From fd1f4fc206f34e91ffa0ae7c22ed1def091c7abc Mon Sep 17 00:00:00 2001
From: wo2wz <189177184+wo2wz@users.noreply.github.com>
Date: Mon, 25 Aug 2025 17:10:50 -0400
Subject: [PATCH] modularize Drone config

---
 hosts/Drone/default.nix | 173 +----------------------
 modules/nixos/homeserver/caddy.nix | 90 ++++++++++++
 modules/nixos/homeserver/cloudflared.nix | 10 ++
 modules/nixos/homeserver/default.nix | 12 ++
 modules/nixos/homeserver/nextcloud.nix | 32 +++++
 modules/nixos/homeserver/sops.nix | 34 +++++
 modules/nixos/homeserver/vaultwarden.nix | 14 ++
 modules/nixos/homeserver/zipline.nix | 12 ++
 8 files changed, 205 insertions(+), 172 deletions(-)
 create mode 100644 modules/nixos/homeserver/caddy.nix
 create mode 100644 modules/nixos/homeserver/cloudflared.nix
 create mode 100644 modules/nixos/homeserver/default.nix
 create mode 100644 modules/nixos/homeserver/nextcloud.nix
 create mode 100644 modules/nixos/homeserver/sops.nix
 create mode 100644 modules/nixos/homeserver/vaultwarden.nix
 create mode 100644 modules/nixos/homeserver/zipline.nix

diff --git a/hosts/Drone/default.nix b/hosts/Drone/default.nix
index 13b7e01..5434fef 100644
--- a/hosts/Drone/default.nix
+++ b/hosts/Drone/default.nix
@@ -12,8 +12,7 @@ ../../modules/nixos/bash.nix ../../modules/nixos/tailscale.nix - - inputs.sops-nix.nixosModules.sops + ../../modules/nixos/homeserver ]; fileSystems = { 
@@ -51,37 +50,6 @@ }; }; - sops = { - defaultSopsFile = "/etc/nixos/secrets/secrets.yaml"; - defaultSopsFormat = "yaml"; - validateSopsFiles = false; - - age.keyFile = "/root/.config/sops/age/keys.txt"; - - secrets = { - "caddy/wo2wz.fyi.crt" = { - owner = "caddy"; - group = "caddy"; - reloadUnits = [ "caddy.service" ]; - }; - "caddy/wo2wz.fyi.key" = { - owner = "caddy"; - group = "caddy"; - reloadUnits = [ "caddy.service" ]; - }; - - "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {}; - - "nextcloud/adminpass" = {}; - - "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ]; - - "zipline/secrets.env".restartUnits = [ "zipline.service" ]; - }; - }; - - users.users.caddy.extraGroups = [ "nextcloud" ]; - services = { scx.scheduler = lib.mkForce "scx_rusty"; 
@@ -90,145 +58,6 @@ "hmac-sha2-512" "hmac-sha2-256" ]; - - cloudflared = { - enable = true; - tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = { - credentialsFile = config.sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json".path; - default = "http_status:418"; - }; - }; - - caddy = { - enable = true; - virtualHosts = { - "drone.taild5f7e6.ts.net".extraConfig = '' - encode - - # most of this doesnt matter but why not - header { - Strict-Transport-Security "max-age=31536000;" - X-Frame-Options "SAMEORIGIN" - X-Content-Type-Options "nosniff" - -Server - -X-Powered-By - } - - # block connections to admin login - respond /admin/* 403 - - reverse_proxy localhost:8000 - ''; - - "wo2wz.fyi".extraConfig = '' - encode - - header { - X-Robots-Tag "noindex, nofollow" - -Server - } - - respond "not much to see here" - ''; - - "zipline.wo2wz.fyi".extraConfig = '' - encode - - # most headers are already configured via cloudflare - header { - # nobody is gonna find this site through a search engine anyway - X-Robots-Tag "noindex, nofollow" - -Server - } - - # use cloudflare origin certs for https - tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path} - - reverse_proxy localhost:3000 - ''; - - "nextcloud.wo2wz.fyi".extraConfig = '' - encode - - tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path} - - header { - X-Robots-Tag "noindex, nofollow" - -Server - } - - root ${config.services.nginx.virtualHosts."localhost:8001".root} - file_server - - php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} - - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/webfinger /index.php/webfinger 301 - redir /.well-known/nodeinfo /index.php/nodeinfo 301 - redir /.well-known/* /index.php{uri} 301 - redir /remote/* /remote.php{uri} 301 - - @forbidden { - path /build/* /tests/* /config/* /lib/* /3rdparty/* 
/templates/* /data/* - path /.* /autotest* /occ* /issue* /indie* /db_* /console* - not path /.well-known/* - } - respond @forbidden 403 - - # make .mjs javascript work for the functionality of some buttons/apps - @mjs path *.mjs - header @mjs Content-Type application/javascript - ''; - }; - }; - - tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs - - vaultwarden = { - enable = true; - backupDir = "/var/backups/vaultwarden"; - config = { - DOMAIN = "https://drone.taild5f7e6.ts.net"; - - SIGNUPS_ALLOWED = false; - }; - environmentFile = config.sops.secrets."vaultwarden/secrets.env".path; - }; - - zipline = { - enable = true; - settings = { - FEATURES_VERSION_CHECKING = "false"; - FEATURES_THUMBNAILS_NUM_THREADS = 2; - }; - environmentFiles = [ config.sops.secrets."zipline/secrets.env".path ]; - }; - - nginx.enable = false; - phpfpm.pools.nextcloud.settings = { - "listen.owner" = "caddy"; - "listen.group" = "caddy"; - }; - nextcloud = { - enable = true; - package = pkgs.nextcloud31; - hostName = "localhost:8001"; - config = { - adminuser = "wo2w"; - adminpassFile = config.sops.secrets."nextcloud/adminpass".path; - dbtype = "sqlite"; - }; - settings = { - trusted_domains = [ "nextcloud.wo2wz.fyi" ]; - trusted_proxies = [ "127.0.0.1" ]; - }; - - maxUploadSize = "200G"; - extraApps = { - inherit (config.services.nextcloud.package.packages.apps) calendar tasks deck twofactor_webauthn; - }; - }; }; system.stateVersion = "25.05"; diff --git a/modules/nixos/homeserver/caddy.nix b/modules/nixos/homeserver/caddy.nix new file mode 100644 index 0000000..10f7239 --- /dev/null +++ b/modules/nixos/homeserver/caddy.nix 
@@ -0,0 +1,90 @@
+{ config, ... }:
+
+{
+ services = {
+ caddy = {
+ enable = true;
+ virtualHosts = {
+ "drone.taild5f7e6.ts.net".extraConfig = ''
+ encode
+
+ # most of this doesnt matter but why not
+ header {
+ Strict-Transport-Security "max-age=31536000;"
+ X-Frame-Options "SAMEORIGIN"
+ X-Content-Type-Options "nosniff"
+ -Server
+ -X-Powered-By
+ }
+
+ # block connections to admin login
+ respond /admin/* 403
+
+ reverse_proxy localhost:8000
+ '';
+
+ "wo2wz.fyi".extraConfig = ''
+ encode
+
+ header {
+ X-Robots-Tag "noindex, nofollow"
+ -Server
+ }
+
+ respond "not much to see here"
+ '';
+
+ "nextcloud.wo2wz.fyi".extraConfig = ''
+ encode
+
+ tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
+
+ header {
+ X-Robots-Tag "noindex, nofollow"
+ -Server
+ }
+
+ root ${config.services.nginx.virtualHosts."localhost:8001".root}
+ file_server
+
+ php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
+
+ redir /.well-known/carddav /remote.php/dav 301
+ redir /.well-known/caldav /remote.php/dav 301
+ redir /.well-known/webfinger /index.php/webfinger 301
+ redir /.well-known/nodeinfo /index.php/nodeinfo 301
+ redir /.well-known/* /index.php{uri} 301
+ redir /remote/* /remote.php{uri} 301
+
+ @forbidden {
+ path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+ path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+ not path /.well-known/*
+ }
+ respond @forbidden 403
+
+ # make .mjs javascript work for the functionality of some buttons/apps
+ @mjs path *.mjs
+ header @mjs Content-Type application/javascript
+ '';
+
+ "zipline.wo2wz.fyi".extraConfig = ''
+ encode
+
+ # most headers are already configured via cloudflare
+ header {
+ # nobody is gonna find this site through a search engine anyway
+ X-Robots-Tag "noindex, nofollow"
+ -Server
+ }
+
+ # use cloudflare origin certs for https
+ tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} 
${config.sops.secrets."caddy/wo2wz.fyi.key".path}
+
+ reverse_proxy localhost:3000
+ '';
+ };
+ };
+ tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/homeserver/cloudflared.nix b/modules/nixos/homeserver/cloudflared.nix
new file mode 100644
index 0000000..cd663e5
--- /dev/null
+++ b/modules/nixos/homeserver/cloudflared.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+ services.cloudflared = {
+ tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
+ credentialsFile = config.sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json".path;
+ default = "http_status:418";
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/homeserver/default.nix b/modules/nixos/homeserver/default.nix
new file mode 100644
index 0000000..03e6d43
--- /dev/null
+++ b/modules/nixos/homeserver/default.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+
+{
+ imports = [
+ ./caddy.nix
+ ./cloudflared.nix
+ ./nextcloud.nix
+ ./sops.nix
+ ./vaultwarden.nix
+ ./zipline.nix
+ ];
+}
\ No newline at end of file
diff --git a/modules/nixos/homeserver/nextcloud.nix b/modules/nixos/homeserver/nextcloud.nix
new file mode 100644
index 0000000..56f2bc6
--- /dev/null
+++ b/modules/nixos/homeserver/nextcloud.nix 
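Review bot: `respond /admin/* 403` on the `drone.taild5f7e6.ts.net` host does not cover `/admin` itself — Caddy's `/admin/*` path matcher matches `/admin/` and everything beneath it, but not the bare `/admin` path, which is where the upstream on `localhost:8000` (Vaultwarden, judging by the `DOMAIN` set in vaultwarden.nix) serves its admin page when an admin token is configured. If the intent behind `# block connections to admin login` is to keep that page off the tailnet host, use a named matcher covering both forms: `@admin path /admin /admin/*` followed by `respond @admin 403`. Whether the admin panel is actually enabled depends on the environment file, which is not visible in this diff.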
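Review bot: `services.cloudflared` in cloudflared.nix no longer carries `enable = true;`, which the block removed from hosts/Drone/default.nix did have; with only `tunnels` set, the NixOS module will not start cloudflared, so the tunnel goes down after this commit while every other new module kept its `enable = true;`. Add `enable = true;` as the first attribute of `services.cloudflared`.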
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.caddy.extraGroups = [ "nextcloud" ];
+ services = {
+ nginx.enable = false; # disable to use caddy instead
+ phpfpm.pools.nextcloud.settings = {
+ "listen.owner" = "caddy";
+ "listen.group" = "caddy";
+ };
+
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud31;
+ hostName = "localhost:8001";
+ config = {
+ adminuser = "wo2w";
+ adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+ dbtype = "sqlite";
+ };
+ settings = {
+ trusted_domains = [ "nextcloud.wo2wz.fyi" ];
+ trusted_proxies = [ "127.0.0.1" ];
+ };
+
+ maxUploadSize = "200G";
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps) calendar tasks deck twofactor_webauthn;
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/homeserver/sops.nix b/modules/nixos/homeserver/sops.nix
new file mode 100644
index 0000000..3825980
--- /dev/null
+++ b/modules/nixos/homeserver/sops.nix
@@ -0,0 +1,34 @@
+{ config, ... }:
+
+{
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ sops = {
+ defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+ defaultSopsFormat = "yaml";
+ validateSopsFiles = false;
+
+ age.keyFile = "/root/.config/sops/age/keys.txt";
+
+ secrets = {
+ "caddy/wo2wz.fyi.crt" = {
+ owner = "caddy";
+ group = "caddy";
+ reloadUnits = [ "caddy.service" ];
+ };
+ "caddy/wo2wz.fyi.key" = {
+ owner = "caddy";
+ group = "caddy";
+ reloadUnits = [ "caddy.service" ];
+ };
+
+ "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
+
+ "nextcloud/adminpass" = {};
+
+ "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+
+ "zipline/secrets.env".restartUnits = [ "zipline.service" ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/homeserver/vaultwarden.nix b/modules/nixos/homeserver/vaultwarden.nix
new file mode 100644
index 0000000..90d8641
--- /dev/null
+++ b/modules/nixos/homeserver/vaultwarden.nix 
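Review bot: `hostName = "localhost:8001";` is not just Nextcloud's host name — it is also the `services.nginx.virtualHosts` key that caddy.nix reads back as `config.services.nginx.virtualHosts."localhost:8001".root` to find the web root, and `phpfpm.pools.nextcloud.settings` plus `users.users.caddy.extraGroups` exist only so the Caddy vhost in that other file can reach the socket and data; nothing in this file says so. A comment on the `hostName` line, e.g. `# also the nginx.virtualHosts key caddy.nix uses for root/php_fastcgi; change both together`, and one on `users.users.caddy.extraGroups` naming caddy.nix would stop the two files drifting apart during the next refactor.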
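Review bot: `imports = [ inputs.sops-nix.nixosModules.sops ];` references `inputs`, but sops.nix's argument pattern is `{ config, ... }:`, so `inputs` is an undefined variable and evaluating this module fails; the old host file could use it because it named it in its own pattern (the first hunk of hosts/Drone/default.nix removes that import line). Change the first line to `{ config, inputs, ... }:`, or leave the sops-nix import in the host file. `config` is unused in this file and can be dropped from the pattern at the same time.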
@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ backupDir = "/var/backups/vaultwarden";
+ config = {
+ DOMAIN = "https://drone.taild5f7e6.ts.net";
+
+ SIGNUPS_ALLOWED = false;
+ };
+ environmentFile = config.sops.secrets."vaultwarden/secrets.env".path;
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/homeserver/zipline.nix b/modules/nixos/homeserver/zipline.nix
new file mode 100644
index 0000000..0264502
--- /dev/null
+++ b/modules/nixos/homeserver/zipline.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+
+{
+ services.zipline = {
+ enable = true;
+ settings = {
+ FEATURES_VERSION_CHECKING = "false";
+ FEATURES_THUMBNAILS_NUM_THREADS = 2;
+ };
+ environmentFiles = [ config.sops.secrets."zipline/secrets.env".path ];
+ };
+}
\ No newline at end of file
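Review bot: `services.vaultwarden.config` sets only `DOMAIN` and `SIGNUPS_ALLOWED`, and as far as I recall the NixOS module's default for that option (which binds the listener to loopback) is replaced, not merged, once the option is set — so unless `vaultwarden/secrets.env` sets it, Vaultwarden falls back to its own default of listening on all interfaces on port 8000, reachable directly and bypassing the Caddy vhost and its `/admin` rule. Pin the listener to what caddy.nix proxies to by adding `ROCKET_ADDRESS = "127.0.0.1";` and `ROCKET_PORT = 8000;` inside `config`. The environment file is not visible in this diff, so confirm it does not already set these before relying on it.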
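Review bot: `settings` mixes value types: `FEATURES_VERSION_CHECKING = "false";` is a string while `FEATURES_THUMBNAILS_NUM_THREADS = 2;` is an integer on the next line. If the option type accepts booleans, `FEATURES_VERSION_CHECKING = false;` says what it means and matches the unquoted integer; if the quoted form is required by how the module renders the environment, a comment such as `# zipline reads this as the literal string "false"` would keep the next reader from "fixing" it.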