Compare commits
4 commits
7f12cb9bdc
...
9ec97fbda5
Author | SHA1 | Date | |
---|---|---|---|
Tigor Hutasuhut | 9ec97fbda5 | ||
Tigor Hutasuhut | b1156f42fb | ||
Tigor Hutasuhut | dab8841e4d | ||
Tigor Hutasuhut | 69fa74b1d5 |
|
@ -14,6 +14,10 @@
|
||||||
hostname = lib.mkOption {
|
hostname = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
|
networking.externalInterface = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
user = {
|
user = {
|
||||||
name = lib.mkOption {
|
name = lib.mkOption {
|
||||||
|
|
|
@ -2,10 +2,7 @@
|
||||||
{
|
{
|
||||||
options.profile.podman = {
|
options.profile.podman = {
|
||||||
enable = lib.mkEnableOption "podman";
|
enable = lib.mkEnableOption "podman";
|
||||||
caddy.enable = lib.mkOption {
|
caddy.enable = lib.mkEnableOption "caddy podman";
|
||||||
type = lib.types.bool;
|
kavita.enable = lib.mkEnableOption "kavita podman";
|
||||||
default = true;
|
|
||||||
};
|
|
||||||
kavita.enable = lib.mkEnableOption "kavita docker";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,5 +10,7 @@ in
|
||||||
kavita.enable = mkEnableOption "kavita";
|
kavita.enable = mkEnableOption "kavita";
|
||||||
samba.enable = mkEnableOption "samba";
|
samba.enable = mkEnableOption "samba";
|
||||||
nextcloud.enable = mkEnableOption "nextcloud";
|
nextcloud.enable = mkEnableOption "nextcloud";
|
||||||
|
syncthing.enable = mkEnableOption "syncthing";
|
||||||
|
openvpn.enable = mkEnableOption "openvpn";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
|
|
||||||
profile = {
|
profile = {
|
||||||
hostname = "homeserver";
|
hostname = "homeserver";
|
||||||
|
networking.externalInterface = "enp9s0";
|
||||||
user = {
|
user = {
|
||||||
name = "homeserver";
|
name = "homeserver";
|
||||||
fullName = "Homeserver";
|
fullName = "Homeserver";
|
||||||
|
@ -23,8 +24,6 @@
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
podman = {
|
podman = {
|
||||||
enable = true;
|
enable = true;
|
||||||
caddy.enable = false;
|
|
||||||
kavita.enable = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
@ -34,6 +33,8 @@
|
||||||
kavita.enable = true;
|
kavita.enable = true;
|
||||||
samba.enable = true;
|
samba.enable = true;
|
||||||
nextcloud.enable = true;
|
nextcloud.enable = true;
|
||||||
|
syncthing.enable = true;
|
||||||
|
openvpn.enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
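--- a/secrets/kavita.yaml
+++ b/secrets/kavita.yaml
@@ -0,0 +1,24 @@
+kavita:
+token: ENC[AES256_GCM,data:58jQJq5H/QA/yFlfZgHWrSgE3X+c1F96s+8jIGxzWRb91m4KJ8lGy6NHyZpev5l4XhV3ghhM2/0Gs7HNZn8jn5hdrMsvk0a1iG8Rw9PaF+bnERPOFDO9zQ==,iv:uwPYTIRFvCfMxYmHZOMRKkqi3J0MNiedvbVkqlh+hUs=,tag:cG/IwPO1qjQA/NgsRQhIFQ==,type:str]
+api_key: ENC[AES256_GCM,data:SDfzZNTj5GJC6uzz7DP/k8s4Yzr8p/8pIBqvECndF4pxg0nD,iv:j1fw5Nm05PcbI8+wViQ4t/rd+BgflVnUNzbzVzmTmsY=,tag:TA6dvBw+fZpMhNeG9klRdg==,type:str]
+opds_url: ENC[AES256_GCM,data:qgtncw2H/mrCKrdGJdjA2AtQp2lUZGFmT21u1RdMRjAyxxzEfC1kCwQHbhaIlxvKn1M/CqXpa/gXrZAM+TptCAoyN2Kn28DmbA==,iv:o5XJl35EZumAcPiK9NmnPV65YSu8Y4fgIgHmXzoGdqA=,tag:ZQvnWdfAofAfA8EWr7jA0g==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa0c1VlR4V1RUWE1vNUg2
+bXpuNStTRWozRGhaTGZtcGtMWDBUbm1OREZZClJDQm1uRytFRFNyenY1RUloVXNv
+Q0F6bFNjMFZZUFUxT1JQTHJnd0Z1QUUKLS0tIEpOaUw4OEdRVUhvYmNoYTRaL2Zy
+SjFCNUtDbWticUs3d05PS3NuVW00TFkKlqV1V+/Eb5gMj/5NMprAElkBWrO/8tkl
+/exWXMOie/WCKiwryoyLe6yms+aOl6x5csbyJtpO2piRs7Xp1sso7g==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-06-14T04:52:39Z"
+mac: ENC[AES256_GCM,data:WJrCCdEEaxm/b7KurXl3KUjgnT7sLKkqeu8MhYhKTOajcqTYeLcHZDNu0XZpuB1xJowP8aS9v8aTFkJIexvT44Fqf23qzzYSjSqTyR+0yjGXwJxImB3/noHtYiDMXd/TGhdyLhzPnicoOFy8qsNGy2wvFGhEKxwGT0dQf2Wuvr0=,iv:KVhNsFHkW1cLEeMjxEpyhguFp8LMhw0yF6qkPqh8238=,tag:oMXDVoIGUIRPJEfKpY+7vA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1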
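--- a/secrets/openvpn.yaml
+++ b/secrets/openvpn.yaml
@@ -0,0 +1,26 @@
+openvpn:
+server:
+ip: ENC[AES256_GCM,data:hv/lHgWGsx1LBR3wcg7O,iv:JtkecUzT50YGgDQMNlXQC9C1h53sm46EYfhdzT+0K9s=,tag:sdCiPlus1DJRPoET2e4HIQ==,type:str]
+key:
+phone: ENC[AES256_GCM,data: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,iv:y6rP58/eIdMOWK1KsIYOL3pve4ew8mLQZBmIWjVWRCM=,tag:PlUTapNdWwkVKqy2yzLTdQ==,type:str]
+laptop: ENC[AES256_GCM,data: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,iv:s8yYzh/sF2Nb+fnr+/X9GhGCg2Ft/bNJk5L+FQhG3nU=,tag:NT7jH148RvcjnmsarL9qZQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnpHV0dlaWxXSDNnYnBa
+NDhaMWdEMDB2allPUm9MUll0QVNWUmNNZlN3CkUxNFF6YmMxMjdWRDlMMTNHZUNq
+YVJDQWZWT1pVWkFDMVA1ank1amUySjQKLS0tIEs2SFNWTEhLRjdaM2sya3FmYVdP
+NmVZSk5jUUs3ZnhCTC9NOEQ1WkRJem8KvwC+Tc67NgV6rJM9vdfWbVaJSrX7xZS4
+aRvTzGL4Q2e+BnrFcyX8QiiZFgEUGEbk6MYbPELeGapwW79WvHzP8A==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-06-14T09:39:43Z"
+mac: ENC[AES256_GCM,data:OnbOkWUCl8Oa+XXHJ8sQVZ+8rQ/XFmMXQlzgJA/wXJgKAdU/FPF6XnfdYdXTH7MTu/nRhctnnRaTbPWaGaWYSejdPOQcu60z53lbALuRAWZXHAa0/tGC6pFV//3TwLd5FduOq9NnPeO0lM4yWF67z1wTDpygnrqoHDkY53OpGvU=,iv:Oj7UIFBg4/We07GD+mIJNb6K/QiGSvOXdNeyf2ezxck=,tag:rvG1y6xR1XaK5e5M9X/jrg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1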
|
@ -6,5 +6,8 @@
|
||||||
./forgejo.nix
|
./forgejo.nix
|
||||||
./samba.nix
|
./samba.nix
|
||||||
./nextcloud.nix
|
./nextcloud.nix
|
||||||
|
./syncthing.nix
|
||||||
|
./kavita.nix
|
||||||
|
./openvpn.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
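--- a/system/services/kavita.nix
+++ b/system/services/kavita.nix
@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+let
+cfg = config.profile.services.kavita;
+user = config.profile.user;
+inherit (lib) mkIf;
+in
+{
+config = mkIf cfg.enable {
+fileSystems."/nas/kavita" = {
+device = "/var/lib/kavita";
+fsType = "none";
+options = [ "bind" ];
+};
+users.groups.kavita.members = [ user.name ];
+users.groups.${user.name}.members = [ "kavita" ]; # Allow kavita to read users's files copied to /var/lib/kavita via NAS
+sops.secrets."kavita/token" = {
+owner = "kavita";
+sopsFile = ../../secrets/kavita.yaml;
+};
+services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = ''
+reverse_proxy 0.0.0.0:${toString config.services.kavita.settings.Port}
+'';
+services.kavita = {
+enable = true;
+tokenKeyFile = config.sops.secrets."kavita/token".path;
+settings = {
+Port = 40001;
+};
+};
+};
+}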
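Review bot: The Caddy vhost proxies to `0.0.0.0:${toString config.services.kavita.settings.Port}` and nothing in `services.kavita` restricts Kavita's own listen address, so the application is reachable on every interface and is shielded only by the host firewall (and not at all on any interface the firewall treats as trusted); bind it to loopback and proxy to the same address, `reverse_proxy 127.0.0.1:${toString config.services.kavita.settings.Port}` plus `settings.IpAddresses = "127.0.0.1";` if the module exposes that setting as recent releases do. The same `0.0.0.0` proxy target appears in the new syncthing.nix vhost. The bind mount publishes the whole of `/var/lib/kavita`, presumably including Kavita's database, under `/nas/kavita`; if that tree is exported by another service, narrow the mount to the library directory. The comment on `users.groups.${user.name}.members` explains the intent, but it gives the kavita service every file the user's primary group can read, which is broader than the NAS path it needs.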
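--- a/system/services/openvpn.nix
+++ b/system/services/openvpn.nix
@@ -0,0 +1,125 @@
+# It's a pain setting up Certificate Authority, Public Key Infrastructure, etc. for OpenVPN.
+# Instead setup multiple openvpn servers with multiple ports, with each server having one client.
+#
+# Does not scale well, but it's good enough for personal use.
+#
+# TODO: Create CA, and ROOTCA, and use them to sign the keys, then store in sops-nix secrets.
+
+
+{ config, lib, pkgs, ... }:
+let
+cfg = config.profile.services.openvpn;
+domain = "vpn.tigor.web.id";
+portLaptop = 1194;
+portPhone = 1195;
+vpn-dev-laptop = "tun0";
+vpn-dev-phone = "tun1";
+externalInterface = config.profile.networking.externalInterface;
+inherit (lib) mkIf;
+in
+{
+config = mkIf cfg.enable {
+environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key
+
+networking.nat = {
+enable = true;
+inherit externalInterface;
+internalInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
+};
+
+networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
+networking.firewall.allowedUDPPorts = [ portLaptop portPhone ];
+
+sops = {
+# Activate the secrets.
+secrets =
+let
+opts = {
+sopsFile = ../../secrets/openvpn.yaml;
+};
+in
+{
+"openvpn/server/ip" = opts;
+"openvpn/key/phone" = opts;
+"openvpn/key/laptop" = opts;
+};
+
+# This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients.
+templates =
+let
+template = { secretPlaceholder, port, ifConfig }: ''
+dev tun
+remote "${config.sops.placeholder."openvpn/server/ip"}"
+port ${toString port}
+ifconfig ${ifConfig}
+redirect-gateway def1
+
+cipher AES-256-CBC
+auth-nocache
+
+comp-lzo
+keepalive 10 60
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+secret [inline]
+
+<secret>
+${secretPlaceholder}
+</secret>
+'';
+in
+{
+"openvpn/key/phone" = {
+content = template {
+secretPlaceholder = config.sops.placeholder."openvpn/key/phone";
+port = portPhone;
+ifConfig = "10.8.1.1 10.8.1.2";
+};
+path = "/etc/openvpn/phone.ovpn";
+owner = config.profile.user.name;
+};
+"openvpn/key/laptop" = {
+content = template {
+secretPlaceholder = config.sops.placeholder."openvpn/key/laptop";
+port = portLaptop;
+ifConfig = "10.8.2.1 10.8.2.2";
+};
+path = "/etc/openvpn/laptop.ovpn";
+owner = config.profile.user.name;
+};
+};
+};
+services.openvpn.servers =
+let
+configTemplate = { secretFile, port, dev }: ''
+dev ${dev}
+proto udp
+secret ${secretFile}
+port ${toString port}
+
+cipher AES-256-CBC
+auth-nocache
+
+comp-lzo
+keepalive 10 60
+ping-timer-rem
+persist-tun
+persist-key
+'';
+in
+{
+phone = {
+config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; };
+autoStart = true;
+};
+laptop = {
+config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; };
+autoStart = true;
+};
+};
+};
+}
+
+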
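Review bot: The server-side `configTemplate` sets no `ifconfig`, while each client template carries `ifconfig 10.8.x.1 10.8.x.2`; in static-key point-to-point mode both peers need mirrored addresses, so as written the host's tun0/tun1 get no address and no return route to the clients unless that is configured outside this file. `domain = "vpn.tigor.web.id"` is bound in the `let` but never used (the client `remote` line uses the IP placeholder), so either drop it or make it the `remote`. Two hardening caveats on the generated configs: `comp-lzo` turns on compression inside the tunnel, which OpenVPN deprecates because compressed-then-encrypted traffic is exposed to compression-oracle attacks, so it is safer to omit it on both sides; and `networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ]` lets each pre-shared-key client reach every service on the host, where listing only the needed ports for those interfaces would be the least-privilege choice.
```nix
configTemplate = { secretFile, port, dev, ifConfig }: ''
dev ${dev}
proto udp
ifconfig ${ifConfig}
secret ${secretFile}
port ${toString port}
# … unchanged: cipher, auth-nocache, keepalive, persist options …
'';
# … unchanged: in …
phone = {
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; ifConfig = "10.8.1.2 10.8.1.1"; };
autoStart = true;
};
laptop = {
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; ifConfig = "10.8.2.2 10.8.2.1"; };
autoStart = true;
};
```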
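--- a/system/services/syncthing.nix
+++ b/system/services/syncthing.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+let
+cfg = config.profile.services.syncthing;
+inherit (lib) mkIf;
+in
+{
+config = mkIf cfg.enable {
+services.caddy.virtualHosts."syncthing.tigor.web.id".extraConfig = ''
+reverse_proxy 0.0.0.0:8384
+'';
+services.syncthing = {
+enable = true;
+settings = {
+options.urAccepted = 1; # Allow anonymous usage reporting.
+};
+overrideFolders = false;
+overrideDevices = false;
+openDefaultPorts = true;
+guiAddress = "0.0.0.0:8384";
+};
+};
+}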
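Review bot: `guiAddress = "0.0.0.0:8384"` publishes the Syncthing admin UI on every interface and the Caddy vhost forwards it to the public hostname, yet nothing in this file sets GUI credentials; with `overrideDevices`/`overrideFolders` false the configuration is presumably managed through that UI, so unless a password has been set there the management interface is open to anyone who reaches the vhost or a trusted interface. Either bind to loopback so only the local proxy can reach it, `guiAddress = "127.0.0.1:8384";` together with `reverse_proxy 127.0.0.1:8384`, and put authentication on the vhost, or set the GUI user and password through the freeform `settings.gui` from a sops secret. A short comment on the `guiAddress` line saying which of these protects the UI would make the intent clear to the next reader.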