diff --git a/hosts/sobotka/default.nix b/hosts/sobotka/default.nix index 9b4c2966..df18e7d4 100644 --- a/hosts/sobotka/default.nix +++ b/hosts/sobotka/default.nix @@ -39,6 +39,7 @@ in { "share" "jellyfin" "render" + "traefik" ]; }; diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix index b4d53ce1..4eb841d8 100644 --- a/hosts/sobotka/server.nix +++ b/hosts/sobotka/server.nix @@ -24,9 +24,6 @@ unbound = { enable = true; }; - acme = { - enable = false; - }; homepage-dashboard = { enable = true; }; diff --git a/hosts/ziggy/server.nix b/hosts/ziggy/server.nix index 9e9b357d..82d1ca57 100644 --- a/hosts/ziggy/server.nix +++ b/hosts/ziggy/server.nix @@ -11,9 +11,6 @@ unbound = { enable = true; }; - acme = { - enable = true; - }; homepage-dashboard = { enable = false; }; diff --git a/modules/default.nix b/modules/default.nix index 96f0c853..3373a05d 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -100,7 +100,6 @@ ./nixos/services/virtualisation ./nixos/services/locate ./nixos/services/mullvad - ./nixos/services/mullvad-netns ./nixos/services/nfs ./nixos/services/nix-ld ./nixos/services/openssh @@ -123,7 +122,6 @@ server = { imports = [ ./server - ./server/acme ./server/fail2ban ./server/homepage-dashboard ./server/nextcloud diff --git a/modules/nixos/services/agenix/default.nix b/modules/nixos/services/agenix/default.nix index a126d2d9..a0727ab4 100644 --- a/modules/nixos/services/agenix/default.nix +++ b/modules/nixos/services/agenix/default.nix @@ -78,7 +78,6 @@ in { nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age"; vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age"; vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age"; - homepageEnvironment.file = "${self}/secrets/homepageEnvironment.age"; pihole.file = "${self}/secrets/pihole.age"; slskd.file = "${self}/secrets/slskd.age"; }; 
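Review bot: The `"traefik"` entry added in the hosts/sobotka/default.nix hunk enrols this account in Traefik's system group without saying why, and the user definition it belongs to starts outside the hunk. On NixOS the traefik group typically owns Traefik's state directory, so if the ACME store kept there (it holds the private keys of every certificate Traefik issues) is group-readable, this membership hands those keys to the account; check the file mode before deploying, and if the account only needs to reach Traefik over HTTP the group is not needed at all. Whatever the reason, record it inline, e.g. `"traefik" # needed for: <reason>`. Separately, the deleted modules/server/acme module was also what opened TCP 80/443 and redirected http:// to https:// for both domains, so the traefik module this group points at (not in this diff) should be confirmed to cover both before ziggy, which loses `acme.enable = true` here with no replacement visible, is rebuilt.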
diff --git a/modules/nixos/services/mullvad-netns/default.nix b/modules/nixos/services/mullvad-netns/default.nix deleted file mode 100644 index f72bbcef..00000000 --- a/modules/nixos/services/mullvad-netns/default.nix +++ /dev/null @@ -1,50 +0,0 @@ -{ self, pkgs, ... }: -{ - age.secrets.wgCredentials = { - file = "${self}/secrets/wgCredentials.age"; - mode = "0400"; - owner = "root"; - group = "root"; - path = "/etc/wireguard/mullvad.conf"; - }; - - systemd.services.mullvad-netns = { - description = "WireGuard Mullvad netns for VMs"; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - - ExecStart = "${pkgs.writeShellScript "mullvad-netns-up" '' - set -euo pipefail - - ip netns add mullvad || true - - ip link add veth0 type veth peer name veth1 || true - ip link set veth1 netns mullvad - ip addr add 10.250.0.1/24 dev veth0 || true - ip link set veth0 up - ip netns exec mullvad ip addr add 10.250.0.2/24 dev veth1 || true - ip netns exec mullvad ip link set veth1 up - - ip netns exec mullvad wg-quick up /etc/wireguard/mullvad.conf - ip netns exec mullvad ip route add default dev wg0 || true - - nft add table ip mullvad-nat || true - nft add chain ip mullvad-nat postrouting { type nat hook postrouting priority 100 \; } || true - nft add rule ip mullvad-nat postrouting ip saddr 10.250.0.0/24 oif "wg0" masquerade || true - ''}"; - - ExecStop = "${pkgs.writeShellScript "mullvad-netns-down" '' - set -euo pipefail - - ip netns exec mullvad wg-quick down /etc/wireguard/mullvad.conf || true - ip link delete veth0 || true - ip netns delete mullvad || true - nft delete table ip mullvad-nat || true - ''}"; - }; - - # no wantedBy here -> won't start at boot - }; -} diff --git a/modules/server/acme/default.nix b/modules/server/acme/default.nix deleted file mode 100644 index 2d6e220d..00000000 --- a/modules/server/acme/default.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - config, - lib, - ... -}: let - inherit (lib) mkIf mkEnableOption; - cfg = config.server.acme; - - getCloudflareCredentials = hostname: - if hostname == "ziggy" - then config.age.secrets.cloudflareDnsCredentialsZiggy.path - else if hostname == "sobotka" - then config.age.secrets.cloudflareDnsCredentials.path - else throw "Unknown hostname: ${hostname}"; -in { - options = { - server.acme.enable = mkEnableOption "Enables ACME"; - }; - config = mkIf cfg.enable { - networking.firewall = let - ports = [ - 80 - 443 - ]; - in { - allowedTCPPorts = ports; - }; - - security.acme = { - acceptTerms = true; - defaults.email = config.server.email; - certs.${config.server.domain} = { - reloadServices = ["caddy.service"]; - domain = "${config.server.domain}"; - extraDomainNames = ["*.${config.server.domain}"]; - dnsProvider = "cloudflare"; - dnsResolver = "1.1.1.1:53"; - dnsPropagationCheck = true; - group = config.services.caddy.group; - environmentFile = getCloudflareCredentials config.networking.hostName; - }; - certs.${config.server.www.url} = { - reloadServices = ["caddy.service"]; - domain = "${config.server.www.url}"; - extraDomainNames = ["*.${config.server.www.url}"]; - dnsProvider = "cloudflare"; - dnsResolver = "1.1.1.1:53"; - dnsPropagationCheck = true; - group = config.services.caddy.group; - environmentFile = getCloudflareCredentials config.networking.hostName; - }; - }; - - services.caddy = { - enable = true; - globalConfig = '' - auto_https off - ''; - virtualHosts = { - "http://${config.server.domain}" = { - extraConfig = '' - redir https://{host}{uri} - ''; - }; - "http://*.${config.server.domain}" = { - extraConfig = '' - redir https://{host}{uri} - ''; - }; - - "http://${config.server.www.url}" = { - extraConfig = '' - redir https://{host}{uri} - ''; - }; - "http://*.${config.server.www.url}" = { - extraConfig = '' - redir https://{host}{uri} - ''; - }; - }; - }; - }; -} 
diff --git a/modules/server/homepage-dashboard/default.nix b/modules/server/homepage-dashboard/default.nix
index b0a49877..7ca11976 100644
--- a/modules/server/homepage-dashboard/default.nix
+++ b/modules/server/homepage-dashboard/default.nix
@@ -1,20 +1,19 @@
 {
 config,
 lib,
+self,
 ...
-}:
-let
+}: let
 unit = "homepage-dashboard";
 cfg = config.server.homepage-dashboard;
 srv = config.server;
-in
-{
+in {
 options.server.homepage-dashboard = {
 enable = lib.mkEnableOption {
 description = "Enable ${unit}";
 };
 misc = lib.mkOption {
-default = [ ];
+default = [];
 type = lib.types.listOf (
 lib.types.attrsOf (
 lib.types.submodule {
@@ -38,11 +37,16 @@ in
 };
 };
 config = lib.mkIf cfg.enable {
+age.secrets = {
+homepageEnvironment = {
+file = "${self}/secrets/homepageEnvironment.age";
+};
+};
 services = {
 glances.enable = true;
 ${unit} = {
 enable = true;
-allowedHosts = srv.domain;
+environmentFile = config.age.secrets.homepageEnvironment.path;
 settings = {
 layout = [
 {
@@ -81,7 +85,6 @@ in
 statusStyle = "dot";
 hideVersion = "true";
 };
-
 widgets = [
 {
 openmeteo = {
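Review bot: Removing `allowedHosts = srv.domain;` in the `@@ -38,11 +37,16 @@` hunk drops the only Host-header allow-list visible for the dashboard, and nothing on the new side restores it; if the rewritten homepageEnvironment.age now carries it as `HOMEPAGE_ALLOWED_HOSTS`, a non-secret security setting has moved into a file reviewers cannot read, and if it does not, whatever the module defaults to applies. Keep it declarative next to the new line, `allowedHosts = srv.domain;` followed by `environmentFile = config.age.secrets.homepageEnvironment.path;`, and reserve the environment file for actual credentials. The new `age.secrets.homepageEnvironment` block sets no owner, group or mode, so agenix's defaults (root-owned, not readable by others) apply; that is presumably intended because `environmentFile` is handed to systemd, which reads it as root rather than as the service user, but a one-line comment such as `# root-only by default: read by systemd as EnvironmentFile, not by the service user` would make that explicit.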
@@ -93,140 +96,119 @@ in longitude = 16.324541; }; } - { - datetime = { - text_size = "x1"; - format = { - hour12 = false; - timeStyle = "short"; - dateStyle = "long"; - }; - }; - } { resources = { - label = "root"; + label = "SYSTEM"; memory = true; - disk = [ "/dev/dm-1" ]; - }; - } - { - resources = { - label = "zfs"; - memory = true; - disk = [ "/mnt/data" ]; + cpu = true; + uptime = true; }; } ]; - services = - let - homepageCategories = [ - "Arr" - "Media" - "Downloads" - "Services" - "Smart Home" - ]; - hl = config.server; - mergedServices = hl // hl.podman; - homepageServices = - x: - (lib.attrsets.filterAttrs ( - name: value: value ? homepage && value.homepage.category == x - ) mergedServices); - in + services = let + homepageCategories = [ + "Arr" + "Media" + "Downloads" + "Services" + ]; + hl = config.server; + mergedServices = hl // hl.podman; + homepageServices = x: (lib.attrsets.filterAttrs ( + name: value: value ? homepage && value.homepage.category == x + ) + mergedServices); + in lib.lists.forEach homepageCategories (cat: { "${cat}" = lib.lists.forEach - (lib.attrsets.mapAttrsToList (name: value: { - inherit name; - url = value.url; - homepage = value.homepage; - }) (homepageServices "${cat}")) - (x: { - "${x.homepage.name}" = { - icon = x.homepage.icon; - description = x.homepage.description; - href = "https://${x.url}${x.homepage.path or ""}"; - siteMonitor = "https://${x.url}${x.homepage.path or ""}"; - }; - }); + (lib.attrsets.mapAttrsToList (name: value: { + inherit name; + url = value.url; + homepage = value.homepage; + }) (homepageServices "${cat}")) + (x: { + "${x.homepage.name}" = { + icon = x.homepage.icon; + description = x.homepage.description; + href = "https://${x.url}${x.homepage.path or ""}"; + siteMonitor = "https://${x.url}${x.homepage.path or ""}"; + }; + }); }) - ++ [ { Misc = cfg.misc; } ] + ++ [{Misc = cfg.misc;}] ++ [ { - Glances = - let - port = toString config.services.glances.port; - in - [ - { - Info = { - widget = { - 
type = "glances"; - url = "http://localhost:${port}"; - metric = "info"; - chart = false; - version = 4; - }; + Glances = let + port = toString config.services.glances.port; + in [ + { + Info = { + widget = { + type = "glances"; + url = "http://localhost:${port}"; + metric = "info"; + chart = false; + version = 4; }; - } - { - "CPU Temp" = { - widget = { - type = "glances"; - url = "http://localhost:${port}"; - metric = "sensor:Tctl"; - chart = false; - version = 4; - }; + }; + } + { + "CPU Temp" = { + widget = { + type = "glances"; + url = "http://localhost:${port}"; + metric = "sensor:Tctl"; + chart = false; + version = 4; }; - } - { - "GPU Radeon" = { - widget = { - type = "glances"; - url = "http://localhost:${port}"; - metric = "sensor:junction"; - chart = false; - version = 4; - }; + }; + } + { + "GPU Radeon" = { + widget = { + type = "glances"; + url = "http://localhost:${port}"; + metric = "sensor:junction"; + chart = false; + version = 4; }; - } - { - "GPU Intel" = { - widget = { - type = "glances"; - url = "http://localhost:${port}"; - metric = "sensor:pkg"; - chart = false; - version = 4; - }; + }; + } + { + "GPU Intel" = { + widget = { + type = "glances"; + url = "http://localhost:${port}"; + metric = "sensor:pkg"; + chart = false; + version = 4; }; - } - { - Processes = { - widget = { - type = "glances"; - url = "http://localhost:${port}"; - metric = "process"; - chart = false; - version = 4; - }; + }; + } + { + Processes = { + widget = { + type = "glances"; + url = "http://localhost:${port}"; + metric = "process"; + chart = false; + version = 4; }; - } - { - Network = { - widget = { - type = "glances"; - url = "http://localhost:${port}"; - metric = "network:enp6s0"; - chart = false; - version = 4; - }; + }; + } + { + Network = { + widget = { + type = "glances"; + url = "http://localhost:${port}"; + metric = "network:enp6s0"; + chart = false; + version = 4; }; - } - ]; + }; + } + ]; } ]; }; 
@@ -235,11 +217,11 @@ in
 dynamicConfigOptions = {
 http = {
 services.homepage.loadBalancer.servers = [
-{ url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}"; }
+{url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}";}
 ];
 routers = {
 homepage = {
-entryPoints = [ "websecure" ];
+entryPoints = ["websecure"];
 rule = "Host(`cnix.dev`)";
 service = "homepage";
 tls.certResolver = "letsencrypt";
diff --git a/secrets/homepageEnvironment.age b/secrets/homepageEnvironment.age
index 7d80ce49..f5a686db 100644
Binary files a/secrets/homepageEnvironment.age and b/secrets/homepageEnvironment.age differ