Compare commits
No commits in common. "9ec97fbda5a74fa876ab74d79c696f3ac0f4b8d6" and "7f12cb9bdc471bf74abb2b65c5354e710bbbe069" have entirely different histories.
9ec97fbda5
...
7f12cb9bdc
|
@ -14,10 +14,6 @@
|
||||||
hostname = lib.mkOption {
|
hostname = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
networking.externalInterface = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "eth0";
|
|
||||||
};
|
|
||||||
|
|
||||||
user = {
|
user = {
|
||||||
name = lib.mkOption {
|
name = lib.mkOption {
|
||||||
|
|
|
@ -2,7 +2,10 @@
|
||||||
{
|
{
|
||||||
options.profile.podman = {
|
options.profile.podman = {
|
||||||
enable = lib.mkEnableOption "podman";
|
enable = lib.mkEnableOption "podman";
|
||||||
caddy.enable = lib.mkEnableOption "caddy podman";
|
caddy.enable = lib.mkOption {
|
||||||
kavita.enable = lib.mkEnableOption "kavita podman";
|
type = lib.types.bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
kavita.enable = lib.mkEnableOption "kavita docker";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,7 +10,5 @@ in
|
||||||
kavita.enable = mkEnableOption "kavita";
|
kavita.enable = mkEnableOption "kavita";
|
||||||
samba.enable = mkEnableOption "samba";
|
samba.enable = mkEnableOption "samba";
|
||||||
nextcloud.enable = mkEnableOption "nextcloud";
|
nextcloud.enable = mkEnableOption "nextcloud";
|
||||||
syncthing.enable = mkEnableOption "syncthing";
|
|
||||||
openvpn.enable = mkEnableOption "openvpn";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
|
|
||||||
profile = {
|
profile = {
|
||||||
hostname = "homeserver";
|
hostname = "homeserver";
|
||||||
networking.externalInterface = "enp9s0";
|
|
||||||
user = {
|
user = {
|
||||||
name = "homeserver";
|
name = "homeserver";
|
||||||
fullName = "Homeserver";
|
fullName = "Homeserver";
|
||||||
|
@ -24,6 +23,8 @@
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
podman = {
|
podman = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
caddy.enable = false;
|
||||||
|
kavita.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
@ -33,8 +34,6 @@
|
||||||
kavita.enable = true;
|
kavita.enable = true;
|
||||||
samba.enable = true;
|
samba.enable = true;
|
||||||
nextcloud.enable = true;
|
nextcloud.enable = true;
|
||||||
syncthing.enable = true;
|
|
||||||
openvpn.enable = true;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
kavita:
|
|
||||||
token: ENC[AES256_GCM,data:58jQJq5H/QA/yFlfZgHWrSgE3X+c1F96s+8jIGxzWRb91m4KJ8lGy6NHyZpev5l4XhV3ghhM2/0Gs7HNZn8jn5hdrMsvk0a1iG8Rw9PaF+bnERPOFDO9zQ==,iv:uwPYTIRFvCfMxYmHZOMRKkqi3J0MNiedvbVkqlh+hUs=,tag:cG/IwPO1qjQA/NgsRQhIFQ==,type:str]
|
|
||||||
