diff --git a/hosts/greatyamada/services/_port-definitions.nix b/hosts/greatyamada/services/_port-definitions.nix
new file mode 100644
index 0000000..c93c610
--- /dev/null
+++ b/hosts/greatyamada/services/_port-definitions.nix
@@ -0,0 +1,21 @@
+{
+ adguardhome-dns = 53;
+ adguardhome-http = 3001;
+ coturn-turn = 3478;
+ coturn-turn-alt = 3479;
+ coturn-minimum = 49192;
+ coturn-maximum = 49200;
+ forgejo-http = 3000;
+ inv-sig-helper = 12999;
+ invidious-http = 3002;
+ matrix-http = 8008;
+ matrix-https = 8448;
+ matrix-bridges-http = 8088;
+ mautrix-whatsapp = 29318;
+ minecraft = 13914;
+ nginx-https = 443;
+ ntfy-http = 2586;
+ postgresql = 5432;
+ radicale-http = 5232;
+ wireguard = 51820;
+}
diff --git a/hosts/greatyamada/services/adguardhome.nix b/hosts/greatyamada/services/adguardhome.nix
index e69de29..e8f7104 100644
--- a/hosts/greatyamada/services/adguardhome.nix
+++ b/hosts/greatyamada/services/adguardhome.nix
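Review bot: No `jellyfin-http` entry is defined here, yet jellyfin.nix in this same commit interpolates `portDefinitions.jellyfin-http`, so evaluating that host fails with a missing-attribute error; add `jellyfin-http = 8096;` (the port jellyfin.nix previously hard-coded). `coturn-minimum = 49192` also looks like a transposition of the 49152 that the removed coturn.nix used as `min-port`, worth confirming before the coturn module is recreated against it. A header comment such as `# Listening ports shared by the greatyamada service modules; keep values unique to avoid bind conflicts` would document the file's purpose for the next reader.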
@@ -0,0 +1,49 @@
+{ ... }:
+let
+ portDefinitions = import ./_port-definitions.nix;
+ nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+ networking.firewall.allowedTCPPorts = [ portDefinitions.adguardhome-dns ];
+ networking.firewall.allowedUDPPorts = [ portDefinitions.adguardhome-dns ];
+ services = {
+ adguardhome = {
+ enable = true;
+ allowDHCP = true;
+ port = portDefinitions.adguardhome-http;
+ mutableSettings = true;
+ settings = {
+ http = {
+ address = "127.0.0.1:${toString portDefinitions.adguardhome-http}";
+ session_ttl = "1440h";
+ };
+ dns = {
+ bind_hosts = [ "0.0.0.0" ];
+ port = portDefinitions.adguardhome-dns;
+ anonymize_client_ip = false;
+ ratelimit = 0;
+ upstream_dns = [ "https://dns10.quad9.net/dns-query" ];
+ bootstrap_dns =
+ [ "9.9.9.10" "149.112.112.10" "2620:fe::10" "2620:fe::fe:10" ];
+ };
+ dhcp = {
+ enabled = true;
+ interface_name = "enp5s0";
+ local_domain_name = "lan";
+ dhcpv4 = {
+ gateway_ip = "10.0.0.254";
+ subnet_mask = "255.255.255.0";
+ range_start = "10.0.0.10";
+ range_end = "10.0.0.199";
+ lease_duration = 86400;
+ icmp_timeout_msec = 1000;
+ };
+ };
+ };
+ };
+ nginx.virtualHosts."dns.rcia.dev" = {
+ locations."/".proxyPass =
+ "http://127.0.0.1:${toString portDefinitions.adguardhome-http}";
+ extraConfig = nginxLocalServiceConfig;
+ };
+ };
+}
diff --git a/hosts/greatyamada/services/ddclient.nix b/hosts/greatyamada/services/ddclient.nix
index 9f3422c..2caf9e4 100644
--- a/hosts/greatyamada/services/ddclient.nix
+++ b/hosts/greatyamada/services/ddclient.nix
@@ -6,6 +6,10 @@
 protocol = "cloudflare";
 zone = "rcia.dev";
 passwordFile = "/run/secrets/cloudflare_api_token";
- domains = [ "@" "*" ];"
+ domains = [ "@" "*" ];
+ };
+ sops.secrets."cloudflare/api_token" = {
+ path = "/run/secrets/cloudflare_api_token";
+ owner = "root";
+ };
 }
diff --git a/hosts/greatyamada/services/default.nix b/hosts/greatyamada/services/default.nix
index c06dfbb..44554ba 100644
--- a/hosts/greatyamada/services/default.nix
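Review bot: `bind_hosts = [ "0.0.0.0" ]` together with `ratelimit = 0` and the unconditional firewall openings for port 53 make the resolver answer on every interface with no rate limiting; if enp5s0 (the DHCP interface) or any other interface of this host is reachable from outside the LAN, that is an open resolver usable for amplification. Bind to the LAN address instead, or scope the rules to the interface with `networking.firewall.interfaces.enp5s0.allowedTCPPorts` / `allowedUDPPorts`, and keep a non-zero `ratelimit`. Note also that this module is not listed in default.nix's imports in this commit, so the configuration currently has no effect on the host.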
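Review bot: The secret is declared with `owner = "root"` and the default sops-nix mode, while the ddclient unit does not necessarily run as root; confirm the service can actually read `/run/secrets/cloudflare_api_token` (if the NixOS module hands `passwordFile` to the unit as a systemd credential this is fine, otherwise the unit fails at start). The stray `"` carried by the removed `domains` line is fixed here, so the module now parses. A short comment above the secret recording the token's minimum required Cloudflare scope would help whoever rotates it.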
+++ b/hosts/greatyamada/services/default.nix
@@ -1,12 +1,15 @@
 { ... }: {
 imports = [
- ./nginx.nix
+ ./acme.nix
+ ./ddclient.nix
 ./forgejo.nix
- ./invidious.nix
+ ./invidious
 ./jellyfin.nix
+ ./minecraft
+ ./nginx.nix
 ./postgresql.nix
 ./radicale.nix
+ ./wireguard.nix
 ];
- # TODO: adguardhome matrix matrix-second minecraft terraria factorio coturn mautrix-whatsapp wireguard
 # paperlessngx
 }
diff --git a/hosts/greatyamada/services/forgejo.nix b/hosts/greatyamada/services/forgejo.nix
index acfc272..e6abb27 100644
--- a/hosts/greatyamada/services/forgejo.nix
+++ b/hosts/greatyamada/services/forgejo.nix
@@ -1,11 +1,12 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 let
 forgejoConfigPath = "/var/lib/forgejo/custom/conf";
+ portDefinitions = import ./_port-definitions.nix;
 arrayToSecrets = elements:
- builtins.listToAttrs (map (x: {
- name = "forgejo/" + x;
+ builtins.listToAttrs (map (key: {
+ name = "forgejo/${key}";
 value = {
- path = "${forgejoConfigPath}/" + x;
+ path = "${forgejoConfigPath}/${key}";
 owner = "forgejo";
 };
 }) elements);
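Review bot: `./adguardhome.nix` and `./ntfy.nix`, both written in this commit, are missing from this imports list, so neither service is deployed; if that is a deliberate staged rollout, say so in the comment that replaces the removed TODO, otherwise add them. The TODO line is dropped while `# paperlessngx` stays, which leaves the remaining comment without context — `# TODO: paperlessngx` would make its meaning clear.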
@@ -13,36 +14,34 @@ in {
 services = {
 forgejo = {
 enable = true;
+ package = pkgs.forgejo;
+ database = {
+ type = "postgres";
+ port = portDefinitions.postgresql;
+ passwordFile = "${forgejoConfigPath}/database_password";
+ };
+ secrets = {
+ server.LFS_JWT_SECRET = "${forgejoConfigPath}/lfs_jwt_secret";
+ security = {
+ INTERNAL_TOKEN = "${forgejoConfigPath}/internal_token";
+ SECRET_KEY = "${forgejoConfigPath}/secret_key";
+ };
+ oauth2.JWT_SECRET = "${forgejoConfigPath}/oauth2_jwt_secret";
+ };
 settings = {
 server = {
 DOMAIN = "git.rcia.dev";
 ROOT_URL = "https://git.rcia.dev";
- HTTP_PORT = 3000;
+ HTTP_PORT = portDefinitions.forgejo-http;
 DISABLE_SSH = true;
 LFS_START_SERVER = true;
- LFS_JWT_SECRET = "";
- LFS_JWT_SECRET_URI = "file://${forgejoConfigPath}/lfs_jwt_secret";
- };
- database = {
- type = "postgres";
- passwordFile = "${forgejoConfigPath}/database_password";
- };
- security = {
- INSTALL_LOCK = true;
- INTERNAL_TOKEN = lib.mkForce "";
- INTERNAL_TOKEN_URI = "file://${forgejoConfigPath}/internal_token";
- SECRET_KEY = lib.mkForce "";
- SECRET_KEY_URI = "file://${forgejoConfigPath}/secret_key";
- };
- oauth2 = {
- JWT_SECRET = lib.mkForce "";
- JWT_SECRET_URI = "file://${forgejoConfigPath}/oauth2_jwt_secret";
 };
+ security = { INSTALL_LOCK = true; };
 };
 };
 nginx.virtualHosts."git.rcia.dev" = {
 locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
+ proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}";
 clientMaxBodySize = "200M";
 };
 };
diff --git a/hosts/greatyamada/services/invidious/default.nix b/hosts/greatyamada/services/invidious/default.nix
new file mode 100644
index 0000000..78b8ffa
--- /dev/null
+++ b/hosts/greatyamada/services/invidious/default.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+ imports = [ ./invidious.nix ./inv-sig-helper.nix ];
+ users = {
+ groups.invidious = { };
+ users.invidious = {
+ group = "invidious";
+ isSystemUser = true;
+ };
+ };
+}
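Review bot: The file names used under `secrets` and in `database.passwordFile` must match the list handed to `arrayToSecrets` (the call and the rest of the file's sops wiring lie outside this hunk); please confirm `database_password`, `lfs_jwt_secret`, `internal_token`, `secret_key` and `oauth2_jwt_secret` are all in that list, since a missing one surfaces as a start-up failure rather than an evaluation error. `database.port` is set without a `database.host`; if the module defaults to the local socket the port is never used, so either note that it is set only for consistency with `_port-definitions.nix` or add the host. Moving from `lib.mkForce ""` plus `*_URI` settings to the module's `secrets` option is the right direction and keeps the secret values out of the generated config.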
diff --git a/hosts/greatyamada/services/invidious/inv-sig-helper.nix b/hosts/greatyamada/services/invidious/inv-sig-helper.nix
new file mode 100644
index 0000000..24a331d
--- /dev/null
+++ b/hosts/greatyamada/services/invidious/inv-sig-helper.nix
@@ -0,0 +1,83 @@
+{ pkgs, ... }:
+let portDefinitions = import ../_port-definitions.nix;
+in {
+ environment.systemPackages = with pkgs; [ inv-sig-helper ];
+ systemd.services.inv-sig-helper = {
+ enable = true;
+ after = [ "syslog.target" "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "invidious";
+ Group = "invidious";
+ ExecStart =
+ "${pkgs.inv-sig-helper}/bin/inv_sig_helper_rust --tcp 127.0.0.1:${
+ toString portDefinitions.inv-sig-helper
+ }";
+ Restart = "always";
+ RestartSec = "2s";
+ Type = "simple";
+ WorkingDirectory = "/tmp";
+ BindPaths = "/tmp";
+ CapabilityBoundingSet = [
+ "~CAP_SETUID CAP_SETGID CAP_SETPCAP"
+ "~CAP_SYS_ADMIN"
+ "~CAP_SYS_PTRACE"
+ "~CAP_CHOWN CAP_FSETID CAP_SETFCAP"
+ "~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"
+ "~CAP_NET_ADMIN"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_TIME"
+ "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
+ "~CAP_KILL"
+ "~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW"
+ "~CAP_SYSLOG"
+ "~CAP_SYS_NICE CAP_SYS_RESOURCE"
+ "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
+ "~CAP_SYS_BOOT"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_SYS_PACCT"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_WAKE_ALARM"
+ ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectControlGroups = true;
+ ProtectHome = "tmpfs";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+ RestrictNamespaces = true;
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "~@clock"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@raw-io"
+ "~@reboot"
+ "~@swap"
+ "~@privileged"
+ "~@resources"
+ "~@cpu-emulation"
+ "~@obsolete"
+ ];
+ };
+ };
+}
diff --git a/hosts/greatyamada/services/invidious.nix b/hosts/greatyamada/services/invidious/invidious.nix
similarity index 63%
rename from hosts/greatyamada/services/invidious.nix
rename to hosts/greatyamada/services/invidious/invidious.nix
index 918dd33..4cedece 100644
--- a/hosts/greatyamada/services/invidious.nix
+++ b/hosts/greatyamada/services/invidious/invidious.nix
@@ -1,9 +1,13 @@
 { ... }:
-let nginxLocalServiceConfig = import ./nginx-local-config.nix;
+let
+ nginxLocalServiceConfig = import ./nginx-local-config.nix;
+ ports = import ../_port-definitions.nix;
 in {
 services = {
 invidious = {
 enable = true;
+ port = ports.invidious-http;
+ extraSettingsFile = "/var/lib/invidious/extra_configuration";
 settings = {
 check_tables = true;
 db.user = "invidious";
@@ -15,6 +19,7 @@ in {
 quality = "dash";
 volume = 20;
 };
+ signature_server = "localhost:${toString ports.inv-sig-helper}";
 };
 database = {
 createLocally = false;
@@ -23,7 +28,9 @@ in {
 hmacKeyFile = "/var/lib/invidious/hmac_key";
 };
 nginx.virtualHosts."iv.rcia.dev" = {
- locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString ports.invidious-http}";
+ };
 extraConfig = nginxLocalServiceConfig;
 };
 };
@@ -36,5 +43,9 @@ in {
 path = "/var/lib/invidious/hmac_key";
 owner = "invidious";
 };
+ "invidious/extra_secrets" = {
+ path = "/var/lib/invidious/extra_configuration";
+ owner = "invidious";
+ };
 };
 }
diff --git a/hosts/greatyamada/services/jellyfin.nix b/hosts/greatyamada/services/jellyfin.nix
index 77e1667..c368969 100644
--- a/hosts/greatyamada/services/jellyfin.nix
+++ b/hosts/greatyamada/services/jellyfin.nix
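Review bot: `BindPaths = "/tmp"` appears to work against the `PrivateTmp = true` set a few lines below — it bind-mounts the host `/tmp` into the unit's mount namespace at the same path, which as far as I can tell reintroduces the shared directory that PrivateTmp isolates; if the helper only needs a scratch working directory, drop `BindPaths` and keep `WorkingDirectory = "/tmp"` on the private tmp, or give it a `RuntimeDirectory`. `after = [ "syslog.target" ... ]` names a legacy target that systemd documents as obsolete and can be dropped. `environment.systemPackages = with pkgs; [ inv-sig-helper ]` is not needed by the unit, whose ExecStart already references the store path, and it puts the binary on every user's PATH; removing it limits the helper to the service. The rest of the sandbox (loopback-only listener, `NoNewPrivileges`, capability and syscall filters) is a solid baseline.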
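Review bot: `signature_server = "localhost:${toString ports.inv-sig-helper}"` reaches the helper by hostname while the helper unit added in this commit listens only on `127.0.0.1`; if `localhost` resolves to `::1` first the connection fails, so pin it: `signature_server = "127.0.0.1:${toString ports.inv-sig-helper}";`. `extraSettingsFile` points at the sops-managed `/var/lib/invidious/extra_configuration` owned by `invidious`, which is the right way to keep secret settings out of the store; a comment naming which keys that file supplies would save a reader from looking for them under `settings`.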
@@ -1,17 +1,17 @@
-{ pkgs, ... }:
+{ ... }:
 let
- jellyfinPath = "/mnt/Datos/jellyfin/";
+ jellyfinPath = "/mnt/Datos/jellyfin";
 nginxLocalServiceConfig = import ./nginx-local-config.nix;
+ portDefinitions = import ./_port-definitions.nix;
 in {
 services = {
 jellyfin = {
 enable = true;
- configDir = jellyfinPath + "config/";
- dataDir = jellyfinPath + "data/";
+ dataDir = "${jellyfinPath}/data/";
 };
 nginx.virtualHosts."jellyfin.rcia.dev" = {
 locations."/" = {
- proxyPass = "http://127.0.0.1:8096";
+ proxyPass = "http://127.0.0.1:${portDefinitions.jellyfin-http}";
 clientMaxBodySize = "10M";
 };
 extraConfig = nginxLocalServiceConfig;
diff --git a/hosts/greatyamada/services/matrix-internal.nix b/hosts/greatyamada/services/matrix-internal.nix
deleted file mode 100644
index e4f359d..0000000
--- a/hosts/greatyamada/services/matrix-internal.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ }: {
- containers.matrix-bridges = {
- autoStart = true;
- config = { config, pkgs }: {
- services.matrix-synapse = {
- enable = true;
- settings = {
- server_name = "matrix-int.rcia.dev";
- listeners = [ { } ];
- };
- };
- };
- };
-}
diff --git a/hosts/greatyamada/services/matrix/coturn.nix b/hosts/greatyamada/services/matrix/coturn.nix
deleted file mode 100644
index 2d545b4..0000000
--- a/hosts/greatyamada/services/matrix/coturn.nix
+++ /dev/null
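Review bot: `proxyPass = "http://127.0.0.1:${portDefinitions.jellyfin-http}"` cannot evaluate: `_port-definitions.nix` added in this commit has no `jellyfin-http` attribute, and even once one exists the value is an integer that must go through `toString` as every other file on this page does — `proxyPass = "http://127.0.0.1:${toString portDefinitions.jellyfin-http}";` together with a `jellyfin-http = 8096;` entry in the definitions file. Dropping `configDir` also moves Jellyfin's configuration from `/mnt/Datos/jellyfin/config/` to the module default; if that is deliberate, a comment saying so (and that the old directory needs migrating) avoids a surprise on the next rebuild.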
@@ -1,41 +0,0 @@
-{ pkgs, ... }: {
- services.coturn = {
- enable = true;
- realm = "rcia.dev";
- min-port = 49152;
- max-port = 49200;
- use-auth-secret = true;
- static-auth-secret-file = "/run/turnserver/auth_secret"
- extraConfig = ''
- syslog
- no-rfc5780
- no-stun-backward-compatibility
- response-origin-only-with-rfc5780
- denied-peer-ip=10.0.0.0-10.255.255.255
- denied-peer-ip=192.168.0.0-192.168.255.255
- denied-peer-ip=172.16.0.0-172.31.255.255
- no-multicast-peers
- denied-peer-ip=0.0.0.0-0.255.255.255
- denied-peer-ip=100.64.0.0-100.127.255.255
- denied-peer-ip=127.0.0.0-127.255.255.255
- denied-peer-ip=169.254.0.0-169.254.255.255
- denied-peer-ip=192.0.0.0-192.0.0.255
- denied-peer-ip=192.0.2.0-192.0.2.255
- denied-peer-ip=192.88.99.0-192.88.99.255
- denied-peer-ip=198.18.0.0-198.19.255.255
- denied-peer-ip=198.51.100.0-198.51.100.255
- denied-peer-ip=203.0.113.0-203.0.113.255
- denied-peer-ip=240.0.0.0-255.255.255.255
- allowed-peer-ip=10.0.0.1
- allowed-peer-ip=10.10.0.1
- allowed-peer-ip=10.10.0.2
- allowed-peer-ip=10.10.0.3
- user-quota=16
- total-quota=128
- '';
- };
- sops.secrets."coturn/static_auth_secret" = {
- path = "/run/turnserver/auth_secret";
- owner = "turnserver";
- };
-}
diff --git a/hosts/greatyamada/services/matrix/default.nix b/hosts/greatyamada/services/matrix/default.nix
deleted file mode 100644
index 7ae8ba1..0000000
--- a/hosts/greatyamada/services/matrix/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { imports = [ ./coturn.nix ./synapse.nix ]; }
diff --git a/hosts/greatyamada/services/matrix/synapse.nix b/hosts/greatyamada/services/matrix/synapse.nix
deleted file mode 100644
index 43811ec..0000000
--- a/hosts/greatyamada/services/matrix/synapse.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ pkgs, ... }:
-let dataDir = "/mnt/Datos/synapse";
-in {
- services.matrix-synapse = {
- enable = true;
- settings = {
- server_name = "rcia.dev";
- listeners = [{
- port = 8008;
- bind_addresses = [ "synapse" ];
- tls = false;
- type = http;
- x_forwarded = true;
- resources = [{
- names = [ "client" "federation" ];
- compress = false;
- }];
- }];
- media_store_path = dataDir + "/media_store";
- max_upload_size = "100M";
- enable_registration = false;
- report_stats = true;
- signing_key_path = "/var/lib/matrix-synapse/matrix.rcia.dev.signing.key";
- turn_user_lifetime = "1h";
- turn_uris = [ "turn:rcia.dev:3478" "turn:rcia.dev:3479" ];
- };
- };
- nginx.virtualHosts."matrix.rcia.dev" = {
- locations = {
- "/" = { proxyPass = "http://127.0.0.1:8008/_matrix/static"; };
- "/_matrix" = {
- proxyPass = "http://127.0.0.1:8008";
- recommendedProxySettings = true;
- clientMaxBodySize = "200M";
- };
- };
- # Federation
- listen = [{
- port = 8448;
- ssl = true;
- extraParameters = [ "default_server" ];
- }];
- };
- sops.secrets = {
- "matrix/secrets" = {
- path = "/var/lib/matrix-synapse/secrets";
- owner = "matrix-synapse";
- };
- };
-}
diff --git a/hosts/greatyamada/services/minecraft/data-directory.nix b/hosts/greatyamada/services/minecraft/data-directory.nix
deleted file mode 100644
index d6265e0..0000000
--- a/hosts/greatyamada/services/minecraft/data-directory.nix
+++ /dev/null
@@ -1 +0,0 @@
-"/minecraft"
diff --git a/hosts/greatyamada/services/minecraft/default.nix b/hosts/greatyamada/services/minecraft/default.nix
index 942c3d5..485a6af 100644
--- a/hosts/greatyamada/services/minecraft/default.nix
+++ b/hosts/greatyamada/services/minecraft/default.nix
@@ -28,18 +28,14 @@ let
 serverIcon = ./server-icon.png;
 in {
- imports = [ ./plugins ];
 services.minecraft-server = {
- enable = true;
- package = pkgs.papermc.override {
- mcVersion = "1.20.6";
- buildNum = "147";
- };
+ enable = false;
+ package = pkgs.papermc;
 declarative = true;
 eula = true;
 openFirewall = true;
 jvmOpts =
- "-Xms4G -Xmx4G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
+ "-Xms6G -Xmx6G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
 serverProperties = {
 difficulty = "hard";
 enable-rcon = false;
@@ -48,12 +44,12 @@ in {
 hide-online-players = true;
 motd = "NixOS server";
 online-mode = true;
- pvp = false;
+ pvp = true;
 server-port = 13914;
 spawn-protection = 0;
 white-list = true;
 };
- dataDir = import ./data-directory.nix;
+ dataDir = "/minecraft";
 };
 # Overriden to have a non-declarative whitelist
 systemd.services.minecraft-server.preStart = lib.mkForce ''
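Review bot: `server-port = 13914;` stays hard-coded in the second hunk while `_port-definitions.nix` now defines `minecraft = 13914`; reference the shared definition here as the other modules do so the two cannot drift (the file's `let` block starts outside this hunk, so `portDefinitions` would need importing there). `package = pkgs.papermc` replaces the pinned `mcVersion`/`buildNum` override with whatever nixpkgs ships, so the server version now changes on every channel update — harmless while `enable = false`, but a comment recording the intended version would help when it is switched back on. `-Xms6G -Xmx6G` and `pvp = true` are capacity and gameplay choices that deserve a one-line note next to the option or in the commit message.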
diff --git a/hosts/greatyamada/services/minecraft/plugins/default.nix b/hosts/greatyamada/services/minecraft/plugins/default.nix
deleted file mode 100644
index 6fdc0d1..0000000
--- a/hosts/greatyamada/services/minecraft/plugins/default.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ pkgs, ... }: {
- environment.systemPackages = with pkgs;
- [ (callPackage ./packages/essentialsx.nix { }) ];
-}
diff --git a/hosts/greatyamada/services/minecraft/plugins/packages/essentialsx.nix b/hosts/greatyamada/services/minecraft/plugins/packages/essentialsx.nix
deleted file mode 100644
index 1e6be0e..0000000
--- a/hosts/greatyamada/services/minecraft/plugins/packages/essentialsx.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, lib, stdenv, fetchurl }:
-
-stdenv.mkDerivation rec {
- pname = "EssentialsX";
- version = "2.20.1";
-
- src = fetchurl {
- url =
- "https://github.com/EssentialsX/Essentials/releases/download/${version}/EssentialsX-${version}.jar";
- hash = "sha256-gC6jC9pGDKRZfoGJJYFpM8EjsI2BJqgU+sKNA6Yb9UI=";
- };
-
- unpackPhase = ":";
-
- installPhase = ''
- ln -sf EssentialsX-${version}.jar $out
- '';
-
- meta = {
- description = "The modern Essentials suite for Spigot and Paper.";
- homepage = "https://essentialsx.net/";
- license = lib.licenses.gpl3Plus;
- };
-}
diff --git a/hosts/greatyamada/services/nginx.nix b/hosts/greatyamada/services/nginx.nix
index bf714e3..c7da12d 100644
--- a/hosts/greatyamada/services/nginx.nix
+++ b/hosts/greatyamada/services/nginx.nix
@@ -4,15 +4,7 @@
 virtualHosts = {
 "rcia.dev" = {
 forceSSL = true;
- locations = {
- "/" = { root = /var/www/public; };
- "/profile_picture" = { };
- };
- };
- "ichi-prod.rcia.dev" = {
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- }
+ locations."/" = { root = /var/www/public; };
 };
 };
 };
diff --git a/hosts/greatyamada/services/ntfy.nix b/hosts/greatyamada/services/ntfy.nix
new file mode 100644
index 0000000..edefb85
--- /dev/null
+++ b/hosts/greatyamada/services/ntfy.nix
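Review bot: `root = /var/www/public;` on the new `locations."/"` line is an unquoted Nix path literal; when it is interpolated into the generated nginx config it is copied into the Nix store, so nginx serves a build-time snapshot under `/nix/store/...` rather than the live directory, and evaluation fails outright if the directory is absent on the build host. Quote it so it stays a plain string: `locations."/" = { root = "/var/www/public"; };`. Removing the `ichi-prod.rcia.dev` vhost also frees port 3000, which forgejo takes over in this commit, so the two no longer collide.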
@@ -0,0 +1,20 @@
+{ ... }:
+let ports = import ./_port-definitions.nix;
+in {
+ services = {
+ ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "https://ntfy.rcia.dev";
+ auth-file = "/etc/ntfy-users.db";
+ auth-default-access = "deny-all";
+ };
+ };
+ nginx.virtualHosts."ntfy.rcia.dev" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString ports.ntfy-http}";
+ recommendedProxySettings = true;
+ };
+ };
+ };
+}
diff --git a/hosts/greatyamada/services/postgresql.nix b/hosts/greatyamada/services/postgresql.nix
index 330be3b..0683293 100644
--- a/hosts/greatyamada/services/postgresql.nix
+++ b/hosts/greatyamada/services/postgresql.nix
@@ -1 +1,8 @@
-{ lib, pkgs, ... }: { services.postgresql = { enable = true; }; }
+{ ... }:
+let portDefinitions = import ./_port-definitions.nix;
+in {
+ services.postgresql = {
+ enable = true;
+ settings.port = portDefinitions.postgresql;
+ };
+}
diff --git a/hosts/greatyamada/services/radicale.nix b/hosts/greatyamada/services/radicale.nix
index dd9ef4c..89cfb0c 100644
--- a/hosts/greatyamada/services/radicale.nix
+++ b/hosts/greatyamada/services/radicale.nix
@@ -1,13 +1,15 @@
 { ... }:
 let
- radicalePath = "/mnt/Datos/radicale";
 nginxLocalServiceConfig = import ./nginx-local-config.nix;
+ portDefinitions = import ./_port-definitions.nix;
+ radicalePath = "/mnt/Datos/radicale";
 in {
 services = {
 radicale = {
 enable = true;
 settings = {
- server.hosts = [ "127.0.0.1:5232" ];
+ server.hosts =
+ [ "127.0.0.1:${toString portDefinitions.radicale-http}" ];
 auth = {
 type = "htpasswd";
 htpasswd_filename = "/etc/radicale/users";
@@ -17,7 +19,10 @@ in {
 };
 };
 nginx.virtualHosts."radicale.rcia.dev" = {
- locations."/" = { proxyPass = "http://127.0.0.1:5232"; };
+ locations."/" = {
+ proxyPass =
+ "http://127.0.0.1:${toString portDefinitions.radicale-http}";
+ };
 extraConfig = nginxLocalServiceConfig;
 };
 };
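Review bot: `auth-file = "/etc/ntfy-users.db"` puts the user database under `/etc`, which the sandboxed NixOS ntfy-sh service is unlikely to be able to create or write; confirm the path is writable by the service user, or keep it under the service's own state directory. No `listen-http` is set, so the daemon binds whatever the module's default is — on all interfaces if that default is `:2586` — while nginx only proxies to 127.0.0.1; setting `listen-http = "127.0.0.1:${toString ports.ntfy-http}";` ties the listener to the shared port definition and keeps the unproxied port off the network. Behind nginx, `behind-proxy = true;` lets ntfy apply its rate limits per client address from X-Forwarded-For (which `recommendedProxySettings` sets) instead of treating every request as coming from 127.0.0.1.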
diff --git a/hosts/greatyamada/services/wireguard.nix b/hosts/greatyamada/services/wireguard.nix
new file mode 100644
index 0000000..1ea0892
--- /dev/null
+++ b/hosts/greatyamada/services/wireguard.nix
@@ -0,0 +1,34 @@
+{ ... }:
+let portDefinitions = import ./_port-definitions.nix;
+in {
+ networking = {
+ firewall.allowedUDPPorts = [ portDefinitions.wireguard ];
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ 10.10.0.1/24 ];
+ peers = [{
+ allowedIPs = [ 10.10.0.2/32 ];
+ name = "Note9";
+ publicKey = "Y5A5iv0ukg1TQMcIdtXd+bmDxtrqHCuoEhYRmBqwkFY=";
+ presharedKeyFile = "/run/secrets/preshared_keys_note9";
+ }];
+ postSetup =
+ "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE";
+ postShutdown =
+ "iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE";
+ privateKeyFile = "/run/secrets/wg_private_key";
+ };
+ };
+ };
+ sops.secrets = {
+ "wireguard/private_key" = {
+ path = "/run/secrets/wg_private_key";
+ user = "root";
+ };
+ "wireguard/preshared_keys/note9" = {
+ path = "/run/secrets/preshared_keys_note9";
+ user = "root";
+ };
+ };
+}
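Review bot: `ips = [ 10.10.0.1/24 ];` and `allowedIPs = [ 10.10.0.2/32 ];` are unquoted, so they are not Nix strings and the file does not parse; write `ips = [ "10.10.0.1/24" ];` and `allowedIPs = [ "10.10.0.2/32" ];`. Both sops secrets use `user = "root"` while ddclient.nix on this page uses `owner` for the same module — if sops-nix's option is `owner`, `user` is rejected at evaluation, and the two files should agree either way. The `postSetup` rules accept all FORWARD traffic in and out of `%i` and masquerade everything leaving `enp5s0`, so the peer gets full access to whatever the host can reach; if this is meant as a road-warrior tunnel rather than a full gateway, restrict the forward rules to the intended destinations and say so in a comment.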