Restructured config

2024-12-29 11:06:37 +02:00
parent 007e0b9a2e
commit 1a21960980
10 changed files with 135 additions and 60 deletions


@@ -12,8 +12,8 @@
modules = [
disko.nixosModules.disko
sops-nix.nixosModules.sops
./configuration.nix
./hardware-configuration.nix
./host/configuration.nix
./host/hardware-configuration.nix
];
};
};


@@ -3,7 +3,8 @@
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./disk-config.nix
./nginx.nix
./../nixosModules/secrets.nix
./../nixosModules/website.nix
];
boot.loader.grub = {
@@ -26,26 +27,8 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
];
users.users.website = {
createHome = false;
isNormalUser = true;
group = "users";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1B/i/AQLYt6mrz0P/oUJItpvWXp7z0xHNzmcPdtwWd"
];
};
systemd.tmpfiles.rules = [
"d /srv/website 0750 website users"
];
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/root/id_ed25519" ];
secrets.github-access-token = { };
secrets.cloudflare-dns-api-token = { mode = "0440"; owner = "acme"; };
};
nix.extraOptions = "!include /run/secrets/github-access-token";
secrets.enable = true;
website.enable = true;
system.autoUpgrade = {
enable = true;


@@ -1,5 +1,4 @@
{ lib, ... }:
{
{ lib, ... }: {
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/vda";


@@ -1,35 +0,0 @@
{ pkgs, ... }: {
services.nginx.enable = true;
services.nginx.virtualHosts."kyren.codes" = {
useACMEHost = "kyren.codes";
forceSSL = true;
locations."/" = {
index = "index.html";
root = "/srv/website";
};
locations."/404.html" = {
root = "/srv/website";
};
extraConfig = ''
error_page 404 /404.html;
'';
};
security.acme = {
acceptTerms = true;
defaults.email = "kyren223@proton.me";
certs."kyren.codes" = {
domain = "kyren.codes";
extraDomainNames = [ "*.kyren.codes" ];
dnsProvider = "cloudflare";
environmentFile = "${pkgs.writeText "cf-creds" ''
CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare-dns-api-token
''}";
webroot = null;
};
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [ 443 80 3000 ];
}

26
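--- /dev/null
+++ b/nixosModules/acme.nix
@@ -0,0 +1,26 @@
+{ pkgs, lib, config, ... }: {
+options = {
+acme.enable = lib.mkEnableOption "enables acme";
+};
+config = lib.mkIf config.acme.enable {
+sops.secrets.cloudflare-dns-api-token = { mode = "0440"; owner = "acme"; };
+security.acme.acceptTemrs = true;
+security.acme.defaults.email = "kyren223@proton.me";
+security.acme.certs."kyren.codes" = {
+domain = "kyren.codes";
+extraDomainNames = [ "*.kyren.codes" ];
+dnsProvider = "cloudflare";
+environmentFile = "${pkgs.writeText "cf-creds" ''
+CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare-dns-api-token
+''}";
+webroot = null;
+};
+# Allow nginx to access acme certs
+users.users.nginx.extraGroups = [ "acme" ];
+};
+}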
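Review bot: `security.acme.acceptTemrs = true;` on the new side misspells the option name, and because the NixOS module system rejects assignments to options that are not declared, any host that sets `acme.enable = true` should fail evaluation with an "option does not exist" error instead of silently skipping the terms acceptance; the deleted nginx.nix had it right, so the line should read `security.acme.acceptTerms = true;`. The `environmentFile` produced with `pkgs.writeText` contains only the path `/run/secrets/cloudflare-dns-api-token`, not the token itself, so nothing secret is copied into the world-readable Nix store — that is easy to misread on review, and a comment such as `# Only the path lands in the store; the token stays in /run/secrets` would save the next reader the check. The domain, wildcard and contact email are hard-coded in a module that is otherwise option-driven; exposing them as options would keep the module reusable, but that is a matter of style.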


@@ -0,0 +1,23 @@
{ pkgs, lib, config, ... }: {
options = {
actual-budget.enable = lib.mkEnableOption "enables actual-budget";
};
config = lib.mkIf config.actual-budget.enable {
# services.nginx.virtualHosts."budget.kyren.codes" = {
# useACMEHost = "kyren.codes";
# forceSSL = true;
#
# locations."/".proxyPass = "http://actual-server:5006/";
# locations."/".extraConfig = ''
# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
#
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# '';
#
# };
};
}

13
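--- /dev/null
+++ b/nixosModules/secrets.nix
@@ -0,0 +1,13 @@
+{ pkgs, lib, config, ... }: {
+options = {
+secrets.enable = lib.mkEnableOption "enables secrets";
+};
+config = lib.mkIf config.secrets.enable {
+sops = {
+defaultSopsFile = ./secrets.yaml;
+age.sshKeyPaths = [ "/root/id_ed25519" ];
+};
+};
+}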
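Review bot: `age.sshKeyPaths = [ "/root/id_ed25519" ];` makes a user-level key under /root the identity that unlocks every sops secret on the host; if that key doubles as root's outbound SSH/Git identity (I cannot tell from the diff), a leak of one credential compromises both, whereas sops-nix's conventional choice `/etc/ssh/ssh_host_ed25519_key` exists from first boot and is not reused for anything else. If `/root/id_ed25519` is deliberately a dedicated decryption key, say so in a comment, e.g. `# Dedicated age identity for sops-nix; not used for interactive SSH`, so nobody "fixes" it later. Note also that `defaultSopsFile = ./secrets.yaml` now resolves next to nixosModules/secrets.nix rather than inside the host directory where the old configuration referenced it; this commit's other files are not all visible here, so confirm secrets.yaml was moved along with it. `pkgs` is unused in this module's argument set.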


@@ -0,0 +1,9 @@
{ pkgs, lib, config, ... }: {
options = {
MODULE.enable = lib.mkEnableOption "enables MODULE";
};
config = lib.mkIf config.MODULE.enable {
};
}

57
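--- /dev/null
+++ b/nixosModules/website.nix
@@ -0,0 +1,57 @@
+{ pkgs, lib, config, ... }: {
+imports = [
+./acme.nix
+];
+options = {
+website.enable = lib.mkEnableOption "enables website";
+};
+config = lib.mkIf config.website.enable {
+users.users.website = {
+createHome = false;
+isNormalUser = true;
+group = "users";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1B/i/AQLYt6mrz0P/oUJItpvWXp7z0xHNzmcPdtwWd"
+];
+};
+# Make sure the "website" user has access to /srv/website
+systemd.tmpfiles.rules = [
+"d /srv/website 0750 website users"
+];
+# Set secrets for CD (let github actions upload builds to /srv/website)
+sops.secrets.github-access-token = { };
+nix.extraOptions = "!include /run/secrets/github-access-token";
+# Open http and https ports to the public
+networking.firewall.allowedTCPPorts = [ 443 80 ];
+# Make sure acme module is active for the "kyrej.codes" ssl cert
+acme.enable = true;
+services.nginx.enable = true;
+services.nginx.virtualHosts."kyren.codes" = {
+useACMEHost = "kyren.codes";
+forceSSL = true;
+locations."/" = {
+index = "index.html";
+root = "/srv/website";
+};
+locations."/404.html" = {
+root = "/srv/website";
+};
+extraConfig = ''
+error_page 404 /404.html;
+'';
+};
+};
+}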
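Review bot: `sops.secrets.github-access-token = { };` relies on `sops.defaultSopsFile`, which is only set by secrets.nix behind `secrets.enable`, yet this module imports only `./acme.nix`; as far as I can tell, enabling the website on a host that does not separately set `secrets.enable = true` fails evaluation with sops-nix complaining about a missing sops file, and acme.nix has the same implicit dependency, so mirroring what is done for acme — `imports = [ ./acme.nix ./secrets.nix ];` plus `secrets.enable = true;` inside the config block — makes the module self-contained. The tmpfiles rule `d /srv/website 0750 website users` grants nothing to "other", so unless the nginx user is a member of `users` somewhere not shown here, the worker serving `root = "/srv/website"` cannot read the directory; if this works today, a comment explaining how nginx gets read access would help, otherwise `0755` or `users.users.nginx.extraGroups = [ "users" ]` is needed. The comment above `acme.enable = true;` says `"kyrej.codes"` where the cert is `"kyren.codes"`. The comment over the secret says it lets GitHub Actions upload builds, but the two lines actually include the token into the host's own nix.conf, which governs the host's fetches from GitHub; the upload path appears to be the second SSH key on the `website` user, and if that key belongs to CI it should carry a `restrict,command="..."` prefix so a leaked deploy key cannot open an interactive shell.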