system: added services config

2024-06-13 13:52:45 +07:00 · 2024-06-13 13:52:45 +07:00 · 507b91bc52
parent 906d35e44d
commit 507b91bc52
5 changed files with 60 additions and 4 deletions
--- a/secrets/caddy_reverse_proxy.yaml
+++ b/secrets/caddy_reverse_proxy.yaml
@ -1,5 +1,5 @@
-#ENC[AES256_GCM,data:wyNRZzsDfae8R/ADyKc8w3Gx9mIQmx7yEEqWFCdhEtUTu5SPvQGwIB3zvV24Sk203jh4tA==,iv:mmPKoZVX241G6KvqbEMq/iqJDF7KVDOuF1kdanYgEgw=,tag:Uh8SxJHtESO+q97Xgp80Gg==,type:comment]
-forgejo: ENC[AES256_GCM,data:5XXkzc7U4/Fx9QtKPlB3BaF7STExgWz0RMpNxNEElF42Yh18pf6oV8O7cjhud4RiAi+y,iv:84F0WEzryK17RuAnix0EdXjfmA+ln9/ozPOlCRI65YA=,tag:ksRj3fXo3Bnd6zgd9vsSow==,type:str]
+forgejo: ENC[AES256_GCM,data:w/qGCqEsbzhgCmGiy4pqvwjEbIWhOIPjQyQyNtbiBzadrFxG6+cxFQJ1gY/q9tENuogKoVdCtKdHYONM6gs+yd3+/Xk=,iv:u5P7so4J3OeHmnf33ss2X7f8GAA04I0/mw1/MUy6C3Y=,tag:nYhY/ecas7dPYP6FwEnOsg==,type:str]
+cockpit: ENC[AES256_GCM,data:5/ztOP1mJwKlcLS0RLqbre2nMOphIg59+/Dqz3njZW7jDJm37gMdgaPpY+eA5IWBMW7gZNCcVA==,iv:mmGsqA7U3rzhZ40BUReMlDaKxzKsDTw0mSZzcpu2QB4=,tag:jwmqiMGbENjX4B8GbPHcjw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -15,8 +15,8 @@ sops:
            OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
            +bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-13T05:31:48Z"
-    mac: ENC[AES256_GCM,data:J4oXHZeqH+h5Yq+wOzC0Bhx42/pS9hxeybeEtsWaymMgjKUbj4QpdF9mYXwRawp4juLrHIgGAypW0iFrgTkDpzY5AKrwN23CJQwxQtuCLkZXzm4QJ46fR60Rtf8Kx92wKpOaLknxa9k5L6nK0G7FU9m2afxPb5MsqH3o6WubVG8=,iv:49BL9vpS67SkhZbZlyjIl0Ip2MWwK5/tya/2O8mVXGE=,tag:9A08TsIP22nGNBMhmAGhrg==,type:str]
+    lastmodified: "2024-06-13T06:44:09Z"
+    mac: ENC[AES256_GCM,data:S0/He8nAYp524SIteg1bd7aa4b7OJ2jshP/x+m9Grt+9fI8ZN42XpcW/u7JA6xV2eAJ7ZS4YBt965V6ttJu/Ric0xRzdG/evK9zrG0CFcoY8Di9eBU/KqBSyXxO7E/ZYamp9AQpkO9KzsSBYYStkZe4FjPy/5o4bSCjkLOIPO1w=,iv:OR42uFaNxMHAdaq1JZLz4B+cPZPJw5TP97W+rbHckK0=,tag:BXKF4WSHDZ63eyzNNBR2JA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/system/default.nix
+++ b/system/default.nix
@ -4,6 +4,7 @@
    profile-path
    hardware-configuration
    ./modules
+    ./services
    ./podman
    ./docker
    ./programs.nix
--- a/system/services/caddy.nix
+++ b/system/services/caddy.nix
@ -0,0 +1,17 @@
+{ config, lib, ... }:
+let
+  cfg = config.profile.services.caddy;
+  inherit (lib) mkIf mkEnableOption;
+in
+{
+  options.profile.services.caddy.enable = mkEnableOption "Caddy";
+
+  config = mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+      extraConfig = ''
+        import /etc/caddy/sites-enabled/*
+      '';
+    };
+  };
+}
--- a/system/services/cockpit.nix
+++ b/system/services/cockpit.nix
@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.profile.services.cockpit;
+  inherit (lib) mkIf mkEnableOption;
+in
+{
+  options.profile.services.cockpit.enable = mkEnableOption "cockpit";
+  config = mkIf cfg.enable {
+    environment.systemPackages = mkIf config.profile.podman.enable [
+      (pkgs.callPackage ../packages/cockpit-podman.nix { })
+    ];
+    sops.secrets."cockpit" = {
+      sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
+      path = "/etc/caddy/sites-enabled/cockpit";
+    };
+    services.cockpit = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        WebService = {
+          AllowUnencrypted = true;
+          ProtocolHeader = "X-Forwarded-Proto";
+          ForwardedForHeader = "X-Forwarded-For";
+        };
+        Session = {
+          IdleTimeout = 120; # 2 hours.
+        };
+      };
+    };
+  };
+}
--- a/system/services/default.nix
+++ b/system/services/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./caddy.nix
+    ./cockpit.nix
+  ];
+}