Compare commits

..

No commits in common. "9ec97fbda5a74fa876ab74d79c696f3ac0f4b8d6" and "7f12cb9bdc471bf74abb2b65c5354e710bbbe069" have entirely different histories.

10 changed files with 7 additions and 242 deletions

View file

@ -14,10 +14,6 @@
hostname = lib.mkOption { hostname = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
networking.externalInterface = lib.mkOption {
type = lib.types.str;
default = "eth0";
};
user = { user = {
name = lib.mkOption { name = lib.mkOption {

View file

@ -2,7 +2,10 @@
{ {
options.profile.podman = { options.profile.podman = {
enable = lib.mkEnableOption "podman"; enable = lib.mkEnableOption "podman";
caddy.enable = lib.mkEnableOption "caddy podman"; caddy.enable = lib.mkOption {
kavita.enable = lib.mkEnableOption "kavita podman"; type = lib.types.bool;
default = true;
};
kavita.enable = lib.mkEnableOption "kavita docker";
}; };
} }

View file

@ -10,7 +10,5 @@ in
kavita.enable = mkEnableOption "kavita"; kavita.enable = mkEnableOption "kavita";
samba.enable = mkEnableOption "samba"; samba.enable = mkEnableOption "samba";
nextcloud.enable = mkEnableOption "nextcloud"; nextcloud.enable = mkEnableOption "nextcloud";
syncthing.enable = mkEnableOption "syncthing";
openvpn.enable = mkEnableOption "openvpn";
}; };
} }

View file

@ -6,7 +6,6 @@
profile = { profile = {
hostname = "homeserver"; hostname = "homeserver";
networking.externalInterface = "enp9s0";
user = { user = {
name = "homeserver"; name = "homeserver";
fullName = "Homeserver"; fullName = "Homeserver";
@ -24,6 +23,8 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
podman = { podman = {
enable = true; enable = true;
caddy.enable = false;
kavita.enable = true;
}; };
services = { services = {
@ -33,8 +34,6 @@
kavita.enable = true; kavita.enable = true;
samba.enable = true; samba.enable = true;
nextcloud.enable = true; nextcloud.enable = true;
syncthing.enable = true;
openvpn.enable = true;
}; };
}; };
} }

