Merge branch 'main' of https://git.cyperpunk.de/DerGrumpf/cyper-nix

hosts/cyper-controller/configuration.nix

@@ -6,7 +6,7 @@
     ../../nixos/roles/postgresql.nix
     ../../nixos/roles/wyl.nix
     ../../nixos/roles/adguard.nix
-    ../../nixos/roles/unifi.nix
+#    ../../nixos/roles/unifi.nix
     ../../nixos/roles/searxng.nix
     ../../nixos/roles/filebrowser.nix
     ../../nixos/roles/gitea.nix

hosts/cyper-controller/hardware-configuration.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   modulesPath,
+  primaryUser,
   ...
 }:
 
@@ -21,6 +22,7 @@
     kernelModules = [ "kvm-intel" ];
     extraModulePackages = [ ];
   };
+
   fileSystems = {
     "/" = lib.mkForce {
       device = "/dev/disk/by-label/NIXROOT";
@@ -37,8 +39,47 @@
     };
 
     # TODO: Add External Devices as by-label with no necessity for boot
+    "/storage/internal" = {
+      device = "/dev/disk/by-label/STORAGE";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd"
+        "noatime"
+        "nofail"
+      ];
+    };
+
+    "/storage/fast" = {
+      device = "/dev/disk/by-label/FAST";
+      fsType = "ext4";
+      options = [
+        "nofail"
+        "noatime"
+        "x-systemd.automount"
+        "x-systemd.idle-timeout=60"
+      ];
+    };
+
+    "/storage/backup" = {
+      device = "/dev/disk/by-label/BACKUP";
+      fsType = "ext4";
+      options = [
+        "nofail"
+        "noatime"
+        "x-systemd.automount"
+        "x-systemd.idle-timeout=60"
+      ];
+    };
+
   };
 
+  systemd.tmpfiles.rules = [
+    "d /storage 0755 ${primaryUser} users -"
+    "d /storage/internal 0755 ${primaryUser} users -"
+    "d /storage/fast 0755 ${primaryUser} users -"
+    "d /storage/backup 0755 ${primaryUser} users -"
+  ];
+
   swapDevices = [
     {
       device = "/swapfile";

nixos/roles/adguard.nix

@@ -50,7 +50,7 @@ in
         };
 
         dhcp = {
-          enabled = false;
+          enabled = true;
           interface_name = primaryInterface;
           local_domain_name = "lan";
           dhcpv4 = {

nixos/roles/filebrowser.nix

@@ -10,10 +10,7 @@
       root = "/storage";
     };
 
-    # If you want the port opened in the firewall:
     openFirewall = true;
   };
 
-  #networking.firewall.allowedTCPPorts = [ 8080 ];
-
 }

nixos/roles/gitea.nix

@@ -13,7 +13,7 @@ let
     stripRoot = false;
   };
 
-  domain = "192.168.2.31"; # swap to git.cyperpunk.de for prod
+  domain = "git.cyperpunk.de"; # swap to git.cyperpunk.de for prod
   httpPort = 9000;
   sshPort = 12222;
 in
@@ -95,7 +95,7 @@ in
         HTTP_PORT = httpPort;
         SSH_PORT = sshPort;
         SSH_LISTEN_PORT = sshPort;
-        ROOT_URL = "http://${domain}:${toString httpPort}/";
+        ROOT_URL = "https://${domain}/";
         DISABLE_SSH = false;
         START_SSH_SERVER = true;
       };

nixos/roles/matrix.nix

@@ -6,8 +6,8 @@ let
 in
 {
   networking.firewall.allowedTCPPorts = [
+    8008
     8448
-    8080
   ];
 
   sops.secrets = {
@@ -18,74 +18,35 @@ in
     };
   };
 
