diff --git a/config/default.nix b/config/default.nix index fc093d3..fda9adc 100755 --- a/config/default.nix +++ b/config/default.nix @@ -7,7 +7,6 @@ "phone" "server" "tablet" - "wildcard" ]; instanceNames = [ "acme" @@ -28,7 +27,8 @@ "syncthing" "synology" "vaultwarden" - "wiki-js" + "web" + "wiki" "writefreely" ]; userNames = [ @@ -78,9 +78,7 @@ in let sshKeys = listType; group = stringType; email = genOptions stringType "address"; - domain = genOptions stringType "url"; - dns = genOptions stringType "provider"; - git = genOptions stringType "path"; + paths = genOptions stringType "path"; }; }; serviceSubmodule = lib.types.submodule { @@ -104,6 +102,10 @@ in let subdomain = stringType; label = stringType; name = stringType; + domains = genOptions stringType "url"; + dns = genOptions stringType "provider"; + localhost = genOptions stringType "address"; + email = genOptions stringType "address"; sops = genOptions stringType "path"; paths = genOptions stringType "path"; ports = genOptions intType "port"; diff --git a/config/device.nix b/config/device.nix index e33bfeb..a4dc4be 100755 --- a/config/device.nix +++ b/config/device.nix @@ -166,16 +166,5 @@ in { address0 = "192.168.50.189"; }; }; - - # No particular system - - wildcard = { - ip = { - address0 = "127.0.0.1"; # Local - address1 = "0.0.0.0"; # All - address2 = "192.168.50.1"; # Router - address3 = "192.168.50.0"; # Router - }; - }; }; } diff --git a/config/instance.nix b/config/instance.nix index 059d9d0..4c13bff 100755 --- a/config/instance.nix +++ b/config/instance.nix @@ -51,6 +51,21 @@ let varLib = "/var/lib"; in { instance = { + web = { + domains = { + url0 = domain0; + url1 = domain1; + }; + dns = { + provider0 = "namecheap"; + }; + localhost = { + address0 = "127.0.0.1"; # Local + address1 = "0.0.0.0"; # All + address2 = "192.168.50.1"; # Router + address3 = "192.168.50.0"; # Router + }; + }; acme = { label = acmeLabel; name = acmeName; @@ -73,14 +88,17 @@ in { }; }; castopod = let - castDomain = "podcast"; + castopodSubdomain = "podcast"; in { label = castLabel; name = castName; + email = { + address0 = "noreply@${castopodSubdomain}.${domain1}"; + }; sops = { path0 = "${sops}/${castName}"; }; - subdomain = castDomain; + subdomain = castopodSubdomain; paths = { path0 = "${servicePath}/${castLabel}"; }; @@ -88,19 +106,22 @@ in { port0 = 8000; }; ssl = { - cert = "${sslPath}/${castDomain}.${domain1}/fullchain.pem"; - key = "${sslPath}/${castDomain}.${domain1}/key.pem"; + cert = "${sslPath}/${castopodSubdomain}.${domain1}/fullchain.pem"; + key = "${sslPath}/${castopodSubdomain}.${domain1}/key.pem"; }; }; forgejo = let - forgejoDomain = "source"; + forgejoSubdomain = "source"; in { label = forgejoLabel; name = forgejoName; + email = { + address0 = "noreply@${forgejoSubdomain}.${domain1}"; + }; sops = { path0 = "${sops}/${forgejoName}"; }; - subdomain = forgejoDomain; + subdomain = forgejoSubdomain; paths = { path0 = "${servicePath}/${forgejoLabel}"; }; @@ -108,8 +129,8 @@ in { port0 = 3033; }; ssl = { - cert = "${sslPath}/${forgejoDomain}.${domain1}/fullchain.pem"; - key = "${sslPath}/${forgejoDomain}.${domain1}/key.pem"; + cert = "${sslPath}/${forgejoSubdomain}.${domain1}/fullchain.pem"; + key = "${sslPath}/${forgejoSubdomain}.${domain1}/key.pem"; }; }; jellyfin = { @@ -148,6 +169,9 @@ in { mastodon = { label = mastodonLabel; name = mastodonName; + email = { + address0 = "thenutrivore@${domain1}"; + }; sops = { path0 = "${sops}/${mastodonName}"; }; @@ -245,13 +269,18 @@ in { key = "${sslPath}/${owncastSubdomain}.${domain1}/key.pem"; }; }; - peertube = { + peertube = let + peertubeSubdomain = "video"; + in { label = peertubeLabel; name = peertubeName; + email = { + address0 = "noreply@${peertubeSubdomain}.${domain1}"; + }; sops = { path0 = "${sops}/${peertubeName}"; }; - subdomain = "video"; + subdomain = peertubeSubdomain; paths = { path0 = "${servicePath}/${peertubeLabel}"; }; @@ -322,13 +351,18 @@ in { key = "${sslPath}/${syncthingName}.${domain0}/key.pem"; }; }; - vaultwarden = { + vaultwarden = let + vaultwardenSubdomain = vaultwardenName; + in { label = vaultwardenLabel; name = vaultwardenName; + email = { + address0 = "noreply@${vaultwardenSubdomain}.${domain0}"; + }; sops = { path0 = "${sops}/${vaultwardenName}"; }; - subdomain = vaultwardenName; + subdomain = vaultwardenSubdomain; paths = { path0 = "${servicePath}/${vaultwardenLabel}/BackupDir"; }; diff --git a/config/user.nix b/config/user.nix index 68eee09..3d54cd2 100755 --- a/config/user.nix +++ b/config/user.nix @@ -16,21 +16,9 @@ in { email = { address0 = "nickjhiebert@proton.me"; address1 = "thenutrivore@proton.me"; - address2 = "thenutrivore@the-nutrivore.social"; - address3 = "noreply@vaultwarden.cloudbert.fun"; - address4 = "noreply@video.the-nutrivore.social"; - address5 = "noreply@source.the-nutrivore.social"; - address6 = "noreply@podcast.the-nutrivore.social"; }; - domain = { - url0 = "cloudbert.fun"; - url1 = "the-nutrivore.social"; - }; - git = { - path0 = "/home/${user0}/Files/Projects"; - }; - dns = { - provider0 = "namecheap"; + paths = { + path0 = "/home/${user0}/Files/Projects"; # Git path }; sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9TmImDoYDpsW5VMFbOcuK3aH4TWRtx/xGxT3yUtEN nick@desktop" diff --git a/nixos/modules/ollama.nix b/nixos/modules/ollama.nix index ce86be6..358a948 100755 --- a/nixos/modules/ollama.nix +++ b/nixos/modules/ollama.nix @@ -1,39 +1,39 @@ {flake, ...