api_key: ENC[AES256_GCM,data:SDfzZNTj5GJC6uzz7DP/k8s4Yzr8p/8pIBqvECndF4pxg0nD,iv:j1fw5Nm05PcbI8+wViQ4t/rd+BgflVnUNzbzVzmTmsY=,tag:TA6dvBw+fZpMhNeG9klRdg==,type:str]
|
|
||||||
opds_url: ENC[AES256_GCM,data:qgtncw2H/mrCKrdGJdjA2AtQp2lUZGFmT21u1RdMRjAyxxzEfC1kCwQHbhaIlxvKn1M/CqXpa/gXrZAM+TptCAoyN2Kn28DmbA==,iv:o5XJl35EZumAcPiK9NmnPV65YSu8Y4fgIgHmXzoGdqA=,tag:ZQvnWdfAofAfA8EWr7jA0g==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa0c1VlR4V1RUWE1vNUg2
|
|
||||||
bXpuNStTRWozRGhaTGZtcGtMWDBUbm1OREZZClJDQm1uRytFRFNyenY1RUloVXNv
|
|
||||||
Q0F6bFNjMFZZUFUxT1JQTHJnd0Z1QUUKLS0tIEpOaUw4OEdRVUhvYmNoYTRaL2Zy
|
|
||||||
SjFCNUtDbWticUs3d05PS3NuVW00TFkKlqV1V+/Eb5gMj/5NMprAElkBWrO/8tkl
|
|
||||||
/exWXMOie/WCKiwryoyLe6yms+aOl6x5csbyJtpO2piRs7Xp1sso7g==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2024-06-14T04:52:39Z"
|
|
||||||
mac: ENC[AES256_GCM,data:WJrCCdEEaxm/b7KurXl3KUjgnT7sLKkqeu8MhYhKTOajcqTYeLcHZDNu0XZpuB1xJowP8aS9v8aTFkJIexvT44Fqf23qzzYSjSqTyR+0yjGXwJxImB3/noHtYiDMXd/TGhdyLhzPnicoOFy8qsNGy2wvFGhEKxwGT0dQf2Wuvr0=,iv:KVhNsFHkW1cLEeMjxEpyhguFp8LMhw0yF6qkPqh8238=,tag:oMXDVoIGUIRPJEfKpY+7vA==,type:str]
|
|
||||||
pgp: []
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.8.1
|
|
|
@ -1,26 +0,0 @@
|
||||||
openvpn:
|
|
||||||
server:
|
|
||||||
ip: ENC[AES256_GCM,data:hv/lHgWGsx1LBR3wcg7O,iv:JtkecUzT50YGgDQMNlXQC9C1h53sm46EYfhdzT+0K9s=,tag:sdCiPlus1DJRPoET2e4HIQ==,type:str]
|
|
||||||
key:
|
|
||||||
phone: ENC[AES256_GCM,data:JobVqgDl1Lk8jsIPeJgfA3tuMY1IHkTL2+rWY8CQkyJ9Q+dLIS8hMrmlqhtfiEkaWs3NFqwFuyUhK8uuOa0stBzQ/lZiQ7OKjOH8Y3d4fs6sF/FCuaVOuwfAXNy2gVEG2HgKBzFkBT/ciFxF3guy2EVNaLZCm01PaA8XMr8piXDs6lqt/YoEUNr2l+LfOsphrxLCYpGxRJxJkUWjoNGm/ZtbxI/HFO94l9JAlSoCfETqgEgWOOP3OgGKFSjr6pVty5Nw6iKHnhzFYdXyPFy67MPK9NvLWM3sAZnKrmF+B6lUFGAyZwKDwenKbjM/e5VOZrEGjj7O7EgMG7tYkbPngCPvRhQ4URIibKhKlmuP/On2WuJsNhNW7mtGMAKps0Q3B9GVAWeEGAhJUo5Y3FHGtSs0dRglAo6DCB0bgSTpa87LmY0JskW+PXCTQzJgVd6EnqL+ewMXM+1ID9upedivBZpTPbN41KAz9pCa/EziSsz7vEijq1i40RS/TTvjAC2SJkiv0tCmM7/jAoPDd/N4l7doqhk8jvokGw2PBmYkxnhPo0B2Ofhx+td/Pe/Q1fDHt42POTQ1EEuptD+utvPZUdLaOGg2ybiEYn8lsB9oEK4tVZoPaxOqHPlckSOcnTjwLmQ8M2Nf5e+iW74w+dfJrXuSz15XMSGthWmYHNPZGYo24+437HcVpEs2txcysK003PTy62X56jB5Wrv3l8rqqufVeMZDgLqo3Lw3btniFs6b3lJp1+dvYwGFXBhMeOuoannOi0bQvtIwxqTYgovHv+7/HPD06Hg9ZuU6/Lip3Vp/XR0kT3IfU7S0rmxTSVdgmlJbY8IM5VDMJTk=,iv:y6rP58/eIdMOWK1KsIYOL3pve4ew8mLQZBmIWjVWRCM=,tag:PlUTapNdWwkVKqy2yzLTdQ==,type:str]
|
|
||||||
