common: move to modules, move some files out, modules: adjust dir structure

modules/nixos/services/default.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./mumble.nix
+    ./openssh.nix
+    ./tailscale.nix
+  ];
+}

modules/nixos/services/homeserver/authentik.nix

@@ -0,0 +1,31 @@
+{ inputs, config, ... }:
+
+{
+  imports = [ inputs.authentik-nix.nixosModules.default ];
+  nix.settings = {
+    substituters = [ "https://nix-community.cachix.org" ];
+    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+  };
+
+  sops.secrets."authentik/secrets.env".restartUnits = [ "authentik.service" ];
+
+  services.caddy.virtualHosts."authentik.wo2wz.fyi".extraConfig = 
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+      import cloudflare-tls
+
+      reverse_proxy localhost:9000
+    '';
+
+  services.authentik = {
+    enable = true;
+    environmentFile = config.sops.secrets."authentik/secrets.env".path;
+
+    settings = {
+      disable_startup_analytics = true;
+      disable_update_check = true;
+      avatars = "initials";
+    };
+  };
+}

modules/nixos/services/homeserver/caddy.nix

@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+{
+  sops.secrets = {
+    "caddy/secrets.env" = {};
+
+    "caddy/wo2wz.fyi.crt" = {
+      owner = "caddy";
+      group = "caddy";
+      reloadUnits = [ "caddy.service" ];
+    };
+    "caddy/wo2wz.fyi.key" = {
+      owner = "caddy";
+      group = "caddy";
+      reloadUnits = [ "caddy.service" ];
+    };
+  };
+
+  services = {
+    tailscale.permitCertUid = "caddy";
+
+    caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/WeidiDeng/caddy-cloudflare-ip@v0.0.0-20231130002422-f53b62aa13cb"
+          "github.com/tailscale/caddy-tailscale@v0.0.0-20250915161136-32b202f0a953"
+        ];
+        hash = "sha256-icldgfR6CidNdsM/AcpaV484hrljGxj5KiAqTOjlKgg=";
+      };
+      environmentFile = config.sops.secrets."caddy/secrets.env".path;
+
+      extraConfig = ''
+        (cloudflare-tls) {
+            tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
+        }
+
+        (default-settings) {
+            encode
+
+            header {
+                Strict-Transport-Security "max-age=15552000;"
+                X-Frame-Options "SAMEORIGIN"
+                X-Content-Type-Options "nosniff"
+                X-Robots-Tag "noindex, nofollow"
+                -Server
+                -X-Powered-By
+            }
+        }
+      '';
+      globalConfig = ''
+        grace_period 30s
+        servers {
+            client_ip_headers CF-Connecting-Ip X-Forwarded-For
+            trusted_proxies cloudflare {
+                interval 7d
+                timeout 15s
+            }
+            trusted_proxies_strict
+        }
+
+        tailscale {
+            auth_key {env.CADDY_TAILSCALE_AUTH_KEY}
+            state_dir ${config.services.caddy.dataDir}/caddy-tailscale
+        }
+      '';
+
+      virtualHosts."wo2wz.fyi".extraConfig = ''
+        import default-settings
+        import cloudflare-tls
+
+        respond "not much to see here"
+      '';
+    };
+  };
+}

modules/nixos/services/homeserver/cloudflared.nix

@@ -0,0 +1,13 @@
+{ config, ... }:
+
+{
+  sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
+
+  services.cloudflared = {
+    enable = true;
+    tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
+      credentialsFile = config.sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json".path;
+      default = "http_status:418";
+    };
+  };
+}

modules/nixos/services/homeserver/default.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./authentik.nix
+    ./caddy.nix
+    ./cloudflared.nix
+    ./nextcloud.nix
+    ./restic.nix
+    ./sops.nix
+    ./uptime-kuma.nix
+    ./vaultwarden.nix
+    ./zipline.nix
+  ];
+}