}: let - inherit (flake.config.system.device) wildcard; - inherit (flake.config.service.instance.ollama) paths ports name; - localhost = wildcard.ip.address0; + inherit (flake.config.service.instance) ollama web; + service = ollama; + localhost = web.localhost.address0; in { services = { ollama = { acceleration = false; enable = true; - group = name; + group = service.name; host = "http://${localhost}"; - models = paths.path1; - user = name; + models = service.paths.path1; + user = service.name; }; open-webui = { enable = true; host = localhost; - port = ports.port0; + port = service.ports.port0; environment = { ENABLE_OLLAMA_API = "True"; ANONYMIZED_TELEMETRY = "False"; DO_NOT_TRACK = "True"; SCARF_NO_ANALYTICS = "True"; - OLLAMA_BASE_URL = "http://${localhost}:${toString ports.port1}"; + OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}"; WEBUI_AUTH = "True"; }; }; }; - systemd.tmpfiles.rules = ["Z ${paths.path1} 0755 ${name} ${name} -"]; + systemd.tmpfiles.rules = ["Z ${service.paths.path1} 0755 ${service.name} ${service.name} -"]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 - ports.port1 + service.ports.port0 + service.ports.port1 ]; }; }; diff --git a/nixos/modules/services/acme.nix b/nixos/modules/services/acme.nix index 9652892..d2017c7 100755 --- a/nixos/modules/services/acme.nix +++ b/nixos/modules/services/acme.nix @@ -4,17 +4,21 @@ ... }: let inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain email dns; - inherit (flake.config.service.instance.acme) paths; + inherit (flake.config.people.user.${user0}) email; inherit (flake.config.service) instance; - dnsConfig = { - dnsProvider = dns.provider0; - directory = paths.path0; - environmentFile = config.sops.secrets."dns/namecheap".path; - }; + + domain0 = instance.web.domains.url0; + domain1 = instance.web.domains.url1; + dns = instance.web.dns.provider0; instanceName = service: (instance.${service}.subdomain); + dnsConfig = { + dnsProvider = dns; + directory = instance.acme.paths.path0; + environmentFile = config.sops.secrets."dns/namecheap".path; + }; + domain0SubdomainNames = [ "nextcloud" "jellyfin" @@ -35,13 +39,13 @@ "writefreely" ]; + domainRoot = [ + domain0 + domain1 + ]; + domain0Subdomains = map instanceName domain0SubdomainNames; domain1Subdomains = map instanceName domain1SubdomainNames; - - domainRoot = [ - domain.url0 - domain.url1 - ]; in { security.acme = { acceptTerms = true; @@ -51,12 +55,12 @@ in { }; certs = builtins.listToAttrs ( (map (prefix: { - name = "${prefix}.${domain.url0}"; + name = "${prefix}.${domain0}"; value = dnsConfig; }) domain0Subdomains) ++ (map (prefix: { - name = "${prefix}.${domain.url1}"; + name = "${prefix}.${domain1}"; value = dnsConfig; }) domain1Subdomains) @@ -71,7 +75,7 @@ in { sops = let sopsSecrets = ["pass"]; sopsPath = secret: { - path = "/var/lib/secrets/${instance.acme.name}/${dns.provider0}-${secret}"; + path = "/var/lib/secrets/${instance.acme.name}/${dns}-${secret}"; owner = "root"; mode = "600"; }; @@ -79,7 +83,7 @@ in { secrets = builtins.listToAttrs ( map (secret: { - name = "dns/${dns.provider0}"; + name = "dns/${dns}"; value = sopsPath secret; }) sopsSecrets diff --git a/nixos/modules/services/caddy.nix b/nixos/modules/services/caddy.nix index ebf8809..86995ec 100755 --- a/nixos/modules/services/caddy.nix +++ b/nixos/modules/services/caddy.nix @@ -1,27 +1,29 @@ {flake, ...}: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain; - inherit (flake.config.service.instance.caddy) ports; + inherit (flake.config.service.instance) caddy web; + + domain0 = web.domains.url0; + + service = caddy; in { services.caddy = { enable = true; virtualHosts = { - "${domain.url0}" = { + "${domain0}" = { extraConfig = '' - tls /var/lib/acme/${domain.url0}/fullchain.pem /var/lib/acme/${domain.url0}/key.pem + tls /var/lib/acme/${domain0}/fullchain.pem /var/lib/acme/${domain0}/key.pem encode zstd gzip ''; }; }; }; - users.users.caddy.extraGroups = ["acme" "nextcloud" "mastodon"]; + users.users.${service}.extraGroups = ["acme" "nextcloud" "mastodon"]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 - ports.port1 + service.ports.port0 + service.ports.port1 ]; }; }; diff --git a/nixos/modules/services/castopod.nix b/nixos/modules/services/castopod.nix index ba119b8..27ef6ed 100755 --- a/nixos/modules/services/castopod.nix +++ b/nixos/modules/services/castopod.nix @@ -3,20 +3,18 @@ config, ... }: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain email; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance.castopod) paths ports subdomain name sops ssl; - inherit (flake.config.service.instance) nginx; - localhost = wildcard.ip.address0; - host = "${subdomain}.