laptop: ENC[AES256_GCM,data:n6atoq4XVXd8xBdXpmlrZ1ZCB3dsuwJ7XUUEJeoFmxkLoT8b+A/SrEo3Cp0xaU7pwMmWZvWBj0trTGlodFM07b+rrpPHiYSPrZkKOSYTx4kj7s6jf2Fu/514fsNS76+hEu3Iof3Bxw+LhEQ3jL1Bd1lYU0+x5bh0b3JSl71VDto40VBoiM1UdQtO54XlfsfKJC9Qy6asWqDUIEpU4L4JElfFXNO9fWSUbHQX1m5UWLaZpAcAwcJknnpdr8MJPbaE2LLf9gddEoEYqZqeDcrxlWuVavgzqCwCdCHuwecmiF/Luvx1F1/O+btG0z2Iz7UzvZKjGONUV0lNE1aJiCLZhNdFluHiv+hTmjU4GRiUe2GJFACOp624GtSENrafnFV8m+cLYqrMnmCByk5FoW1CQ4Clm0txbIRRHG1zZcrwf8G/S0VAJ0CMeEHZJoe6Adh0a/BdxWaLvexxl2OQBAhv0KiISfkp5oU3RPIo5ITrNE06fXXRiVXUiB3YXV+tOUmfUzTqBBLwOiS2yT2ggRxS9j8cWvNpQJFQB0zfYE3Q9TNdzvItXD/0TtGfxC/hBEorjqQEeFrVg60qbV3m8pxZMcCSUK/2+fBrBmuJsZ6KkEX1mqMP+QLg8JyAX8Eyn3FI+EPbcoHTrTts0hrOUbSwKQjJiN3nwOm9iGB2u8q3xUUo8uV4Bx9tyVpZPmeTS3S9aA8md2UnwUHQLd+DsKtdgFMUeW7ynZKGVesi+Tf5TEkw39/zhUor/JbwoXBlKLmPNs+X3a50yr22uRqyQ0rC7WQ2DfR5cXTgS2itcFC/iyUdB0DolDX49flK3Wyr4+taMVA7nf0qnbfMmus=,iv:s8yYzh/sF2Nb+fnr+/X9GhGCg2Ft/bNJk5L+FQhG3nU=,tag:NT7jH148RvcjnmsarL9qZQ==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnpHV0dlaWxXSDNnYnBa
|
|
||||||
NDhaMWdEMDB2allPUm9MUll0QVNWUmNNZlN3CkUxNFF6YmMxMjdWRDlMMTNHZUNq
|
|
||||||
YVJDQWZWT1pVWkFDMVA1ank1amUySjQKLS0tIEs2SFNWTEhLRjdaM2sya3FmYVdP
|
|
||||||
NmVZSk5jUUs3ZnhCTC9NOEQ1WkRJem8KvwC+Tc67NgV6rJM9vdfWbVaJSrX7xZS4
|
|
||||||
aRvTzGL4Q2e+BnrFcyX8QiiZFgEUGEbk6MYbPELeGapwW79WvHzP8A==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2024-06-14T09:39:43Z"
|
|
||||||
mac: ENC[AES256_GCM,data:OnbOkWUCl8Oa+XXHJ8sQVZ+8rQ/XFmMXQlzgJA/wXJgKAdU/FPF6XnfdYdXTH7MTu/nRhctnnRaTbPWaGaWYSejdPOQcu60z53lbALuRAWZXHAa0/tGC6pFV//3TwLd5FduOq9NnPeO0lM4yWF67z1wTDpygnrqoHDkY53OpGvU=,iv:Oj7UIFBg4/We07GD+mIJNb6K/QiGSvOXdNeyf2ezxck=,tag:rvG1y6xR1XaK5e5M9X/jrg==,type:str]
|
|
||||||
pgp: []
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.8.1
|
|
|
@ -6,8 +6,5 @@
|
||||||
./forgejo.nix
|
./forgejo.nix
|
||||||
./samba.nix
|
./samba.nix
|
||||||
./nextcloud.nix
|
./nextcloud.nix
|
||||||
./syncthing.nix
|
|
||||||
./kavita.nix
|
|
||||||
./openvpn.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,31 +0,0 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.profile.services.kavita;
|
|
||||||
user = config.profile.user;
|
|
||||||
inherit (lib) mkIf;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
fileSystems."/nas/kavita" = {
|
|
||||||
device = "/var/lib/kavita";
|
|
||||||
fsType = "none";
|
|
||||||
options = [ "bind" ];
|
|
||||||
};
|
|
||||||
users.groups.kavita.members = [ user.name ];
|
|
||||||
users.groups.${user.name}.members = [ "kavita" ]; # Allow kavita to read users's files copied to /var/lib/kavita via NAS
|
|
||||||
sops.secrets."kavita/token" = {
|
|
||||||
owner = "kavita";
|
|
||||||
sopsFile = ../../secrets/kavita.yaml;
|
|
||||||
};
|
|
||||||
services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = ''
|
|
||||||
reverse_proxy 0.0.0.0:${toString config.services.kavita.settings.Port}
|
|
||||||
'';
|
|
||||||
services.kavita = {
|
|
||||||
enable = true;
|
|
||||||
tokenKeyFile = config.sops.secrets."kavita/token".path;
