diff --git a/flake.lock b/flake.lock index 2d83292..70c65ad 100755 --- a/flake.lock +++ b/flake.lock @@ -1376,6 +1376,7 @@ "pre-commit-hooks-nix": "pre-commit-hooks-nix", "sops-nix": "sops-nix", "systems": "systems_5", + "treefmt-nix": "treefmt-nix_3", "upRootNutrition": "upRootNutrition", "waybar": "waybar", "wpaperd": "wpaperd", @@ -1566,6 +1567,26 @@ } }, "treefmt-nix_3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761311587, + "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_4": { "inputs": { "nixpkgs": "nixpkgs_7" }, @@ -1583,7 +1604,7 @@ "type": "github" } }, - "treefmt-nix_4": { + "treefmt-nix_5": { "inputs": { "nixpkgs": "nixpkgs_8" }, @@ -1607,7 +1628,7 @@ "mkElmDerivation": "mkElmDerivation", "nixpkgs": "nixpkgs_6", "nixpkgs-stable": "nixpkgs-stable_3", - "treefmt-nix": "treefmt-nix_3" + "treefmt-nix": "treefmt-nix_4" }, "locked": { "lastModified": 1761538643, @@ -1746,7 +1767,7 @@ "nixpkgs": [ "nixpkgs" ], - "treefmt-nix": "treefmt-nix_4" + "treefmt-nix": "treefmt-nix_5" }, "locked": { "lastModified": 1760778041, diff --git a/flake.nix b/flake.nix index 9723592..68ff16a 100755 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,10 @@ url = "github:hercules-ci/flake-parts"; inputs.nixpkgs-lib.follows = "nixpkgs"; }; + treefmt-nix = { + url = "github:numtide/treefmt-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; systems.url = "github:nix-systems/x86_64-linux"; home-manager = { url = "github:nix-community/home-manager"; @@ -87,6 +91,7 @@ inputs.flake-parts.lib.mkFlake { inherit inputs; } { imports = [ inputs.pre-commit-hooks-nix.flakeModule + inputs.treefmt-nix.flakeModule ./lib ./modules ./parts 
diff --git a/modules/config/default.nix b/modules/config/default.nix index 8730003..15f91a3 100755 --- a/modules/config/default.nix +++ b/modules/config/default.nix @@ -71,10 +71,23 @@ let email = genOptions stringType "address"; sops = genOptions stringType "path"; paths = genOptions stringType "path"; + varPaths = genOptions stringType "path"; + mntPaths = genOptions stringType "path"; + secretPaths = genOptions stringType "path"; ports = genOptions intType "port"; + interface = { + id = stringType; + mac = stringType; + idUser = stringType; + macUser = stringType; + ip = stringType; + gate = stringType; + ssh = intType; + }; ssl = { cert = stringType; key = stringType; + path = stringType; }; }; }; @@ -259,15 +272,26 @@ in }; - instancesFunctions = { - domain0 = "cloudbert.fun"; - domain1 = "uprootnutrition.com"; - servicePath = "/mnt/media/NAS1"; - sopsPath = "/var/lib/secrets"; - sslPath = "/var/lib/acme"; - varLib = "/var/lib"; - dummy = ""; - }; + instancesFunctions = + let + vm = "vm-"; + var = "/var/lib"; + in + { + domain0 = "cloudbert.fun"; + domain1 = "uprootnutrition.com"; + idPrefix = vm; + userPrefix = "user${vm}"; + emailNoReply = "noreply"; + servicePath = "/mnt/media/NAS1"; + mntPath = "/mnt/storage"; + varLib = var; + varPath = var; + sslPath = "${var}/acme"; + sopsPath = "${var}/secrets"; + secretPath = "${var}/secrets"; + dummy = ""; + }; themesFunctions = { brogrammer = "brogrammer"; diff --git a/modules/config/instances/config/acme.nix b/modules/config/instances/config/acme.nix index 2ed281a..ca82ad7 100755 --- a/modules/config/instances/config/acme.nix +++ b/modules/config/instances/config/acme.nix @@ -3,6 +3,7 @@ let inherit (moduleFunctions.instancesFunctions) sslPath sopsPath + secretPath ; label = "Acme"; @@ -14,6 +15,9 @@ in paths = { path0 = sslPath; }; + secretPaths = { + path0 = secretPath; + }; sops = { path0 = "${sopsPath}/${name}"; }; 
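Review bot: `vm = "vm-"` already carries a trailing hyphen, and forgejo.nix in this same commit builds `id = "${idPrefix}-${name}"` and `idUser = "${userPrefix}-${name}"` on top of it, so the VM ends up with interface ids `vm--forgejo` and `uservm--forgejo`; drop the hyphen here (`vm = "vm";`) or the separator there. `sopsPath` and `secretPath` both evaluate to `${var}/secrets` and `varLib`/`varPath` both to `var`, while acme.nix now uses `sopsPath` for `sops.path0` and `secretPath` for `secretPaths.path0` side by side, so two names point at one secrets tree and can silently diverge later; `sopsPath = secretPath;` (or dropping one of each pair) makes the aliasing explicit.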
diff --git a/modules/config/instances/config/caddy.nix b/modules/config/instances/config/caddy.nix index 55d9717..003f42b 100755 --- a/modules/config/instances/config/caddy.nix +++ b/modules/config/instances/config/caddy.nix @@ -17,7 +17,6 @@ in port0 = 80; port1 = 443; port2 = 8443; - port3 = 8444; # Nextcloud - port4 = 8445; # Opencloud + port3 = 8445; # Opencloud }; } diff --git a/modules/config/instances/config/forgejo.nix b/modules/config/instances/config/forgejo.nix index f860609..747f518 100755 --- a/modules/config/instances/config/forgejo.nix +++ b/modules/config/instances/config/forgejo.nix @@ -2,25 +2,28 @@ let inherit (moduleFunctions.instancesFunctions) domain1 - servicePath + idPrefix + userPrefix + varPath + mntPath + secretPath sslPath - sopsPath + emailNoReply ; - label = "Forgejo"; name = "forgejo"; + label = "Forgejo"; subdomain = "source"; domain = "${subdomain}.${domain1}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; in { - label = label; name = name; + label = label; short = label; email = { - address0 = "noreply@${domain1}"; - }; - sops = { - path0 = "${sopsPath}/${name}"; + address0 = "${emailNoReply}@${domain1}"; }; domains = { url0 = domain; @@ -31,14 +34,30 @@ in "forge" "git" ]; - paths = { - path0 = "${servicePath}/${label}"; - }; ports = { port0 = 3033; }; + interface = { + id = "${idPrefix}-${name}"; + mac = "02:00:00:00:00:50"; + idUser = "${userPrefix}-${name}"; + macUser = "02:00:00:00:00:02"; + ip = "192.168.50.50"; + gate = "192.168.50.1"; + ssh = 2200; + }; ssl = { - cert = "${sslPath}/${subdomain}.${domain1}/fullchain.pem"; - key = "${sslPath}/${subdomain}.${domain1}/key.pem"; + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + varPaths = { + path0 = "${varPath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; }; } 
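Review bot: In the `let` block the new bindings `secrets` and `ssl` carry the same names as the attributes they populate (`ssl = { path = ssl; ... }`, `secretPaths = { path0 = secrets; }`); this evaluates correctly in a non-recursive attrset, but it reads as self-reference, and `sslDir`/`secretsDir` would keep the two levels apart. The `interface` block pins `ip`, `gate`, both MAC addresses and `ssh = 2200` as literals in a file that otherwise derives every value from `instancesFunctions`; a one-line comment stating that these must stay unique across VMs (the host forwards `interface.ssh` and the MACs land on a shared tap) would help whoever adds the next VM the same way.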
diff --git a/modules/config/instances/config/nextcloud.nix b/modules/config/instances/config/nextcloud.nix deleted file mode 100755 index cf5c873..0000000 --- a/modules/config/instances/config/nextcloud.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ moduleFunctions }: -let - inherit (moduleFunctions.instancesFunctions) - domain0 - servicePath - sslPath - sopsPath - ; - - label = "Nextcloud"; - name = "nextcloud"; - domain = "${name}.${domain0}"; -in -{ - label = label; - name = name; - short = "Next"; - email = { - address0 = "noreply@${name}.${domain0}"; - }; - sops = { - path0 = "${sopsPath}/${name}"; - }; - domains = { - url0 = domain; - }; - subdomain = name; - tags = [ - name - "next" - "cloud" - "calendar" - ]; - paths = { - path0 = "${servicePath}/${label}"; - }; - ports = { - port0 = 8354; # Nextcloud - }; - ssl = { - cert = "${sslPath}/${name}.${domain0}/fullchain.pem"; - key = "${sslPath}/${name}.${domain0}/key.pem"; - }; -} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index de8e3a5..198840c 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -15,7 +15,6 @@ in plymouth sddm searx - syncthing wireGuard ; }; @@ -46,28 +45,28 @@ in ceres = { imports = builtins.attrValues { inherit (modules) - acmeCeres - audiobookshelf - caddyCeres - comfyui - filesorter - firefly-iii - forgejo - glance - jellyfin - logrotate - mastodon - minecraft - ollamaCeres - postgresCeres - projectSite - prompter - sambaCeres - searx - syncthing - vaultwarden - website - zookeeper + # acmeCeres + # audiobookshelf + # caddyCeres + # comfyui + # filesorter + # firefly-iii + # forgejo + # glance + # jellyfin + # logrotate + # mastodon + # microvm + # minecraft + # ollamaCeres + # postgresCeres + # projectSite + # prompter + # sambaCeres + # searx + # vaultwarden + # website + # zookeeper ; }; }; @@ -78,6 +77,7 @@ in acmeEris caddyEris logrotate + microvm # opencloud sambaEris postgresEris 
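Review bot: The eris import list gains `microvm` (the host module), but the three lines of context do not show `forgejo` in that list, and this commit comments `forgejo` out of ceres' imports; since the forgejo module is now what defines `microvm.vms.forgejo`, if it is not imported on eris the VM is declared nowhere. Presumably it is further up in the eris list outside the hunk, but it is worth confirming before deploying. Commenting out the entire ceres service set leaves `inherit (modules) ;` with no attributes, which is valid but easy to misread as a mistake; a short comment above it saying the services moved to eris would help.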
diff --git a/modules/nixos/microvm/default.nix b/modules/nixos/microvm/default.nix
new file mode 100644
index 0000000..80f2ea6
--- /dev/null
+++ b/modules/nixos/microvm/default.nix
@@ -0,0 +1,6 @@
+{ flake, ... }:
+{
+ imports = [
+ flake.inputs.microvm.nixosModules.host
+ ];
+}
diff --git a/modules/nixos/services/acme/acmeCeres/default.nix b/modules/nixos/services/acme/acmeCeres/default.nix
index 0841688..33ff056 100755
--- a/modules/nixos/services/acme/acmeCeres/default.nix
+++ b/modules/nixos/services/acme/acmeCeres/default.nix
@@ -15,12 +15,6 @@ let
 dns1 = instances.web.dns.provider1;
 dns0Path = "dns/${dns0}";
 dns1Path = "dns/${dns1}";
- instanceName = service: (instances.${service}.subdomain);
- dnsConfig = provider: dns: {
- dnsProvider = dns;
- directory = instances.acme.paths.path0;
- environmentFile = config.sops.secrets.${provider}.path;
- };
 in
 {
 security.acme = { 
@@ -29,60 +23,33 @@ in email = email.address0; server = "https://acme-v02.api.letsencrypt.org/directory"; }; - certs = builtins.listToAttrs ( - (map - (service: { - name = "${instanceName service}.${domain0}"; - value = dnsConfig dns0Path dns0; - }) - [ - instances.audiobookshelf.name - instances.glance.name - instances.jellyfin.name - instances.minecraft.name - instances.ollama.name - instances.searx.name - instances.syncthing.name - instances.vaultwarden.name - instances.prompter.name - instances.comfyui.name - instances.firefly-iii.name - instances.nextcloud.name - instances.opencloud.name - ] - ) - ++ (map - (service: { - name = "${instanceName service}.${domain1}"; - value = dnsConfig dns0Path dns0; - }) - [ - instances.forgejo.name - instances.mastodon.name - instances.peertube.name - ] - ) - ++ (map - (name: { - name = name; - value = dnsConfig dns0Path dns0; - }) - [ - domain0 - domain1 - ] - ) - ++ (map - (name: { - name = name; - value = dnsConfig dns1Path dns1; - }) - [ - domain4 - ] - ) - ); + certs = + let + dnsConfig = provider: dns: directory: { + dnsProvider = dns; + environmentFile = config.sops.secrets.${provider}.path; + }; + in + { + "${instances.audiobookshelf.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.glance.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.jellyfin.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.ollama.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.searx.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.syncthing.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.vaultwarden.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.prompter.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.comfyui.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.firefly-iii.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.opencloud.domains.url0}" = dnsConfig dns0Path dns0; + "${instances.forgejo.domains.url0}" = dnsConfig dns0Path dns0; + 
"${instances.mastodon.domains.url0}" = dnsConfig dns0Path dns0; + "${domain0}" = dnsConfig dns0Path dns0; + "${domain1}" = dnsConfig dns0Path dns0; + "${domain4}" = dnsConfig dns1Path dns1; + }; }; + sops = let dnsList = [ @@ -117,5 +84,4 @@ in "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" ]; }; - } diff --git a/modules/nixos/services/acme/acmeEris/default.nix b/modules/nixos/services/acme/acmeEris/default.nix index 4650804..e88d6ac 100755 --- a/modules/nixos/services/acme/acmeEris/default.nix +++ b/modules/nixos/services/acme/acmeEris/default.nix @@ -33,7 +33,6 @@ in value = dnsConfig dns0Path dns0; }) [ - # instances.nextcloud.name # instances.opencloud.name ] ) diff --git a/modules/nixos/services/caddy/caddyCeres/default.nix b/modules/nixos/services/caddy/caddyCeres/default.nix index 0820f0b..131b183 100755 --- a/modules/nixos/services/caddy/caddyCeres/default.nix +++ b/modules/nixos/services/caddy/caddyCeres/default.nix @@ -5,7 +5,6 @@ let domain0 = instances.web.domains.url0; service = instances.caddy; - nextcloud = instances.nextcloud; opencloud = instances.opencloud; in { @@ -18,18 +17,12 @@ in encode zstd gzip ''; }; - "${nextcloud.domains.url0}" = { - extraConfig = '' - reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port3} - tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key} - ''; - }; - "${opencloud.domains.url0}" = { - extraConfig = '' - reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4} - tls ${opencloud.ssl.cert} ${opencloud.ssl.key} - ''; - }; + # "${opencloud.domains.url0}" = { + # extraConfig = '' + # reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4} + # tls ${opencloud.ssl.cert} ${opencloud.ssl.key} + # ''; + # }; }; }; users.users.${service.name}.extraGroups = [ diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix index 67138f1..01fbbb7 100755 
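Review bot: `dnsConfig = provider: dns: directory: { ... }` declares three parameters but every call site below passes two (`dnsConfig dns0Path dns0`), so each `certs` entry evaluates to a partially-applied function rather than an attrset, and `directory` is never used in the body anyway; drop it: `dnsConfig = provider: dns: {`. Because this commit also comments `acmeCeres` out of ceres' imports in modules/nixos/default.nix, the evaluation error will presumably only surface once the module is re-enabled, which is a good reason to fix it now. Removing `directory = instances.acme.paths.path0` from the body means each cert lands under the acme module's default directory; the forgejo VM shares `service.ssl.path` (`sslPath/<domain>`) into the guest, so confirm that path matches the module default or the guest will mount an empty directory.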
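Review bot: The commented-out opencloud virtual host still references `service.ports.port4`, which this same commit deletes from caddy.nix (opencloud is now `port3 = 8445`), so uncommenting the block verbatim would fail evaluation; either update the comment to `service.ports.port3` or drop the block and rely on git history. The same keep-as-comments pattern appears in the ceres import list in modules/nixos/default.nix and in systems/ceres/config/filesystem.nix, where the `# let … # in` scaffolding leaves `fileSystems =` reading straight into the attrset; deleting disabled code keeps those files easier to follow.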
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@@ -1,84 +1,197 @@ { flake, - config, - pkgs, ... }: let - inherit (flake.config.machines.devices) ceres; - inherit (flake.config.services) - instances + inherit (flake.config.people) user0; + inherit (flake.config.services.instances) + forgejo + smtp + web ; - service = instances.forgejo; - localhost = instances.web.localhost.address0; - host = service.domains.url0; - - caddy = instances.caddy; - postgres = instances.postgresql; - syncthing = instances.syncthing; - backupPath = "${instances.syncthing.paths.path1}/${service.name}"; + service = forgejo; + host = forgejo.domains.url0; + secrets = service.secretPaths.path0; + localhost = web.localhost.address1; + sshPort = 22; in { - services = { - forgejo = { - enable = true; - database.type = "postgres"; - lfs.enable = true; - secrets = { - mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path; - database.PASSWD = config.sops.secrets."${service.name}-database".path; - }; - dump = { - interval = "5:00"; - type = "zip"; - file = "forgejo-backup"; - enable = true; - backupDir = backupPath; - }; - settings = { - server = { - DOMAIN = host; - ROOT_URL = "https://${host}/"; - HTTP_PORT = service.ports.port0; - }; - # If you need to start from scratch, don't forget to turn this off again - service.DISABLE_REGISTRATION = true; - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - mirror = { - ENABLED = true; - }; - mailer = { - ENABLED = true; - SMTP_ADDR = instances.smtp.hostname; - FROM = instances.smtp.email.address1; - USER = instances.smtp.email.address1; - PROTOCOL = "${instances.smtp.name}+${instances.smtp.records.record1}"; - SMTP_PORT = instances.smtp.ports.port1; - SEND_AS_PLAIN_TEXT = true; - USE_CLIENT_CERT = false; - }; - }; - }; - caddy = { - virtualHosts = { - "${host}" = { - extraConfig = '' - reverse_proxy ${localhost}:${toString service.ports.port0} + microvm = { + vms = { + forgejo = { + autostart = true; + config = + { config, pkgs, ... 
}: + { + system.stateVersion = "25.05"; + time.timeZone = "America/Winnipeg"; - tls ${service.ssl.cert} ${service.ssl.key} - ''; - }; + users.users.root = { + openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + }; + + services = { + forgejo = { + enable = true; + database.type = "postgres"; + lfs.enable = true; + + secrets = { + mailer.PASSWD = "${secrets}/${service.name}-smtp"; + database.PASSWD = "${secrets}/${service.name}-database"; + }; + + dump = { + interval = "5:00"; + type = "zip"; + file = "forgejo-backup"; + enable = true; + }; + + settings = { + server = { + DOMAIN = host; + ROOT_URL = "https://${host}/"; + HTTP_PORT = service.ports.port0; + HTTP_ADDR = localhost; + }; + + # If you need to start from scratch, don't forget to turn this off again + service.DISABLE_REGISTRATION = false; + + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + + mirror.ENABLED = true; + + mailer = { + ENABLED = true; + SMTP_ADDR = smtp.hostname; + FROM = smtp.email.address1; + USER = smtp.email.address1; + PROTOCOL = "${smtp.name}+${smtp.records.record1}"; + SMTP_PORT = smtp.ports.port1; + SEND_AS_PLAIN_TEXT = true; + USE_CLIENT_CERT = false; + }; + }; + }; + + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + + systemd = { + tmpfiles.rules = [ + "d ${secrets} 0755 ${service.name} ${service.name} -" + ]; + + services.forgejo-dump = { + serviceConfig = { + ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${service.varPaths.path0}/dump | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'"; + }; + }; + + network = { + enable = true; + networks."10-enp" = { + matchConfig.Name = "enp0s4"; + addresses = [ { Address = "${service.interface.ip}/24"; } ]; + routes = [ + { + Destination = "${localhost}/0"; + Gateway = service.interface.gate; + } + ]; + dns = [ service.interface.gate ]; + }; + }; + }; + + 
networking.firewall.allowedTCPPorts = [ + sshPort + service.ports.port0 + ]; + + microvm = { + vcpu = 2; + mem = 3096; + hypervisor = "qemu"; + + interfaces = [ + { + type = "tap"; + id = service.interface.id; + mac = service.interface.mac; + } + { + type = "user"; + id = service.interface.idUser; + mac = service.interface.macUser; + } + + ]; + + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = service.varPaths.path0; + proto = "virtiofs"; + source = service.mntPaths.path0; + tag = "${service.name}_data"; + } + { + mountPoint = service.secretPaths.path0; + proto = "virtiofs"; + source = service.secretPaths.path0; + tag = "${service.name}_secrets"; + } + { + mountPoint = service.ssl.path; + proto = "virtiofs"; + source = service.ssl.path; + tag = "acme_certs"; + } + ]; + + forwardPorts = [ + { + from = "host"; + host.port = service.interface.ssh; + guest.port = sshPort; + } + ]; + }; + }; }; }; }; + + services.caddy.virtualHosts."${host}" = { + extraConfig = '' + reverse_proxy ${service.interface.ip}:${toString service.ports.port0} + + tls ${service.ssl.cert} ${service.ssl.key} + ''; + }; + sops = let sopsPath = secret: { - path = "${service.sops.path0}/${service.name}-${secret}"; - owner = service.name; + path = "${secrets}/${service.name}-${secret}"; + owner = "root"; mode = "600"; }; in 
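Review bot: `service.DISABLE_REGISTRATION = false;` flips the value the removed code set to `true` on an instance that the new caddy vhost serves at `https://${host}/`, and the comment kept directly above it says to turn this back off; unless open sign-up is intended, the VM config should ship with `service.DISABLE_REGISTRATION = true;` and be relaxed only temporarily for the initial bootstrap. The host-side sops entries are now `owner = "root"; mode = "600";` and reach the guest through the `${service.name}_secrets` virtiofs share, while the guest's `services.forgejo.secrets` files have to be readable by the forgejo service user; verify the guest can read root-owned 0600 files across the share (and that the guest `tmpfiles` rule `d ${secrets} 0755 forgejo forgejo` can apply to a mounted directory), or the mailer and database passwords will be missing at start-up. `mem = 3096` looks like a typo for 3072 or 4096. The enclosing attrset continues into the next hunk.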
@@ -95,42 +208,4 @@ in ] ); }; - - fileSystems."/var/lib/${service.name}" = { - device = service.paths.path0; - fsType = "none"; - options = [ - "bind" - ]; - depends = [ - ceres.storage0.mount - ]; - }; - - systemd.services = { - forgejo-dump = { - serviceConfig = { - ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${backupPath} | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'"; - }; - }; - }; - - systemd.tmpfiles.rules = [ - "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" - "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" - ]; - - users.users.${service.name}.extraGroups = [ - caddy.name - postgres.name - syncthing.name - ]; - - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 - ]; - }; - }; } diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix deleted file mode 100755 index 02fa416..0000000 --- a/modules/nixos/services/nextcloud/default.nix +++ /dev/null 
@@ -1,163 +0,0 @@ -{ - flake, - config, - pkgs, - ... -}: -let - inherit (flake.config.people) user0; - inherit (flake.config.people.users.${user0}) name; - inherit (flake.config.services.instances) - nextcloud - nginx - caddy - smtp - web - ; - service = nextcloud; - localhost = web.localhost.address0; - host = service.domains.url0; - -in -{ - services = { - nextcloud = { - appstoreEnable = true; - autoUpdateApps.enable = true; - configureRedis = true; - enable = true; - hostName = host; - https = true; - package = pkgs.nextcloud31; - phpOptions."opcache.interned_strings_buffer" = "24"; - extraAppsEnable = true; - extraApps = { - inherit (pkgs.nextcloud31Packages.apps) - contacts - calendar - deck - ; - }; - config = { - adminpassFile = config.sops.secrets."${service.name}-pass".path; - adminuser = name; - dbtype = "pgsql"; - }; - database = { - createLocally = true; - }; - settings = { - default_phone_region = "CA"; - log_type = "file"; - mail_domain = host; - mail_from_address = "noreply"; - mail_sendmailmode = smtp.name; - mail_smtpmode = smtp.name; - mail_smtphost = smtp.hostname; - mail_smtpport = smtp.ports.port1; - mail_smtpsecure = ""; - mail_smtptimeout = 30; - mail_smtpauth = 1; - mail_smtpname = smtp.email.address0; - mail_smtppassword = config.sops.secrets."${service.name}-smtp".path; - maintenance_window_start = 4; - overwriteprotocol = "https"; - trusted_proxies = [ - localhost - web.localhost.address1 - ]; - security.headers = { - Strict-Transport-Security = "max-age=15552000; includeSubDomains"; - X-XSS-Protection = "1; mode=block"; - X-Content-Type-Options = "nosniff"; - X-Frame-Options = "SAMEORIGIN"; - Referrer-Policy = "strict-origin-when-cross-origin"; - }; - }; - - }; - nginx = { - enable = true; - virtualHosts.${host} = { - listen = [ - { - addr = localhost; - port = nginx.ports.port0; - } - ]; - forceSSL = false; - onlySSL = false; - addSSL = false; - }; - }; - caddy = { - virtualHosts = { - ":${toString caddy.ports.port3}" = { - 
extraConfig = '' - header { - # Enable XSS protection and block instead of sanitizing - X-XSS-Protection "1; mode=block" - # Enable HSTS with 6 month duration - Strict-Transport-Security "max-age=15552000; includeSubDomains" - # Additional security headers - X-Content-Type-Options "nosniff" - X-Frame-Options "SAMEORIGIN" - Referrer-Policy "strict-origin-when-cross-origin" - # Remove server identification - -Server - } - reverse_proxy http://${localhost}:${toString nginx.ports.port0} - ''; - }; - }; - }; - }; - sops = - let - sopsPath = secret: { - path = "${service.sops.path0}/${service.name}-${secret}"; - owner = service.name; - mode = "600"; - }; - in - { - secrets = builtins.listToAttrs ( - map - (secret: { - name = "${service.name}-${secret}"; - value = sopsPath secret; - }) - [ - "pass" - "smtp" - ] - ); - }; - - systemd = { - tmpfiles.rules = [ - "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" - ]; - }; - - users.users.${service.name} = { - packages = with pkgs; [ - php - ]; - extraGroups = [ - "caddy" - "nginx" - "postgres" - ]; - }; - - networking = { - firewall = { - allowedTCPPorts = [ - nginx.ports.port0 - service.ports.port0 - caddy.ports.port3 - ]; - }; - }; -} diff --git a/parts/config/devshells.nix b/parts/config/devshells.nix deleted file mode 100755 index d94d3a1..0000000 --- a/parts/config/devshells.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ pkgs, config, ... }: -{ - devShells = { - default = pkgs.mkShell { - packages = builtins.attrValues { - inherit (pkgs) - age - gitmoji-cli - graphviz - imv - just - nixfmt - just-lsp - litemdview - nil - openssl - pqiv - sops - ssh-to-age - taplo - vscode-langservers-extracted - watchexec - ; - }; - shellHook = "${config.pre-commit.installationScript}"; - }; - }; -} diff --git a/parts/config/pre-commit.nix b/parts/config/pre-commit.nix deleted file mode 100755 index 723b60e..0000000 --- a/parts/config/pre-commit.nix +++ /dev/null 
@@ -1,7 +0,0 @@ -{ - pre-commit.settings.hooks = { - nixfmt-rfc-style.enable = true; - commitizen.enable = true; - # statix.enable = true; - }; -} diff --git a/parts/default.nix b/parts/default.nix index 27fb3cf..e5dbb82 100755 --- a/parts/default.nix +++ b/parts/default.nix @@ -1,20 +1,48 @@ { - perSystem = { - pkgs, - lib, - config, - self', - ... - }: let - configPath = ./config; + perSystem = + { + pkgs, + lib, + config, + self', + ... + }: + { + devShells = { + default = pkgs.mkShell { + packages = builtins.attrValues { + inherit (pkgs) + age + gitmoji-cli + graphviz + imv + just + nixfmt + just-lsp + litemdview + nil + openssl + pqiv + sops + ssh-to-age + taplo + vscode-langservers-extracted + watchexec + ; + }; + shellHook = "${config.pre-commit.installationScript}"; + }; + }; - devshellImports = let - files = builtins.attrNames (builtins.readDir configPath); - in - map - (name: configPath + "/${name}") - (builtins.filter (name: builtins.match ".*\\.nix$" name != null) files); - in { - imports = devshellImports; - }; + pre-commit.settings.hooks = { + nixfmt-rfc-style.enable = true; + commitizen.enable = true; + }; + + treefmt.programs.nixfmt = { + enable = true; + width = 200; + }; + + }; } diff --git a/profiles/user0/default.nix b/profiles/user0/default.nix index a6d7d69..1e62ff6 100755 --- a/profiles/user0/default.nix +++ b/profiles/user0/default.nix @@ -29,7 +29,6 @@ in "minecraft" "netdev" "networkmanager" - "nextcloud" "ollama" "opencloud" "plugdev" diff --git a/profiles/user0/files/misc/justfile.nix b/profiles/user0/files/misc/justfile.nix index 5705c3a..e07845c 100755 --- a/profiles/user0/files/misc/justfile.nix +++ b/profiles/user0/files/misc/justfile.nix 
@@ -16,20 +16,6 @@ let hostname = config.networking.hostName; deviceLogic = if hostname == mars.name then deimos else mars; - vpnServers = [ - "CA363" - "CA220" - "CA358" - "CA627" - ]; - - vpnCommands = lib.concatStrings ( - lib.imap0 (i: server: '' - vpn${toString i}: - sudo systemctl start wg-quick-Proton-${server}.service - - '') vpnServers - ); in { text = @@ -73,12 +59,12 @@ in serverRemote: ssh ${instances.web.remotehost.address0} + forgejo: + ssh root@${instances.forgejo.interface.ip} + ${deviceLogic.name}: ssh ${deviceLogic.ip.address0} - vpnoff: - sudo systemctl stop wg-quick-Proton-*.service - ${vpnCommands} ''; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index f4c129d..cf0c008 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
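Review bot: The new `forgejo:` recipe logs into the VM as root (`ssh root@${instances.forgejo.interface.ip}`); the guest allows that only with keys (`PermitRootLogin = "prohibit-password"` in the forgejo module), but routine administration through a non-root user with sudo would keep root's authorized_keys empty on the guest, which is the lower-privilege default. The recipe also targets the tap IP on port 22 rather than the host-side forward from `interface.ssh` to guest 22 defined for the user-mode NIC, so it presumably only works from a machine on the VM's L2 segment; a short comment naming which path is intended would help. Dropping the `vpn*` recipes while the `wireguard-*` entries remain in secrets.yaml leaves those secrets orphaned unless something else consumes them.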
@@ -23,12 +23,6 @@ vaultwarden: dns: namecheap: ENC[AES256_GCM,data:Afxyf4cHvdnPIXYoPN3viBOzzqUOeRs3YjQ5ugerlnL9H4iSf/iAsxyzHYysOgZ/9xc0OWt6G6A7cEZHW4i82MX1+mLbvWN5ir1iHL73RtesC14=,iv:3XMTQ4TNL7iXPYFLSa+BapSgqILYuM6ZaQLMQZSJ2pc=,tag:PO69wRhCoey+CwPgnOOR6A==,type:str] cloudflare: ENC[AES256_GCM,data:H0ODjZvDZpaicYwM1qX1V05iaiCsJMUo5aIZYVzQ2bGvsVA+nQYKy7i1qCNbG796WmBOvUJOo1XJHsceTyfGB7rQpgs103RA0CXmc9WfvU74tsER+sVbnCxsGrG1kvyZvD80ACsx53s6j9nXkZO2m7uZgdM8LbEEaj/CVOMDg39YWWKwug==,iv:EALcT+2ES7q/4zEwUXDsyrDzSZnUCsYtYZLIU3xNJQs=,tag:RTyPzUpMcrQtDT4UKn4SNw==,type:str] -nextcloud-pass: ENC[AES256_GCM,data:BJWpsEtnezl67vQWwV9WSdpPAYLg3eOXAZ301A382GE=,iv:+1LrBtbjCBcVC7m/fSbXzPnBxbVmpv+2opPoxEfcgjY=,tag:ArMw4yv+Zt6Lhm7CaS5hMg==,type:str] -nextcloud-user0: ENC[AES256_GCM,data:yUZruPJ4s2Svvh6Q0f4C4lgcKCcWJDMw8CpT8cXv3m4=,iv:wo9Cl1OsJY6UOvrJw/UHxtcBKykaYQ69Mue7QYyBXRY=,tag:83XvKKJ9V2aBhznzBkzNEQ==,type:str] -nextcloud-user1: ENC[AES256_GCM,data:6EsbSeWWftPjZQM=,iv:LTcx6fx55d3+SepFIoy/6cBdbgaauDeo0gvq9ACCtHA=,tag:uzoATR3ZL2Uk5z6aMiD/yw==,type:str] -nextcloud-user2: ENC[AES256_GCM,data:axrWMmouq5gwqdGL,iv:BPHEn47z2g7gocKO4g5vV4ZSGb+AMA3vGYheAy1zR5Q=,tag:QOWg4fdKxMhGk2qRehH2EQ==,type:str] -nextcloud-user3: ENC[AES256_GCM,data:g6ldEdtBuEmPAQYAQfaO,iv:6fElE2vZh9l/KgJuNevklpIlZZdqGHgwhnOzq1n3ojE=,tag:T0Q1IkdVTeW2T1FmGnjz8A==,type:str] -nextcloud-smtp: ENC[AES256_GCM,data:8cS/5Fnj/x1/Oikn3EQxlOCLzRJRf4PWx5C0dm2qzY0=,iv:izKI66ndRt56LfjKUQeC1SZBOFf8m4rO6kk6oVneQZA=,tag:oiSMzflj2jeE6QC1KEDBlg==,type:str] claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str] searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str] wireguard-CA363: 
ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str] @@ -65,7 +59,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-01T07:44:35Z" - mac: ENC[AES256_GCM,data:a2/GQdFc4tWSOJcKfGeA2sg/f3thnU115kX29xCGHSFLboXKs+i1VJrnCf40aytLySdsuTv2m/7nUPuSEHUrooRRcFSBmCE4lS3Zdbk4PWhN9+3JmffzlVDiEwIbd8DqenrO9WwuiKgJej5sWm99NBCWJICY+NQYq3cUjm3KYNU=,iv:4aJ0EmDISECfQrWgC8OnTUmSzLm23c5QPUPnx6mv3Xw=,tag:zIj0PY44pzVt0IRfBmuJGw==,type:str] + lastmodified: "2025-11-04T04:09:51Z" + mac: ENC[AES256_GCM,data:n2zidnFq3K+SEeXQylmN44Y7v6oGiuatFh/rgaNvIeJONYpk/+IJ7C3ykhFAsjlwpBj8t6T/D7vhKTNMVozebvwCJ7yRfQoxBx7MsZgV+9M/3rVBt1uuzAK5IJ71ep6nlAnWxpJ+28HJIh2bgjhyvTHj/dEkUhSfCo7l2TrjHzc=,iv:TLdNBMQLkQBYwzdQmUuJOVtvSNLJJsRhdcRWcB1ikLA=,tag:i4wSRgjNpwugf0vso8KUng==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/systems/ceres/config/filesystem.nix b/systems/ceres/config/filesystem.nix index b7ce342..2cc7462 100755 --- a/systems/ceres/config/filesystem.nix +++ b/systems/ceres/config/filesystem.nix @@ -13,20 +13,20 @@ let in { fileSystems = - let - storageDrives = [ - "storage0" - ]; + # let + # storageDrives = [ + # "storage0" + # ]; - storageMounts = storage: { - name = "${ceres.${storage}.mount}"; - value = { - device = ceres.${storage}.device; - fsType = "ext4"; - options = ceres.${storage}.options; - }; - }; - in + # storageMounts = storage: { + # name = "${ceres.${storage}.mount}"; + # value = { + # device = ceres.${storage}.device; + # fsType = "ext4"; + # options = ceres.${storage}.options; + # }; + # }; + # in { "/" = { device = "/dev/disk/by-uuid/de4e681b-0667-4bf8-8d6e-c50894aa41cd"; 
@@ -36,8 +36,8 @@ in device = "/dev/disk/by-uuid/C68D-B1C0"; fsType = "vfat"; }; - } - // (builtins.listToAttrs (map storageMounts storageDrives)); + }; + # // (builtins.listToAttrs (map storageMounts storageDrives)); swapDevices = [ { device = "/dev/disk/by-uuid/259fcc06-912c-4bd3-b781-8f77449e935a"; } @@ -45,7 +45,7 @@ in systemd.tmpfiles.rules = [ "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -" - "Z ${ceres.storage0.mount} 2775 root root -" + # "Z ${ceres.storage0.mount} 2775 root root -" ]; services.udisks2.enable = true;