${domain.url1}"; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) castopod nginx web; + service = castopod; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url1}"; in { services = { castopod = { enable = true; localDomain = host; configureNginx = false; - environmentFile = config.sops.secrets."${name}-smtp".path; + environmentFile = config.sops.secrets."${service.name}-smtp".path; maxUploadSize = "1024M"; database = { createLocally = true; @@ -31,7 +29,7 @@ in { "pm.start_servers" = "2"; }; settings = { - "email.fromEmail" = email.address6; + "email.fromEmail" = service.email.address0; "email.protocol" = "smtp"; "email.SMTPHost" = localhost; "email.SMTPPort" = 587; @@ -51,9 +49,9 @@ in { virtualHosts = { "${host}" = { extraConfig = '' - reverse_proxy ${localhost}:${toString ports.port0} + reverse_proxy ${localhost}:${toString service.ports.port0} - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; }; @@ -63,37 +61,37 @@ in { sops = let sopsSecrets = ["smtp" "database"]; sopsPath = secret: { - path = "${sops.path0}/${name}-${secret}"; - owner = name; + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; mode = "600"; }; in { secrets = builtins.listToAttrs ( map (secret: { - name = "${name}-${secret}"; + name = "${service.name}-${secret}"; value = sopsPath secret; }) sopsSecrets ); }; - fileSystems."/var/lib/${name}" = { - device = paths.path0; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; systemd.tmpfiles.rules = [ - "Z ${paths.path0} 755 ${name} ${name} -" - "Z ${sops.path0} 755 ${name} ${name} -" + "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" ]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 + service.ports.port0 nginx.ports.port0 ]; }; diff --git a/nixos/modules/services/default.nix b/nixos/modules/services/default.nix index 42c334b..9431320 100755 --- a/nixos/modules/services/default.nix +++ b/nixos/modules/services/default.nix @@ -14,7 +14,7 @@ ./owncast.nix ./samba.nix ./vaultwarden.nix - ./wiki.nix + # ./wiki.nix # These are all broken. diff --git a/nixos/modules/services/forgejo.nix b/nixos/modules/services/forgejo.nix index e474afe..213676b 100755 --- a/nixos/modules/services/forgejo.nix +++ b/nixos/modules/services/forgejo.nix @@ -3,12 +3,11 @@ config, ... }: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain email; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance.forgejo) paths ports name subdomain sops ssl; - localhost = wildcard.ip.address0; - host = "${subdomain}.${domain.url1}"; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) forgejo web; + service = forgejo; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url1}"; in { services = { forgejo = { @@ -16,8 +15,8 @@ in { database.type = "postgres"; lfs.enable = true; secrets = { - mailer.PASSWD = config.sops.secrets."${name}-smtp".path; - database.PASSWD = config.sops.secrets."${name}-database".path; + mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path; + database.PASSWD = config.sops.secrets."${service.name}-database".path; }; dump = { interval = "5:00"; @@ -29,7 +28,7 @@ in { server = { DOMAIN = host; ROOT_URL = "https://${host}/"; - HTTP_PORT = ports.port0; + HTTP_PORT = service.ports.port0; }; # If you need to start from scratch, don't forget to turn this off again service.DISABLE_REGISTRATION = false; @@ -43,8 +42,8 @@ in { mailer = { ENABLED = true; SMTP_ADDR = "smtp.protonmail.ch"; - FROM = email.address5; - USER = email.address5; + FROM = service.email.address0; + USER = service.email.address0; PROTOCOL = "smtp+starttls"; SMTP_PORT = 587; SEND_AS_PLAIN_TEXT = true; @@ -56,9 +55,9 @@ in { virtualHosts = { "${host}" = { extraConfig = '' - reverse_proxy ${localhost}:${toString ports.port0} + reverse_proxy ${localhost}:${toString service.ports.port0} - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; }; @@ -67,39 +66,39 @@ in { sops = let sopsSecrets = ["smtp" "database"]; sopsPath = secret: { - path = "${sops.path0}/${name}-${secret}"; - owner = name; + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; mode = "600"; }; in { secrets = builtins.listToAttrs ( map (secret: { - name = "${name}-${secret}"; + name = "${service.name}-${secret}"; value = sopsPath secret; }) sopsSecrets ); }; - fileSystems."/var/lib/${name}" = { - device = paths.path0; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; systemd.tmpfiles.rules = [ - "Z ${paths.path0} 755 ${name} ${name} -" - "Z ${sops.path0} 755 ${name} ${name} -" + "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" ]; - users.users.${name}.extraGroups = ["caddy" "postgres"]; + users.users.