modularize Drone config

2025-08-25 17:10:50 -04:00 · 2025-08-25 17:10:50 -04:00 · fd1f4fc206
commit fd1f4fc206
parent 482f9afc57
8 changed files with 205 additions and 172 deletions
--- a/hosts/Drone/default.nix
+++ b/hosts/Drone/default.nix
@ -12,8 +12,7 @@

    ../../modules/nixos/bash.nix
    ../../modules/nixos/tailscale.nix
-
-    inputs.sops-nix.nixosModules.sops
+    ../../modules/nixos/homeserver
  ];
  
  fileSystems = {
@ -51,37 +50,6 @@
    };
  };

-  sops = {
-    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
-    defaultSopsFormat = "yaml";
-    validateSopsFiles = false;
-
-    age.keyFile = "/root/.config/sops/age/keys.txt";
-
-    secrets = {
-      "caddy/wo2wz.fyi.crt" = {
-        owner = "caddy";
-        group = "caddy";
-        reloadUnits = [ "caddy.service" ];
-      };
-      "caddy/wo2wz.fyi.key" = {
-        owner = "caddy";
-        group = "caddy";
-        reloadUnits = [ "caddy.service" ];
-      };
-
-      "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
-
-      "nextcloud/adminpass" = {};
-
-      "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
-
-      "zipline/secrets.env".restartUnits = [ "zipline.service" ];
-    };
-  };
-
-  users.users.caddy.extraGroups = [ "nextcloud" ];
-
  services = {
    scx.scheduler = lib.mkForce "scx_rusty";

@ -90,145 +58,6 @@
        "hmac-sha2-512"
        "hmac-sha2-256"
    ];
-    
-    cloudflared = {
-      enable = true;
-      tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
-	      credentialsFile = config.sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json".path;
-	      default = "http_status:418";
-      };
-    };
-
-    caddy = {
-      enable = true;
-      virtualHosts = {
-        "drone.taild5f7e6.ts.net".extraConfig = ''
-          encode
-
-          # most of this doesnt matter but why not
-          header {
-              Strict-Transport-Security "max-age=31536000;"
-              X-Frame-Options "SAMEORIGIN"
-              X-Content-Type-Options "nosniff"
-              -Server
-              -X-Powered-By
-          }
-
-          # block connections to admin login
-          respond /admin/* 403
-          
-          reverse_proxy localhost:8000
-        '';
-
-        "wo2wz.fyi".extraConfig = ''
-          encode
-
-          header {
-              X-Robots-Tag "noindex, nofollow"
-              -Server
-          }
-
-          respond "not much to see here"
-        '';
-
-        "zipline.wo2wz.fyi".extraConfig = ''
-          encode
-
-          # most headers are already configured via cloudflare
-          header {
-      	      # nobody is gonna find this site through a search engine anyway
-              X-Robots-Tag "noindex, nofollow"
-              -Server
-          }
-
-          # use cloudflare origin certs for https
-          tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
-
-          reverse_proxy localhost:3000
-        '';
-
-        "nextcloud.wo2wz.fyi".extraConfig = ''
-          encode
-
-          tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
-
-          header {
-              X-Robots-Tag "noindex, nofollow"
-              -Server
-          }
-
-          root ${config.services.nginx.virtualHosts."localhost:8001".root}
-          file_server
-
-          php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
-
-          redir /.well-known/carddav /remote.php/dav 301
-          redir /.well-known/caldav /remote.php/dav 301
-					redir /.well-known/webfinger /index.php/webfinger 301
-					redir /.well-known/nodeinfo /index.php/nodeinfo 301
-          redir /.well-known/* /index.php{uri} 301
-          redir /remote/* /remote.php{uri} 301
-
-          @forbidden {
-            path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
-            path /.* /autotest* /occ* /issue* /indie* /db_* /console*
-            not path /.well-known/*
-          }
-          respond @forbidden 403
-
-          # make .mjs javascript work for the functionality of some buttons/apps
-          @mjs path *.mjs
-          header @mjs Content-Type application/javascript
-        '';
-      };
-    };
-
-    tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
-
-    vaultwarden = {
-      enable = true;
-      backupDir = "/var/backups/vaultwarden";
-      config = {
-        DOMAIN = "https://drone.taild5f7e6.ts.net";
-
-        SIGNUPS_ALLOWED = false;
-      };
-      environmentFile = config.sops.secrets."vaultwarden/secrets.env".path;
-    };
-
-    zipline = {
-      enable = true;
-      settings = {
-	      FEATURES_VERSION_CHECKING = "false";
-      	FEATURES_THUMBNAILS_NUM_THREADS = 2;
-      };
-      environmentFiles = [ config.sops.secrets."zipline/secrets.env".path ];
-    };
-
-    nginx.enable = false;
-    phpfpm.pools.nextcloud.settings = {
-      "listen.owner" = "caddy";
-      "listen.group" = "caddy";
-    };
-    nextcloud = {
-      enable = true;
-      package = pkgs.nextcloud31;
-      hostName = "localhost:8001";
-      config = {
-        adminuser = "wo2w";
-        adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
-        dbtype = "sqlite";
-      };
-      settings = {
-        trusted_domains = [ "nextcloud.wo2wz.fyi" ];
-        trusted_proxies = [ "127.0.0.1" ];
-      };
-
-      maxUploadSize = "200G";
-      extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps) calendar tasks deck twofactor_webauthn;
-      };
-    };
  };

