Merge branch 'main' of https://git.cyperpunk.de/DerGrumpf/cyper-nix

hosts/cyper-controller/configuration.nix

@@ -6,7 +6,7 @@
     ../../nixos/roles/postgresql.nix
     ../../nixos/roles/wyl.nix
     ../../nixos/roles/adguard.nix
-    ../../nixos/roles/unifi.nix
+#    ../../nixos/roles/unifi.nix
     ../../nixos/roles/searxng.nix
     ../../nixos/roles/filebrowser.nix
     ../../nixos/roles/gitea.nix

hosts/cyper-controller/hardware-configuration.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   modulesPath,
+  primaryUser,
   ...
 }:
 
@@ -21,6 +22,7 @@
     kernelModules = [ "kvm-intel" ];
     extraModulePackages = [ ];
   };
+
   fileSystems = {
     "/" = lib.mkForce {
       device = "/dev/disk/by-label/NIXROOT";
@@ -37,8 +39,47 @@
     };
 
     # TODO: Add External Devices as by-label with no necessity for boot
+    "/storage/internal" = {
+      device = "/dev/disk/by-label/STORAGE";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd"
+        "noatime"
+        "nofail"
+      ];
     };
 
+    "/storage/fast" = {
+      device = "/dev/disk/by-label/FAST";
+      fsType = "ext4";
+      options = [
+        "nofail"
+        "noatime"
+        "x-systemd.automount"
+        "x-systemd.idle-timeout=60"
+      ];
+    };
+
+    "/storage/backup" = {
+      device = "/dev/disk/by-label/BACKUP";
+      fsType = "ext4";
+      options = [
+        "nofail"
+        "noatime"
+        "x-systemd.automount"
+        "x-systemd.idle-timeout=60"
+      ];
+    };
+
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /storage 0755 ${primaryUser} users -"
+    "d /storage/internal 0755 ${primaryUser} users -"
+    "d /storage/fast 0755 ${primaryUser} users -"
+    "d /storage/backup 0755 ${primaryUser} users -"
+  ];
+
   swapDevices = [
     {
       device = "/swapfile";

nixos/roles/adguard.nix

@@ -50,7 +50,7 @@ in
         };
 
         dhcp = {
-          enabled = false;
+          enabled = true;
           interface_name = primaryInterface;
           local_domain_name = "lan";
           dhcpv4 = {

nixos/roles/filebrowser.nix

@@ -10,10 +10,7 @@
       root = "/storage";
     };
 
-    # If you want the port opened in the firewall:
     openFirewall = true;
   };
 
-  #networking.firewall.allowedTCPPorts = [ 8080 ];
-
 }

nixos/roles/gitea.nix

@@ -13,7 +13,7 @@ let
     stripRoot = false;
   };
 
-  domain = "192.168.2.31"; # swap to git.cyperpunk.de for prod
+  domain = "git.cyperpunk.de"; # swap to git.cyperpunk.de for prod
   httpPort = 9000;
   sshPort = 12222;
 in
@@ -95,7 +95,7 @@ in
         HTTP_PORT = httpPort;
         SSH_PORT = sshPort;
         SSH_LISTEN_PORT = sshPort;
-        ROOT_URL = "http://${domain}:${toString httpPort}/";
+        ROOT_URL = "https://${domain}/";
         DISABLE_SSH = false;
         START_SSH_SERVER = true;
       };

nixos/roles/matrix.nix

@@ -6,8 +6,8 @@ let
 in
 {
   networking.firewall.allowedTCPPorts = [
+    8008
     8448
-    8080
   ];
 
   sops.secrets = {
@@ -18,8 +18,7 @@ in
     };
   };
 