${service.name}.extraGroups = ["caddy" "postgres"]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 + service.ports.port0 ]; }; }; diff --git a/nixos/modules/services/jellyfin.nix b/nixos/modules/services/jellyfin.nix index cde3d12..cef605d 100755 --- a/nixos/modules/services/jellyfin.nix +++ b/nixos/modules/services/jellyfin.nix @@ -1,10 +1,10 @@ {flake, ...}: let inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance.jellyfin) paths ports name subdomain ssl; - localhost = wildcard.ip.address0; - host = "${subdomain}.${domain.url0}"; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) jellyfin web; + service = jellyfin; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url0}"; in { services = { jellyfin = { @@ -23,9 +23,9 @@ in { redir /.well-known/carddav /remote.php/dav/ 301 redir /.well-known/caldav /remote.php/dav/ 301 - reverse_proxy ${localhost}:${toString ports.port1} + reverse_proxy ${localhost}:${toString service.ports.port1} - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; }; @@ -39,29 +39,29 @@ in { depends = [server.storage0.mount]; }; in { - "/var/lib/${name}" = + "/var/lib/${service.name}" = { - device = paths.path0; + device = service.paths.path0; } // settings; - "/var/cache/${name}" = + "/var/cache/${service.name}" = { - device = "${paths.path0}/cache"; + device = "${service.paths.path0}/cache"; } // settings; }; systemd.tmpfiles.rules = [ - "Z ${paths.path0} 0755 ${user0} ${name} -" - "Z ${paths.path0}/cache 0755 ${user0} ${name} -" + "Z ${service.paths.path0} 0755 ${user0} ${service.name} -" + "Z ${service.paths.path0}/cache 0755 ${user0} ${service.name} -" ]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 - ports.port1 - ports.port2 + service.ports.port0 + service.ports.port1 + service.ports.port2 ]; }; }; diff --git a/nixos/modules/services/mastodon/default.nix b/nixos/modules/services/mastodon/default.nix index 8f57ea2..4f36485 100755 --- a/nixos/modules/services/mastodon/default.nix +++ b/nixos/modules/services/mastodon/default.nix @@ -5,12 +5,11 @@ lib, ... }: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain email; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance.mastodon) paths name sops ssl; - host = domain.url1; - localhost = wildcard.ip.address0; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) mastodon web; + service = mastodon; + host = web.domains.url1; + localhost = web.localhost.address0; in { # If you need to start fresh for some reason, run these to create the new Admin account: # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner @@ -46,9 +45,9 @@ in { automaticMigrations = true; database = { createLocally = true; - name = name; + name = service.name; host = "/run/postgresql"; - user = name; + user = service.name; passwordFile = config.sops.secrets.mastodon-database.path; }; extraConfig = { @@ -92,11 +91,11 @@ in { smtp = { authenticate = true; createLocally = false; - fromAddress = "The Nutrivore <${email.address2}>"; + fromAddress = "The Nutrivore <${service.email.address0}>"; host = "smtp.protonmail.ch"; passwordFile = config.sops.secrets.mastodon-smtp.path; port = 587; - user = email.address2; + user = service.email.address0; }; }; caddy = { @@ -121,7 +120,7 @@ in { reverse_proxy * unix//run/mastodon-web/web.socket } - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} handle_errors { root * ${pkgs.mastodon}/public @@ -149,34 +148,34 @@ in { sops = let sopsSecrets = ["smtp" "database" "redis"]; sopsPath = secret: { - path = "${sops.path0}/${name}-${secret}"; - owner = name; + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; mode = "600"; }; in { secrets = builtins.listToAttrs ( map (secret: { - name = "${name}-${secret}"; + name = "${service.name}-${secret}"; value = sopsPath secret; }) sopsSecrets ); }; - fileSystems."/var/lib/${name}" = { - device = paths.path0; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; systemd.tmpfiles.rules = [ - "Z ${paths.path0} 0755 ${name} ${name} -" - "Z ${sops.path0} 0755 ${name} ${name} -" + "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -" ]; - users.users.${name}.extraGroups = ["postgres"]; + users.users.${service.name}.extraGroups = ["postgres"]; networking = { firewall = { diff --git a/nixos/modules/services/minecraft.nix b/nixos/modules/services/minecraft.nix index bbcccbd..59d6357 100755 --- a/nixos/modules/services/minecraft.nix +++ b/nixos/modules/services/minecraft.nix @@ -4,7 +4,8 @@ ... }: let inherit (flake.config.system.device) server; - inherit (flake.config.service.instance.minecraft) paths ports name sops; + inherit (flake.config.service.instance) minecraft; + service = minecraft; in { services = { minecraft-server = { @@ -13,7 +14,7 @@ in { openFirewall = true; declarative = true; serverProperties = { - "rcon.password" = config.sops.secrets."${name}-pass".path; + "rcon.password" = config.sops.secrets."