modularize Drone config

2025-08-25 17:10:50 -04:00 · 2025-08-25 17:10:50 -04:00 · fd1f4fc206
commit fd1f4fc206
parent 482f9afc57
8 changed files with 205 additions and 172 deletions
--- a/hosts/Drone/default.nix
+++ b/hosts/Drone/default.nix
@ -12,8 +12,7 @@

    ../../modules/nixos/bash.nix
    ../../modules/nixos/tailscale.nix
-
-    inputs.sops-nix.nixosModules.sops
+    ../../modules/nixos/homeserver
  ];
  
  fileSystems = {
@ -51,37 +50,6 @@
    };
  };

-  sops = {
-    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    defaultSopsFormat = "yaml";
-    validateSopsFiles = false;
-
-    age.keyFile = "/root/.config/sops/age/keys.txt";
-
-    secrets = {
-      "caddy/wo2wz.fyi.crt" = {
-        owner = "caddy";
-        group = "caddy";
-        reloadUnits = [ "caddy.service" ];
-      };
-      "caddy/wo2wz.fyi.key" = {
-        owner = "caddy";
-        group = "caddy";
-        reloadUnits = [ "caddy.service" ];
-      };
-
-      "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
-
-      "nextcloud/adminpass" = {};
-
-      "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
-
-      "zipline/secrets.env".restartUnits = [ "zipline.service" ];
-    };
-  };
-
-  users.users.caddy.extraGroups = [ "nextcloud" ];
-
  services = {
    scx.scheduler = lib.mkForce "scx_rusty";

@ -90,145 +58,6 @@
        "hmac-sha2-512"
        "hmac-sha2-256"
    ];
-    
-    cloudflared = {
-      enable = true;
-      tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
-	      credentialsFile = config.sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json".path;
-	      default = "http_status:418";
-      };
-    };
-
-    caddy = {
-      enable = true;
-      virtualHosts = {
-        "drone.taild5f7e6.ts.net".extraConfig = ''
-          encode
-
-          # most of this doesnt matter but why not
-          header {
-              Strict-Transport-Security "max-age=31536000;"
-              X-Frame-Options "SAMEORIGIN"
-              X-Content-Type-Options "nosniff"
-              -Server
-              -X-Powered-By
-          }
-
-          # block connections to admin login
-          respond /admin/* 403
-          
-          reverse_proxy localhost:8000
-        '';
-
-        "wo2wz.fyi".extraConfig = ''
-          encode
-
-          header {
-              X-Robots-Tag "noindex, nofollow"
-              -Server
-          }
-
-          respond "not much to see here"
-        '';
-
-        "zipline.wo2wz.fyi".extraConfig = ''
-          encode
-
-          # most headers are already configured via cloudflare
-          header {
-      	      # nobody is gonna find this site through a search engine anyway
-              X-Robots-Tag "noindex, nofollow"
-              -Server
-          }
-
-          # use cloudflare origin certs for https
-          tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
-
-          reverse_proxy localhost:3000
-        '';
-
-        "nextcloud.wo2wz.fyi".extraConfig = ''
-          encode
-
-          tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
-
-          header {
-              X-Robots-Tag "noindex, nofollow"
-              -Server
-          }
-
-          root ${config.services.nginx.virtualHosts."localhost:8001".root}
-          file_server
-
-          php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
-
-          redir /.well-known/carddav /remote.php/dav 301
-          redir /.well-known/caldav /remote.php/dav 301
-					redir /.well-known/webfinger /index.php/webfinger 301
-					redir /.well-known/nodeinfo /index.php/nodeinfo 301
-          redir /.well-known/* /index.php{uri} 301
-          redir /remote/* /remote.php{uri} 301
-
-          @forbidden {
-            path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
-            path /.* /autotest* /occ* /issue* /indie* /db_* /console*
-            not path /.well-known/*
-          }
-          respond @forbidden 403
-
-          # make .mjs javascript work for the functionality of some buttons/apps
-          @mjs path *.mjs
-          header @mjs Content-Type application/javascript
-        '';
-      };
-    };
-
-    tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
-
-    vaultwarden = {
-      enable = true;
-      backupDir = "/var/backups/vaultwarden";
-      config = {
-        DOMAIN = "https://drone.taild5f7e6.ts.net";
-
-        SIGNUPS_ALLOWED = false;
-      };
-      environmentFile = config.sops.secrets."vaultwarden/secrets.env".path;
-    };
-
-    zipline = {
-      enable = true;
-      settings = {
-	      FEATURES_VERSION_CHECKING = "false";
-      	FEATURES_THUMBNAILS_NUM_THREADS = 2;
-      };
-      environmentFiles = [ config.sops.secrets."zipline/secrets.env".path ];
-    };
-
-    nginx.enable = false;
-    phpfpm.pools.nextcloud.settings = {
-      "listen.owner" = "caddy";
-      "listen.group" = "caddy";
-    };
-    nextcloud = {
-      enable = true;
-      package = pkgs.nextcloud31;
-      hostName = "localhost:8001";
-      config = {
-        adminuser = "wo2w";
-        adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
-        dbtype = "sqlite";
-      };
-      settings = {
-        trusted_domains = [ "nextcloud.wo2wz.fyi" ];
-        trusted_proxies = [ "127.0.0.1" ];
-      };
-
-      maxUploadSize = "200G";
-      extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps) calendar tasks deck twofactor_webauthn;
-      };
-    };
  };

  system.stateVersion = "25.05";