diff --git a/modules/config/instances/config/kanboard.nix b/modules/config/instances/config/kanboard.nix
new file mode 100755
index 0000000..542380b
--- /dev/null
+++ b/modules/config/instances/config/kanboard.nix
@@ -0,0 +1,34 @@
+{ instancesFunctions }:
+let
+ inherit (instancesFunctions)
+ domain0
+ servicePath
+ sslPath
+ sopsPath
+ ;
+
+ kanboardLabel = "Kanboard";
+ kanboardName = "kanboard";
+ kanboardSubdomain = "todo";
+in
+{
+ label = kanboardLabel;
+ name = kanboardName;
+ email = {
+ address0 = "noreply@${domain0}";
+ };
+ sops = {
+ path0 = "${sopsPath}/${kanboardName}";
+ };
+ subdomain = kanboardSubdomain;
+ paths = {
+ path0 = "${servicePath}/${kanboardLabel}";
+ };
+ ports = {
+ port0 = 3434;
+ };
+ ssl = {
+ cert = "${sslPath}/${kanboardSubdomain}.${domain0}/fullchain.pem";
+ key = "${sslPath}/${kanboardSubdomain}.${domain0}/key.pem";
+ };
+}
diff --git a/modules/config/instances/config/nextcloud.nix b/modules/config/instances/config/nextcloud.nix
index b111c85..cedb045 100755
--- a/modules/config/instances/config/nextcloud.nix
+++ b/modules/config/instances/config/nextcloud.nix
@@ -1,7 +1,7 @@
 { instancesFunctions }:
 let
 inherit (instancesFunctions)
- domain0
+ domain1
 servicePath
 sslPath
 sopsPath
@@ -13,9 +13,6 @@ in
 {
 label = nextcloudLabel;
 name = nextcloudName;
- email = {
- address0 = "noreply@${nextcloudName}.${domain0}";
- };
 sops = {
 path0 = "${sopsPath}/${nextcloudName}";
 };
@@ -27,7 +24,7 @@ in
 port0 = 8354; # Nextcloud
 };
 ssl = {
- cert = "${sslPath}/${nextcloudName}.${domain0}/fullchain.pem";
- key = "${sslPath}/${nextcloudName}.${domain0}/key.pem";
+ cert = "${sslPath}/${nextcloudName}.${domain1}/fullchain.pem";
+ key = "${sslPath}/${nextcloudName}.${domain1}/key.pem";
 };
 }
diff --git a/modules/config/instances/config/nginx.nix b/modules/config/instances/config/nginx.nix
deleted file mode 100644
index fa9bce9..0000000
--- a/modules/config/instances/config/nginx.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ instancesFunctions }:
-let
- inherit (instancesFunctions)
- sopsPath
- ;
-
- nginxLabel = "Nginx";
- nginxName = "nginx";
-in
-{
- label = nginxLabel;
- name = nginxName;
- sops = {
- path0 = "${sopsPath}/${nginxName}";
- };
- ports = {
- port0 = 8080;
- };
-}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 85ae938..05de450 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -89,7 +89,7 @@ in
 vaultwarden
 forgejo
 xserver
- nextcloud
+ # kanboard
 ;
 };
 };
diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix
index 1cbec44..abc2775 100755
--- a/modules/nixos/services/acme/default.nix
+++ b/modules/nixos/services/acme/default.nix
@@ -35,10 +35,10 @@ in
 "jellyfin"
 "minecraft"
 "ollama"
- "nextcloud"
 "syncthing"
 "searx"
 "vaultwarden"
+ "kanboard"
 "audiobookshelf"
 ]
 )
diff --git a/modules/nixos/services/glance/config/pages.nix b/modules/nixos/services/glance/config/pages.nix
index 95cff7b..00bda0a 100755
--- a/modules/nixos/services/glance/config/pages.nix
+++ b/modules/nixos/services/glance/config/pages.nix
@@ -2,7 +2,7 @@ let
 widgetsPath = ./widgets;
 widgets = {
- jellyfin = import (widgetsPath + /jelly) { inherit config flake; };
+ jellyfin = import (widgetsPath + /jellyfin) { inherit config flake; };
 steam = import (widgetsPath + /steam);
 podcasts = import (widgetsPath + /podcasts.nix);
 calendar = import (widgetsPath + /calendar.nix);
diff --git a/modules/nixos/services/glance/config/widgets/jelly/config/default.nix b/modules/nixos/services/glance/config/widgets/jellyfin/config/default.nix
similarity index 100%
rename from modules/nixos/services/glance/config/widgets/jelly/config/default.nix
rename to modules/nixos/services/glance/config/widgets/jellyfin/config/default.nix
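Review bot: `+ # kanboard` leaves the new `modules/nixos/services/kanboard` module out of what looks like the module import list, so none of its definitions (the Caddy vhost, the `kanboard-smtp` sops secret, the bind mount, the firewall rule) is evaluated, while the acme hunk in the same commit already requests a certificate for `"kanboard"` and `secrets/secrets.yaml` carries its secret. Either import it (`kanboard` without the `#`) or keep the acme and secrets changes out of this commit, so the tree is consistent at every revision. Conversely `nextcloud` is dropped from the list here yet `modules/nixos/services/nextcloud/default.nix` is still edited further down; if that module is being retired, say so in the commit message rather than leaving edited dead configuration behind. The enclosing attribute set begins and ends outside the hunk.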
diff --git a/modules/nixos/services/glance/config/widgets/jelly/default.nix b/modules/nixos/services/glance/config/widgets/jellyfin/default.nix
similarity index 100%
rename from modules/nixos/services/glance/config/widgets/jelly/default.nix
rename to modules/nixos/services/glance/config/widgets/jellyfin/default.nix
diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix
old mode 100755
new mode 100644
index 7153901..cf05dc1
--- a/modules/nixos/services/jellyfin/default.nix
+++ b/modules/nixos/services/jellyfin/default.nix
@@ -1,5 +1,6 @@
-{ flake, ... }:
+{ config, ... }:
 let
+ flake = config.flake;
 inherit (flake.config.people) user0;
 inherit (flake.config.machines.devices) ceres;
 inherit (flake.config.services.instances) jellyfin web;
diff --git a/modules/nixos/services/kanboard/default.nix b/modules/nixos/services/kanboard/default.nix
new file mode 100755
index 0000000..1275b4c
--- /dev/null
+++ b/modules/nixos/services/kanboard/default.nix
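Review bot: `+ flake = config.flake;` switches this module to reading `flake` from the NixOS option tree while the new `kanboard` module in the same commit still takes `flake` as a module argument, so the repository now carries two conventions for the same value; pick one and apply it consistently. If `config.flake` is the intended source, `inherit (config) flake;` matches the `inherit (...)` style of the lines that follow. The mode flip from 100755 to 100644 is right for a `.nix` file but is unrelated to the change and would be clearer as its own commit. The `let` block continues past the hunk.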
@@ -0,0 +1,93 @@
+{
+ flake,
+ config,
+ ...
+}:
+let
+ inherit (flake.config.machines.devices)
+ ceres
+ ;
+ inherit (flake.config.services.instances) smtp kanboard web;
+ service = kanboard;
+ localhost = web.localhost.address0;
+ host = "${service.subdomain}.${web.domains.url0}";
+in
+{
+ services = {
+ kanboard = {
+ enable = true;
+ dataDir = "/var/lib/${service.name}";
+ settings = {
+ HTTP_PROXY_HOSTNAME = host;
+ HTTP_PROXY_PORT = service.ports.port0;
+ MAIL_SMTP_HOSTNAME = smtp.hostname;
+ MAIL_TRANSPORT = "smtp";
+ MAIL_SMTP_PORT = smtp.ports.port0;
+ MAIL_SMTP_USERNAME = service.email.address0;
+ MAIL_FROM = service.email.address0;
+ MAIL_SMTP_PASSWORD = config.sops.secrets."${service.name}-smtp".path;
+ MAIL_SMTP_ENCRYPTION = "tls";
+ };
+ };
+ caddy = {
+ virtualHosts = {
+ "${host}" = {
+ extraConfig = ''
+ reverse_proxy ${localhost}:${toString service.ports.port0}
+
+ tls ${service.ssl.cert} ${service.ssl.key}
+ '';
+ };
+ };
+ };
+ };
+ sops =
+ let
+ sopsPath = secret: {
+ path = "${service.sops.path0}/${service.name}-${secret}";
+ owner = service.name;
+ mode = "600";
+ };
+ in
+ {
+ secrets = builtins.listToAttrs (
+ map
+ (secret: {
+ name = "${service.name}-${secret}";
+ value = sopsPath secret;
+ })
+ [
+ "smtp"
+ ]
+ );
+ };
+
+ fileSystems."/var/lib/${service.name}" = {
+ device = service.paths.path0;
+ fsType = "none";
+ options = [
+ "bind"
+ ];
+ depends = [
+ ceres.storage0.mount
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
+ "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+ ];
+
+ users.users.${service.name}.extraGroups = [
+ "caddy"
+ "postgres"
+ ];
+
+ networking = {
+ firewall = {
+ allowedTCPPorts = [
+ service.ports.port0
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/services/minecraft/default.nix b/modules/nixos/services/minecraft/default.nix
index cdb5fe4..c92ce69 100755
--- a/modules/nixos/services/minecraft/default.nix
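Review bot: `MAIL_SMTP_PASSWORD = config.sops.secrets."${service.name}-smtp".path;` hands Kanboard the filesystem path of the decrypted secret rather than the password itself, so SMTP authentication cannot succeed as written, and because `settings` is rendered into the world-readable Nix store the real credential must not simply be pasted there either — keep it out of `settings` and deliver it to the kanboard unit at runtime (`LoadCredential=`/`EnvironmentFile=` in a systemd drop-in, or whatever secret-file mechanism the nixpkgs module provides). `networking.firewall.allowedTCPPorts = [ service.ports.port0 ];` exposes the plaintext backend on every interface even though Caddy already proxies it from `localhost`, so the TLS vhost can be bypassed entirely; the rule should go. `users.users.${service.name}.extraGroups = [ "caddy" "postgres" ];` gives the service account read access to whatever those groups own — potentially Caddy's key material and the PostgreSQL socket — while nothing in this module configures PostgreSQL or a Unix socket towards Caddy; drop both memberships or justify them in a comment. If I read Kanboard's `config.default.php` correctly, `HTTP_PROXY_HOSTNAME`/`HTTP_PROXY_PORT` configure the outbound proxy used by Kanboard's own HTTP client rather than the reverse proxy in front of it, so pointing them at `host`/`port0` would route webhooks and feed fetches back into Kanboard itself — both lines likely belong removed.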
+++ b/modules/nixos/services/minecraft/default.nix
@@ -4,8 +4,12 @@
 ...
 }:
 let
- inherit (flake.config.machines.devices) ceres;
- inherit (flake.config.services.instances) minecraft;
+ inherit (flake.config.machines.devices)
+ ceres
+ ;
+ inherit (flake.config.services.instances)
+ minecraft
+ ;
 service = minecraft;
 in
 {
diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix
index 7439560..7c8d3b3 100755
--- a/modules/nixos/services/nextcloud/default.nix
+++ b/modules/nixos/services/nextcloud/default.nix
@@ -8,15 +8,10 @@ let
 inherit (flake.config.people) user0;
 inherit (flake.config.people.users.${user0}) name;
 inherit (flake.config.machines.devices) ceres;
- inherit (flake.config.services.instances)
- nextcloud
- nginx
- smtp
- web
- ;
+ inherit (flake.config.services.instances) nextcloud nginx web;
 service = nextcloud;
 localhost = web.localhost.address0;
- host = "${service.subdomain}.${web.domains.url0}";
+ host = "${service.subdomain}.${web.domains.url1}";
 in
 {
 services = {
@@ -27,14 +22,13 @@ in
 enable = true;
 hostName = host;
 https = true;
- package = pkgs.nextcloud31;
+ package = pkgs.nextcloud30;
 phpOptions."opcache.interned_strings_buffer" = "24";
 extraAppsEnable = true;
 extraApps = {
- inherit (pkgs.nextcloud31Packages.apps)
+ inherit (config.services.service.package.packages.apps)
 contacts
 calendar
- deck
 ;
 };
 config = {
@@ -48,17 +42,8 @@ in
 settings = {
 default_phone_region = "CA";
 log_type = "file";
- mail_domain = host;
- mail_from_address = "noreply";
- mail_sendmailmode = "smtp";
- mail_smtpmode = "smtp";
- mail_smtphost = smtp.hostname;
- mail_smtpport = smtp.ports.port0;
- mail_smtpsecure = "";
- mail_smtptimeout = 30;
- mail_smtpauth = 1;
- mail_smtpname = service.email.address0;
- mail_smtppassword = config.sops.secrets."${service.name}-smtp".path;
+ mail_sendmailmode = "pipe";
+ mail_smtpmode = "sendmail";
 maintenance_window_start = 4;
 overwriteprotocol = "https";
 trusted_proxies = [
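Review bot: `+ inherit (flake.config.services.instances) nextcloud nginx web;` still pulls `nginx` from the instances set although this same commit deletes `modules/config/instances/config/nginx.nix`; if that file was the only source of the `nginx` instance, evaluating this module fails on a missing attribute. Drop `nginx` here (and any use of it in the body, which lies outside the hunk) or keep the instance file. `host` now uses `web.domains.url1`, consistent with the `domain1` switch in the instance config, but `modules/nixos/services/acme` no longer requests a certificate for nextcloud in this commit, so as far as the diff shows nothing will issue or renew the `ssl` paths that `nextcloud.nix` defines for the new domain.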
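Review bot: `+ inherit (config.services.service.package.packages.apps)` references `config.services.service`, but `service` is a `let` binding in this file, not an option name, so that attribute does not exist; it should read `inherit (config.services.${service.name}.package.packages.apps)` (or spell out `config.services.nextcloud...`). `- package = pkgs.nextcloud31;` / `+ package = pkgs.nextcloud30;` is a major-version downgrade; to my knowledge Nextcloud refuses to start on a data directory already migrated by a newer release, so if this instance has ever run 31 the change also requires restoring a pre-upgrade backup, which the commit message should spell out. The `inherit` list and the enclosing attribute set continue beyond the hunk.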
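Review bot: `+ mail_smtpmode = "sendmail";` together with `+ mail_sendmailmode = "pipe";` makes Nextcloud hand mail to a local `sendmail` binary, yet nothing in this commit configures an MTA on the host, so outgoing mail (password resets, share notifications) will fail unless one already exists outside this diff; either add the MTA alongside this change or keep the SMTP settings. Worth recording in the commit message that the removed `mail_smtppassword = config.sops.secrets."${service.name}-smtp".path;` was passing the secret's path rather than its contents, so nobody restores that line as-is. The `settings` attribute set continues past the hunk.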
@@ -107,7 +92,6 @@ in
 })
 [
 "pass"
- "smtp"
 ]
 );
 };
@@ -125,7 +109,6 @@ in
 systemd.tmpfiles.rules = [
 "Z ${service.paths.path0} 750 ${service.name} ${service.name} -"
- "Z ${service.paths.path0}/config 750 ${service.name} ${service.name} -"
 "Z ${service.sops.path0} 750 ${service.name} ${service.name} -"
 ];
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 857746f..ea48b5b 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -35,7 +35,7 @@ wireguard-CA220: ENC[AES256_GCM,data:rNy/IMKqAOsgMUu5r8BZsjTCu0L5fDDDV3/g+pkhW1y
 wireguard-CA358: ENC[AES256_GCM,data:/VewmiNfRc9/wSE7TT+z1F9LLIvr/5wPsQZ/zBwAh3dEi9yswOGyde2b/XQ=,iv:7U5dmqFiwhCoL1moGSfHprv85o5TdMr6T2sNk5gH82I=,tag:T1hqh8CiO2iBa+ksaiKCtA==,type:str]
 wireguard-CA627: ENC[AES256_GCM,data:chmDsH2nE0nagjFRZWuxX08/Ykt+rIgCHYkMHd+7nIqihK5SebF7MJlrp84=,iv:NVOlGE7W70nQ0UM/i5WixJvDULO3Y4cLf8h+OAGHhQQ=,tag:L123ShCnr9+kIg1itIoqBA==,type:str]
 glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str]
-nextcloud-smtp: ENC[AES256_GCM,data:GbNv/pHAtPru00m5OCER8g==,iv:Q1WYLKe34VsCvP1trk6IXm46RbVFMnsq4Eb5e2MBVgk=,tag:dwmimioRlHKbZeDv3THfzQ==,type:str]
+kanboard-smtp: ENC[AES256_GCM,data:FmmLEGr5Q8RHtie11Y88XQ==,iv:KtY/Bl2vpkXim7KrkK7cc5n0M0RDlxerbXu9jczj/hI=,tag:ZlbV6d1wH6KmbvHJR3Fq/w==,type:str]
 sops:
 age:
 - recipient: age19dpncsdphdt2tmknjs99eghk527pvdrw0m29qjn2z2gg3et5tdtqycqhl0
@@ -47,7 +47,7 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-09T09:37:48Z"
- mac: ENC[AES256_GCM,data:gBEfsR718Hn+GJ1wzxS3T1HOrNL659TUUq3l3nUNxbY2SxXWnnHxzdMhf2xP1/tm3Vst2MC/SjPszdbqVnVKIS1k+iwT+WSLH7OlbASku62cx9J9RKqm4PJd/2KtKR7Yaj4dU9+F7RnKtCA4N/m4ZA+BiD0oib76/Aa64tjVtDo=,iv:rJ+WfAFR8Un/u66Y2554BjDzJifQLdXNDexpl4GGClw=,tag:tY2biwFl7ywaHe3aTKjCMA==,type:str]
+ lastmodified: "2025-06-09T00:32:17Z"
+ mac: ENC[AES256_GCM,data:b4WMUmVOzgcz/ajxPl0OfQUGarUtnFIFS3DA9CjogPz6aVNDGWrVged5FB6UOotoqQ5RcgThewSu2HztEfCbhM0ZwZ0ak87XS8QHb++s97HhYeeh5mqgVnpsvF4Coa9aRpc2H4etuUNYFxoDojT/hTUKzg3a3QNSWzB06aKTd1A=,iv:YEJN5sakhN1rFytIDMIHpHAVYxvbt9iI2eXL2YBUYnY=,tag:SNBQWZIrXw4ptMLEqkR/xA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2