modules/nixos/services/homeserver/nextcloud.nix

@@ -0,0 +1,99 @@
+{ config, pkgs, ... }:
+
+{  
+  sops.secrets."nextcloud/adminpass" = {};
+
+  services.caddy.virtualHosts."nextcloud.wo2wz.fyi".extraConfig =
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+
+      root ${config.services.nginx.virtualHosts."localhost:8002".root}
+      file_server
+
+      php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
+
+      redir /.well-known/carddav /remote.php/dav 301
+      redir /.well-known/caldav /remote.php/dav 301
+      redir /.well-known/webfinger /index.php/webfinger 301
+      redir /.well-known/nodeinfo /index.php/nodeinfo 301
+      redir /.well-known/* /index.php{uri} 301
+      redir /remote/* /remote.php{uri} 301
+
+      @forbidden {
+        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+        not path /.well-known/*
+      }
+
+      respond @forbidden 403
+
+      # make .mjs javascript work for the functionality of some buttons/apps
+      @mjs path *.mjs
+      header @mjs Content-Type application/javascript
+    '';
+
+  services.nginx.enable = false; # disable to use caddy instead
+  users.users.nginx = {
+    group = "nginx";
+    isSystemUser = true;
+  };
+  users.groups.nginx = {};
+
+  users.users.caddy.extraGroups = [ "nextcloud" ];
+  services.phpfpm.pools.nextcloud.settings = {
+    "listen.owner" = "caddy";
+    "listen.group" = "caddy";
+  };
+
+  services = {
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud31;
+      hostName = "localhost:8002";
+      configureRedis = true;
+      config = {
+        adminuser = "wo2w";
+        adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+        dbtype = "sqlite";
+      };
+      settings = {
+        trusted_domains = [ "nextcloud.wo2wz.fyi" ];
+        trusted_proxies = [ "127.0.0.1" "::1" ];
+      };
+
+      maxUploadSize = "200G";
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps) calendar deck onlyoffice tasks music twofactor_webauthn user_oidc;
+      };
+    };
+  };
+
+  sops.secrets."onlyoffice/jwt" = {
+    owner = "onlyoffice";
+    group = "onlyoffice";
+  };
+
+  services.caddy.virtualHosts."onlyoffice.wo2wz.fyi".extraConfig =
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+      import cloudflare-tls
+
+      @blockinternal {
+        path /internal/*
+        path /info/*
+        not remote_ip 127.0.0.1
+      }
+      respond @blockinternal 403
+
+      reverse_proxy localhost:8003
+    '';
+
+  services.onlyoffice = {
+    enable = true;
+    hostname = "localhost";
+    port = 8003;
+    jwtSecretFile = config.sops.secrets."onlyoffice/jwt".path;
+  };
+}

modules/nixos/services/homeserver/restic.nix

@@ -0,0 +1,80 @@
+{ config, pkgs, ... }:
+
+{
+  sops.secrets = {
+    "restic/password" = {};
+    "restic/rclone/offsite" = {};
+  };
+
+  # for use as rclone backend
+  environment.systemPackages = [ pkgs.rclone ];
+
+  systemd.services.db-dump = {
+    wantedBy = [ "restic-backups-main.service" "restic-backups-offsite.service" ];
+    script = ''
+      if [ ! -d /var/backups/db-backup ]; then
+          mkdir -p -m 600 /var/backups/db-backup
+      fi
+
+      ${pkgs.sqlite}/bin/sqlite3 /var/lib/vaultwarden/db.sqlite3 ".backup /var/backups/db-backup/vaultwarden.sqlite3"
+      ${pkgs.sqlite}/bin/sqlite3 /var/lib/uptime-kuma/kuma.db ".backup /var/backups/db-backup/kuma.db"
+
+      ${pkgs.sudo}/bin/sudo -u authentik -- ${pkgs.postgresql}/bin/pg_dump > /var/backups/db-backup/dump-authentik
+      ${pkgs.sudo}/bin/sudo -u onlyoffice -- ${pkgs.postgresql}/bin/pg_dump > /var/backups/db-backup/dump-onlyoffice
+      ${pkgs.sudo}/bin/sudo -u zipline -- ${pkgs.postgresql}/bin/pg_dump > /var/backups/db-backup/dump-zipline
+      ${pkgs.sudo}/bin/sudo -u postgres -- ${pkgs.postgresql}/bin/pg_dumpall -g > /var/backups/db-backup/dump-globals      
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+  };
+
+  services.restic.backups = {
+    main = {
+      initialize = true;
+      repository = "/mnt/external/backup/restic";
+      passwordFile = config.sops.secrets."restic/password".path;
+      timerConfig = {
+        OnCalendar = "03:00";
+        Persistent = true;
+      };
+
+      paths = [
+        "/var/lib/private/authentik"
+        "/var/lib/private/uptime-kuma"
+        "/var/lib/nextcloud"
+        "/var/lib/vaultwarden"
+        "/var/backups/db-backup"
+      ];
+      # exclude databases since they are covered separately
+      exclude = [
+        "*.db"
+        "*.db-shm"
+        "*.db-wal"
+        "*.sqlite3"
+        "*.sqlite3-shm"
+        "*.sqlite3-wal"
+      ];
+
+      backupCleanupCommand = "rm -r /var/backups/db-backup/*";
+    };
+
+#    offsite = {
+#      initialize = true;
+#      repository = "rclone:protondrive:restic";
+#      passwordFile = config.sops.secrets."restic/password".path;
+#      timerConfig = {
+#        OnCalendar = "3:05";
+#        Persistent = true;
+#      };
+#      rcloneOptions = { protondrive-replace-existing-draft = true; };
+#      rcloneConfigFile = config.sops.secrets."restic/rclone/offsite".path;
+
+#      paths = config.services.restic.backups.main.paths;
+#      exclude = config.services.restic.backups.main.exclude;
+
+#      backupCleanupCommand = "rm -r /var/backups/db-backup/*";
+#    };
+  };
+}

