From 0dbcbb6b196ff69aaadf5bae7f40f22e1aa9f321 Mon Sep 17 00:00:00 2001
From: Nick
Date: Sat, 25 Oct 2025 05:16:26 -0500
Subject: [PATCH] chore: removed services for now

---
 modules/config/instances/config/caddy.nix | 3 +
 modules/nixos/default.nix | 4 +-
 .../nixos/services/acme/acmeCeres/default.nix | 10 +++
 .../nixos/services/acme/acmeEris/default.nix | 15 ++--
 .../services/caddy/caddyCeres/default.nix | 23 ++++--
 .../services/caddy/caddyEris/default.nix | 1 +
 modules/nixos/services/nextcloud/default.nix | 70 ++++++++++++++-----
 modules/nixos/services/opencloud/default.nix | 24 +++---
 .../postgresql/postgresCeres/default.nix | 0
 .../postgresql/postgresEris/default.nix | 0
 secrets/secrets.yaml | 7 +-
 11 files changed, 113 insertions(+), 44 deletions(-)
 mode change 100644 => 100755 modules/nixos/services/acme/acmeCeres/default.nix
 mode change 100644 => 100755 modules/nixos/services/acme/acmeEris/default.nix
 mode change 100644 => 100755 modules/nixos/services/caddy/caddyCeres/default.nix
 mode change 100644 => 100755 modules/nixos/services/caddy/caddyEris/default.nix
 mode change 100644 => 100755 modules/nixos/services/postgresql/postgresCeres/default.nix
 mode change 100644 => 100755 modules/nixos/services/postgresql/postgresEris/default.nix

diff --git a/modules/config/instances/config/caddy.nix b/modules/config/instances/config/caddy.nix
index 67414ee..55d9717 100755
--- a/modules/config/instances/config/caddy.nix
+++ b/modules/config/instances/config/caddy.nix
@@ -16,5 +16,8 @@ in
 ports = {
 port0 = 80;
 port1 = 443;
+ port2 = 8443;
+ port3 = 8444; # Nextcloud
+ port4 = 8445; # Opencloud
 };
 }
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index e1b02b8..eebca44 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -78,8 +78,8 @@ in
 acmeEris
 caddyEris
 logrotate
- nextcloud
- opencloud
+ # nextcloud
+ # opencloud
 postgresEris
 ;
 };
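Review bot: `port2 = 8443;` is the only new entry in `ports` without a comment, and the only consumer of it anywhere in this commit is the firewall entry in caddyEris — no vhost binds it — so a reader cannot tell what the port is for or why it must be open. Annotate it like its neighbours, e.g. `port2 = 8443; # TODO: name the listener that binds this`, or drop it together with the firewall entry until there is one. The `ports` attribute set begins before this hunk.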
diff --git a/modules/nixos/services/acme/acmeCeres/default.nix b/modules/nixos/services/acme/acmeCeres/default.nix
old mode 100644
new mode 100755
index bd000ab..0841688
--- a/modules/nixos/services/acme/acmeCeres/default.nix
+++ b/modules/nixos/services/acme/acmeCeres/default.nix
@@ -10,6 +10,7 @@ let
 domain0 = instances.web.domains.url0;
 domain1 = instances.web.domains.url1;
 domain4 = flake.inputs.linkpage.secrets.domains.projectsite;
+ service = instances.acme;
 dns0 = instances.web.dns.provider0;
 dns1 = instances.web.dns.provider1;
 dns0Path = "dns/${dns0}";
@@ -46,6 +47,8 @@ in
 instances.prompter.name
 instances.comfyui.name
 instances.firefly-iii.name
+ instances.nextcloud.name
+ instances.opencloud.name
 ]
 )
 ++ (map
@@ -108,4 +111,11 @@ in
 )
 );
 };
+
+ systemd = {
+ tmpfiles.rules = [
+ "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+ ];
+ };
+
 }
diff --git a/modules/nixos/services/acme/acmeEris/default.nix b/modules/nixos/services/acme/acmeEris/default.nix
old mode 100644
new mode 100755
index d2257a1..4650804
--- a/modules/nixos/services/acme/acmeEris/default.nix
+++ b/modules/nixos/services/acme/acmeEris/default.nix
@@ -7,7 +7,7 @@ let
 inherit (flake.config.people) user0;
 inherit (flake.config.people.users.${user0}) email;
 inherit (flake.config.services) instances;
-
+ service = instances.acme;
 domain0 = instances.web.domains.url0;
 dns0 = instances.web.dns.provider0;
 dns0Path = "dns/${dns0}";
@@ -15,7 +15,7 @@ let
 dnsConfig = provider: dns: {
 dnsProvider = dns;
- directory = "/var/lib/acme";
+ directory = instances.acme.paths.path0;
 environmentFile = config.sops.secrets.${provider}.path;
 };
 in
@@ -33,8 +33,8 @@ in
 value = dnsConfig dns0Path dns0;
 })
 [
- instances.nextcloud.name
- instances.opencloud.name
+ # instances.nextcloud.name
+ # instances.opencloud.name
 ]
 )
 );
@@ -66,4 +66,11 @@ in
 )
 );
 };
+
+ systemd = {
+ tmpfiles.rules = [
+ "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+ ];
+ };
+
 }
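Review bot: The new tmpfiles rule `"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"` (identical in the last acmeCeres hunk and the last acmeEris hunk) applies mode 0755 recursively, so if `sops.path0` is the directory where sops-nix places the DNS-provider credentials that `environmentFile` points at, every secret file under it becomes world-readable. sops-nix already sets owner and mode per secret, so only the directory should need adjusting, and a non-recursive `z` with `0750` is enough: `"z ${service.sops.path0} 0750 ${service.name} ${service.name} -"`. I cannot see what `sops.path0` resolves to from this diff, so please confirm before merging.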
diff --git a/modules/nixos/services/caddy/caddyCeres/default.nix b/modules/nixos/services/caddy/caddyCeres/default.nix
old mode 100644
new mode 100755
index 77bbfa4..0820f0b
--- a/modules/nixos/services/caddy/caddyCeres/default.nix
+++ b/modules/nixos/services/caddy/caddyCeres/default.nix
@@ -1,10 +1,12 @@
 { flake, ... }:
 let
- inherit (flake.config.services.instances) caddy web;
-
- domain0 = web.domains.url0;
- service = caddy;
+ inherit (flake.config.services) instances;
+ inherit (flake.config.machines) devices;
+ domain0 = instances.web.domains.url0;
+ service = instances.caddy;
+ nextcloud = instances.nextcloud;
+ opencloud = instances.opencloud;
 in
 {
 services.caddy = {
@@ -16,9 +18,20 @@ in
 encode zstd gzip
 '';
 };
+ "${nextcloud.domains.url0}" = {
+ extraConfig = ''
+ reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port3}
+ tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key}
+ '';
+ };
+ "${opencloud.domains.url0}" = {
+ extraConfig = ''
+ reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4}
+ tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
+ '';
+ };
 };
 };
-
 users.users.${service.name}.extraGroups = [
 "acme"
 "mastodon"
diff --git a/modules/nixos/services/caddy/caddyEris/default.nix b/modules/nixos/services/caddy/caddyEris/default.nix
old mode 100644
new mode 100755
index 3083bff..f251372
--- a/modules/nixos/services/caddy/caddyEris/default.nix
+++ b/modules/nixos/services/caddy/caddyEris/default.nix
@@ -19,6 +19,7 @@ in
 allowedTCPPorts = [
 service.ports.port0
 service.ports.port1
+ service.ports.port2
 ];
 };
 };
diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix
index 7fd5ec1..02fa416 100755
--- a/modules/nixos/services/nextcloud/default.nix
+++ b/modules/nixos/services/nextcloud/default.nix
@@ -10,6 +10,7 @@ let
 inherit (flake.config.services.instances)
 nextcloud
 nginx
+ caddy
 smtp
 web
 ;
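Review bot: Both new vhosts terminate TLS on Ceres and then forward to Eris over `http://${devices.eris.ip.address0}:...`, so Nextcloud and OpenCloud session cookies and credentials cross the host boundary in clear text unless that address sits on a WireGuard or otherwise trusted link (the secrets file carries WireGuard keys, which suggests one exists, but nothing in this hunk ties `address0` to it). If the hop is not tunnelled, proxy to `https://` and trust the backend's certificate explicitly in a `transport http` block rather than reintroducing the `tls_insecure_skip_verify` the opencloud hunk removes. Note also that `modules/nixos/default.nix` in this same commit comments the nextcloud and opencloud modules out on Eris, so these public vhosts will answer 502 until they are re-enabled; a comment such as `# backend disabled on eris for now, see modules/nixos/default.nix` on each vhost would save the next reader a hunt.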
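Review bot: `service.ports.port2` (8443 per the caddy.nix hunk) is added to `allowedTCPPorts`, but no Caddy site in this commit binds 8443 — the new listeners in the nextcloud and opencloud modules use `port3` and `port4` — so this opens a port with no visible listener behind it. If something outside the diff binds it, add a comment naming that consumer next to the entry; otherwise drop the line until one exists. The enclosing `networking.firewall` block starts before this hunk.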
@@ -63,33 +64,54 @@ in
 overwriteprotocol = "https";
 trusted_proxies = [
 localhost
+ web.localhost.address1
 ];
+ security.headers = {
+ Strict-Transport-Security = "max-age=15552000; includeSubDomains";
+ X-XSS-Protection = "1; mode=block";
+ X-Content-Type-Options = "nosniff";
+ X-Frame-Options = "SAMEORIGIN";
+ Referrer-Policy = "strict-origin-when-cross-origin";
+ };
 };
- };
+ };
 nginx = {
 enable = true;
- virtualHosts.${host}.listen = [
- {
- addr = localhost;
- port = nginx.ports.port0;
- }
- ];
+ virtualHosts.${host} = {
+ listen = [
+ {
+ addr = localhost;
+ port = nginx.ports.port0;
+ }
+ ];
+ forceSSL = false;
+ onlySSL = false;
+ addSSL = false;
+ };
 };
-
 caddy = {
 virtualHosts = {
- "${host}" = {
- listenAddresses = [ web.localhost.address1 ];
+ ":${toString caddy.ports.port3}" = {
 extraConfig = ''
- reverse_proxy ${localhost}:${toString nginx.ports.port0}
- tls ${service.ssl.cert} ${service.ssl.key}
+ header {
+ # Enable XSS protection and block instead of sanitizing
+ X-XSS-Protection "1; mode=block"
+ # Enable HSTS with 6 month duration
+ Strict-Transport-Security "max-age=15552000; includeSubDomains"
+ # Additional security headers
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "SAMEORIGIN"
+ Referrer-Policy "strict-origin-when-cross-origin"
+ # Remove server identification
+ -Server
+ }
+ reverse_proxy http://${localhost}:${toString nginx.ports.port0}
 '';
 };
 };
 };
 };
-
 sops =
 let
 sopsPath = secret: {
@@ -112,17 +134,29 @@ in
 );
 };
- users.users.${service.name}.extraGroups = [
- "caddy"
- "nginx"
- "postgres"
- ];
+ systemd = {
+ tmpfiles.rules = [
+ "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+ ];
+ };
+
+ users.users.${service.name} = {
+ packages = with pkgs; [
+ php
+ ];
+ extraGroups = [
+ "caddy"
+ "nginx"
+ "postgres"
+ ];
+ };
 networking = {
 firewall = {
 allowedTCPPorts = [
 nginx.ports.port0
 service.ports.port0
+ caddy.ports.port3
 ];
 };
 };
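Review bot: The Caddy site `":${toString caddy.ports.port3}"` replaces the previous `listenAddresses = [ web.localhost.address1 ]`, and a bare `:port` site address in Caddy binds every interface; combined with the firewall entry in the next hunk, Nextcloud is now reachable over plain HTTP from any host that can reach Eris, not just from the Ceres proxy, and with `overwriteprotocol = "https"` plus the widened `trusted_proxies` list such a direct client is treated as if it arrived over TLS. Bind the listener to the internal address instead, `"${web.localhost.address1}:${toString caddy.ports.port3}"`, and/or restrict the firewall rule to Ceres's source address. Two smaller points in the `header` block: browsers ignore `Strict-Transport-Security` received over plain HTTP, so on this plaintext listener it is inert and belongs on the Ceres TLS edge, and `X-XSS-Protection "1; mode=block"` is deprecated — the filter it enables has itself been a source of cross-site leaks — so current guidance is `X-XSS-Protection "0"` or omitting the header. I also cannot find `security.headers` among the keys Nextcloud reads from config.php; please confirm that `settings` entry is actually consumed rather than silently ignored.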
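Review bot: `"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"` sets 0755 recursively on whatever `sops.path0` holds; if that is the directory of Nextcloud's sops-managed secrets (the `nextcloud-user*` entries and the new `nextcloud-smtp` credential in this commit), those files become world-readable. Prefer a non-recursive `z` with `0750` on the directory, `"z ${service.sops.path0} 0750 ${service.name} ${service.name} -"`, and leave file modes to sops-nix's per-secret `mode`/`owner`. The `caddy.ports.port3` firewall entry also exposes the plain-HTTP listener from the previous hunk to every network peer, so consider scoping it to the interface Ceres reaches Eris on via `networking.firewall.interfaces.<name>.allowedTCPPorts`.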
diff --git a/modules/nixos/services/opencloud/default.nix b/modules/nixos/services/opencloud/default.nix
index 0085093..71163a4 100755
--- a/modules/nixos/services/opencloud/default.nix
+++ b/modules/nixos/services/opencloud/default.nix
@@ -1,16 +1,15 @@
 { config, flake, ... }:
 let
- inherit (flake.config.machines.devices) ceres;
- inherit (flake.config.services.instances) opencloud web;
+ inherit (flake.config.services.instances) opencloud web caddy;
 service = opencloud;
- localhost = web.localhost.address0;
+ localhost = web.localhost.address1;
 host = service.domains.url0;
 in
 {
 services = {
 opencloud = {
 enable = true;
- url = "https://${host}";
+ url = "http://${localhost}:${toString service.ports.port0}";
 port = service.ports.port0;
 address = localhost;
 stateDir = "/var/lib/${service.name}";
@@ -18,20 +17,14 @@ in
 };
 caddy = {
 virtualHosts = {
- "${host}" = {
+ ":${toString caddy.ports.port4}" = {
 extraConfig = ''
- reverse_proxy https://${localhost}:${toString service.ports.port0} {
- transport http {
- tls_insecure_skip_verify
- }
- }
- tls ${service.ssl.cert} ${service.ssl.key}
+ reverse_proxy http://${localhost}:${toString service.ports.port0}
 '';
 };
 };
 };
 };
-
 sops =
 let
 sopsPath = secret: {
@@ -53,10 +46,17 @@ in
 );
 };
+ systemd = {
+ tmpfiles.rules = [
+ "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+ ];
+ };
+
 networking = {
 firewall = {
 allowedTCPPorts = [
 service.ports.port0
+ caddy.ports.port4
 ];
 };
 };
diff --git a/modules/nixos/services/postgresql/postgresCeres/default.nix b/modules/nixos/services/postgresql/postgresCeres/default.nix
old mode 100644
new mode 100755
diff --git a/modules/nixos/services/postgresql/postgresEris/default.nix b/modules/nixos/services/postgresql/postgresEris/default.nix
old mode 100644
new mode 100755
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 16e9199..d33fe20 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
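Review bot: `url = "http://${localhost}:${toString service.ports.port0}"` replaces the public `https://${host}`, and as far as I know OpenCloud uses this value as its externally visible URL (OIDC issuer and redirect targets), so users arriving through the Ceres vhost for `opencloud.domains.url0` would be bounced to an internal plain-HTTP address and issuer checks would stop matching. Keep `url = "https://${host}";` and let `address = localhost;` alone decide where the process binds. Separately, `localhost` is now `web.localhost.address1`, which the other hunks use as a routable internal address rather than a loopback one; a name like `bindAddr` would stop the binding from reading as 127.0.0.1.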
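Review bot: With `address` rebound to `web.localhost.address1` in the first hunk, the existing `service.ports.port0` firewall entry now exposes the OpenCloud process itself to the network, and the new `caddy.ports.port4` entry exposes the bare `:port4` Caddy site on every interface, so the Caddy hop can be bypassed entirely. If the only intended client is the Ceres proxy, drop `service.ports.port0` from `allowedTCPPorts` and bind the Caddy site to the internal address, `"${localhost}:${toString caddy.ports.port4}"`, rather than `:port4`. The tmpfiles rule carries the same recursive-0755 concern as in the other services: if `sops.path0` is where the `opencloud/env` secret lands, that env file becomes world-readable, and a non-recursive `z` with `0750` on the directory is the safer form.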
@@ -29,6 +29,7 @@ nextcloud-user0: ENC[AES256_GCM,data:yUZruPJ4s2Svvh6Q0f4C4lgcKCcWJDMw8CpT8cXv3m4 nextcloud-user1: ENC[AES256_GCM,data:6EsbSeWWftPjZQM=,iv:LTcx6fx55d3+SepFIoy/6cBdbgaauDeo0gvq9ACCtHA=,tag:uzoATR3ZL2Uk5z6aMiD/yw==,type:str] nextcloud-user2: ENC[AES256_GCM,data:axrWMmouq5gwqdGL,iv:BPHEn47z2g7gocKO4g5vV4ZSGb+AMA3vGYheAy1zR5Q=,tag:QOWg4fdKxMhGk2qRehH2EQ==,type:str] nextcloud-user3: ENC[AES256_GCM,data:g6ldEdtBuEmPAQYAQfaO,iv:6fElE2vZh9l/KgJuNevklpIlZZdqGHgwhnOzq1n3ojE=,tag:T0Q1IkdVTeW2T1FmGnjz8A==,type:str] +nextcloud-smtp: ENC[AES256_GCM,data:8cS/5Fnj/x1/Oikn3EQxlOCLzRJRf4PWx5C0dm2qzY0=,iv:izKI66ndRt56LfjKUQeC1SZBOFf8m4rO6kk6oVneQZA=,tag:oiSMzflj2jeE6QC1KEDBlg==,type:str] claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str] searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str] wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str] 
@@ -45,7 +46,7 @@ wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0 wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str] glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str] opencloud: - env: ENC[AES256_GCM,data:WnzaI6YPGtVzdo+qQZejz3zRDReuKSbr9n/Kg2Djh4Gzv+VuqPCxCIzJRAQs79O9CIj5mezy33KeJIXEstwhWmnG7xmv59nzBuDTdWP170JnsRWIdLRgj3jm8uBZiT7fZ2XcunKc0N7M6i0c0GK3u5ikzeVoXOzfX5S5DeIarwGutq0yi14+MAxHMjubJdgMkG1Ke/vyuSyqw9NZUCN3XfCN03rw3RhRPuB1hGZc0WEqxdY/EkpU1wpVDNnOZT/iKImjyDDLIjFo96YnHXaAAoeO8g2g5gbOIaUQFFWB0H8L2yw4zlifRpmjP6OV7AAWPJI/hsQS1YubOJLBN1UHLncxZh55ItlWr3fo6zLfpZIlkvNfama+tzu2kOTG4ALrgu8dwwYmwXbVdFCP3njsMSfp///aqjC4ShvzSQZSgfH+jkd86CZp079Ime7b1vo30CVcFlmCHrE=,iv:vDvTaxj4gSnvJBUzj/D+76DeXTEOQ/tSGdOfNSS0Oo4=,tag:dSqwIy4vFtFJxo0KkaslfQ==,type:str] + env: ENC[AES256_GCM,data:nCivhLlGAku8HwYsdRvKhJd2mZFXE4feiTvNwx5aPknO7WLqbnMmmGC4pBLZ6SgUIvNbauWv9ayX8rh00kYIoxWxQJn4jI4XERHo6QtdHCLaYbgV2zCuduqVTiV0FtI/GHT17MyScl2pj338AJ2F54rrRXqKqQsS9RH2tIJvDDbg9WVlORY7okCHSVmha8N/XUaQEdwmy/FU7SxNrStmgzV36wDVZxHWvTtKx4+oxPhW5fYNL0YeRc/dSPtlfXxV8vGBH1TA1Q2FoOASLevcnngv+UndPZYVZtdrdD8Br+KoQXVIDj8ByNxDXPsgG95LiVrOu1pryLn9T+0MIx4fDF2ZASWztrrpPeQ0Uyy16UFeLI+DfPYsNf2k19/Mkc/kmyDSwCbXGTM72/UJ47sWraN3FECtusEhcft0Sn6EKkx+M6qTHAnQH3O/4noDgyFKWGph7pshHHK6/6eiV89vQHeF2Ta4M+k2+YFWVi0PtYo1JAU=,iv:dPeAl3LqkZQEcJUoPsbviJFM8pw5S8/0hbCqtg1C4sU=,tag:u0OOQ8fAhcxFlnMJXY35kg==,type:str] caddy: prompter-auth: ENC[AES256_GCM,data:uEj6gruCfcIRoCQY9eNcOka+PAIIhAlKnI+ehZ88aZo90tINcxZ7ZvKqlTJr4rt5o+EO7rvRJcYH/s8/+piszFyxSa64Rtq5KdAjfHnRm0QM8q/2JIHnZsQC3fPz1S177WPs/c3Eydh4VeVe,iv:ZOru4ABFgIy9DoTlMl3InSf8zM1ERNpbRNLN6vy97Jc=,tag:5v3w7kvFQCEPBjchE8K0cw==,type:str] comfyui-auth: 
ENC[AES256_GCM,data:YkHxbW/0zTmnrggXKl2jNO4OnBaepmCwB3ZC6d8MPIKf8snWJzAvTq5+X5ABzziwKaypHRTcS6vuNntxKrrD8DS7hX9DqVCZc5WeFHI6S5VzHh3SprW2MF4E8nm4Hj+VHoKGmRSSOU1cfX3J,iv:v0Pid0BCY2QsMNaahBvJd4WWZD115JDLHlOCQvPiaGU=,tag:gpsAgt052NoOyIa9WqJXyg==,type:str] @@ -65,7 +66,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-25T03:49:30Z" - mac: ENC[AES256_GCM,data:bfAu4s0n86ArKD+Dnq/dwkxmMZ/h06O+0hjtEKnwlkU4lLxaxLORWPMlZKw97UbSB/SqNpD1wHjqV9CuwvdCOPzZxRizmGqMKsgE3RTg4FxFo29Fr7xL3pm8uKsEeIQDMJbY62GOCkxtBUsmae0nKLdDfufVlnlxGKvjtSYA1ww=,iv:sjV1MQI9R69oB75IvUc1RM9VWS+fyATvBEVmzyE2ASk=,tag:pZ4Zsd59CV2wKohHeYc9jQ==,type:str] + lastmodified: "2025-10-25T09:30:00Z" + mac: ENC[AES256_GCM,data:JA3RXs+AuOTOXFTqpwb5R2xT1Ia4mIO7pGHOqSVzNIZIrKdGStYZW1aBffanrMeAkHOPF0IXMNYv27bW0Z8Qo1AuijSn1daRtNAxBp5vYAaepV3DfYaZPTS35IqOklt7y0gLf9WEBKjaw9iwqNt+DD0DR3qGcSZe14IFdDIjbPU=,iv:emfH8TxrJVrrwsLcp74kN7NM0zQ4ROWQQkeuwMKPIYo=,tag:v302aJTdCAw/eJ3SWF63oA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0