chore: removed services for now
This commit is contained in:
parent
fd46841bfb
commit
0dbcbb6b19
11 changed files with 113 additions and 44 deletions
|
|
@ -16,5 +16,8 @@ in
|
|||
ports = {
|
||||
port0 = 80;
|
||||
port1 = 443;
|
||||
port2 = 8443;
|
||||
port3 = 8444; # Nextcloud
|
||||
port4 = 8445; # Opencloud
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -78,8 +78,8 @@ in
|
|||
acmeEris
|
||||
caddyEris
|
||||
logrotate
|
||||
nextcloud
|
||||
opencloud
|
||||
# nextcloud
|
||||
# opencloud
|
||||
postgresEris
|
||||
;
|
||||
};
|
||||
|
|
|
|||
10
modules/nixos/services/acme/acmeCeres/default.nix
Normal file → Executable file
10
modules/nixos/services/acme/acmeCeres/default.nix
Normal file → Executable file
|
|
@ -10,6 +10,7 @@ let
|
|||
domain0 = instances.web.domains.url0;
|
||||
domain1 = instances.web.domains.url1;
|
||||
domain4 = flake.inputs.linkpage.secrets.domains.projectsite;
|
||||
service = instances.acme;
|
||||
dns0 = instances.web.dns.provider0;
|
||||
dns1 = instances.web.dns.provider1;
|
||||
dns0Path = "dns/${dns0}";
|
||||
|
|
@ -46,6 +47,8 @@ in
|
|||
instances.prompter.name
|
||||
instances.comfyui.name
|
||||
instances.firefly-iii.name
|
||||
instances.nextcloud.name
|
||||
instances.opencloud.name
|
||||
]
|
||||
)
|
||||
++ (map
|
||||
|
|
@ -108,4 +111,11 @@ in
|
|||
)
|
||||
);
|
||||
};
|
||||
|
||||
systemd = {
|
||||
tmpfiles.rules = [
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
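Review bot: The added tmpfiles rule `"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"` is recursive, so mode 755 lands on every file under `service.sops.path0`, not just the directory; if that path is where the decrypted sops secrets live (the sibling acmeEris module reads DNS provider credentials from `config.sops.secrets.${provider}.path`), each secret becomes readable by every local user. A narrower shape is `"Z ${service.sops.path0} 0750 ${service.name} ${service.name} -"` for the tree plus per-file permissions from the sops-nix secret `owner`/`mode` options, or a `d` rule for the directory and a separate `0440` rule for its files. The identical rule is added in acmeEris, the nextcloud module and the opencloud module in this commit and applies to them too. What `path0` actually contains is not visible in the hunk; confirm before merging.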
|||
15
modules/nixos/services/acme/acmeEris/default.nix
Normal file → Executable file
15
modules/nixos/services/acme/acmeEris/default.nix
Normal file → Executable file
|
|
@ -7,7 +7,7 @@ let
|
|||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.users.${user0}) email;
|
||||
inherit (flake.config.services) instances;
|
||||
|
||||
service = instances.acme;
|
||||
domain0 = instances.web.domains.url0;
|
||||
dns0 = instances.web.dns.provider0;
|
||||
dns0Path = "dns/${dns0}";
|
||||
|
|
@ -15,7 +15,7 @@ let
|
|||
|
||||
dnsConfig = provider: dns: {
|
||||
dnsProvider = dns;
|
||||
directory = "/var/lib/acme";
|
||||
directory = instances.acme.paths.path0;
|
||||
environmentFile = config.sops.secrets.${provider}.path;
|
||||
};
|
||||
in
|
||||
|
|
@ -33,8 +33,8 @@ in
|
|||
value = dnsConfig dns0Path dns0;
|
||||
})
|
||||
[
|
||||
instances.nextcloud.name
|
||||
instances.opencloud.name
|
||||
# instances.nextcloud.name
|
||||
# instances.opencloud.name
|
||||
]
|
||||
)
|
||||
);
|
||||
|
|
@ -66,4 +66,11 @@ in
|
|||
)
|
||||
);
|
||||
};
|
||||
|
||||
systemd = {
|
||||
tmpfiles.rules = [
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
23
modules/nixos/services/caddy/caddyCeres/default.nix
Normal file → Executable file
23
modules/nixos/services/caddy/caddyCeres/default.nix
Normal file → Executable file
|
|
@ -1,10 +1,12 @@
|
|||
{ flake, ... }:
|
||||
let
|
||||
inherit (flake.config.services.instances) caddy web;
|
||||
|
||||
domain0 = web.domains.url0;
|
||||
service = caddy;
|
||||
inherit (flake.config.services) instances;
|
||||
inherit (flake.config.machines) devices;
|
||||
|
||||
domain0 = instances.web.domains.url0;
|
||||
service = instances.caddy;
|
||||
nextcloud = instances.nextcloud;
|
||||
opencloud = instances.opencloud;
|
||||
in
|
||||
{
|
||||
services.caddy = {
|
||||
|
|
@ -16,9 +18,20 @@ in
|
|||
encode zstd gzip
|
||||
'';
|
||||
};
|
||||
"${nextcloud.domains.url0}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port3}
|
||||
tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key}
|
||||
'';
|
||||
};
|
||||
"${opencloud.domains.url0}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4}
|
||||
tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.${service.name}.extraGroups = [
|
||||
"acme"
|
||||
"mastodon"
|
||||
|
|
|
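Review bot: The two new upstreams, `reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port3}` and its port4 twin, forward Nextcloud and Opencloud traffic, session cookies and login credentials included, over plain HTTP to another host after TLS has been terminated on Ceres; unless `devices.eris.ip.address0` is a tunnel or loopback address that hop is cleartext on the LAN. The Eris side of this same commit still shows `tls ${service.ssl.cert} ${service.ssl.key}` in the Nextcloud port3 vhost, so the scheme should be settled one way: either `reverse_proxy https://…:port3` here with the upstream certificate verified (not `tls_insecure_skip_verify`), or no TLS on the Eris listener and the hop kept inside a tunnel. Note also that the Eris service list in this commit comments out `nextcloud` and `opencloud`, which are the modules defining the port3/port4 listeners, so these vhosts may have no upstream until they are re-enabled; that is inferred from the hunks and worth confirming.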
|||
1
modules/nixos/services/caddy/caddyEris/default.nix
Normal file → Executable file
1
modules/nixos/services/caddy/caddyEris/default.nix
Normal file → Executable file
|
|
@ -19,6 +19,7 @@ in
|
|||
allowedTCPPorts = [
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
service.ports.port2
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
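Review bot: One entry is added to `allowedTCPPorts` here, and the header counts suggest it is `service.ports.port2`, yet nothing in this commit binds that port on Eris: the ports hunk annotates port3 as Nextcloud and port4 as Opencloud while port2 has no comment and no vhost anywhere in the diff. If no listener uses it the rule only widens the firewall for nothing and should be dropped; if something does, document it where the port is declared, e.g. `port2 = 8443; # <service that listens here>`. Which line is the addition is inferred from the hunk header only; confirm against the raw diff.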
|||
|
|
@ -10,6 +10,7 @@ let
|
|||
inherit (flake.config.services.instances)
|
||||
nextcloud
|
||||
nginx
|
||||
caddy
|
||||
smtp
|
||||
web
|
||||
;
|
||||
|
|
@ -63,33 +64,54 @@ in
|
|||
overwriteprotocol = "https";
|
||||
trusted_proxies = [
|
||||
localhost
|
||||
web.localhost.address1
|
||||
];
|
||||
security.headers = {
|
||||
Strict-Transport-Security = "max-age=15552000; includeSubDomains";
|
||||
X-XSS-Protection = "1; mode=block";
|
||||
X-Content-Type-Options = "nosniff";
|
||||
X-Frame-Options = "SAMEORIGIN";
|
||||
Referrer-Policy = "strict-origin-when-cross-origin";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts.${host}.listen = [
|
||||
{
|
||||
addr = localhost;
|
||||
port = nginx.ports.port0;
|
||||
}
|
||||
];
|
||||
virtualHosts.${host} = {
|
||||
listen = [
|
||||
{
|
||||
addr = localhost;
|
||||
port = nginx.ports.port0;
|
||||
}
|
||||
];
|
||||
forceSSL = false;
|
||||
onlySSL = false;
|
||||
addSSL = false;
|
||||
};
|
||||
};
|
||||
|
||||
caddy = {
|
||||
virtualHosts = {
|
||||
"${host}" = {
|
||||
listenAddresses = [ web.localhost.address1 ];
|
||||
":${toString caddy.ports.port3}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString nginx.ports.port0}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
header {
|
||||
# Enable XSS protection and block instead of sanitizing
|
||||
X-XSS-Protection "1; mode=block"
|
||||
# Enable HSTS with 6 month duration
|
||||
Strict-Transport-Security "max-age=15552000; includeSubDomains"
|
||||
# Additional security headers
|
||||
X-Content-Type-Options "nosniff"
|
||||
X-Frame-Options "SAMEORIGIN"
|
||||
Referrer-Policy "strict-origin-when-cross-origin"
|
||||
# Remove server identification
|
||||
-Server
|
||||
}
|
||||
reverse_proxy http://${localhost}:${toString nginx.ports.port0}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops =
|
||||
let
|
||||
sopsPath = secret: {
|
||||
|
|
@ -112,17 +134,29 @@ in
|
|||
);
|
||||
};
|
||||
|
||||
users.users.${service.name}.extraGroups = [
|
||||
"caddy"
|
||||
"nginx"
|
||||
"postgres"
|
||||
];
|
||||
systemd = {
|
||||
tmpfiles.rules = [
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
};
|
||||
|
||||
users.users.${service.name} = {
|
||||
packages = with pkgs; [
|
||||
php
|
||||
];
|
||||
extraGroups = [
|
||||
"caddy"
|
||||
"nginx"
|
||||
"postgres"
|
||||
];
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
nginx.ports.port0
|
||||
service.ports.port0
|
||||
caddy.ports.port3
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
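Review bot: `nginx.ports.port0` is added to `networking.firewall.allowedTCPPorts` although the nginx vhost listens on `addr = localhost` and the intended entry point on Eris is the Caddy listener on `caddy.ports.port3`; if `localhost` in this module is loopback the rule is dead, and if it is a routable address (the opencloud module in this commit binds `localhost = web.localhost.address1`) it exposes the plain-HTTP Nextcloud backend that bypasses the Caddy `header` block, so `nginx.ports.port0` should be removed from that list. Separately, the Eris Caddy vhost `reverse_proxy ${localhost}:${toString nginx.ports.port0}` has no `trusted_proxies` entry for the Ceres front-end, and Caddy by default only passes an incoming X-Forwarded-For through from addresses it trusts, so Nextcloud will see Ceres as the client and its brute-force protection and logs will key on that address even though `trusted_proxies = [ web.localhost.address1 ]` was updated here. Adding `trusted_proxies <ceres address>` inside that reverse_proxy block closes the gap. The enclosing `services` attrset continues outside the hunk.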
|||
|
|
@ -1,16 +1,15 @@
|
|||
{ config, flake, ... }:
|
||||
let
|
||||
inherit (flake.config.machines.devices) ceres;
|
||||
inherit (flake.config.services.instances) opencloud web;
|
||||
inherit (flake.config.services.instances) opencloud web caddy;
|
||||
service = opencloud;
|
||||
localhost = web.localhost.address0;
|
||||
localhost = web.localhost.address1;
|
||||
host = service.domains.url0;
|
||||
in
|
||||
{
|
||||
services = {
|
||||
opencloud = {
|
||||
enable = true;
|
||||
url = "https://${host}";
|
||||
url = "http://${localhost}:${toString service.ports.port0}";
|
||||
port = service.ports.port0;
|
||||
address = localhost;
|
||||
stateDir = "/var/lib/${service.name}";
|
||||
|
|
@ -18,20 +17,14 @@ in
|
|||
};
|
||||
caddy = {
|
||||
virtualHosts = {
|
||||
"${host}" = {
|
||||
":${toString caddy.ports.port4}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy https://${localhost}:${toString service.ports.port0} {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
}
|
||||
}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
reverse_proxy http://${localhost}:${toString service.ports.port0}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops =
|
||||
let
|
||||
sopsPath = secret: {
|
||||
|
|
@ -53,10 +46,17 @@ in
|
|||
);
|
||||
};
|
||||
|
||||
systemd = {
|
||||
tmpfiles.rules = [
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
service.ports.port0
|
||||
caddy.ports.port4
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
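Review bot: If `url = "http://${localhost}:${toString service.ports.port0}"` is the new value (it is printed after `url = "https://${host}"`, in the same old-then-new order as the `localhost` and `inherit` pairs), Opencloud's advertised URL no longer matches the address users reach it at, `https://${host}` via the Ceres Caddy; as I understand the `services.opencloud.url` option it is the externally visible base URL used for generated links and OIDC redirects, so this is likely to break login or hand users an internal plain-HTTP address — confirm against the option description. Keep `url = "https://${host}"` and let `address`/`port` describe the local bind. Also, the vhost here keeps `tls ${service.ssl.cert} ${service.ssl.key}` next to `reverse_proxy http://${localhost}:${toString service.ports.port0}`, while acmeEris in this commit comments out `# instances.opencloud.name`; if that `tls` line survives on the new side the listener references a certificate Eris no longer issues.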
|||
0
modules/nixos/services/postgresql/postgresCeres/default.nix
Normal file → Executable file
0
modules/nixos/services/postgresql/postgresCeres/default.nix
Normal file → Executable file
0
modules/nixos/services/postgresql/postgresEris/default.nix
Normal file → Executable file
0
modules/nixos/services/postgresql/postgresEris/default.nix
Normal file → Executable file
|
|
@ -29,6 +29,7 @@ nextcloud-user0: ENC[AES256_GCM,data:yUZruPJ4s2Svvh6Q0f4C4lgcKCcWJDMw8CpT8cXv3m4
|
|||
nextcloud-user1: ENC[AES256_GCM,data:6EsbSeWWftPjZQM=,iv:LTcx6fx55d3+SepFIoy/6cBdbgaauDeo0gvq9ACCtHA=,tag:uzoATR3ZL2Uk5z6aMiD/yw==,type:str]
|
||||
nextcloud-user2: ENC[AES256_GCM,data:axrWMmouq5gwqdGL,iv:BPHEn47z2g7gocKO4g5vV4ZSGb+AMA3vGYheAy1zR5Q=,tag:QOWg4fdKxMhGk2qRehH2EQ==,type:str]
|
||||
nextcloud-user3: ENC[AES256_GCM,data:g6ldEdtBuEmPAQYAQfaO,iv:6fElE2vZh9l/KgJuNevklpIlZZdqGHgwhnOzq1n3ojE=,tag:T0Q1IkdVTeW2T1FmGnjz8A==,type:str]
|
||||
nextcloud-smtp: ENC[AES256_GCM,data:8cS/5Fnj/x1/Oikn3EQxlOCLzRJRf4PWx5C0dm2qzY0=,iv:izKI66ndRt56LfjKUQeC1SZBOFf8m4rO6kk6oVneQZA=,tag:oiSMzflj2jeE6QC1KEDBlg==,type:str]
|
||||
claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str]
|
||||
searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str]
|
||||
wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str]
|
||||
|
|
@ -45,7 +46,7 @@ wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0
|
|||
wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str]
|
||||
glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str]
|
||||
opencloud:
|
||||
env: ENC[AES256_GCM,data:WnzaI6YPGtVzdo+qQZejz3zRDReuKSbr9n/Kg2Djh4Gzv+VuqPCxCIzJRAQs79O9CIj5mezy33KeJIXEstwhWmnG7xmv59nzBuDTdWP170JnsRWIdLRgj3jm8uBZiT7fZ2XcunKc0N7M6i0c0GK3u5ikzeVoXOzfX5S5DeIarwGutq0yi14+MAxHMjubJdgMkG1Ke/vyuSyqw9NZUCN3XfCN03rw3RhRPuB1hGZc0WEqxdY/EkpU1wpVDNnOZT/iKImjyDDLIjFo96YnHXaAAoeO8g2g5gbOIaUQFFWB0H8L2yw4zlifRpmjP6OV7AAWPJI/hsQS1YubOJLBN1UHLncxZh55ItlWr3fo6zLfpZIlkvNfama+tzu2kOTG4ALrgu8dwwYmwXbVdFCP3njsMSfp///aqjC4ShvzSQZSgfH+jkd86CZp079Ime7b1vo30CVcFlmCHrE=,iv:vDvTaxj4gSnvJBUzj/D+76DeXTEOQ/tSGdOfNSS0Oo4=,tag:dSqwIy4vFtFJxo0KkaslfQ==,type:str]
|
||||
env: ENC[AES256_GCM,data:nCivhLlGAku8HwYsdRvKhJd2mZFXE4feiTvNwx5aPknO7WLqbnMmmGC4pBLZ6SgUIvNbauWv9ayX8rh00kYIoxWxQJn4jI4XERHo6QtdHCLaYbgV2zCuduqVTiV0FtI/GHT17MyScl2pj338AJ2F54rrRXqKqQsS9RH2tIJvDDbg9WVlORY7okCHSVmha8N/XUaQEdwmy/FU7SxNrStmgzV36wDVZxHWvTtKx4+oxPhW5fYNL0YeRc/dSPtlfXxV8vGBH1TA1Q2FoOASLevcnngv+UndPZYVZtdrdD8Br+KoQXVIDj8ByNxDXPsgG95LiVrOu1pryLn9T+0MIx4fDF2ZASWztrrpPeQ0Uyy16UFeLI+DfPYsNf2k19/Mkc/kmyDSwCbXGTM72/UJ47sWraN3FECtusEhcft0Sn6EKkx+M6qTHAnQH3O/4noDgyFKWGph7pshHHK6/6eiV89vQHeF2Ta4M+k2+YFWVi0PtYo1JAU=,iv:dPeAl3LqkZQEcJUoPsbviJFM8pw5S8/0hbCqtg1C4sU=,tag:u0OOQ8fAhcxFlnMJXY35kg==,type:str]
|
||||
caddy:
|
||||
prompter-auth: ENC[AES256_GCM,data:uEj6gruCfcIRoCQY9eNcOka+PAIIhAlKnI+ehZ88aZo90tINcxZ7ZvKqlTJr4rt5o+EO7rvRJcYH/s8/+piszFyxSa64Rtq5KdAjfHnRm0QM8q/2JIHnZsQC3fPz1S177WPs/c3Eydh4VeVe,iv:ZOru4ABFgIy9DoTlMl3InSf8zM1ERNpbRNLN6vy97Jc=,tag:5v3w7kvFQCEPBjchE8K0cw==,type:str]
|
||||
comfyui-auth: ENC[AES256_GCM,data:YkHxbW/0zTmnrggXKl2jNO4OnBaepmCwB3ZC6d8MPIKf8snWJzAvTq5+X5ABzziwKaypHRTcS6vuNntxKrrD8DS7hX9DqVCZc5WeFHI6S5VzHh3SprW2MF4E8nm4Hj+VHoKGmRSSOU1cfX3J,iv:v0Pid0BCY2QsMNaahBvJd4WWZD115JDLHlOCQvPiaGU=,tag:gpsAgt052NoOyIa9WqJXyg==,type:str]
|
||||
|
|
@ -65,7 +66,7 @@ sops:
|
|||
bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
|
||||
aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-25T03:49:30Z"
|
||||
mac: ENC[AES256_GCM,data:bfAu4s0n86ArKD+Dnq/dwkxmMZ/h06O+0hjtEKnwlkU4lLxaxLORWPMlZKw97UbSB/SqNpD1wHjqV9CuwvdCOPzZxRizmGqMKsgE3RTg4FxFo29Fr7xL3pm8uKsEeIQDMJbY62GOCkxtBUsmae0nKLdDfufVlnlxGKvjtSYA1ww=,iv:sjV1MQI9R69oB75IvUc1RM9VWS+fyATvBEVmzyE2ASk=,tag:pZ4Zsd59CV2wKohHeYc9jQ==,type:str]
|
||||
lastmodified: "2025-10-25T09:30:00Z"
|
||||
mac: ENC[AES256_GCM,data:JA3RXs+AuOTOXFTqpwb5R2xT1Ia4mIO7pGHOqSVzNIZIrKdGStYZW1aBffanrMeAkHOPF0IXMNYv27bW0Z8Qo1AuijSn1daRtNAxBp5vYAaepV3DfYaZPTS35IqOklt7y0gLf9WEBKjaw9iwqNt+DD0DR3qGcSZe14IFdDIjbPU=,iv:emfH8TxrJVrrwsLcp74kN7NM0zQ4ROWQQkeuwMKPIYo=,tag:v302aJTdCAw/eJ3SWF63oA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.11.0
|
||||
|
|
|
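Review bot: The encrypted secrets file appears to gain a new `claude-api-key` entry and a rewritten `opencloud.env` value in a commit titled `chore: removed services for now`; unrelated secret additions and rotations folded into a service-removal commit make the secrets history hard to audit and to revert independently. Split the secrets change into its own commit, or at least state in the description which values were added or rotated and why, so that each `lastmodified`/`mac` bump maps to one intent.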