View file

@ -1,24 +0,0 @@
kavita:
token: ENC[AES256_GCM,data:58jQJq5H/QA/yFlfZgHWrSgE3X+c1F96s+8jIGxzWRb91m4KJ8lGy6NHyZpev5l4XhV3ghhM2/0Gs7HNZn8jn5hdrMsvk0a1iG8Rw9PaF+bnERPOFDO9zQ==,iv:uwPYTIRFvCfMxYmHZOMRKkqi3J0MNiedvbVkqlh+hUs=,tag:cG/IwPO1qjQA/NgsRQhIFQ==,type:str]
api_key: ENC[AES256_GCM,data:SDfzZNTj5GJC6uzz7DP/k8s4Yzr8p/8pIBqvECndF4pxg0nD,iv:j1fw5Nm05PcbI8+wViQ4t/rd+BgflVnUNzbzVzmTmsY=,tag:TA6dvBw+fZpMhNeG9klRdg==,type:str]
opds_url: ENC[AES256_GCM,data:qgtncw2H/mrCKrdGJdjA2AtQp2lUZGFmT21u1RdMRjAyxxzEfC1kCwQHbhaIlxvKn1M/CqXpa/gXrZAM+TptCAoyN2Kn28DmbA==,iv:o5XJl35EZumAcPiK9NmnPV65YSu8Y4fgIgHmXzoGdqA=,tag:ZQvnWdfAofAfA8EWr7jA0g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa0c1VlR4V1RUWE1vNUg2
bXpuNStTRWozRGhaTGZtcGtMWDBUbm1OREZZClJDQm1uRytFRFNyenY1RUloVXNv
Q0F6bFNjMFZZUFUxT1JQTHJnd0Z1QUUKLS0tIEpOaUw4OEdRVUhvYmNoYTRaL2Zy
SjFCNUtDbWticUs3d05PS3NuVW00TFkKlqV1V+/Eb5gMj/5NMprAElkBWrO/8tkl
/exWXMOie/WCKiwryoyLe6yms+aOl6x5csbyJtpO2piRs7Xp1sso7g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-14T04:52:39Z"
mac: ENC[AES256_GCM,data:WJrCCdEEaxm/b7KurXl3KUjgnT7sLKkqeu8MhYhKTOajcqTYeLcHZDNu0XZpuB1xJowP8aS9v8aTFkJIexvT44Fqf23qzzYSjSqTyR+0yjGXwJxImB3/noHtYiDMXd/TGhdyLhzPnicoOFy8qsNGy2wvFGhEKxwGT0dQf2Wuvr0=,iv:KVhNsFHkW1cLEeMjxEpyhguFp8LMhw0yF6qkPqh8238=,tag:oMXDVoIGUIRPJEfKpY+7vA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,26 +0,0 @@
openvpn:
server:
ip: ENC[AES256_GCM,data:hv/lHgWGsx1LBR3wcg7O,iv:JtkecUzT50YGgDQMNlXQC9C1h53sm46EYfhdzT+0K9s=,tag:sdCiPlus1DJRPoET2e4HIQ==,type:str]
key:
phone: ENC[AES256_GCM,data:JobVqgDl1Lk8jsIPeJgfA3tuMY1IHkTL2+rWY8CQkyJ9Q+dLIS8hMrmlqhtfiEkaWs3NFqwFuyUhK8uuOa0stBzQ/lZiQ7OKjOH8Y3d4fs6sF/FCuaVOuwfAXNy2gVEG2HgKBzFkBT/ciFxF3guy2EVNaLZCm01PaA8XMr8piXDs6lqt/YoEUNr2l+LfOsphrxLCYpGxRJxJkUWjoNGm/ZtbxI/HFO94l9JAlSoCfETqgEgWOOP3OgGKFSjr6pVty5Nw6iKHnhzFYdXyPFy67MPK9NvLWM3sAZnKrmF+B6lUFGAyZwKDwenKbjM/e5VOZrEGjj7O7EgMG7tYkbPngCPvRhQ4URIibKhKlmuP/On2WuJsNhNW7mtGMAKps0Q3B9GVAWeEGAhJUo5Y3FHGtSs0dRglAo6DCB0bgSTpa87LmY0JskW+PXCTQzJgVd6EnqL+ewMXM+1ID9upedivBZpTPbN41KAz9pCa/EziSsz7vEijq1i40RS/TTvjAC2SJkiv0tCmM7/jAoPDd/N4l7doqhk8jvokGw2PBmYkxnhPo0B2Ofhx+td/Pe/Q1fDHt42POTQ1EEuptD+utvPZUdLaOGg2ybiEYn8lsB9oEK4tVZoPaxOqHPlckSOcnTjwLmQ8M2Nf5e+iW74w+dfJrXuSz15XMSGthWmYHNPZGYo24+437HcVpEs2txcysK003PTy62X56jB5Wrv3l8rqqufVeMZDgLqo3Lw3btniFs6b3lJp1+dvYwGFXBhMeOuoannOi0bQvtIwxqTYgovHv+7/HPD06Hg9ZuU6/Lip3Vp/XR0kT3IfU7S0rmxTSVdgmlJbY8IM5VDMJTk=,iv:y6rP58/eIdMOWK1KsIYOL3pve4ew8mLQZBmIWjVWRCM=,tag:PlUTapNdWwkVKqy2yzLTdQ==,type:str]
laptop: ENC[AES256_GCM,data:n6atoq4XVXd8xBdXpmlrZ1ZCB3dsuwJ7XUUEJeoFmxkLoT8b+A/SrEo3Cp0xaU7pwMmWZvWBj0trTGlodFM07b+rrpPHiYSPrZkKOSYTx4kj7s6jf2Fu/514fsNS76+hEu3Iof3Bxw+LhEQ3jL1Bd1lYU0+x5bh0b3JSl71VDto40VBoiM1UdQtO54XlfsfKJC9Qy6asWqDUIEpU4L4JElfFXNO9fWSUbHQX1m5UWLaZpAcAwcJknnpdr8MJPbaE2LLf9gddEoEYqZqeDcrxlWuVavgzqCwCdCHuwecmiF/Luvx1F1/O+btG0z2Iz7UzvZKjGONUV0lNE1aJiCLZhNdFluHiv+hTmjU4GRiUe2GJFACOp624GtSENrafnFV8m+cLYqrMnmCByk5FoW1CQ4Clm0txbIRRHG1zZcrwf8G/S0VAJ0CMeEHZJoe6Adh0a/BdxWaLvexxl2OQBAhv0KiISfkp5oU3RPIo5ITrNE06fXXRiVXUiB3YXV+tOUmfUzTqBBLwOiS2yT2ggRxS9j8cWvNpQJFQB0zfYE3Q9TNdzvItXD/0TtGfxC/hBEorjqQEeFrVg60qbV3m8pxZMcCSUK/2+fBrBmuJsZ6KkEX1mqMP+QLg8JyAX8Eyn3FI+EPbcoHTrTts0hrOUbSwKQjJiN3nwOm9iGB2u8q3xUUo8uV4Bx9tyVpZPmeTS3S9aA8md2UnwUHQLd+DsKtdgFMUeW7ynZKGVesi+Tf5TEkw39/zhUor/JbwoXBlKLmPNs+X3a50yr22uRqyQ0rC7WQ2DfR5cXTgS2itcFC/iyUdB0DolDX49flK3Wyr4+taMVA7nf0qnbfMmus=,iv:s8yYzh/sF2Nb+fnr+/X9GhGCg2Ft/bNJk5L+FQhG3nU=,tag:NT7jH148RvcjnmsarL9qZQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnpHV0dlaWxXSDNnYnBa
NDhaMWdEMDB2allPUm9MUll0QVNWUmNNZlN3CkUxNFF6YmMxMjdWRDlMMTNHZUNq
YVJDQWZWT1pVWkFDMVA1ank1amUySjQKLS0tIEs2SFNWTEhLRjdaM2sya3FmYVdP
NmVZSk5jUUs3ZnhCTC9NOEQ1WkRJem8KvwC+Tc67NgV6rJM9vdfWbVaJSrX7xZS4
aRvTzGL4Q2e+BnrFcyX8QiiZFgEUGEbk6MYbPELeGapwW79WvHzP8A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-14T09:39:43Z"
mac: ENC[AES256_GCM,data:OnbOkWUCl8Oa+XXHJ8sQVZ+8rQ/XFmMXQlzgJA/wXJgKAdU/FPF6XnfdYdXTH7MTu/nRhctnnRaTbPWaGaWYSejdPOQcu60z53lbALuRAWZXHAa0/tGC6pFV//3TwLd5FduOq9NnPeO0lM4yWF67z1wTDpygnrqoHDkY53OpGvU=,iv:Oj7UIFBg4/We07GD+mIJNb6K/QiGSvOXdNeyf2ezxck=,tag:rvG1y6xR1XaK5e5M9X/jrg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -6,8 +6,5 @@
./forgejo.nix ./forgejo.nix
./samba.nix ./samba.nix
./nextcloud.nix ./nextcloud.nix
./syncthing.nix
./kavita.nix
./openvpn.nix
]; ];
} }

