config.my.timeZone;
|
||||||
DEFAULT_GROUP = "Home";
|
DEFAULT_GROUP = "Home";
|
||||||
|
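Review bot: `inherit (cfg) port enable;` now sources `services.mealie.enable` from the option instead of the previous `enable = true;`, which is equivalent only because the outer `lib.mkIf (cfg.enable && config.my.secureHost)` already requires `cfg.enable`; the readeck hunk in this same commit goes the other way (`inherit (cfg) enable;` → `enable = true;`). Pick one convention — `enable = true;` with `inherit (cfg) port;` matches the rest of the commit — so the effective condition is readable in one place. The `settings` block continues past the hunk.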
|||||||
@ -5,9 +5,9 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;
|
options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets = lib.mkIf cfg.enable { multi-scrobbler.sopsFile = ../../secrets/env.yaml; };
|
sops.secrets.multi-scrobbler.sopsFile = ../../secrets/env.yaml;
|
||||||
virtualisation.oci-containers.containers.multi-scrobbler = lib.mkIf cfg.enable {
|
virtualisation.oci-containers.containers.multi-scrobbler = {
|
||||||
image = "foxxmd/multi-scrobbler:0.9.11";
|
image = "foxxmd/multi-scrobbler:0.9.11";
|
||||||
ports = [ "${toString cfg.port}:${toString cfg.port}" ];
|
ports = [ "${toString cfg.port}:${toString cfg.port}" ];
|
||||||
environmentFiles = [ config.sops.secrets.multi-scrobbler.path ];
|
environmentFiles = [ config.sops.secrets.multi-scrobbler.path ];
|
||||||
|
|||||||
@ -39,7 +39,7 @@ in
|
|||||||
collabora = setup.mkOptions "collabora" "collabora" 9980;
|
collabora = setup.mkOptions "collabora" "collabora" 9980;
|
||||||
go-vod.enable = lib.mkEnableOption "enable";
|
go-vod.enable = lib.mkEnableOption "enable";
|
||||||
};
|
};
|
||||||
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
|
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
|
||||||
sops.secrets.nextcloud-adminpass = {
|
sops.secrets.nextcloud-adminpass = {
|
||||||
owner = config.users.users.nextcloud.name;
|
owner = config.users.users.nextcloud.name;
|
||||||
inherit (config.users.users.nextcloud) group;
|
inherit (config.users.users.nextcloud) group;
|
||||||
|
|||||||
@ -10,7 +10,7 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000;
|
options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000;
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets."private_cache_keys/miniserver".sopsFile = ../../secrets/keys.yaml;
|
sops.secrets."private_cache_keys/miniserver".sopsFile = ../../secrets/keys.yaml;
|
||||||
services.nix-serve = {
|
services.nix-serve = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|||||||
@ -5,8 +5,10 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
|
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
|
||||||
config.services.radarr = lib.mkIf cfg.enable {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
enable = true;
|
services.radarr = {
|
||||||
group = "piracy";
|
enable = true;
|
||||||
|
group = "piracy";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@ -5,10 +5,10 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546;
|
options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546;
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets.readeck.sopsFile = ../../secrets/env.yaml;
|
sops.secrets.readeck.sopsFile = ../../secrets/env.yaml;
|
||||||
services.readeck = {
|
services.readeck = {
|
||||||
inherit (cfg) enable;
|
enable = true;
|
||||||
environmentFile = config.sops.secrets.readeck.path;
|
environmentFile = config.sops.secrets.readeck.path;
|
||||||
settings = {
|
settings = {
|
||||||
main = {
|
main = {
|
||||||
|
|||||||
@ -5,19 +5,22 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765;
|
options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765;
|
||||||
config = lib.mkIf (config.my.servers.ryot.enable && config.my.servers.postgres.enable) {
|
config =
|
||||||
sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
|
lib.mkIf
|
||||||
virtualisation.oci-containers.containers.ryot = {
|
(config.my.servers.ryot.enable && config.my.servers.postgres.enable && config.my.secureHost)
|
||||||
image = "ghcr.io/ignisda/ryot:v9.2.0";
|
{
|
||||||
ports = [ "${toString cfg.port}:8000" ];
|
sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
|
||||||
environmentFiles = [ config.sops.secrets.ryot.path ];
|
virtualisation.oci-containers.containers.ryot = {
|
||||||
environment = {
|
image = "ghcr.io/ignisda/ryot:v9.2.0";
|
||||||
RUST_LOG = "ryot=debug,sea_orm=debug";
|
ports = [ "${toString cfg.port}:8000" ];
|
||||||
TZ = config.my.timeZone;
|
environmentFiles = [ config.sops.secrets.ryot.path ];
|
||||||
DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}";
|
environment = {
|
||||||
FRONTEND_INSECURE_COOKIES = "true";
|
RUST_LOG = "ryot=debug,sea_orm=debug";
|
||||||
|
TZ = config.my.timeZone;
|
||||||
|
DATABASE_URL = "postgres:///ryot?host=${config.my.postgresSocket}";
|
||||||
|
FRONTEND_INSECURE_COOKIES = "true";
|
||||||
|
};
|
||||||
|
volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
volumes = [ "${config.my.postgresSocket}:${config.my.postgresSocket}" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
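Review bot: With the container now reindented under the `config.my.secureHost` gate, `FRONTEND_INSECURE_COOKIES = "true";` remains in its environment; if `secureHost` is meant to mark the hosts that hold secrets, disabling secure cookies on the same host looks at odds with that intent, so a comment explaining why it is still needed would help, e.g. `# TODO(review): confirm insecure cookies are still required behind the reverse proxy`. Separately, the condition reads `config.my.servers.ryot.enable` although `cfg` is in scope (`cfg.port` is used on the `ports` line); `cfg.enable` would match the other modules in this commit. The module's attribute set closes within the hunk.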
|||||||
@ -5,13 +5,16 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;
|
options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;
|
||||||
config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) {
|
config =
|
||||||
sops.secrets = lib.mkIf cfg.enable { shiori.sopsFile = ../../secrets/env.yaml; };
|
lib.mkIf
|
||||||
services.shiori = lib.mkIf cfg.enable {
|
(config.my.servers.shiori.enable && config.my.servers.postgres.enable && config.my.secureHost)
|
||||||
inherit (cfg) port;
|
{
|
||||||
enable = true;
|
sops.secrets.shiori.sopsFile = ../../secrets/env.yaml;
|
||||||
environmentFile = config.sops.secrets.shiori.path;
|
services.shiori = {
|
||||||
databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}";
|
inherit (cfg) port;
|
||||||
};
|
enable = true;
|
||||||
};
|
environmentFile = config.sops.secrets.shiori.path;
|
||||||
|
databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@ -5,13 +5,13 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
|
options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
sops.secrets = lib.mkIf cfg.enable {
|
sops.secrets = {
|
||||||
"stash/password".sopsFile = ../../secrets/env.yaml;
|
"stash/password".sopsFile = ../../secrets/env.yaml;
|
||||||
"stash/jwt".sopsFile = ../../secrets/env.yaml;
|
"stash/jwt".sopsFile = ../../secrets/env.yaml;
|
||||||
"stash/session".sopsFile = ../../secrets/env.yaml;
|
"stash/session".sopsFile = ../../secrets/env.yaml;
|
||||||
};
|
};
|
||||||
services.stash = lib.mkIf cfg.enable {
|
services.stash = {
|
||||||
enable = true;
|
enable = true;
|
||||||
group = "piracy";
|
group = "piracy";
|
||||||
mutableSettings = true;
|
mutableSettings = true;
|
||||||
|
|||||||
@ -22,12 +22,12 @@ in
|
|||||||
synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
|
synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
|
||||||
element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
|
element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
|
||||||
};
|
};
|
||||||
config = {
|
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||||
my.servers = {
|
my.servers = {
|
||||||
synapse = { inherit domain; };
|
synapse = { inherit domain; };
|
||||||
element = { inherit domain; };
|
element = { inherit domain; };
|
||||||
};
|
};
|
||||||
sops.secrets = lib.mkIf cfg.enable {
|
sops.secrets = {
|
||||||
synapse = {
|
synapse = {
|
||||||
sopsFile = ../../secrets/env.yaml;
|
sopsFile = ../../secrets/env.yaml;
|
||||||
owner = "matrix-synapse";
|
owner = "matrix-synapse";
|
||||||
@ -50,7 +50,7 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
|
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
|
||||||
services = lib.mkIf cfg.enable {
|
services = {
|
||||||
matrix-synapse = {
|
matrix-synapse = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraConfigFiles = [
|
extraConfigFiles = [
|
||||||
|
|||||||
@ -10,9 +10,9 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
|
options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
|
||||||
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
|
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
|
||||||
sops.secrets = lib.mkIf cfg.enable { vaultwarden.sopsFile = ../../secrets/env.yaml; };
|
sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
|
||||||
services.vaultwarden = lib.mkIf cfg.enable {
|
services.vaultwarden = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dbBackend = "postgresql";
|
dbBackend = "postgresql";
|
||||||
package = pkgs.vaultwarden;
|
package = pkgs.vaultwarden;
|
||||||
|
|||||||
@ -7,7 +7,7 @@ let
|
|||||||
cfg = config.my.servers;
|
cfg = config.my.servers;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.nextcloud.enable or cfg.gitea.enable {
|
config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable or cfg.gitea.enable)) {
|
||||||
sops.secrets.smtp-password = { };
|
sops.secrets.smtp-password = { };
|
||||||
programs.msmtp = {
|
programs.msmtp = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
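Review bot: `(cfg.nextcloud.enable or cfg.gitea.enable)` on the new `config =` line is not a boolean disjunction: in Nix, `or` is the attribute-default operator, so the expression yields `cfg.nextcloud.enable` whenever that attribute exists and only falls back to `cfg.gitea.enable` when it does not. Both options appear to declare `enable` (the gitea and nextcloud hunks read `cfg.enable`), so a host with only gitea enabled never gets msmtp, and the new parentheses make this reading unambiguous rather than fixing it. The intended condition is `config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable || cfg.gitea.enable)) {`. The msmtp block continues past the hunk.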
|||||||
@ -10,7 +10,7 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.services.wireguard.enable = lib.mkEnableOption "enable";
|
options.my.services.wireguard.enable = lib.mkEnableOption "enable";
|
||||||
config = lib.mkIf config.my.services.wireguard.enable {
|
config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
|
||||||
sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
|
sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
|
||||||
networking = {
|
networking = {
|
||||||
firewall.allowedUDPPorts = [ port ];
|
firewall.allowedUDPPorts = [ port ];
|
||||||
|
|||||||