${service.name}-pass".path; allow-flight = false; allow-nether = true; difficulty = 2; @@ -32,7 +33,7 @@ in { motd = "A cool Minecraft server powered by NixOS"; online-mode = true; pvp = true; - server-port = ports.port0; + server-port = service.ports.port0; spawn-animals = true; spawn-monsters = true; spawn-npcs = true; @@ -51,37 +52,37 @@ in { sops = let sopsSecrets = ["pass"]; sopsPath = secret: { - path = "${sops.path0}/${name}-${secret}"; - owner = name; + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; mode = "600"; }; in { secrets = builtins.listToAttrs ( map (secret: { - name = "${name}-${secret}"; + name = "${service.name}-${secret}"; value = sopsPath secret; }) sopsSecrets ); }; - fileSystems."/var/lib/${name}" = { - device = paths.path0; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; systemd.tmpfiles.rules = [ - "Z ${paths.path0} 0755 ${name} ${name} -" - "Z ${sops.path0} 0755 ${name} ${name} -" + "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -" ]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 + service.ports.port0 ]; }; }; diff --git a/nixos/modules/services/nextcloud.nix b/nixos/modules/services/nextcloud.nix index 6a6a089..f1499b0 100755 --- a/nixos/modules/services/nextcloud.nix +++ b/nixos/modules/services/nextcloud.nix @@ -5,11 +5,12 @@ ... }: let inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain name; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance) nextcloud nginx; - localhost = wildcard.ip.address0; - host = "${nextcloud.subdomain}.${domain.url1}"; + inherit (flake.config.people.user.${user0}) name; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) nextcloud nginx web; + service = nextcloud; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url1}"; in { services = { nextcloud = { @@ -24,13 +25,13 @@ in { extraAppsEnable = true; extraApps = { inherit - (config.services.nextcloud.package.packages.apps) + (config.services.service.package.packages.apps) contacts calendar ; }; config = { - adminpassFile = config.sops.secrets."${nextcloud.name}-pass".path; + adminpassFile = config.sops.secrets."${service.name}-pass".path; adminuser = name; dbtype = "pgsql"; }; @@ -54,7 +55,7 @@ in { enable = true; virtualHosts.${host}.listen = [ { - addr = wildcard.ip.address1; + addr = web.localhost.address1; port = nginx.ports.port0; } ]; @@ -66,7 +67,7 @@ in { extraConfig = '' reverse_proxy ${localhost}:${toString nginx.ports.port0} - tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; }; @@ -76,40 +77,40 @@ in { sops = let sopsSecrets = ["pass"]; sopsPath = secret: { - path = "${nextcloud.sops.path0}/${nextcloud.name}-${secret}"; - owner = nextcloud.name; + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; mode = "600"; }; in { secrets = builtins.listToAttrs ( map (secret: { - name = "${nextcloud.name}-${secret}"; + name = "${service.name}-${secret}"; value = sopsPath secret; }) sopsSecrets ); }; - # fileSystems."/var/lib/${nextcloud.name}" = { - # device = nextcloud.paths.path0; - # fsType = "none"; - # options = ["bind"]; - # depends = [server.storage0.mount]; - # }; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; + fsType = "none"; + options = ["bind"]; + depends = [server.storage0.mount]; + }; - # systemd.tmpfiles.rules = [ - # "Z ${nextcloud.paths.path0} 750 ${nextcloud.name} ${nextcloud.name} -" - # "Z ${nextcloud.sops.path0} 750 ${nextcloud.name} ${nextcloud.name} -" - # ]; + systemd.tmpfiles.rules = [ + "Z ${service.paths.path0} 750 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 750 ${service.name} ${service.name} -" + ]; - users.users.${nextcloud.name}.extraGroups = ["caddy" "nginx" "postgres"]; + users.users.${service.name}.extraGroups = ["caddy" "nginx" "postgres"]; networking = { firewall = { allowedTCPPorts = [ nginx.ports.port0 - nextcloud.ports.port0 + service.ports.port0 ]; }; }; diff --git a/nixos/modules/services/ollama.nix b/nixos/modules/services/ollama.nix index 52e3d7a..ba640a7 100755 --- a/nixos/modules/services/ollama.nix +++ b/nixos/modules/services/ollama.nix @@ -1,31 +1,30 @@ {flake, ...}: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance.ollama) paths ports subdomain name ssl; - localhost = wildcard.ip.address0; - host = "${subdomain}.${domain.url0}"; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) ollama web; + service = ollama; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url0}"; in { services = { ollama = { acceleration = false; enable = true; - group = name; + group = service.name; host = "http://${localhost}"; - port = ports.port1; - user = name; + port = service.ports.port1; + user = service.name; }; open-webui = { enable = true; host = localhost; - port = ports.port0; + port = service.ports.port0; environment = { ENABLE_OLLAMA_API = "True"; ANONYMIZED_TELEMETRY = "False"; DO_NOT_TRACK = "True"; SCARF_NO_ANALYTICS = "True"; - OLLAMA_BASE_URL = "http://${localhost}:${toString ports.port1}"; + OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}"; WEBUI_AUTH = "True"; }; }; @@ -34,29 +33,29 @@ in { virtualHosts = { ${host} = { extraConfig = '' - reverse_proxy ${localhost}:${toString ports.port0} + reverse_proxy ${localhost}:${toString service.ports.port0} - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; }; }; }; - fileSystems."