|
|
||||||
settings = {
|
|
||||||
Port = 40001;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,125 +0,0 @@
|
||||||
# It's a pain setting up Certificate Authority, Public Key Infrastructure, etc. for OpenVPN.
|
|
||||||
# Instead setup multiple openvpn servers with multiple ports, with each server having one client.
|
|
||||||
#
|
|
||||||
# Does not scale well, but it's good enough for personal use.
|
|
||||||
#
|
|
||||||
# TODO: Create CA, and ROOTCA, and use them to sign the keys, then store in sops-nix secrets.
|
|
||||||
|
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.profile.services.openvpn;
|
|
||||||
domain = "vpn.tigor.web.id";
|
|
||||||
portLaptop = 1194;
|
|
||||||
portPhone = 1195;
|
|
||||||
vpn-dev-laptop = "tun0";
|
|
||||||
vpn-dev-phone = "tun1";
|
|
||||||
externalInterface = config.profile.networking.externalInterface;
|
|
||||||
inherit (lib) mkIf;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key
|
|
||||||
|
|
||||||
networking.nat = {
|
|
||||||
enable = true;
|
|
||||||
inherit externalInterface;
|
|
||||||
internalInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ portLaptop portPhone ];
|
|
||||||
|
|
||||||
sops = {
|
|
||||||
# Activate the secrets.
|
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
opts = {
|
|
||||||
sopsFile = ../../secrets/openvpn.yaml;
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"openvpn/server/ip" = opts;
|
|
||||||
"openvpn/key/phone" = opts;
|
|
||||||
"openvpn/key/laptop" = opts;
|
|
||||||
};
|
|
||||||
|
|
||||||
# This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients.
|
|
||||||
templates =
|
|
||||||
let
|
|
||||||
template = { secretPlaceholder, port, ifConfig }: ''
|
|
||||||
dev tun
|
|
||||||
remote "${config.sops.placeholder."openvpn/server/ip"}"
|
|
||||||
port ${toString port}
|
|
||||||
ifconfig ${ifConfig}
|
|
||||||
redirect-gateway def1
|
|
||||||
|
|
||||||
cipher AES-256-CBC
|
|
||||||
auth-nocache
|
|
||||||
|
|
||||||
comp-lzo
|
|
||||||
keepalive 10 60
|
|
||||||
resolv-retry infinite
|
|
||||||
nobind
|
|
||||||
persist-key
|
|
||||||
persist-tun
|
|
||||||
secret [inline]
|
|
||||||
|
|
||||||
<secret>
|
|
||||||
${secretPlaceholder}
|
|
||||||
</secret>
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"openvpn/key/phone" = {
|
|
||||||
content = template {
|
|
||||||
secretPlaceholder = config.sops.placeholder."openvpn/key/phone";
|
|
||||||
port = portPhone;
|
|
||||||
ifConfig = "10.8.1.1 10.8.1.2";
|
|
||||||
};
|
|
||||||
path = "/etc/openvpn/phone.ovpn";
|
|
||||||
owner = config.profile.user.name;
|
|
||||||
};
|
|
||||||
"openvpn/key/laptop" = {
|
|
||||||
content = template {
|
|
||||||
secretPlaceholder = config.sops.placeholder."openvpn/key/laptop";
|
|
||||||
port = portLaptop;
|
|
||||||
ifConfig = "10.8.2.1 10.8.2.2";
|
|
||||||
};
|
|
||||||
path = "/etc/openvpn/laptop.ovpn";
|
|
||||||
owner = config.profile.user.name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.openvpn.servers =
|
|
||||||
let
|
|
||||||
configTemplate = { secretFile, port, dev }: ''
|
|
||||||
dev ${dev}
|
|
||||||
proto udp
|
|
||||||
secret ${secretFile}
|
|
||||||
port ${toString port}
|
|
||||||
|
|
||||||
cipher AES-256-CBC
|
|
||||||
auth-nocache
|
|
||||||
|
|
||||||
comp-lzo
|
|
||||||
keepalive 10 60
|
|
||||||
ping-timer-rem
|
|
||||||
persist-tun
|
|
||||||
persist-key
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
|
||||||
phone = {
|
|
||||||
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; };
|
|
||||||
autoStart = true;
|
|
||||||
};
|
|
||||||
laptop = {
|
|
||||||
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; };
|
|
||||||
autoStart = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -1,22 +0,0 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.profile.services.syncthing;
|
|
||||||
inherit (lib) mkIf;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
services.caddy.virtualHosts."syncthing.tigor.web.id".extraConfig = ''
|
|
||||||
reverse_proxy 0.0.0.0:8384
|
|
||||||
'';
|
|
||||||
services.syncthing = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
options.urAccepted = 1; # Allow anonymous usage reporting.
|
|
||||||
};
|
|
||||||
overrideFolders = false;
|
|
||||||
overrideDevices = false;
|
|
||||||
openDefaultPorts = true;
|
|
||||||
guiAddress = "0.0.0.0:8384";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
Loading…
Reference in a new issue