View file

@ -1,31 +0,0 @@
{ config, lib, ... }:
let
cfg = config.profile.services.kavita;
user = config.profile.user;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
fileSystems."/nas/kavita" = {
device = "/var/lib/kavita";
fsType = "none";
options = [ "bind" ];
};
users.groups.kavita.members = [ user.name ];
users.groups.${user.name}.members = [ "kavita" ]; # Allow kavita to read users's files copied to /var/lib/kavita via NAS
sops.secrets."kavita/token" = {
owner = "kavita";
sopsFile = ../../secrets/kavita.yaml;
};
services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = ''
reverse_proxy 0.0.0.0:${toString config.services.kavita.settings.Port}
'';
services.kavita = {
enable = true;
tokenKeyFile = config.sops.secrets."kavita/token".path;
settings = {
Port = 40001;
};
};
};
}

View file

@ -1,125 +0,0 @@
# It's a pain setting up Certificate Authority, Public Key Infrastructure, etc. for OpenVPN.
# Instead setup multiple openvpn servers with multiple ports, with each server having one client.
#
# Does not scale well, but it's good enough for personal use.
#
# TODO: Create CA, and ROOTCA, and use them to sign the keys, then store in sops-nix secrets.
{ config, lib, pkgs, ... }:
let
cfg = config.profile.services.openvpn;
domain = "vpn.tigor.web.id";
portLaptop = 1194;
portPhone = 1195;
vpn-dev-laptop = "tun0";
vpn-dev-phone = "tun1";
externalInterface = config.profile.networking.externalInterface;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key
networking.nat = {
enable = true;
inherit externalInterface;
internalInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
};
networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
networking.firewall.allowedUDPPorts = [ portLaptop portPhone ];
sops = {
# Activate the secrets.
secrets =
let
opts = {
sopsFile = ../../secrets/openvpn.yaml;
};
in
{
"openvpn/server/ip" = opts;
"openvpn/key/phone" = opts;
"openvpn/key/laptop" = opts;
};
# This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients.
templates =
let
template = { secretPlaceholder, port, ifConfig }: ''
dev tun
remote "${config.sops.placeholder."openvpn/server/ip"}"
port ${toString port}
ifconfig ${ifConfig}
redirect-gateway def1
cipher AES-256-CBC
auth-nocache
comp-lzo
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
secret [inline]
<secret>
${secretPlaceholder}
</secret>
'';
in
{
"openvpn/key/phone" = {
content = template {
secretPlaceholder = config.sops.placeholder."openvpn/key/phone";
port = portPhone;
ifConfig = "10.8.1.1 10.8.1.2";
};
path = "/etc/openvpn/phone.ovpn";
owner = config.profile.user.name;
};
"openvpn/key/laptop" = {
content = template {
secretPlaceholder = config.sops.placeholder."openvpn/key/laptop";
port = portLaptop;
ifConfig = "10.8.2.1 10.8.2.2";
};
path = "/etc/openvpn/laptop.ovpn";
owner = config.profile.user.name;
};
};
};
services.openvpn.servers =
let
configTemplate = { secretFile, port, dev }: ''
dev ${dev}
proto udp
secret ${secretFile}
port ${toString port}
cipher AES-256-CBC
auth-nocache
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
'';
in
{
phone = {
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; };
autoStart = true;
};
laptop = {
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; };
autoStart = true;
};
};
};
}

View file

@ -1,22 +0,0 @@
{ config, lib, ... }:
let
cfg = config.profile.services.syncthing;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
services.caddy.virtualHosts."syncthing.tigor.web.id".extraConfig = ''
reverse_proxy 0.0.0.0:8384
'';
services.syncthing = {
enable = true;
settings = {
options.urAccepted = 1; # Allow anonymous usage reporting.
};
overrideFolders = false;
overrideDevices = false;
openDefaultPorts = true;
guiAddress = "0.0.0.0:8384";
};
};
}