/var/lib/${name}" = { - device = paths.path0; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; - systemd.tmpfiles.rules = ["Z ${paths.path0} 0755 ${name} ${name} -"]; + systemd.tmpfiles.rules = ["Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 - ports.port1 + service.ports.port0 + service.ports.port1 ]; }; }; diff --git a/nixos/modules/services/owncast.nix b/nixos/modules/services/owncast.nix index 1a7e08a..be6b508 100755 --- a/nixos/modules/services/owncast.nix +++ b/nixos/modules/services/owncast.nix @@ -1,25 +1,23 @@ {flake, ...}: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain; - inherit (flake.config.system.device) wildcard; - inherit (flake.config.service.instance.owncast) ports subdomain ssl; - localhost = wildcard.ip.address1; - host = "${subdomain}.${domain.url1}"; + inherit (flake.config.service.instance) owncast web; + service = owncast; + localhost = web.localhost.address1; + host = "${service.subdomain}.${web.domains.url1}"; in { services = { owncast = { enable = true; listen = localhost; - port = ports.port0; + port = service.ports.port0; openFirewall = true; }; caddy = { virtualHosts = { "${host}" = { extraConfig = '' - reverse_proxy ${localhost}:${toString ports.port0} + reverse_proxy ${localhost}:${toString service.ports.port0} - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; }; @@ -29,8 +27,8 @@ in { networking = { firewall = { allowedTCPPorts = [ - ports.port0 - ports.port1 + service.ports.port0 + service.ports.port1 ]; }; }; diff --git a/nixos/modules/services/peertube.nix b/nixos/modules/services/peertube.nix index 4e837c0..ba3b070 100755 --- a/nixos/modules/services/peertube.nix +++ b/nixos/modules/services/peertube.nix @@ -4,24 +4,23 @@ pkgs, ... }: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain email; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance) caddy peertube; - localhost = wildcard.ip.address0; - host = "${peertube.subdomain}.${domain.url1}"; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) caddy peertube web; + service = peertube; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url1}"; in { services = { peertube = { configureNginx = false; enable = true; enableWebHttps = true; - group = peertube.name; + group = service.name; listenWeb = caddy.ports.port1; - listenHttp = peertube.ports.port0; + listenHttp = service.ports.port0; localDomain = host; - serviceEnvironmentFile = config.sops.secrets."${peertube.name}-root".path; - user = peertube.name; + serviceEnvironmentFile = config.sops.secrets."${service.name}-root".path; + user = service.name; plugins = { enable = true; plugins = with pkgs; [ @@ -33,7 +32,7 @@ in { }; secrets = { - secretsFile = config.sops.secrets."${peertube.name}-secret".path; + secretsFile = config.sops.secrets."${service.name}-secret".path; }; settings = { instance = { @@ -45,25 +44,25 @@ in { smtp = { transport = "smtp"; disable_starttls = false; - from_address = email.address4; + from_address = service.email.address0; hostname = "smtp.protonmail.ch"; port = 587; - username = email.address4; + username = service.email.address0; tls = false; }; }; database = { createLocally = true; - passwordFile = config.sops.secrets."${peertube.name}-database".path; + passwordFile = config.sops.secrets."${service.name}-database".path; }; redis = { enableUnixSocket = true; createLocally = true; - passwordFile = config.sops.secrets."${peertube.name}-redis".path; + passwordFile = config.sops.secrets."${service.name}-redis".path; }; smtp = { createLocally = true; - passwordFile = config.sops.secrets."${peertube.name}-smtp".path; + passwordFile = config.sops.secrets."${service.name}-smtp".path; }; }; @@ -71,9 +70,9 @@ in { virtualHosts = { ${host} = { extraConfig = '' - reverse_proxy ${localhost}:${toString peertube.ports.port0} + reverse_proxy ${localhost}:${toString service.ports.port0} - tls ${peertube.ssl.cert} ${peertube.ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; @@ -84,43 +83,43 @@ in { sops = let sopsSecrets = ["smtp" "database" "redis" "root" "secret"]; sopsPath = secret: { - path = "${peertube.sops.path0}/${peertube.name}-${secret}-pass"; - owner = peertube.name; + path = "${service.sops.path0}/${service.name}-${secret}-pass"; + owner = service.name; mode = "600"; }; in { secrets = builtins.listToAttrs ( map (secret: { - name = "${peertube.name}-${secret}"; + name = "${service.name}-${secret}"; value = sopsPath secret; }) sopsSecrets ); }; - fileSystems."/var/lib/${peertube.name}" = { - device = peertube.paths.path0; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; systemd.tmpfiles.rules = [ - "Z ${peertube.paths.path0} 755 ${peertube.name} ${peertube.name} -" - "Z ${peertube.sops.path0} 755 ${peertube.name} ${peertube.name} -" + "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" ]; - users.users.