  system.stateVersion = "25.05";
--- a/modules/nixos/homeserver/caddy.nix
+++ b/modules/nixos/homeserver/caddy.nix
@ -0,0 +1,90 @@
+{ config, ... }:
+
+{
+  services = {
+    caddy = {
+      enable = true;
+      virtualHosts = {
+        "drone.taild5f7e6.ts.net".extraConfig = ''
+          encode
+
+          # most of this doesnt matter but why not
+          header {
+              Strict-Transport-Security "max-age=31536000;"
+              X-Frame-Options "SAMEORIGIN"
+              X-Content-Type-Options "nosniff"
+              -Server
+              -X-Powered-By
+          }
+
+          # block connections to admin login
+          respond /admin/* 403
+          
+          reverse_proxy localhost:8000
+        '';
+
+        "wo2wz.fyi".extraConfig = ''
+          encode
+
+          header {
+              X-Robots-Tag "noindex, nofollow"
+              -Server
+          }
+
+          respond "not much to see here"
+        '';
+
+        "nextcloud.wo2wz.fyi".extraConfig = ''
+          encode
+
+          tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
+
+          header {
+              X-Robots-Tag "noindex, nofollow"
+              -Server
+          }
+
+          root ${config.services.nginx.virtualHosts."localhost:8001".root}
+          file_server
+
+          php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
+
+          redir /.well-known/carddav /remote.php/dav 301
+          redir /.well-known/caldav /remote.php/dav 301
+          redir /.well-known/webfinger /index.php/webfinger 301
+          redir /.well-known/nodeinfo /index.php/nodeinfo 301
+          redir /.well-known/* /index.php{uri} 301
+          redir /remote/* /remote.php{uri} 301
+
+          @forbidden {
+            path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+            path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+            not path /.well-known/*
+          }
+          respond @forbidden 403
+
+          # make .mjs javascript work for the functionality of some buttons/apps
+          @mjs path *.mjs
+          header @mjs Content-Type application/javascript
+        '';
+
+        "zipline.wo2wz.fyi".extraConfig = ''
+          encode
+
+          # most headers are already configured via cloudflare
+          header {
+              # nobody is gonna find this site through a search engine anyway
+              X-Robots-Tag "noindex, nofollow"
+              -Server
+          }
+
+          # use cloudflare origin certs for https
+          tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
+
+          reverse_proxy localhost:3000
+        '';
+      };
+    };
+    tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
+  };
+}
--- a/modules/nixos/homeserver/cloudflared.nix
+++ b/modules/nixos/homeserver/cloudflared.nix
@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+  services.cloudflared = {
+    tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
+      credentialsFile = config.sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json".path;
+      default = "http_status:418";
+    };
+  };
+}
--- a/modules/nixos/homeserver/default.nix
+++ b/modules/nixos/homeserver/default.nix
@ -0,0 +1,12 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./caddy.nix
+    ./cloudflared.nix
+    ./nextcloud.nix
+    ./sops.nix
+    ./vaultwarden.nix
+    ./zipline.nix
+  ];
+}
--- a/modules/nixos/homeserver/nextcloud.nix
+++ b/modules/nixos/homeserver/nextcloud.nix
@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.caddy.extraGroups = [ "nextcloud" ];
+  services = {
+    nginx.enable = false; # disable to use caddy instead
+    phpfpm.pools.nextcloud.settings = {
+      "listen.owner" = "caddy";
+      "listen.group" = "caddy";
+    };
+
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud31;
+      hostName = "localhost:8001";
+      config = {
+        adminuser = "wo2w";
+        adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+        dbtype = "sqlite";
+      };
+      settings = {
+        trusted_domains = [ "nextcloud.wo2wz.fyi" ];
+        trusted_proxies = [ "127.0.0.1" ];
+      };
+
+      maxUploadSize = "200G";
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps) calendar tasks deck twofactor_webauthn;
+      };
+    };
+  };
+}
--- a/modules/nixos/homeserver/sops.nix
+++ b/modules/nixos/homeserver/sops.nix
@ -0,0 +1,34 @@
+{ config, ... }:
+
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  sops = {
+    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+    validateSopsFiles = false;
+
+    age.keyFile = "/root/.config/sops/age/keys.txt";
+
+    secrets = {
+      "caddy/wo2wz.fyi.crt" = {
+        owner = "caddy";
+        group = "caddy";
+        reloadUnits = [ "caddy.service" ];
+      };
+      "caddy/wo2wz.fyi.key" = {
+        owner = "caddy";
+        group = "caddy";
+        reloadUnits = [ "caddy.service" ];
+      };
+
+      "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
+
+      "nextcloud/adminpass" = {};
+
+      "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+
+      "zipline/secrets.env".restartUnits = [ "zipline.service" ];
+    };
+  };
+}
--- a/modules/nixos/homeserver/vaultwarden.nix
+++ b/modules/nixos/homeserver/vaultwarden.nix
@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  services.vaultwarden = {
+    enable = true;
+    backupDir = "/var/backups/vaultwarden";
+    config = {
+      DOMAIN = "https://drone.taild5f7e6.ts.net";
+
+      SIGNUPS_ALLOWED = false;
+    };
+    environmentFile = config.sops.secrets."vaultwarden/secrets.env".path;
+  };
+}
--- a/modules/nixos/homeserver/zipline.nix
+++ b/modules/nixos/homeserver/zipline.nix
@ -0,0 +1,12 @@
+{ config, ... }:
+
+{
+  services.zipline = {
+    enable = true;
+    settings = {
+      FEATURES_VERSION_CHECKING = "false";
+      FEATURES_THUMBNAILS_NUM_THREADS = 2;
+    };
+    environmentFiles = [ config.sops.secrets."zipline/secrets.env".path ];
+  };
+}