From fc8178ed80388097d1e3ec16bb0e2e260479593b Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 29 Aug 2025 11:05:27 +0200 Subject: [PATCH] Recreated options --- hosts/lapserv/default.nix | 34 ++++- hosts/minimal/default.nix | 2 +- secrets/bread-dcbot.age | Bin 1124 -> 0 bytes secrets/dcbot.age | 16 --- secrets/default.nix | 30 ++--- secrets/derek-bot.age | Bin 0 -> 1124 bytes secrets/jsw-bot.age | Bin 0 -> 1425 bytes secrets/secrets.nix | 4 +- system/server/caddy.nix | 16 +-- system/server/default.nix | 18 ++- system/server/{derekBot.nix => derek-bot.nix} | 34 ++--- system/server/forgejo.nix | 28 +++-- system/server/immich.nix | 28 +++-- system/server/index/default.nix | 22 ++-- system/server/{bot.nix => jsw-bot.nix} | 43 ++++--- system/server/lib/extractWebOptions.nix | 18 +++ system/server/lib/webOptions.nix | 16 +++ system/server/mail.nix | 18 ++- system/server/matrix.nix | 35 +++--- system/server/nextcloud.nix | 118 ++++++++++-------- system/server/temp.nix | 25 ++-- system/server/zitadel.nix | 25 ++-- 22 files changed, 325 insertions(+), 205 deletions(-) delete mode 100644 secrets/bread-dcbot.age delete mode 100644 secrets/dcbot.age create mode 100644 secrets/derek-bot.age create mode 100644 secrets/jsw-bot.age rename system/server/{derekBot.nix => derek-bot.nix} (73%) rename system/server/{bot.nix => jsw-bot.nix} (58%) create mode 100644 system/server/lib/extractWebOptions.nix create mode 100644 system/server/lib/webOptions.nix diff --git a/hosts/lapserv/default.nix b/hosts/lapserv/default.nix index 1cd0c0e..6e416f4 100644 --- a/hosts/lapserv/default.nix +++ b/hosts/lapserv/default.nix 
@@ -6,7 +6,39 @@ networking.interfaces.enp2s0.wakeOnLan.enable = true; niksos = { - server = true; + # server = true; + server = { + baseDomain = "jsw.tf"; + derek-bot.enable = true; + forgejo = { + enable = true; + subDomain = "git"; + }; + immich = { + enable = true; + subDomain = "photos"; + }; + jsw-bot = { + enable = true; + subDomain = "dc"; + }; + nextcloud = { + enable = true; + subDomain = "cloud"; + }; + stalwart = { + enable = true; + subDomain = "mail"; + }; + zitadel = { + enable = true; + subDomain = "z"; + }; + site = { + enable = true; + subDomain = ""; + }; + }; hardware.graphics = { nvidia = false; #FIXME: Compile error intel = true; diff --git a/hosts/minimal/default.nix b/hosts/minimal/default.nix index ee6495e..a782795 100644 --- a/hosts/minimal/default.nix +++ b/hosts/minimal/default.nix @@ -34,7 +34,7 @@ }; }; neovim = false; - server = false; + # server = false; }; #NOTE: Old info 
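Review bot: The commented-out `# server = true;` line left above the new `server = { … }` attrset is dead text, since the option is no longer a boolean; the same leftover appears in hosts/minimal/default.nix in the next hunk, and both can simply be dropped. The `site` entry sets `subDomain = ""` for the apex, which only works if extractWebOptions special-cases the empty string rather than joining it to `baseDomain` with a dot (that helper is not in this hunk), so that is worth confirming or documenting on the option.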
diff --git a/secrets/bread-dcbot.age b/secrets/bread-dcbot.age deleted file mode 100644 index e65c88bd9b882ef55c2e2bf2f372502f7b60c6d3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1124 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT453Gs|cU165P05W+ z%8fMkukdorPx8;m_73%R_fO1sHp(ceGIaJWtI8?MO(`xZ59BgQ57rL~3o8u^H7<0w zh)D7*i7JlD3-u_r3^hr~3C#_xGzm1z3(QbA|of`!mI#K zm-Ou12=5AWAEOlgz-0fx2yJ5v!*s6D$UKiygRmSYSAAp8qL6SWeedL8@1UTdB)_yk z<4AoEZ-2Mq2#?6z;Cyu3!kq(riX0UZ6Qd%HiqnFVJuR|xOcP5(iVX{jBHfBIlPeM{ z3L}#Oa?M?w^0GZMoLspK@}fNRGqqE*j0{VQb5cVC$|C~&QbJwJl1vNIgZ#by11xjW z+$!81i(S!eGuN-mj4W3OOV22dC=WF7v~=;ZFsaCQ@lTA%OmcDzh%huWj&iaLu5b)X z3pGqC%y8xMF*ee639od{HVq6-w={{!OLg^eDG2gPbTxO(a!HT!sqm^Oi>OTT$n{0H zEiACo%pg!9)xs#yL))c5J2^BlsWQ+}J3BAPB(2gj-_6WOKeWQYs94`6qtd&q%Bh^I zq}GMf9ClT(nX-9gF zi)m+xMZ38K>&LGYeB@DdoZ(9Re7otgLB6-PzrXd1?VnpyG}9)ghP;Y-`~!>yg^-ux)JbVKmOKd2mRKcutIgtgzC_0 zTh&Duk8OCIB6r=@WM{X82zyAFDA&8n`#W2?KM4Qt*T44uXeDx7}OC;}gae zXm-=$o{nAnVX@$M+upqS{p8M#Z*fwG?{s~SNtu7xah9{fKNs^Ixrg%$+Z)+-2mY*g ql@UD8baEO0dX;|?dZBiarziRaq}<+r;FqQ7l)OJjZLQ1OC4B%RsHp+~ diff --git a/secrets/dcbot.age b/secrets/dcbot.age deleted file mode 100644 index 823685d..0000000 --- a/secrets/dcbot.age +++ /dev/null 
@@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 GQzYWA a0CqbXhMIeFmKsMSnQzPWJcdi0hH8caayThGHtKNdjc -ZfRN0ukqXH8L1E1pWBU+tw0LmPxsb6/4FoeERCKEYCk --> ssh-ed25519 MfR7VA WO0CmKh4CQY1ZLtgDbGIhxfbC8C/C9Vw4p4UGkZTzSs -0oQbzzz8A6WJRbFqEPR6WStMRRGtFy2eEXIJ1WCqvIg --> ssh-ed25519 +cvRTg ZYBJwTDV8zwZIpqY7sZIszS3saww0OV4RwVREVNxWHg -PW9gzG2odI4G2I5zz+Gr2vaouPB6796RWDJzYZNFREQ --> ssh-ed25519 WCPLrA p8I1d6YXg5pN6Ljeq/wsY5jj4rPaSvD+/au+vEUsgh4 -U0aiqeildEqF8SNh0L4hGIq3rQxY4HcSnDvluwldDpQ --> ssh-ed25519 7/ziYw 7DGE8Zr0qMGh3P5lUSRYT+AdgRges037cLjHbbPPnTc -daC7dau5IHSZr/HmjszbWrQNsVJOQILqNS/Yn1YE/zM --> ssh-ed25519 VQy60Q cAuS4VLmDC9iCZ+7e+/5WVIxrvBa7ZChCz2pPSSY/TY -ut6SAJSZMm9/YElx7SShyMufrBYAlb/IyQp0g4ADMa4 ---- DQrDZ/cXaadnKTDN8MrGuTokHttdMbOzs2IPYTIOPw4 -9 EJG($'_z3!;\k珐IE3%!zO*., `+',*ml%g?0'-<MwYj]SRaթV(ky6@`j9j~[_Dzd^"\7lO# cW=a~K],0![G~4!Xś|(C4)g^-5DnlIm C,-94bI: 1UxeM㒡X(ʼ5m[BXH f_J{ufOTD^*Y3-e-OBt .Qaሲ{m $W7L>r•'>b6D;w*.uYX`A**2$TtԌM_1NƋd -@cJst,ЅhaJpj:sG@P/L4>XR{fJB>z&;|vΚJSA,7E{MEwP:GcYR 糳 z@XՍ*j%MMĵB`HzSKUWy+xGDȓm~֛>%]R;98VLc (RXRrl!eSAʧG3jhw,2b1 \ No newline at end of file diff --git a/secrets/default.nix b/secrets/default.nix index 1681eb2..f8b1a50 100644 --- a/secrets/default.nix +++ b/secrets/default.nix 
@@ -14,35 +14,35 @@ in { password.file = ./password.age; # NOTE: server things - dcbot = mkIf server { - file = ./dcbot.age; - owner = serviceUser "dcbot"; # + jsw-bot = mkIf server.jsw-bot.enable { + file = ./jsw-bot.age; + owner = serviceUser "jsw-bot"; # }; - bread-dcbot = mkIf server { - file = ./bread-dcbot.age; - owner = "bread-dcbot"; + derek-bot = mkIf server.derek-bot.enable { + file = ./derek-bot.age; + owner = "derek-bot"; }; - matrix-registration = mkIf server { - file = ./matrix-registration.age; - owner = abstrServiceUser "matrix-continuwuity"; - }; - mail-admin = mkIf server { + # matrix-registration = mkIf server.matrix.enable { + # file = ./matrix-registration.age; + # owner = abstrServiceUser "matrix-continuwuity"; + # }; + mail-admin = mkIf server.stalwart.enable { # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart. file = ./mail-admin.age; }; - zitadel-key = mkIf server { + zitadel-key = mkIf server.zitadel.enable { file = ./zitadel-key.age; owner = abstrServiceUser "zitadel"; }; - forgejo-mailpass = mkIf server { + forgejo-mailpass = mkIf server.forgejo.enable { file = ./forgejo-mailpass.age; owner = abstrServiceUser "forgejo"; }; - immich-oidc = mkIf server { + immich-oidc = mkIf server.immich.enable { file = ./immich-oidc.age; owner = abstrServiceUser "immich"; }; - nextcloud-admin-pass = mkIf server { + nextcloud-admin-pass = mkIf server.nextcloud.enable { file = ./nextcloud-admin-pass.age; owner = "nextcloud"; #NOTE: not a clear 'nextcloud.service' or 'services.nextcloud.user'. }; 
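Review bot: The new `derek-bot` entry sets `owner = "derek-bot";` as a bare string while the `jsw-bot` entry next to it goes through `serviceUser`, and the derek-bot unit derives its account from `name = "derek-bot"` in derek-bot.nix, so the two must be kept in sync by hand and a mismatch only shows up at runtime as a secret the service cannot read; if `serviceUser` (bound outside the hunk) fits that unit, `owner = serviceUser "derek-bot";` would remove the duplication. The trailing empty `#` on `owner = serviceUser "jsw-bot"; #` is a leftover and can go. The `server` binding these `mkIf server.….enable` conditions rely on is defined outside the hunk.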
diff --git a/secrets/derek-bot.age b/secrets/derek-bot.age new file mode 100644 index 0000000000000000000000000000000000000000..f45ac469bf36dc83ed10f2a869114b6d3da43dfb GIT binary patch literal 1124 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT453Gs|cT`BV^hz}h z@^{P0E>A8E3{G|{O|8hR^2pS-DAsoKO9>5($}`Q?HZ}7Mx8Mp7$Sw5M4oJ(*@N`eI ztgOiNaZj%>3dzkc^fz&{NHoYwPY<#z(stB0GC{Y^H!a9K%uylODaqZS%%#x4%f~R( zAkD2J*elo9z$82(EW{|zCOxq=`Dl5z11;aM&Y$ zWk;BmxOwMkSLFL=T5yF1rl+_>dRF9_S>&0T6h!1lWOx}wxVWV_I~Nx^2ly0+xMq1} zy80U=MWWkgu3wcIS*{SC?3a|76crxj=$LA0nVlBl6p>V9UR9J`;uV}1U}9lx78MZU z?qQZ%Wx^GbA5fN@n^&9_m6%?cR#aqKrtjx!=^2>jVMv&HRiTGbfn~m7abQr8c~Q1|Iaj&9 zPkKs7kwuu0pDXhf}(# zrG9BuwqZ!Nuep0pMR-M3ws)9IX_{%4Q-o8Fc6w-4KyFk>AlK%oXE{qe%Uhp&9OIvt z-W=AtLUZ%0bp~onzW$#j&oo=|T=_3o0q^A!3G23d_?cKXr9bFXej=+V{fz53Ygxtg z|1amJaCc3%`tJL7;;!zl=m~pg@$YjESzmE(kFurBZx6Fx0a=M3hvHRY)}(Bjchn`; zQc`-RUU^W~3EfTF*S&w|8+eNZUu|P7(N@*Ba{M?u>apmKdc|M2qjEpD3)NrR5k)_X+x>*_eEO{KoHy1wMY`^GdsKfFvH_gSE+g~hCtmJ9Ya8iGB@m|-FA6qSh zGCWk(R;#5KekgiA`(8(OqPO z*k%arIjONdOihQ;;=;|9SFO)0ta0L6zh$%6&!Fhd%PhV*wg$^LndVw6>+#ML3y2I^ z9QKddNQ3FPV~yR!l-;f84c=SKp0g}8D(do7Z>hVSOcNf7v>wxAtGaA+Rf%2O;qskd neGFSm&o9)e@a6Mcsv7da#K41o~4>R literal 0 HcmV?d00001 
diff --git a/secrets/jsw-bot.age b/secrets/jsw-bot.age new file mode 100644 index 0000000000000000000000000000000000000000..3e8c6a9e9ad3a0ef67e30611c4a5f9e57c4077f3 GIT binary patch literal 1425 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT453Gs|cT`9T^-oPn zs`3d>H1G;@&rB(`2=eoA(RMUSE_8EpEzb-#GS1D=H%)cQa^&*2G?c}nckaUHz5>vnAh_nFxP@^(8m!#A@Hxo~f z63+_#_ed!=HuFWd zEiACo%pg!9+t@3$)X%cm(lETF$}>DXsidmRBE&L0A|x!YBC04Q)zHN}y}~d;JJXY^ z$lu-7B+W3>Da*^v(b7F9!`RV0Bs|KyJTE&c)!DJMD7&hxBqG(q$EBQ0S65ddGt1I1 zF~T4yD5WSb$vHX1x3r)zs?0k)x5UjPE3Mq9JgYc0v^cr2(9DfqlP$92>u)`7SS_|{rnIRj_sMigwNSS2 ziD9y5Hb?$%m?vQJuyx-yxBZUdJ=v$0PJG~Cbur|}sqkO=5A?8*0HEBOQ}Bk^y-@jxEER+G{~EqbUdX>ri9Pu{f>%VR(ZyAc58+NmPH6% zZ7Q0hB>yyO!|oLyCw$+>l~#9Y{w?lJHy=nWbeg?x@z1`+Q)Dvpm)c)&TIi?hI>Fia zbNgK%x#Xm6mkRE`oHSWltJXVA@AQnCV&>GDDQ`{7)4NwTMcnbfo>2B<_8SeZ^QpW$ z`44;VoZRs*$7Q}d(uU&O^v|DAQsak2iR9b39> zw|#t<;l&zIcI*GUl%2MZqPw1JyiIN2d@XfTmD{74><g!xaXW;cvgPV9(oKzp5Q#SN}9(=!^ZedDl7qz5tcg*8598&6{)XF95(5L{k6& literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1c98513..66e90da 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -14,8 +14,8 @@ let keys = users ++ devices; in { "password.age".publicKeys = keys; - "dcbot.age".publicKeys = keys; - "bread-dcbot.age".publicKeys = keys; + "jsw-bot.age".publicKeys = keys; + "derek-bot.age".publicKeys = keys; "matrix-registration.age".publicKeys = keys; "mail-admin.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys; diff --git a/system/server/caddy.nix b/system/server/caddy.nix index 389cbed..47d34f1 100644 --- a/system/server/caddy.nix +++ b/system/server/caddy.nix 
@@ -3,13 +3,15 @@ lib, ... }: let - cfg = config.niksos.server; + inherit (config.services.caddy) enable; + inherit (lib) mkIf; in { - services.caddy = { - enable = cfg; - email = "jurnwubben@gmail.com"; - enableReload = false; - }; + config = mkIf enable { + services.caddy = { + email = "jurnwubben@gmail.com"; + enableReload = false; + }; - networking.firewall.allowedTCPPorts = lib.mkIf cfg [80 443]; + networking.firewall.allowedTCPPorts = [80 443]; + }; } diff --git a/system/server/default.nix b/system/server/default.nix index c232262..920d92c 100644 --- a/system/server/default.nix +++ b/system/server/default.nix @@ -1,16 +1,24 @@ -{lib, ...}: { +{lib, ...}: let + inherit (lib) mkOption types; +in { imports = [ # ./matrix.nix - ./bot.nix + # ./temp.nix + ./jsw-bot.nix ./caddy.nix - ./derekBot.nix + ./derek-bot.nix ./forgejo.nix ./immich.nix ./index ./mail.nix ./nextcloud.nix - ./temp.nix ./zitadel.nix ]; - options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option. + options.niksos.server = { + baseDomain = mkOption { + type = types.lines; + description = "Set's the apex domain for the webservices. Do not include 'https' or a slash at the end. Just 'example.com'."; + example = "example.com"; + }; + }; } diff --git a/system/server/derekBot.nix b/system/server/derek-bot.nix similarity index 73% rename from system/server/derekBot.nix rename to system/server/derek-bot.nix index c71da3d..23d5d9d 100644 --- a/system/server/derekBot.nix +++ b/system/server/derek-bot.nix 
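Review bot: In system/server/default.nix the new `baseDomain` option is declared as `types.lines`, a multi-line string type that merges several definitions by joining them with newlines, so a second definition anywhere in the configuration would silently yield a newline-containing "domain" that then lands in every Caddy virtual host and mail address built from it; `type = types.nonEmptyStr;` makes that an evaluation error instead. The description also has a typo and a stray apostrophe: `description = "Sets the apex domain for the webservices. Do not include 'https' or a trailing slash, just 'example.com'.";`.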
@@ -4,26 +4,26 @@ lib, ... }: let - cfg = config.niksos.server; - userGroup = "bread-dcbot"; + name = "derek-bot"; + cfg = config.niksos.server.${name}.enable; + + userGroup = name; gitRepo = "https://github.com/The-Breadening/Breadener"; - bash = lib.getExe pkgs.bash; + inherit (lib) getExe mkEnableOption mkIf; + bash = getExe pkgs.bash; + varLib = "/var/lib/"; - mainDir = - varLib - + ( - if !cfg - then "" - else userGroup - ) - + "/"; - programDir = mainDir + "program"; - denoDir = mainDir + "deno"; - tokenDir = mainDir + "Breadener-token"; + mainDir = "${varLib}${userGroup}"; + programDir = "${mainDir}/program"; + denoDir = "${mainDir}/deno"; + tokenDir = "${mainDir}/Breadener-token"; + path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.deno pkgs.git]); in { - config = lib.mkIf config.niksos.server { + options.niksos.server.${name}.enable = mkEnableOption name; + + config = mkIf cfg { systemd.services.${userGroup} = { enable = true; after = ["network.target"]; @@ -39,7 +39,7 @@ in { export PATH=${path} cd "${mainDir}" - chown -R ${userGroup}:${userGroup} ${mainDir}* || echo + chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo rm -rf "${tokenDir}" || echo mkdir -p "${denoDir}" "${tokenDir}" @@ -48,7 +48,7 @@ in { if [ ! -d "${programDir}" ]; then git clone "${gitRepo}" "${programDir}" fi - chmod -R 750 ${mainDir}* || echo + chmod -R 750 ${mainDir}/* || echo cd "${programDir}" diff --git a/system/server/forgejo.nix b/system/server/forgejo.nix index 3b9da1e..423849b 100644 --- a/system/server/forgejo.nix +++ b/system/server/forgejo.nix 
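Review bot: The changed `chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo` line still discards a failing chown, so the unit carries on with `${programDir}` or `${tokenDir}` possibly owned by the wrong account; with everything now under `${mainDir}` the glob and the fallback can both go: `chown -R ${userGroup}:${userGroup} "${mainDir}"`. The same applies to `chmod -R 750 ${mainDir}/* || echo` in the following hunk, where `-R 750` also marks every regular file, including the token file, executable; `chmod -R u=rwX,g=rX,o= "${mainDir}"` keeps directories traversable without doing that. The script these lines belong to starts and ends outside the hunks, so whether the unit runs as root (which `chown` requires) cannot be confirmed from here.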
@@ -3,17 +3,24 @@ lib, ... }: let - DOMAIN = "git.jsw.tf"; + name = "forgejo"; + cfg = import ./lib/extractWebOptions.nix {inherit config name;}; + + DOMAIN = cfg.domain; in { + options = import ./lib/webOptions.nix {inherit config lib name;}; config = - lib.mkIf config.niksos.server + lib.mkIf cfg.enable { - services.caddy.virtualHosts.${DOMAIN}.extraConfig = '' - request_body { - max_size 512M - } - reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR} - ''; + services.caddy = { + enable = true; + virtualHosts.${DOMAIN}.extraConfig = '' + request_body { + max_size 512M + } + reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR} + ''; + }; services.forgejo = { enable = true; @@ -52,12 +59,13 @@ in { DEFAULT_ACTIONS_URL = "github"; }; mailer = { + #FIXME: Only enable if stalwart is enabled by default. ENABLED = true; SUBJECT_PREFIX = "JSWGit"; PROTOCOL = "smtps"; - SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module. + SMTP_ADDR = "mail.${cfg.baseDomain}"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module. SMTP_PORT = 465; - FROM = "git@jsw.tf"; + FROM = "git@${cfg.baseDomain}"; USER = "git"; PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}"; }; diff --git a/system/server/immich.nix b/system/server/immich.nix index 3554292..772b26f 100644 --- a/system/server/immich.nix +++ b/system/server/immich.nix 
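Review bot: The new `#FIXME: Only enable if stalwart is enabled by default.` above `ENABLED = true;` can be resolved in this change rather than deferred, since the host config already sets `niksos.server.stalwart.enable`: `ENABLED = config.niksos.server.stalwart.enable;` stops Forgejo from attempting SMTPS against a mail host that is not deployed. `SMTP_ADDR = "mail.${cfg.baseDomain}"` likewise hard-codes the `mail` label separately from stalwart's `subDomain`, which the host sets to `"mail"`; assuming mail.nix declares the same webOptions, deriving the address from `config.niksos.server.stalwart.subDomain` keeps the two from drifting. The `services.forgejo.settings` attrset continues outside the hunk.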
@@ -4,23 +4,29 @@ pkgs, ... }: let + name = "immich"; inherit (lib) mkIf mkForce mkDefault; - cfg = config.niksos.server; + cfg = import ./lib/extractWebOptions.nix {inherit config name;}; + oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*"; config-dir = "/run/immich-conf"; - url = "photos.jsw.tf"; - httpsUrl = "https://" + url; + httpsUrl = "https://" + cfg.domain; in { - config = - mkIf cfg - { - users.users.${config.services.immich.user}.extraGroups = ["video" "render"]; - services.caddy.virtualHosts.${url}.extraConfig = '' - reverse_proxy localhost:9002 - ''; + options = import ./lib/webOptions.nix {inherit config lib name;}; - services.immich = mkIf cfg { + config = + mkIf cfg.enable + { + services.caddy = { + enable = true; + virtualHosts.${cfg.domain}.extraConfig = '' + reverse_proxy localhost:9002 + ''; + }; + + users.users.${config.services.immich.user}.extraGroups = ["video" "render"]; + services.immich = { enable = true; port = 9002; diff --git a/system/server/index/default.nix b/system/server/index/default.nix index 2cfd6f7..44a2634 100644 --- a/system/server/index/default.nix +++ b/system/server/index/default.nix @@ -2,13 +2,19 @@ config, lib, ... -}: { - services.caddy.virtualHosts."jsw.tf" = lib.mkIf config.niksos.server { - extraConfig = '' - header Content-Type text/html - respond <