${peertube.name}.extraGroups = ["nginx" "caddy"]; + users.users.${service.name}.extraGroups = ["nginx" "caddy"]; networking = { firewall = { allowedTCPPorts = [ - peertube.ports.port0 - peertube.ports.port1 - peertube.ports.port2 - peertube.ports.port3 - peertube.ports.port4 + service.ports.port0 + service.ports.port1 + service.ports.port2 + service.ports.port3 + service.ports.port4 ]; }; }; diff --git a/nixos/modules/services/postgresql.nix b/nixos/modules/services/postgresql.nix index 818456b..e97c0af 100755 --- a/nixos/modules/services/postgresql.nix +++ b/nixos/modules/services/postgresql.nix @@ -1,11 +1,13 @@ {flake, ...}: let - inherit (flake.config.service.instance.postgresql) name paths ports; inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) postgresql; + + service = postgresql; in { services = { postgresqlBackup = { enable = true; - location = paths.path0; + location = service.paths.path0; databases = ["mastodon" "nextcloud" "peertube" "forgejo" "wiki"]; }; postgresql = { @@ -15,23 +17,23 @@ in { networking = { firewall = { allowedTCPPorts = [ - ports.port0 + service.ports.port0 ]; }; }; fileSystems."/var/lib/postgresql" = { - device = paths.path0; + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; - systemd.tmpfiles.rules = ["Z ${paths.path0} 700 ${name} ${name} -"]; + systemd.tmpfiles.rules = ["Z ${service.paths.path0} 700 ${service.name} ${service.name} -"]; - users.users.${name}.extraGroups = ["nextcloud" "mastodon" "forgejo"]; + users.users.${service.name}.extraGroups = ["nextcloud" "mastodon" "forgejo"]; system.activationScripts.postgresCommands = '' - chown -R ${name}:${name} ${paths.path0} + chown -R ${service.name}:${service.name} ${service.paths.path0} ''; } diff --git a/nixos/modules/services/samba.nix b/nixos/modules/services/samba.nix index c34b042..92f6b9b 100755 --- a/nixos/modules/services/samba.nix +++ b/nixos/modules/services/samba.nix @@ -4,6 +4,7 @@ ... }: let inherit (flake.config.service.instance) samba jellyfin; + service = samba; in { # If you ever need to start fresh, you need to add yourself to the Samba users database: # sudo smbpasswd -a username @@ -13,7 +14,7 @@ in { enable = true; openFirewall = true; settings = { - ${samba.paths.path1} = { + ${service.paths.path1} = { path = jellyfin.paths.path0; writable = "true"; }; @@ -24,7 +25,7 @@ in { networking = { firewall = { allowedTCPPorts = [ - samba.ports.port0 + service.ports.port0 ]; }; }; diff --git a/nixos/modules/services/vaultwarden.nix b/nixos/modules/services/vaultwarden.nix index 73b0265..f86abea 100755 --- a/nixos/modules/services/vaultwarden.nix +++ b/nixos/modules/services/vaultwarden.nix @@ -3,18 +3,16 @@ config, ... }: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain email; - inherit (flake.config.system.device) wildcard; - inherit (flake.config.service.instance.vaultwarden) paths ports subdomain name sops ssl; - localhost = wildcard.ip.address0; - host = "${subdomain}.${domain.url0}"; + inherit (flake.config.service.instance) vaultwarden web; + service = vaultwarden; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url0}"; in { services = { vaultwarden = { - backupDir = paths.path0; + backupDir = service.paths.path0; enable = true; - environmentFile = config.sops.secrets."${name}/env".path; + environmentFile = config.sops.secrets."${service.name}/env".path; config = { # Domain Configuration DOMAIN = "https://${host}"; @@ -22,12 +20,12 @@ in { # Email Configuration SMTP_AUTH_MECHANISM = "Plain"; SMTP_EMBED_IMAGES = true; - SMTP_FROM = email.address3; + SMTP_FROM = service.email.address0; SMTP_FROM_NAME = "Vaultwarden"; SMTP_HOST = "smtp.protonmail.ch"; SMTP_PORT = 587; SMTP_SECURITY = "starttls"; - SMTP_USERNAME = email.address3; + SMTP_USERNAME = service.email.address0; # Security Configuration DISABLE_ADMIN_TOKEN = false; @@ -42,18 +40,18 @@ in { # Rocket (Web Server) Settings ROCKET_ADDRESS = localhost; - ROCKET_PORT = ports.port0; + ROCKET_PORT = service.ports.port0; }; }; caddy = { virtualHosts = { "${host}" = { extraConfig = '' - reverse_proxy ${localhost}:${toString ports.port0} { + reverse_proxy ${localhost}:${toString service.ports.port0} { header_up X-Real-IP {remote_host} } - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} encode zstd gzip ''; @@ -65,15 +63,15 @@ in { sops = let sopsSecrets = ["env"]; sopsPath = secret: { - path = "${sops.path0}/${name}-${secret}"; - owner = name; + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; mode = "600"; }; in { secrets = builtins.listToAttrs ( map (secret: { - name = "${name}/${secret}"; + name = "${service.name}/${secret}"; value = sopsPath secret; }) sopsSecrets @@ -81,14 +79,14 @@ in { }; systemd.tmpfiles.rules = [ - "Z ${paths.path0} 0755 ${name} ${name} -" - "Z ${sops.path0} 755 ${name} ${name} -" + "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" ]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 + service.ports.port0 ]; }; }; diff --git a/nixos/modules/services/wiki.nix b/nixos/modules/services/wiki.nix index a8e9020..86eb579 100755 --- a/nixos/modules/services/wiki.nix +++ b/nixos/modules/services/wiki.nix @@ -3,22 +3,21 @@ config, ... }: let - inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) domain; - inherit (flake.config.system.device) server wildcard; - inherit (flake.config.service.instance.wiki) paths ports subdomain ssl sops name; - localhost = wildcard.ip.address0; - host = "${subdomain}.