-  services = {
+  services.matrix-synapse = {
-    matrix-synapse = {
+    enable = true;
-      enable = true;
+    settings = {
-      settings = {
+      server_name = "cyperpunk.de";
-        server_name = "cyperpunk.de";
+      public_baseurl = "http://matrix.cyperpunk.de";
-        public_baseurl = "http://matrix.cyperpunk.de";
+      enable_registration = false; # TODO: disable
-        enable_registration = false; # TODO: disable
+      enable_registration_without_verfication = true;
-        enable_registration_without_verfication = true;
+      trusted_key_servers = [ { server_name = "matrix.org"; } ];
-        trusted_key_servers = [ { server_name = "matrix.org"; } ];
+      suppress_key_server_warning = true;
-        suppress_key_server_warning = true;
+      registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
-        registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
+      macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
-        macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
+      listeners = [
-        listeners = [
+        {
-          {
+          port = 8008;
-            port = 8008;
+          bind_addresses = [ "0.0.0.0" ];
-            bind_addresses = [ "127.0.0.1" ];
+          type = "http";
-            type = "http";
+          tls = false;
-            tls = false;
+          x_forwarded = true;
-            x_forwarded = true;
+          resources = [
-            resources = [
-              {
-                names = [
-                  "client"
-                  "federation"
-                ];
-                compress = false;
-              }
-            ];
-          }
-        ];
-      };
-    };
-
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "matrix.cyperpunk.de" = {
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
-            proxyWebsockets = true;
-            extraConfig = ''
-              proxy_set_header Host matrix.cyperpunk.de;
-            '';
-          };
-        };
-        "cinny" = {
-          listen = [
             {
-              addr = "0.0.0.0";
+              names = [
-              port = 8080;
+                "client"
+                "federation"
+              ];
+              compress = false;
             }
           ];
-          locations."/" = {
+        }
-            alias = "${pkgs.cinny}/";
+      ];
-            extraConfig = ''
-              try_files $uri $uri/ /index.html;
-            '';
-          };
-        };
-        "${serverIP}" = {
-          locations = {
-            "/_matrix/" = {
-              proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
-              proxyWebsockets = true;
-            };
-          };
-        };
-      };
     };
   };
 }

nixos/roles/monitoring.nix

@@ -35,10 +35,10 @@ in
       };
       settings = {
         server = {
-          domain = serverIP; # "grafana.cyperpunk.de";
+          domain = "www.cyperpunk.de"; # serverIP; # "grafana.cyperpunk.de";
           http_port = 2342;
-          http_addr = "127.0.0.1";
+          http_addr = "0.0.0.0";
-          root_url = "http://${serverIP}/grafana/";
+          root_url = "http://www.cyperpunk.de/grafana/";
           serve_from_sub_path = true;
         };
         security = {
@@ -51,20 +51,6 @@ in
       };
     };
 
-    # nginx reverse proxy
-    nginx = {
-      enable = true;
-      virtualHosts."${serverIP}" = {
-        locations."/grafana/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
-          proxyWebsockets = true;
-          extraConfig = ''
-            proxy_set_header Host ${serverIP};
-          '';
-        };
-      };
-    };
-
     # TODO: Computers should register themselves
     prometheus = {
       enable = true;
@@ -133,9 +119,7 @@ in
   };
 
   networking.firewall.allowedTCPPorts = [
-    80
+    2342
-    443
-    # TODO: Remove
     9001
     3100
   ];

nixos/roles/vaultwarden.nix

@@ -17,13 +17,12 @@ in
     backupDir = "/var/local/vaultwarden/backup";
 
     config = {
-      DOMAIN = "http://${ip}:${toString port}";
+      DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}";
       ROCKET_ADDRESS = "0.0.0.0";
       ROCKET_PORT = port;
       ROCKET_LOG = "critical";
       SIGNUPS_ALLOWED = true;
       WEBSOCKET_ENABLED = true;
-      ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
     };
   };
 
@@ -34,39 +33,21 @@ in
 
   networking.firewall.allowedTCPPorts = [ port ];
 
-  systemd.services.vaultwarden-backup-rotate = {
+  systemd = {
-    description = "Rotate old Vaultwarden backups";
+    services.vaultwarden-backup-rotate = {
-    serviceConfig = {
+      description = "Rotate old Vaultwarden backups";
-      Type = "oneshot";
+      serviceConfig = {
-      ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
+        Type = "oneshot";
+        ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
+      };
     };
-  };
 
-  systemd.timers.vaultwarden-backup-rotate = {
+    timers.vaultwarden-backup-rotate = {
-    wantedBy = [ "timers.target" ];
+      wantedBy = [ "timers.target" ];
-    timerConfig = {
+      timerConfig = {
-      OnCalendar = "daily";
+        OnCalendar = "daily";
-      Persistent = true;
+        Persistent = true;
+      };
     };
   };
-
-  # TODO: Remove for proper TLS Setup
-  systemd.services.vaultwarden-gen-cert = {
-    description = "Generate self-signed cert for Vaultwarden";
-    before = [ "vaultwarden.service" ];
-    wantedBy = [ "vaultwarden.service" ];
-    serviceConfig.Type = "oneshot";
-    script = ''
-      mkdir -p /var/lib/vaultwarden/ssl
-      if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
-        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
-          -keyout /var/lib/vaultwarden/ssl/key.pem \
-          -out /var/lib/vaultwarden/ssl/cert.pem \
-          -days 3650 \
-          -subj "/CN=${ip}" \
-          -addext "subjectAltName=IP:${ip}"
-        chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
-      fi
-    '';
-  };
 }