-  services = {
-    matrix-synapse = {
+  services.matrix-synapse = {
     enable = true;
     settings = {
       server_name = "cyperpunk.de";
@@ -33,7 +32,7 @@ in
       listeners = [
         {
           port = 8008;
-            bind_addresses = [ "127.0.0.1" ];
+          bind_addresses = [ "0.0.0.0" ];
           type = "http";
           tls = false;
           x_forwarded = true;
@@ -50,42 +49,4 @@ in
       ];
     };
   };
-
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "matrix.cyperpunk.de" = {
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
-            proxyWebsockets = true;
-            extraConfig = ''
-              proxy_set_header Host matrix.cyperpunk.de;
-            '';
-          };
-        };
-        "cinny" = {
-          listen = [
-            {
-              addr = "0.0.0.0";
-              port = 8080;
-            }
-          ];
-          locations."/" = {
-            alias = "${pkgs.cinny}/";
-            extraConfig = ''
-              try_files $uri $uri/ /index.html;
-            '';
-          };
-        };
-        "${serverIP}" = {
-          locations = {
-            "/_matrix/" = {
-              proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
-              proxyWebsockets = true;
-            };
-          };
-        };
-      };
-    };
-  };
 }

nixos/roles/monitoring.nix

@@ -35,10 +35,10 @@ in
       };
       settings = {
         server = {
-          domain = serverIP; # "grafana.cyperpunk.de";
+          domain = "www.cyperpunk.de"; # serverIP; # "grafana.cyperpunk.de";
           http_port = 2342;
-          http_addr = "127.0.0.1";
-          root_url = "http://${serverIP}/grafana/";
+          http_addr = "0.0.0.0";
+          root_url = "http://www.cyperpunk.de/grafana/";
           serve_from_sub_path = true;
         };
         security = {
@@ -51,20 +51,6 @@ in
       };
     };
 
-    # nginx reverse proxy
-    nginx = {
-      enable = true;
-      virtualHosts."${serverIP}" = {
-        locations."/grafana/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
-          proxyWebsockets = true;
-          extraConfig = ''
-            proxy_set_header Host ${serverIP};
-          '';
-        };
-      };
-    };
-
     # TODO: Computers should register themselves
     prometheus = {
       enable = true;
@@ -133,9 +119,7 @@ in
   };
 
   networking.firewall.allowedTCPPorts = [
-    80
-    443
-    # TODO: Remove
+    2342
     9001
     3100
   ];

nixos/roles/vaultwarden.nix

@@ -17,13 +17,12 @@ in
     backupDir = "/var/local/vaultwarden/backup";
 
     config = {
-      DOMAIN = "http://${ip}:${toString port}";
+      DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}";
       ROCKET_ADDRESS = "0.0.0.0";
       ROCKET_PORT = port;
       ROCKET_LOG = "critical";
       SIGNUPS_ALLOWED = true;
       WEBSOCKET_ENABLED = true;
-      ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
     };
   };
 
@@ -34,7 +33,8 @@ in
 
   networking.firewall.allowedTCPPorts = [ port ];
 
-  systemd.services.vaultwarden-backup-rotate = {
+  systemd = {
+    services.vaultwarden-backup-rotate = {
       description = "Rotate old Vaultwarden backups";
       serviceConfig = {
         Type = "oneshot";
@@ -42,31 +42,12 @@ in
       };
     };
 
-  systemd.timers.vaultwarden-backup-rotate = {
+    timers.vaultwarden-backup-rotate = {
       wantedBy = [ "timers.target" ];
       timerConfig = {
         OnCalendar = "daily";
         Persistent = true;
       };
     };
-
-  # TODO: Remove for proper TLS Setup
-  systemd.services.vaultwarden-gen-cert = {
-    description = "Generate self-signed cert for Vaultwarden";
-    before = [ "vaultwarden.service" ];
-    wantedBy = [ "vaultwarden.service" ];
-    serviceConfig.Type = "oneshot";
-    script = ''
-      mkdir -p /var/lib/vaultwarden/ssl
-      if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
-        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
-          -keyout /var/lib/vaultwarden/ssl/key.pem \
-          -out /var/lib/vaultwarden/ssl/cert.pem \
-          -days 3650 \
-          -subj "/CN=${ip}" \
-          -addext "subjectAltName=IP:${ip}"
-        chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
-      fi
-    '';
   };
 }