diff --git a/modules/home/gui/apps/tools/espanso/config/url.nix b/modules/home/gui/apps/tools/espanso/config/url.nix
index 9e55bd0..9a57c36 100755
--- a/modules/home/gui/apps/tools/espanso/config/url.nix
+++ b/modules/home/gui/apps/tools/espanso/config/url.nix
@@ -4,7 +4,7 @@ let
 in
 [
 (matchHelper ":dotfiles" "https://gitlab.com/upRootNutrition/dotfiles")
- (matchHelper ":website" "https://${web.domains.url3}")
- (matchHelper ":forgejo" "https://${forgejo.subdomain}.${web.domains.url3}")
- (matchHelper ":mastodon" "https://${mastodon.subdomain}.${web.domains.url3}")
+ (matchHelper ":website" "https://${web.domains.url1}")
+ (matchHelper ":forgejo" "https://${forgejo.domains.url0}")
+ (matchHelper ":mastodon" "https://${mastodon.domains.url0}")
 ]
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 18bc7e3..e1b02b8 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -46,9 +46,9 @@ in
 ceres = {
 imports = builtins.attrValues {
 inherit (modules)
- acme
+ acmeCeres
 audiobookshelf
- caddy
+ caddyCeres
 comfyui
 filesorter
 firefly-iii
@@ -59,8 +59,7 @@ in
 mastodon
 minecraft
 ollama
- opencloud
- postgresql
+ postgresCeres
 projectSite
 prompter
 samba
@@ -76,7 +75,12 @@ in
 eris = {
 imports = builtins.attrValues {
 inherit (modules)
+ acmeEris
+ caddyEris
+ logrotate
 nextcloud
+ opencloud
+ postgresEris
 ;
 };
 };
diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/acmeCeres/default.nix
old mode 100755
new mode 100644
similarity index 97%
rename from modules/nixos/services/acme/default.nix
rename to modules/nixos/services/acme/acmeCeres/default.nix
index 3a9fb6e..bd000ab
--- a/modules/nixos/services/acme/default.nix
+++ b/modules/nixos/services/acme/acmeCeres/default.nix
@@ -39,12 +39,10 @@ in
 instances.glance.name
 instances.jellyfin.name
 instances.minecraft.name
- instances.nextcloud.name
 instances.ollama.name
 instances.searx.name
 instances.syncthing.name
 instances.vaultwarden.name
- instances.opencloud.name
 instances.prompter.name
 instances.comfyui.name
 instances.firefly-iii.name
diff --git a/modules/nixos/services/acme/acmeEris/default.nix b/modules/nixos/services/acme/acmeEris/default.nix
new file mode 100644
index 0000000..d2257a1
--- /dev/null
+++ b/modules/nixos/services/acme/acmeEris/default.nix
@@ -0,0 +1,69 @@
+{
+ config,
+ flake,
+ ...
+}:
+let
+ inherit (flake.config.people) user0;
+ inherit (flake.config.people.users.${user0}) email;
+ inherit (flake.config.services) instances;
+
+ domain0 = instances.web.domains.url0;
+ dns0 = instances.web.dns.provider0;
+ dns0Path = "dns/${dns0}";
+ instanceName = service: (instances.${service}.subdomain);
+
+ dnsConfig = provider: dns: {
+ dnsProvider = dns;
+ directory = "/var/lib/acme";
+ environmentFile = config.sops.secrets.${provider}.path;
+ };
+in
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = email.address0;
+ server = "https://acme-v02.api.letsencrypt.org/directory";
+ };
+ certs = builtins.listToAttrs (
+ (map
+ (service: {
+ name = "${instanceName service}.${domain0}";
+ value = dnsConfig dns0Path dns0;
+ })
+ [
+ instances.nextcloud.name
+ instances.opencloud.name
+ ]
+ )
+ );
+ };
+ sops =
+ let
+ dnsList = [
+ dns0
+ ];
+ secretList = [
+ "pass"
+ ];
+ sopsPath = secret: dns: {
+ path = "/var/lib/secrets/${instances.acme.name}/${dns}-${secret}";
+ owner = "root";
+ mode = "600";
+ };
+ in
+ {
+ secrets = builtins.listToAttrs (
+ builtins.concatLists (
+ map (
+ dns:
+ map (secret: {
+ name = "dns/${dns}";
+ value = sopsPath secret dns;
+ }) secretList
+ ) dnsList
+ )
+ );
+ };
+}
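Review bot: In the new `sops.secrets` builder the attribute name `"dns/${dns}"` does not include `secret`, so a second entry in `secretList` would produce duplicate names and `builtins.listToAttrs` would silently collapse them to one entry; either name the attribute `"dns/${dns}-${secret}"` (and look it up the same way where `dnsConfig` is called) or drop the inner `map` since only `"pass"` exists. `instanceName` also indexes `instances.${service}` with values taken from `instances.<x>.name`, which only works while each instance's `name` equals its attribute key — a comment such as `# assumes instances.<x>.name == its attribute key` would make that dependency explicit. The file appears to be a near-copy of acmeCeres (similarity index 97%) differing in the cert list; if so, the host-specific list could be a parameter of one shared module rather than a second file to keep in sync.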
diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/caddyCeres/default.nix old mode 100755 new mode 100644 similarity index 87% rename from modules/nixos/services/caddy/default.nix rename to modules/nixos/services/caddy/caddyCeres/default.nix index f9c680e..77bbfa4 --- a/modules/nixos/services/caddy/default.nix +++ b/modules/nixos/services/caddy/caddyCeres/default.nix @@ -1,13 +1,10 @@ { flake, ... }: let - inherit (flake.config.services.instances) - caddy - web - ; + inherit (flake.config.services.instances) caddy web; domain0 = web.domains.url0; - service = caddy; + in { services.caddy = { @@ -24,7 +21,6 @@ in users.users.${service.name}.extraGroups = [ "acme" - "nextcloud" "mastodon" "firefly-iii" ]; diff --git a/modules/nixos/services/caddy/caddyEris/default.nix b/modules/nixos/services/caddy/caddyEris/default.nix new file mode 100644 index 0000000..3083bff --- /dev/null +++ b/modules/nixos/services/caddy/caddyEris/default.nix @@ -0,0 +1,25 @@ +{ flake, ... }: +let + inherit (flake.config.services.instances) caddy; + + service = caddy; + +in +{ + services.caddy = { + enable = true; + }; + users.users.${service.name}.extraGroups = [ + "acme" + "nextcloud" + ]; + + networking = { + firewall = { + allowedTCPPorts = [ + service.ports.port0 + service.ports.port1 + ]; + }; + }; +} diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index b8804ea..7fd5ec1 100755 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -7,7 +7,6 @@ let inherit (flake.config.people) user0; inherit (flake.config.people.users.${user0}) name; - inherit (flake.config.machines.devices) ceres; inherit (flake.config.services.instances) nextcloud nginx 
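Review bot: The first caddyCeres hunk drops `service = caddy;` from the `let` block, but the second hunk's context line `users.users.${service.name}.extraGroups = [` still refers to `service`, so unless it is bound somewhere not shown the module no longer evaluates (undefined variable `service`); either keep `service = caddy;` or change the remaining uses to `caddy.name` (and `caddy.ports.*` if the firewall block that caddyEris has is also present here). The one-line `inherit (flake.config.services.instances) caddy web;` is fine, but the `+` that replaces `service = caddy;` leaves a stray blank line in the `let`. The `let`'s `in` and the opening of the attrset are inside the hunk; the rest of the module is outside it.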
@@ -17,28 +16,7 @@ let service = nextcloud; localhost = web.localhost.address0; host = service.domains.url0; - hostname = config.networking.hostName; - bindMount = { - fileSystems."/var/lib/${service.name}" = { - device = service.paths.path0; - fsType = "none"; - options = [ - "bind" - ]; - depends = [ - ceres.storage0.mount - ]; - }; - - systemd.tmpfiles.rules = [ - "Z ${service.paths.path0} 750 ${service.name} ${service.name} -" - "Z ${service.paths.path0}/config 750 ${service.name} ${service.name} -" - "Z ${service.sops.path0} 750 ${service.name} ${service.name} -" - ]; - }; - - hostLogic = if hostname == ceres.name then bindMount else { }; in { services = { @@ -93,7 +71,7 @@ in enable = true; virtualHosts.${host}.listen = [ { - addr = web.localhost.address1; + addr = localhost; port = nginx.ports.port0; } ]; @@ -102,9 +80,9 @@ in caddy = { virtualHosts = { "${host}" = { + listenAddresses = [ web.localhost.address1 ]; extraConfig = '' reverse_proxy ${localhost}:${toString nginx.ports.port0} - tls ${service.ssl.cert} ${service.ssl.key} ''; }; @@ -149,4 +127,3 @@ in }; }; } -// hostLogic diff --git a/modules/nixos/services/opencloud/default.nix b/modules/nixos/services/opencloud/default.nix index 9c415ee..0085093 100755 --- a/modules/nixos/services/opencloud/default.nix +++ b/modules/nixos/services/opencloud/default.nix @@ -53,22 +53,6 @@ in ); }; - fileSystems."/var/lib/${service.name}" = { - device = service.paths.path0; - fsType = "none"; - options = [ - "bind" - ]; - depends = [ - ceres.storage0.mount - ]; - }; - - systemd.tmpfiles.rules = [ - "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" - "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" - ]; - networking = { firewall = { allowedTCPPorts = [ 
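Review bot: Dropping `bindMount` also removes the `systemd.tmpfiles.rules` `Z` entries that enforced 750 `${service.name}` ownership on `service.paths.path0`, its `config` subdirectory and `service.sops.path0`, and nothing in this commit visibly replaces them on eris; the data path and the sops secret directory now get whatever ownership the nextcloud and sops-nix modules apply by default. If those defaults are known to be sufficient on eris, a one-line comment where `bindMount` was, e.g. `# data dir/sops perms now left to module defaults (no bind mount on eris)`, would spare the next reader the check. The opencloud hunk in this commit drops the equivalent `Z` rules for `service.paths.path0` and `service.sops.path0` and raises the same question. The enclosing `let` starts before this hunk.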
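Review bot: Removing `tls ${service.ssl.cert} ${service.ssl.key}` from the `"${host}"` vhost while the new acmeEris module still issues a DNS-01 certificate for `instances.nextcloud.name` leaves two certificate sources for the same name: caddyEris only sets `enable = true`, so Caddy's automatic HTTPS will obtain its own certificate (which needs its challenge ports reachable), and the acme-issued one under `/var/lib/acme` is unused as far as this diff shows. Either keep the `tls` line pointing at the acme certificate or drop the nextcloud entry from acmeEris so there is a single issuance path. The new `listenAddresses = [ web.localhost.address1 ];` binds the vhost to one address just as nginx moves off that same address to `localhost`; a comment naming what address1 is would make the intent clear. The `caddy` and `virtualHosts` attrsets close outside the hunk.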
diff --git a/modules/nixos/services/postgresql/default.nix b/modules/nixos/services/postgresql/postgresCeres/default.nix old mode 100755 new mode 100644 similarity index 92% rename from modules/nixos/services/postgresql/default.nix rename to modules/nixos/services/postgresql/postgresCeres/default.nix index b979144..5b64182 --- a/modules/nixos/services/postgresql/default.nix +++ b/modules/nixos/services/postgresql/postgresCeres/default.nix @@ -5,12 +5,8 @@ ... }: let - inherit (flake.config.machines.devices) - ceres - ; - inherit (flake.config.services) - instances - ; + inherit (flake.config.machines.devices) ceres; + inherit (flake.config.services) instances; service = instances.postgresql; # backupPath = "${instances.syncthing.paths.path1}/${service.name}"; @@ -51,7 +47,6 @@ in }; users.users.${service.name}.extraGroups = [ - instances.nextcloud.name instances.mastodon.name instances.forgejo.name instances.syncthing.name diff --git a/modules/nixos/services/postgresql/postgresEris/default.nix b/modules/nixos/services/postgresql/postgresEris/default.nix new file mode 100644 index 0000000..3d2e0d1 --- /dev/null +++ b/modules/nixos/services/postgresql/postgresEris/default.nix @@ -0,0 +1,36 @@ +{ + flake, + ... +}: +let + inherit (flake.config.services) instances; + + service = instances.postgresql; +in +{ + services = { + postgresqlBackup = { + enable = true; + startAt = "*-*-* 07:00:00"; + databases = [ + instances.nextcloud.name + ]; + }; + postgresql = { + enable = true; + }; + }; + + users.users.${service.name}.extraGroups = [ + instances.nextcloud.name + ]; + + networking = { + firewall = { + allowedTCPPorts = [ + service.ports.port0 + ]; + }; + }; + +} diff --git a/profiles/user0/files/misc/justfile.nix b/profiles/user0/files/misc/justfile.nix index f1e62ad..5705c3a 100755 --- a/profiles/user0/files/misc/justfile.nix +++ b/profiles/user0/files/misc/justfile.nix 
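Review bot: `networking.firewall.allowedTCPPorts = [ service.ports.port0 ];` in the new postgresEris module exposes the PostgreSQL port on eris, yet the only database declared here is nextcloud's, which on the visible config runs on the same host; unless a remote client is intended the rule should be dropped, and if one is intended the listener and authentication settings should be set deliberately rather than left at defaults. A comment on the list naming the intended remote consumer would settle it either way. `postgresqlBackup.databases` lists only `instances.nextcloud.name`, so if the opencloud module that moves to eris in this commit uses PostgreSQL it gets no backup from this host — worth a comment either way. The file looks like a trimmed copy of postgresCeres (similarity index 92%), so the per-host database list could be shared configuration instead.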
@@ -44,13 +44,13 @@ in nixos-rebuild switch --sudo --flake ~/projects/dotfiles#${hostname} --show-trace rebuild-ceres: - nixos-rebuild switch --flake ~/projects/dotfiles#${ceres.name} --target-host ${ceres.ip.address0} --sudo --ask-sudo-password + nixos-rebuild switch --flake ~/projects/dotfiles#${ceres.name} --target-host ${ceres.ip.address0} --sudo --ask-sudo-password --show-trace rebuild-eris: - nixos-rebuild switch --flake ~/projects/dotfiles#${eris.name} --target-host ${eris.ip.address0} --sudo --ask-sudo-password + nixos-rebuild switch --flake ~/projects/dotfiles#${eris.name} --target-host ${eris.ip.address0} --sudo --ask-sudo-password --show-trace rebuild-lamda: - nixos-rebuild switch --flake ~/projects/lamdagibson#lamdagibson --target-host denise@${lamdaIP} --sudo --ask-sudo-password + nixos-rebuild switch --flake ~/projects/lamdagibson#lamdagibson --target-host denise@${lamdaIP} --sudo --ask-sudo-password --show-trace update: nix flake update --flake ~/projects/dotfiles @@ -61,9 +61,12 @@ in remove-imports: ls **/*.hs | each { |file| ormolu --mode inplace $file.name } - server: + ceres: ssh ${ceres.ip.address0} + eris: + ssh ${eris.ip.address0} + lamda: ssh denise@${lamdaIP} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 8056254..16e9199 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
@@ -45,7 +45,7 @@ wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0 wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str] glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str] opencloud: - env: ENC[AES256_GCM,data:1mDynSVUQ4fFbIfNC9TO1pGvOa9kBR2fjloMzrA1XCn3VEyrTL0JMd1p7cmShFv9TTvuPB6N1PR8JA3nmlRfWV3OWfbtkp/alhV+rRtbsmZ3bWAvEfyT431TFVbwU81i68mG1ueL9UfZ7u+bSZ8udHEvTJiDbAh20DYYwZMBkrQ9huzuCdJlEwhBqP9IzZHvhMuFv6PZVNInMkAPY8UcZEmJfPpXu9x6KZ0B6NPnuGttTagGnSrYgqnlad953ij8bV3i50KQV7uGTKhWrUZ3vRXfAx1QkRLkh5Hb8B8mf4FyWGc2xy0OIxkmReJIdWRDYJg3wWUT5XdG7nATSxkBvbhRCcMdLjPcv4uEmG/CuaXra+dTi/XNXnOTfoiNywFLEfxY2bmw9fIYqUk2d8MJDA==,iv:cNnxZnIcRc2lkEaXyRjPQ3hDmeAec4KCb80MEQ9a2sY=,tag:X8/eD06Vf4yaUNh0aTEBUg==,type:str] + env: ENC[AES256_GCM,data:WnzaI6YPGtVzdo+qQZejz3zRDReuKSbr9n/Kg2Djh4Gzv+VuqPCxCIzJRAQs79O9CIj5mezy33KeJIXEstwhWmnG7xmv59nzBuDTdWP170JnsRWIdLRgj3jm8uBZiT7fZ2XcunKc0N7M6i0c0GK3u5ikzeVoXOzfX5S5DeIarwGutq0yi14+MAxHMjubJdgMkG1Ke/vyuSyqw9NZUCN3XfCN03rw3RhRPuB1hGZc0WEqxdY/EkpU1wpVDNnOZT/iKImjyDDLIjFo96YnHXaAAoeO8g2g5gbOIaUQFFWB0H8L2yw4zlifRpmjP6OV7AAWPJI/hsQS1YubOJLBN1UHLncxZh55ItlWr3fo6zLfpZIlkvNfama+tzu2kOTG4ALrgu8dwwYmwXbVdFCP3njsMSfp///aqjC4ShvzSQZSgfH+jkd86CZp079Ime7b1vo30CVcFlmCHrE=,iv:vDvTaxj4gSnvJBUzj/D+76DeXTEOQ/tSGdOfNSS0Oo4=,tag:dSqwIy4vFtFJxo0KkaslfQ==,type:str] caddy: prompter-auth: ENC[AES256_GCM,data:uEj6gruCfcIRoCQY9eNcOka+PAIIhAlKnI+ehZ88aZo90tINcxZ7ZvKqlTJr4rt5o+EO7rvRJcYH/s8/+piszFyxSa64Rtq5KdAjfHnRm0QM8q/2JIHnZsQC3fPz1S177WPs/c3Eydh4VeVe,iv:ZOru4ABFgIy9DoTlMl3InSf8zM1ERNpbRNLN6vy97Jc=,tag:5v3w7kvFQCEPBjchE8K0cw==,type:str] comfyui-auth: 
ENC[AES256_GCM,data:YkHxbW/0zTmnrggXKl2jNO4OnBaepmCwB3ZC6d8MPIKf8snWJzAvTq5+X5ABzziwKaypHRTcS6vuNntxKrrD8DS7hX9DqVCZc5WeFHI6S5VzHh3SprW2MF4E8nm4Hj+VHoKGmRSSOU1cfX3J,iv:v0Pid0BCY2QsMNaahBvJd4WWZD115JDLHlOCQvPiaGU=,tag:gpsAgt052NoOyIa9WqJXyg==,type:str] @@ -65,7 +65,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-25T01:22:52Z" - mac: ENC[AES256_GCM,data:nrXg655ZQmcxW3Nqqru3hqHFLj5qvmguhXTMyNqZI9m7ABDpLgEcM4L2tfDj8T6094d4mmCVDDuEF4jHhmtKihmFK7LnJfd5s4+bgPbPtD9VvPfmAYE57Zv9dUZZ9ulJXd6FMwCiIMQ0i7xcqhP9a7QM5mg9CSemwRCS87nvuZc=,iv:62Td+PdqC9JJk+ceANnAByG9uJVQCvKAv6WfzSiga4w=,tag:7BUUyMIcrx3P9Lph4Ps3oA==,type:str] + lastmodified: "2025-10-25T03:49:30Z" + mac: ENC[AES256_GCM,data:bfAu4s0n86ArKD+Dnq/dwkxmMZ/h06O+0hjtEKnwlkU4lLxaxLORWPMlZKw97UbSB/SqNpD1wHjqV9CuwvdCOPzZxRizmGqMKsgE3RTg4FxFo29Fr7xL3pm8uKsEeIQDMJbY62GOCkxtBUsmae0nKLdDfufVlnlxGKvjtSYA1ww=,iv:sjV1MQI9R69oB75IvUc1RM9VWS+fyATvBEVmzyE2ASk=,tag:pZ4Zsd59CV2wKohHeYc9jQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0