modules/nixos/services/homeserver/sops.nix

@@ -0,0 +1,13 @@
+{ inputs, config, ... }:
+
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  sops = {
+    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+    validateSopsFiles = false;
+
+    age.keyFile = "/root/.config/sops/age/keys.txt";
+  };
+}

modules/nixos/services/homeserver/uptime-kuma.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+
+{
+  services.caddy.virtualHosts."uptime-kuma.wo2wz.fyi".extraConfig =
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+      import cloudflare-tls
+
+      reverse_proxy localhost:8005
+    '';
+
+  services.uptime-kuma = {
+    enable = true;
+    settings.PORT = "8005";
+  };
+}

modules/nixos/services/homeserver/vaultwarden.nix

@@ -0,0 +1,29 @@
+{ config, ... }:
+
+{
+  sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+
+  services.caddy.virtualHosts."vaultwarden.taild5f7e6.net".extraConfig =
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+
+      bind tailscale/vaultwarden
+
+      # block connections to admin login
+      respond /admin/* 403
+
+      reverse_proxy localhost:8000
+    '';
+
+  services.vaultwarden = {
+    enable = true;
+    backupDir = "/var/backups/vaultwarden";
+    config = {
+      DOMAIN = "https://vaultwarden.taild5f7e6.ts.net";
+
+      SIGNUPS_ALLOWED = false;
+    };
+    environmentFile = config.sops.secrets."vaultwarden/secrets.env".path;
+  };
+}

modules/nixos/services/homeserver/zipline.nix

@@ -0,0 +1,32 @@
+{ config, ... }:
+
+{
+  sops.secrets."zipline/secrets.env".restartUnits = [ "zipline.service" ];
+
+  services.caddy.virtualHosts."zipline.wo2wz.fyi".extraConfig =
+    assert config.services.caddy.enable;
+    ''
+      import default-settings
+      import cloudflare-tls
+
+      reverse_proxy localhost:8001
+    '';
+
+  users.users.zipline = {
+    group = "zipline";
+    isSystemUser = true;
+  };
+  users.groups.zipline = {};
+  services.zipline = {
+    enable = true;
+    settings = {
+      CORE_PORT = 8001;
+      DATASOURCE_LOCAL_DIRECTORY = "/mnt/external/storage/zipline/uploads";
+
+      FEATURES_VERSION_CHECKING = "false";
+      FEATURES_THUMBNAILS_NUM_THREADS = 2;
+      FEATURES_OAUTH_REGISTRATION = "true";
+    };
+    environmentFiles = [ config.sops.secrets."zipline/secrets.env".path ];
+  };
+}

modules/nixos/services/mumble.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+  services.murmur = {
+    enable = true;
+    environmentFile = "${config.services.murmur.stateDir}/secrets.env";
+    openFirewall = true;
+    autobanAttempts = 3;
+  };
+  environment.systemPackages = [ pkgs.mumble ];
+
+  services.pipewire.extraConfig.pipewire = {
+    "97-null-sink"."context.objects" = [
+      {
+        factory = "adapter";
+        args = {
+          "factory.name" = "support.null-audio-sink";
+          "node.name" = "Null-Sink";
+          "node.description" = "Null Sink";
+          "media.class" = "Audio/Sink";
+          "audio.position" = "FL,FR";
+        };
+      }
+      {
+        factory = "adapter";
+        args = {
+          "factory.name" = "support.null-audio-sink";
+          "node.name" = "Null-Source";
+          "node.description" = "Null Source";
+          "media.class" = "Audio/Source";
+          "audio.position" = "FL,FR";
+        };
+      }
+    ];
+
+    "98-virtual-mic"."context.modules" = [
+      {
+        name = "libpipewire-module-loopback";
+        args = {
+          "audio.position" = "FL,FR";
+          "node.description" = "Mumble as Microphone";
+          "capture.props" = {
+            # Mumble's output node name.
+            "node.target" = "Mumble";
+            "node.passive" = true;
+          };
+          "playback.props" = {
+            "node.name" = "Virtual-Mumble-Microphone";
+            "media.class" = "Audio/Source";
+          };
+        };
+      }
+    ];
+  };
+}

modules/nixos/services/openssh.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  services.openssh = {
+    enable = true;
+    ports = [ 8743 ];
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+      AllowUsers = [ "wo2w" ];
+    };
+  };
+}

modules/nixos/services/tailscale.nix

@@ -0,0 +1,7 @@
+{ config, inputs, pkgs, ... }:
+
+{
+  services.tailscale.enable = true;
+  # fix build failure temporarily
+  services.tailscale.package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.tailscale;
+}