From 507b91bc524da269bea8a775c4230715aad7588e Mon Sep 17 00:00:00 2001
From: Tigor Hutasuhut
Date: Thu, 13 Jun 2024 13:52:45 +0700
Subject: [PATCH] system: added services config

---
 secrets/caddy_reverse_proxy.yaml | 8 ++++----
 system/default.nix | 1 +
 system/services/caddy.nix | 17 +++++++++++++++++
 system/services/cockpit.nix | 31 +++++++++++++++++++++++++++++++
 system/services/default.nix | 7 +++++++
 5 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 system/services/caddy.nix
 create mode 100644 system/services/cockpit.nix
 create mode 100644 system/services/default.nix

diff --git a/secrets/caddy_reverse_proxy.yaml b/secrets/caddy_reverse_proxy.yaml
index 9ceabf1..d0b3145 100644
--- a/secrets/caddy_reverse_proxy.yaml
+++ b/secrets/caddy_reverse_proxy.yaml
@@ -1,5 +1,5 @@
-#ENC[AES256_GCM,data:wyNRZzsDfae8R/ADyKc8w3Gx9mIQmx7yEEqWFCdhEtUTu5SPvQGwIB3zvV24Sk203jh4tA==,iv:mmPKoZVX241G6KvqbEMq/iqJDF7KVDOuF1kdanYgEgw=,tag:Uh8SxJHtESO+q97Xgp80Gg==,type:comment]
-forgejo: ENC[AES256_GCM,data:5XXkzc7U4/Fx9QtKPlB3BaF7STExgWz0RMpNxNEElF42Yh18pf6oV8O7cjhud4RiAi+y,iv:84F0WEzryK17RuAnix0EdXjfmA+ln9/ozPOlCRI65YA=,tag:ksRj3fXo3Bnd6zgd9vsSow==,type:str]
+forgejo: ENC[AES256_GCM,data:w/qGCqEsbzhgCmGiy4pqvwjEbIWhOIPjQyQyNtbiBzadrFxG6+cxFQJ1gY/q9tENuogKoVdCtKdHYONM6gs+yd3+/Xk=,iv:u5P7so4J3OeHmnf33ss2X7f8GAA04I0/mw1/MUy6C3Y=,tag:nYhY/ecas7dPYP6FwEnOsg==,type:str]
+cockpit: ENC[AES256_GCM,data:5/ztOP1mJwKlcLS0RLqbre2nMOphIg59+/Dqz3njZW7jDJm37gMdgaPpY+eA5IWBMW7gZNCcVA==,iv:mmGsqA7U3rzhZ40BUReMlDaKxzKsDTw0mSZzcpu2QB4=,tag:jwmqiMGbENjX4B8GbPHcjw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -15,8 +15,8 @@ sops:
 OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
 +bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-13T05:31:48Z"
- mac: ENC[AES256_GCM,data:J4oXHZeqH+h5Yq+wOzC0Bhx42/pS9hxeybeEtsWaymMgjKUbj4QpdF9mYXwRawp4juLrHIgGAypW0iFrgTkDpzY5AKrwN23CJQwxQtuCLkZXzm4QJ46fR60Rtf8Kx92wKpOaLknxa9k5L6nK0G7FU9m2afxPb5MsqH3o6WubVG8=,iv:49BL9vpS67SkhZbZlyjIl0Ip2MWwK5/tya/2O8mVXGE=,tag:9A08TsIP22nGNBMhmAGhrg==,type:str]
+ lastmodified: "2024-06-13T06:44:09Z"
+ mac: ENC[AES256_GCM,data:S0/He8nAYp524SIteg1bd7aa4b7OJ2jshP/x+m9Grt+9fI8ZN42XpcW/u7JA6xV2eAJ7ZS4YBt965V6ttJu/Ric0xRzdG/evK9zrG0CFcoY8Di9eBU/KqBSyXxO7E/ZYamp9AQpkO9KzsSBYYStkZe4FjPy/5o4bSCjkLOIPO1w=,iv:OR42uFaNxMHAdaq1JZLz4B+cPZPJw5TP97W+rbHckK0=,tag:BXKF4WSHDZ63eyzNNBR2JA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/system/default.nix b/system/default.nix
index 0b17684..c7a16ad 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -4,6 +4,7 @@
 profile-path
 hardware-configuration
 ./modules
+ ./services
 ./podman
 ./docker
 ./programs.nix
diff --git a/system/services/caddy.nix b/system/services/caddy.nix
new file mode 100644
index 0000000..17cc8a1
--- /dev/null
+++ b/system/services/caddy.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+let
+ cfg = config.profile.services.caddy;
+ inherit (lib) mkIf mkEnableOption;
+in
+{
+ options.profile.services.caddy.enable = mkEnableOption "Caddy";
+
+ config = mkIf cfg.enable {
+ services.caddy = {
+ enable = true;
+ extraConfig = ''
+ import /etc/caddy/sites-enabled/*
+ '';
+ };
+ };
+}
diff --git a/system/services/cockpit.nix b/system/services/cockpit.nix
new file mode 100644
index 0000000..08328ac
--- /dev/null
+++ b/system/services/cockpit.nix
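Review bot: The `import /etc/caddy/sites-enabled/*` line pulls site definitions from a path outside the Nix store, and nothing in caddy.nix says who populates that directory, under what ownership, or how Caddy learns about changes; a reader of this file alone cannot tell that cockpit.nix drops a sops-decrypted snippet there. I'd add a comment above `extraConfig`: `# Site snippets are decrypted into /etc/caddy/sites-enabled by sops-nix (see cockpit.nix); they must be readable by the caddy service user.` Because those files are written at activation rather than baked into the store, caddy.service's unit does not change when a snippet changes, so each secret placed there should presumably declare `restartUnits = [ "caddy.service" ];` — worth stating here as the contract for anyone adding a site.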
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.profile.services.cockpit;
+ inherit (lib) mkIf mkEnableOption;
+in
+{
+ options.profile.services.cockpit.enable = mkEnableOption "cockpit";
+ config = mkIf cfg.enable {
+ environment.systemPackages = mkIf config.profile.podman.enable [
+ (pkgs.callPackage ../packages/cockpit-podman.nix { })
+ ];
+ sops.secrets."cockpit" = {
+ sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
+ path = "/etc/caddy/sites-enabled/cockpit";
+ };
+ services.cockpit = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ WebService = {
+ AllowUnencrypted = true;
+ ProtocolHeader = "X-Forwarded-Proto";
+ ForwardedForHeader = "X-Forwarded-For";
+ };
+ Session = {
+ IdleTimeout = 120; # 2 hours.
+ };
+ };
+ };
+ };
+}
diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..5194a89
--- /dev/null
+++ b/system/services/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./caddy.nix
+ ./cockpit.nix
+ ];
+}
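Review bot: The `sops.secrets."cockpit"` entry sets only `sopsFile` and `path`, so the decrypted site file at `/etc/caddy/sites-enabled/cockpit` gets sops-nix's defaults (owner root, mode 0400), which the NixOS Caddy service running as the `caddy` user cannot read, so the glob import in caddy.nix will not pick it up. Add `owner = config.services.caddy.user;` and `restartUnits = [ "caddy.service" ];` to that block so Caddy can read the snippet and reloads when it changes. Separately, `openFirewall = true` combined with `AllowUnencrypted = true` exposes Cockpit's plaintext listener (default port 9090) to the network, although the `X-Forwarded-*` settings show the intent is to reach it only through the TLS-terminating Caddy proxy on the same host; unless remote clients genuinely need direct access, drop `openFirewall` so logins only transit the proxy. The `config.profile.podman.enable` reference is presumably defined by the podman module imported in system/default.nix — verify, since an undefined option here fails evaluation.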