diff --git a/features/server/backups-repos.nix b/features/server/backups-repos.nix
index 282cf6f..6dfc3b7 100644
--- a/features/server/backups-repos.nix
+++ b/features/server/backups-repos.nix
@@ -1,5 +1,5 @@
-U2FsdGVkX1+pKUtcxhT27nl6afKy5paC7y9iBtZgbq2rnuJebgGFCD0AxE1TOWMV
-RaWwqeK7YaU7MnImh+b7JfR3C7b6OgQz3+V+gGhC8f10e23maH/me3m3SNsxLp4w
-BS4SQZzrWc5WHS+QHTCH7tfUyFPYBs8xnfMAN+TGqB/ud0l7ZZ7MRvpU2IHpzoi1
-8ek6OT+w/oyXU3o5eVklEuXpTEB2dcGJ41hbXCEDn7ELyfpaF/+Tx5yGGIJ73FvS
-+P2s1wpjWnrHPj78aphmdm8Q/PZ81vDU4/e2nyg4OcHyOPXVVnwhRUWl1Y9/a/sK
+U2FsdGVkX1+alugeaL42d1DXdx+FlLJ9RQErEECKiXmHETExGwdgvNOSSjSXfWc0
+Mo22lNDdaoVtCK2gcsBqdxxI8Y6RlxuJvznyk7MO3dqT+CYSxbOS8NMfCu7q+NDg
+zelWePoV+99RmeI7dbkgFrwzw1F3YEXlrTnfmsr72Qb9kje1j9GRaN73Tvc3+PMN
+Rq0QmIXluZLSt0z1dfn/lOSY9Q4kB2t/60ErNAC4tL58sK7Dry6G2mjT8pHwOzF8
+yXP1iuae6jhNDmlgoXuH76ktVYdS+nbURWjvt0uFQENyU29+r9pCpJDhExNdvPKX
diff --git a/features/server/backups.nix b/features/server/backups.nix
index d5bb32b..505917e 100644
--- a/features/server/backups.nix
+++ b/features/server/backups.nix
@@ -1,11 +1,24 @@
-{ config, ... }:
+{
+ config,
+ secrets,
+ pkgs,
+ ...
+}:
 {
 imports = [ ./backups-repos.nix ];
 sops.secrets.borgRepoPassword = { };
 sops.secrets.borgRemoteServerPassword = {
- sopsFile = "/home/homelab/secrets/backup.yaml";
+ sopsFile = "${secrets}/secrets/backup.yaml";
+ };
+
+ sops.secrets.sshBorgOffsiteBackup = {
+ sopsFile = "${secrets}/secrets/backup.yaml";
+ };
+
+ sops.secrets.borgOffsiteBackupHostKeys = {
+ sopsFile = "${secrets}/secrets/backup.yaml";
+ };
 services.borgbackup.jobs = {
@@ -64,25 +77,26 @@
 "/srv/freshrss"
 "/srv/Minecraft"
 ];
- postgres_databases = [
- "forgejo"
- "nextcloud"
- "matrix-synapse"
+ postgresql_databases = [
+ { name = "forgejo"; }
+ { name = "nextcloud"; }
+ { name = "matrix-synapse"; }
 ];
 exclude_patterns = [ "/home/*/.cache" ];
- encryption_passcommand = "cat /run/secrets/borgRemoteServerPassword";
+ encryption_passcommand = "${pkgs.coreutils}/bin/cat /run/secrets/borgRemoteServerPassword";
+ ssh_command = "ssh -o GlobalKnownHostsFile=${config.sops.secrets.borgOffsiteBackupHostKeys.path} -i ${config.sops.secrets.sshBorgOffsiteBackup.path}";
 };
 };
 };
- systemd.timers.borgmatic = {
+ systemd.timers."borgmatic" = {
 enable = true;
- unit = "borgmatic.service";
 wantedBy = [ "timers.target" ];
 timerConfig = {
 OnCalendar = "*-*-* 03:00:00";
 Persistent = true;
 WakeSystem = true;
+ Unit = "borgmatic.service";
 };
 };
 }
diff --git a/features/server/caddy.nix b/features/server/caddy.nix
index 101e08e..3562437 100644
--- a/features/server/caddy.nix
+++ b/features/server/caddy.nix
@@ -24,6 +24,10 @@
 reverse_proxy :8096
 '';
+ "http://media.hypervirtual.world".extraConfig = ''
+ reverse_proxy :8096
+ '';
+
 "http://slskd.sisyphe.normandy.hypervirtual.world".extraConfig = ''
 reverse_proxy :5030
 '';
@@ -48,7 +52,7 @@
 reverse_proxy :3000
 '';
- "http://status.normandy.hypervirtual.world".extraConfig = ''
+ "http://status.hypervirtual.world".extraConfig = ''
 reverse_proxy :4000
 '';
diff --git a/features/server/default.nix b/features/server/default.nix
index 519f317..0b54b2e 100644
--- a/features/server/default.nix
+++ b/features/server/default.nix
@@ -28,6 +28,6 @@
 ethtool
 networkd-dispatcher
 transcrypt
- libressl_3_8
+ libressl_3_9
 ];
 }
diff --git a/features/server/multimedia/arr-suite.nix b/features/server/multimedia/arr-suite.nix
index af56b9f..d5e940c 100644
--- a/features/server/multimedia/arr-suite.nix
+++ b/features/server/multimedia/arr-suite.nix
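Review bot: `ssh_command` invokes a bare `ssh` while the same hunk just made `cat` absolute via `${pkgs.coreutils}/bin/cat`, presumably because the borgmatic unit's PATH lacks the usual tools; `ssh` will hit the same problem, so use `${pkgs.openssh}/bin/ssh`. Since the known-hosts file is now sops-managed, make it the only trust source: `ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o GlobalKnownHostsFile=… -i …`, otherwise root's `~/.ssh/known_hosts` can still supply (or accumulate) a key for the offsite host. For consistency with that line, `encryption_passcommand` should read `${config.sops.secrets.borgRemoteServerPassword.path}` instead of the hard-coded `/run/secrets/borgRemoteServerPassword`. The enclosing job attrset starts before this hunk.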
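Review bot: `"http://media.hypervirtual.world"` is declared with an explicit `http://` scheme, which turns off Caddy's automatic HTTPS for that site, so Jellyfin logins to this apparently public hostname would cross the network in cleartext; the firewall hunk elsewhere in this commit opens only port 80, so nothing suggests TLS is terminated anywhere else. If the name is reachable from the internet, drop the scheme (`"media.hypervirtual.world".extraConfig = ''`) so Caddy provisions a certificate and redirects port 80, and open 443; if it is only resolvable on a LAN or over a VPN, a one-line comment saying so would make the exposure deliberate. The enclosing virtual-host attrset starts before this hunk.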
@@ -1,10 +1,7 @@
 {
 config,
- pkgs,
- lib,
 ...
 }:
-with lib;
 let
 cfg = config.arrSuite;
@@ -35,27 +32,27 @@ in
 enable = true;
 openFirewall = true;
 };
-/*
- #TODO: create duplicated instances of Sonarr.
- systemd.services."sonarrAnime" = {
- enable = true;
- description = "Duplicated Sonarr instance, for animes";
- after = [
- "syslog.target"
- "network.target"
- ];
+ /*
+ #TODO: create duplicated instances of Sonarr.
+ systemd.services."sonarrAnime" = {
+ enable = true;
+ description = "Duplicated Sonarr instance, for animes";
+ after = [
+ "syslog.target"
+ "network.target"
+ ];
- path = [ pkgs.sonarr ];
- serviceConfig = {
- Type = "simple";
- User = "sonarr";
- ExecStart = "${pkgs.sonarr}/bin/Sonarr -nobrowser -data=/var/lib/sonarrAnime";
- TimeoutStopSec = "20";
- KillMode = "process";
- Restart = "on-failure";
+ path = [ pkgs.sonarr ];
+ serviceConfig = {
+ Type = "simple";
+ User = "sonarr";
+ ExecStart = "${pkgs.sonarr}/bin/Sonarr -nobrowser -data=/var/lib/sonarrAnime";
+ TimeoutStopSec = "20";
+ KillMode = "process";
+ Restart = "on-failure";
+ };
+ wantedBy = [ "multi-user.target" ];
 };
- wantedBy = [ "multi-user.target" ];
- };
-*/
+ */
 }
diff --git a/features/server/multimedia/jellyfin.nix b/features/server/multimedia/jellyfin.nix
index 5024104..a2001bc 100644
--- a/features/server/multimedia/jellyfin.nix
+++ b/features/server/multimedia/jellyfin.nix
@@ -16,6 +16,7 @@
 intel-media-sdk # QSV up to 11th gen
 ];
 };
+
 services.jellyfin = {
 enable = true;
 openFirewall = true;
diff --git a/features/server/multimedia/slskd.nix b/features/server/multimedia/slskd.nix
index 3835aed..6a5a34c 100644
--- a/features/server/multimedia/slskd.nix
+++ b/features/server/multimedia/slskd.nix
@@ -1,12 +1,17 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ secrets,
+ ...
+}:
 with lib;
 let
- cfg = config.slskd;
+ cfg = config.downloads.music;
 in
 {
 options = {
- slskd.directory = mkOption {
+ downloads.music.directory = mkOption {
 type = types.str;
 default = "/srv/media/Music";
 };
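Review bot: Dropping `lib,` and `with lib;` from the module header is only safe if nothing further down still uses `lib` names unqualified (`mkOption`, `types`, `mkIf`); the hunk keeps `cfg = config.arrSuite;`, which suggests an options block this view does not show. If any such name remains, evaluation fails with an undefined-variable error. Either keep `lib` in the argument set and qualify the uses (`lib.mkOption`), or confirm the file still evaluates with `nix flake check` before merging.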
@@ -14,7 +19,7 @@ in
 config = {
 sops.secrets.slskd = {
- sopsFile = ../../../secrets/slskd.env;
+ sopsFile = "${secrets}/secrets/slskd.env";
 format = "dotenv";
 };
diff --git a/features/server/multimedia/transmission.nix b/features/server/multimedia/transmission.nix
index 18434b7..6362b54 100644
--- a/features/server/multimedia/transmission.nix
+++ b/features/server/multimedia/transmission.nix
@@ -1,12 +1,17 @@
-{ config, lib, ... }:
+{
+ config,
+ secrets,
+ lib,
+ ...
+}:
 with lib;
 let
- cfg = config.transmission;
+ cfg = config.downloads.transmission;
 in
 {
 options = {
- transmission = {
+ downloads.transmission = {
 directory = mkOption {
 type = lib.types.str;
 default = "/srv/Multimedia";
@@ -16,7 +21,7 @@ in
 config = {
 sops.secrets.transmission = {
- sopsFile = ../../../secrets/transmission.json;
+ sopsFile = "${secrets}/secrets/transmission.json";
 path = "/var/lib/secrets/transmission/settings.json";
 };
diff --git a/features/server/services/freshrss.nix b/features/server/services/freshrss.nix
index 3775a72..1987d24 100644
--- a/features/server/services/freshrss.nix
+++ b/features/server/services/freshrss.nix
@@ -14,18 +14,14 @@ in
 config = {
 sops.secrets = {
- freshrss_username = {
- sopsFile = ../../secrets/freshrss.yaml;
- };
- freshrss_password = {
- sopsFile = ../../secrets/freshrss.yaml;
- };
+ freshrss_username = { };
+ freshrss_password = { };
 };
 services.freshrss = {
 enable = true;
 language = "fr";
- defaultUser = config.sops.secrets.freshrss_username;
+ defaultUser = "";
 baseUrl = cfg.url;
 passwordFile = config.sops.secrets.freshrss_password.path;
 database = {
diff --git a/features/server/services/grafana.nix b/features/server/services/grafana.nix
index b07a949..98ca6aa 100644
--- a/features/server/services/grafana.nix
+++ b/features/server/services/grafana.nix
@@ -4,7 +4,6 @@
 enable = true;
 settings = {
 server = {
- http_addr = "0.0.0.0";
 http_port = 3000;
 };
 };
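Review bot: `defaultUser = "";` hands the FreshRSS module an empty admin username, so the initial-user setup cannot produce a usable account; the value it replaces (a sops secret attrset rather than a string) looks like it was never valid either, so this is a pre-existing breakage the commit does not fix. Sops values are only decrypted at activation, so an evaluation-time option such as `defaultUser` cannot be fed from a secret; set it to a literal name (`defaultUser = "admin";`) and keep only the password in sops, which also makes the now-unused `freshrss_username = { };` droppable unless something outside this hunk reads it. Both secrets now fall back to `sops.defaultSopsFile`, so confirm `freshrss_password` actually exists in that file. The enclosing `config` block continues past this hunk.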
diff --git a/features/server/services/homelab-dashboard.nix b/features/server/services/homelab-dashboard.nix
index 6d260f0..ea89733 100644
--- a/features/server/services/homelab-dashboard.nix
+++ b/features/server/services/homelab-dashboard.nix
@@ -1,6 +1,7 @@
 {
 config,
 lib,
+ secrets,
 pkgs,
 ...
 }:
@@ -33,7 +34,7 @@ in
 #TODO: add Radarr/Sonarr/... api key support
 config = {
 sops.secrets."homepage" = {
- sopsFile = ../../../secrets/homepage.env;
+ sopsFile = "${secrets}/secrets/homepage.env";
 format = "dotenv";
 };
@@ -220,12 +221,11 @@ in
 {
 "Utilitaires" = [
 {
- "Photoprism" = {
- icon = "photoprism";
- description = "Sauvegarde de photos";
- href = "http://${ip}:2342";
+ "Nextcloud" = {
+ icon = "nextcloud";
+ description = "Sauvegarde de données";
+ href = "https://cloud.hypervirtual.world";
 };
- }
 {
 "4get" = {
diff --git a/features/server/services/i2p.nix b/features/server/services/i2p.nix
deleted file mode 100644
index 8f5ca24..0000000
--- a/features/server/services/i2p.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, ... }:
-{
- services.i2pd = {
- enable = true;
- upnp.enable = true;
- };
-}
diff --git a/features/server/services/uptime-kuma.nix b/features/server/services/uptime-kuma.nix
index 7c6ab9f..c66d2ae 100644
--- a/features/server/services/uptime-kuma.nix
+++ b/features/server/services/uptime-kuma.nix
@@ -4,7 +4,6 @@
 services.uptime-kuma = {
 enable = true;
 settings = {
- HOST = "0.0.0.0";
 PORT = "4000";
 };
 };
diff --git a/flake.nix b/flake.nix
index 5a13bb5..817e05f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,8 +8,10 @@
 alejandra.url = "github:kamadorueda/alejandra/3.0.0";
 alejandra.inputs.nixpkgs.follows = "nixpkgs";
- nix-secrets.url = "git.hypervirtual.world:harry123/nix-secrets.git";
- nix-secrets.inputs.nixpkgs.follows = "nixpkgs";
+ nix-secrets = {
+ url = "git+https://git.hypervirtual.world/harry123/nix-secrets.git";
+ flake = false;
+ };
 };
 outputs =
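Review bot: The removed `}` after the `};` that closes the `"Nextcloud"` entry appears to leave that list element open, so the new side reads `{ "Nextcloud" = { … }; { "4get" = {`, which Nix does not parse (an attrset binding cannot begin with `{`). Unless the line-collapsing of this diff dropped a brace, the element's closing `}` must stay before `{ "4get"`, i.e. the hunk should only replace the four `"Photoprism"` lines. A `nix flake check` would catch this before deploy; the enclosing `"Utilitaires"` list ends after this hunk.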
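Review bot: The new `nix-secrets` input carries no `ref` or `rev`, so the exact commit of the secrets repository is decided solely by `flake.lock`, and no lock update is part of this diff. Because the input now arrives over `git+https://` rather than an SSH remote, the lock's `rev`/`narHash` is the only integrity pin on that tree; update `flake.lock` in the same commit or pin explicitly with `url = "git+https://git.hypervirtual.world/harry123/nix-secrets.git?ref=main&rev=<sha>";` so a rebuild cannot silently fetch a different secrets tree. The old bare `host:path` form is not a URL flakes can parse, so this change is presumably also what makes the input resolvable at all and is worth a line in the commit message.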
@@ -21,15 +23,18 @@
 }@inputs:
 let
 username = "harry123";
+ secrets = builtins.toString inputs.nix-secrets;
 specialArgs = {
 inherit username;
+ inherit secrets;
 };
 in
 {
 nixosConfigurations = {
 sisyphe = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = specialArgs;
 modules = [
 ./hosts/sisyphe/configuration.nix
 sops-nix.nixosModules.sops
diff --git a/hosts/sisyphe/server-configuration.nix b/hosts/sisyphe/server-configuration.nix
index c673d69..8140f1f 100644
--- a/hosts/sisyphe/server-configuration.nix
+++ b/hosts/sisyphe/server-configuration.nix
@@ -3,6 +3,7 @@
 config,
 lib,
 pkgs,
+ secrets,
 ...
 }:
 let
@@ -36,6 +37,7 @@ in
 enable = true;
 allowedTCPPorts = [
 22 # ssh
+ 80 # http
 8008 # matrix-synapse
 8448 # matrix-synapse
 ];
@@ -60,5 +62,5 @@ in
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
 sops.age.generateKey = true;
- sops.defaultSopsFile = ../../secrets/secrets.yaml;
+ sops.defaultSopsFile = "${secrets}/secrets/secrets.yaml";
 }
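Review bot: Opening TCP 80 without 443 matches the `http://`-only Caddy sites in this commit, which means every proxied login (Jellyfin, Grafana, Uptime Kuma, FreshRSS) reaches the host in cleartext from wherever this firewall is exposed. If `sisyphe` is internet-facing, add `443 # https` here and declare the Caddy hostnames without the `http://` prefix so it provisions TLS and redirects port 80; if the box is only reachable on a LAN or VPN, say so in the comment (`80 # http, LAN/VPN only`) so the exposure is deliberate rather than accidental. The enclosing firewall block starts before this hunk.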