${domain.url1}"; + inherit (flake.config.system.device) server; + inherit (flake.config.service.instance) web wiki; + service = wiki; + localhost = web.localhost.address0; + host = "${service.subdomain}.${web.domains.url1}"; in { services = { wiki-js = { enable = true; - environmentFile = config.sops.secrets."${name}-pass".path; + environmentFile = config.sops.secrets."${service.name}-pass".path; settings = { - port = ports.port0; + port = service.ports.port0; bindIP = localhost; db = { - db = name; + db = service.name; type = "postgres"; host = host; }; @@ -29,19 +28,19 @@ in { virtualHosts = { "${host}" = { extraConfig = '' - reverse_proxy ${localhost}:${toString ports.port0} + reverse_proxy ${localhost}:${toString service.ports.port0} - tls ${ssl.cert} ${ssl.key} + tls ${service.ssl.cert} ${service.ssl.key} ''; }; }; }; postgresql = { - ensureDatabases = [name]; + ensureDatabases = [service.name]; ensureUsers = [ { - name = name; + name = service.name; ensureDBOwnership = true; } ]; @@ -51,7 +50,7 @@ in { sops = let sopsSecrets = ["pass"]; sopsPath = secret: { - path = "${sops.path0}/${name}-${secret}"; + path = "${service.sops.path0}/${service.name}-${secret}"; owner = "root"; mode = "600"; }; @@ -59,30 +58,30 @@ in { secrets = builtins.listToAttrs ( map (secret: { - name = "${name}-${secret}"; + name = "${service.name}-${secret}"; value = sopsPath secret; }) sopsSecrets ); }; - fileSystems."/var/lib/${name}" = { - device = paths.path0; + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; fsType = "none"; options = ["bind"]; depends = [server.storage0.mount]; }; systemd.tmpfiles.rules = [ - "Z ${paths.path0} 755 ${name} ${name} -" - "Z ${sops.path0} 755 ${name} ${name} -" + "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" ]; networking = { firewall = { allowedTCPPorts = [ - ports.port0 - ports.port1 + service.ports.port0 + service.ports.port1 ]; }; }; diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix index f99db9c..7d1446b 100755 --- a/nixos/modules/syncthing.nix +++ b/nixos/modules/syncthing.nix @@ -1,7 +1,8 @@ {flake, ...}: let - inherit (flake.config.system.device) nas phone tablet wildcard; - inherit (flake.config.service.instance.syncthing) ports; - localhost = wildcard.ip.address0; + inherit (flake.config.system.device) nas phone tablet; + inherit (flake.config.service.instance) syncthing web; + service = syncthing; + localhost = web.localhost.address0; in { services = { syncthing = { @@ -10,14 +11,14 @@ in { overrideFolders = false; openDefaultPorts = true; systemService = true; - guiAddress = "${localhost}:${toString ports.port0}"; + guiAddress = "${localhost}:${toString service.ports.port0}"; settings = { devices = { ${nas.name} = { autoAcceptFolders = true; name = nas.name; addresses = [ - "tcp://${nas.ip.address0}:${toString ports.port2}" + "tcp://${nas.ip.address0}:${toString service.ports.port2}" ]; id = nas.sync; }; @@ -25,7 +26,7 @@ in { autoAcceptFolders = true; name = phone.name; addresses = [ - "tcp://${phone.ip.address0}:${toString ports.port2}" + "tcp://${phone.ip.address0}:${toString service.ports.port2}" ]; id = phone.sync; }; @@ -33,7 +34,7 @@ in { autoAcceptFolders = true; name = tablet.name; addresses = [ - "tcp://${tablet.ip.address0}:${toString ports.port2}" + "tcp://${tablet.ip.address0}:${toString service.ports.port2}" ]; id = tablet.sync; }; @@ -45,9 +46,9 @@ in { networking = { firewall = { allowedTCPPorts = [ - ports.port0 - ports.port1 - ports.port2 + service.ports.port0 + service.ports.port1 + service.ports.port2 ]; }; }; diff --git a/profiles/user0/default.nix b/profiles/user0/default.nix index 26ace0f..1e5cb34 100755 --- a/profiles/user0/default.nix +++ b/profiles/user0/default.nix @@ -5,7 +5,7 @@ ... }: let inherit (flake.config.people) user0; - inherit (flake.config.people.user.${user0}) name git; + inherit (flake.config.people.user.${user0}) name paths; hostname = config.networking.hostName; in { @@ -90,7 +90,7 @@ in { ]; in { rules = - ["d ${git.path0} 0755 ${user0} users -"] + ["d ${paths.path0} 0755 ${user0} users -"] ++ (map (path: "d /home/${user0}/${path} 0755 ${user0} users -") directoriesAddedToHome) ++ (map (path: "R /home/${user0}/${path} 0755 ${user0} users - -") directoriesRemovedFromHome); };