diff --git a/system/accounts/users/system/nginx/default.nix b/system/accounts/users/system/nginx/default.nix
index 2c5fa8a..c625847 100644
--- a/system/accounts/users/system/nginx/default.nix
+++ b/system/accounts/users/system/nginx/default.nix
@@ -3,10 +3,7 @@
   users = {
     users.nginx = {
       group = "nginx";
-      extraGroups = [
-        "turnserver"
-        "virtualMail"
-      ];
+      extraGroups = [ "virtualMail" ];
       isSystemUser = true;
       uid = 60;
     };
diff --git a/system/devices/boot/root-reset/default.nix b/system/devices/boot/root-reset/default.nix
index c7ac461..d8be8d6 100644
--- a/system/devices/boot/root-reset/default.nix
+++ b/system/devices/boot/root-reset/default.nix
@@ -1,7 +1,6 @@
 { config, ... }:
 {
   boot.initrd.systemd.services.root-reset = {
-    enable = true;
     description = "Create new and snapshot previous root";
     wantedBy = [ "initrd.target" ];
     before = [ "sysroot.mount" ];
diff --git a/system/devices/disks/snapper/jimbo/default.nix b/system/devices/disks/snapper/jimbo/default.nix
index 229beef..56e07d5 100644
--- a/system/devices/disks/snapper/jimbo/default.nix
+++ b/system/devices/disks/snapper/jimbo/default.nix
@@ -1,6 +1,6 @@
-{ config, lib, ... }:
+{ ... }:
 {
-  services.snapper.configs.jimbo = lib.mkIf config.environment.persistence."/persist".enable {
+  services.snapper.configs.jimbo = {
     SUBVOLUME = "/persist/home/jimbo";
     TIMELINE_CREATE = true;
     TIMELINE_CLEANUP = true;
diff --git a/system/devices/disks/snapper/jules/default.nix b/system/devices/disks/snapper/jules/default.nix
index b9bbf9e..cdbabfd 100644
--- a/system/devices/disks/snapper/jules/default.nix
+++ b/system/devices/disks/snapper/jules/default.nix
@@ -1,6 +1,6 @@
-{ config, lib, ... }:
+{ ... }:
 {
-  services.snapper.configs.jules = lib.mkIf config.environment.persistence."/persist".enable {
+  services.snapper.configs.jules = {
     SUBVOLUME = "/persist/home/jules";
     TIMELINE_CREATE = true;
     TIMELINE_CLEANUP = true;
diff --git a/system/devices/disks/snapper/root/default.nix b/system/devices/disks/snapper/root/default.nix
index b6de751..92e28cf 100644
--- a/system/devices/disks/snapper/root/default.nix
+++ b/system/devices/disks/snapper/root/default.nix
@@ -1,6 +1,6 @@
-{ config, lib, ... }:
+{ ... }:
 {
-  services.snapper.configs.root = lib.mkIf config.environment.persistence."/persist".enable {
+  services.snapper.configs.root = {
     SUBVOLUME = "/persist";
     TIMELINE_CREATE = true;
     TIMELINE_CLEANUP = true;
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index d18b6b7..6f2918e 100644
Binary files a/system/secrets/default.nix and b/system/secrets/default.nix differ
diff --git a/system/services/server/default.nix b/system/services/server/default.nix
index 6ad7046..1fa1c26 100644
--- a/system/services/server/default.nix
+++ b/system/services/server/default.nix
@@ -7,10 +7,10 @@
     ./mysql
     ./nextcloud
     ./nfs
+    ./nginx
     ./owncast
     ./transmission
     ./vaultwarden
-    ./webserver
   ];
 
   options.system.server.enable = with lib; mkEnableOption "Enable server apps and services";
diff --git a/system/services/server/forgejo/default.nix b/system/services/server/forgejo/default.nix
index 9f6de97..963bfe1 100644
--- a/system/services/server/forgejo/default.nix
+++ b/system/services/server/forgejo/default.nix
@@ -8,17 +8,17 @@
     package = pkgs.forgejo;
     settings = {
       server = {
-        DOMAIN = "git.nixfox.ca";
-        ROOT_URL = "https://git.nixfox.ca:443";
+        DOMAIN = "git.example.com";
+        ROOT_URL = "https://git.example.com:443";
         HTTP_PORT = 3110;
         SSH_PORT = 2299;
         START_SSH_SERVER = true;
       };
       mailer = {
         ENABLED = true;
-        SMTP_ADDR = "mx.nixfox.ca";
-        FROM = "NixFox Git ";
-        USER = "noreply@nixfox.ca";
+        SMTP_ADDR = "mx.example.com";
+        FROM = "Example Git ";
+        USER = "noreply@example.com";
         PASSWD = config.secrets.noreplyPassword;
         PROTOCOL = "smtps";
       };
diff --git a/system/services/server/forgejo/nginx/default.nix b/system/services/server/forgejo/nginx/default.nix
index 5428884..f33cade 100644
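Review bot: `PASSWD = config.secrets.noreplyPassword;` in the mailer section remains a plain value inside `services.forgejo.settings`, and as far as I know the NixOS module renders that attribute set into an app.ini that lives in the world-readable Nix store, so the SMTP password is readable by every local user regardless of how the repository's secrets file is protected. The same pattern is carried over unchanged in the nextcloud hunk (`adminpassFile` built with `pkgs.writeText` and `mail_smtppassword` inside `settings`), the transmission hunk (`credentialsFile = pkgs.writeText ...`, which stores the credentials file in the store even though the option exists to keep it out) and the vaultwarden hunk (`SMTP_PASSWORD` inside `config`). Each module has a file-based option for this: here the line would become `secrets.mailer.PASSWD = "<path to a secret file outside the store>";` with `PASSWD` dropped from `settings`, and the others map to `services.nextcloud.secretFile`, a non-store path for `services.transmission.credentialsFile`, and `services.vaultwarden.environmentFile`. The enclosing `services.forgejo` block starts before this hunk.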
--- a/system/services/server/forgejo/nginx/default.nix
+++ b/system/services/server/forgejo/nginx/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts."git.nixfox.ca" = lib.mkIf config.services.forgejo.enable {
+  services.nginx.virtualHosts."git.example.com" = lib.mkIf config.services.forgejo.enable {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
diff --git a/system/services/server/jellyfin/nginx/default.nix b/system/services/server/jellyfin/nginx/default.nix
index bc9db65..73cd9da 100644
--- a/system/services/server/jellyfin/nginx/default.nix
+++ b/system/services/server/jellyfin/nginx/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts."jelly.nixfox.ca" = lib.mkIf config.services.forgejo.enable {
+  services.nginx.virtualHosts."jelly.example.com" = lib.mkIf config.services.forgejo.enable {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
diff --git a/system/services/server/mysql/default.nix b/system/services/server/mysql/default.nix
index 65d5e15..4bd6b62 100644
--- a/system/services/server/mysql/default.nix
+++ b/system/services/server/mysql/default.nix
@@ -1,7 +1,7 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 {
-  services.mysql = lib.mkIf config.system.server.enable {
-    enable = true;
+  services.mysql = {
+    enable = config.system.server.enable;
     package = pkgs.mariadb;
     ensureDatabases = [
       "minecraft"
diff --git a/system/services/server/nextcloud/default.nix b/system/services/server/nextcloud/default.nix
index 6bdb1de..de2e455 100644
--- a/system/services/server/nextcloud/default.nix
+++ b/system/services/server/nextcloud/default.nix
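Review bot: The jellyfin virtual host is gated on `config.services.forgejo.enable`, which looks like a leftover from copying the forgejo file above: `jelly.example.com` is served, and its ACME certificate requested, whenever forgejo is enabled and disappears when forgejo is turned off, independent of jellyfin's own state. If jellyfin is configured through the standard module this line should read `services.nginx.virtualHosts."jelly.example.com" = lib.mkIf config.services.jellyfin.enable {`. The vhost body continues past the hunk.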
@@ -1,30 +1,28 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.server.enable {
-    services.nextcloud = {
-      enable = true;
-      package = pkgs.nextcloud30;
-      hostName = "cloud.nixfox.ca";
-      https = true;
-      config = {
-        adminuser = config.sysusers.main;
-        adminpassFile = "${pkgs.writeText "initial" config.secrets.initialPass}";
-      };
-      settings = {
-        trusted_proxies = [ "127.0.0.1" ];
-        trusted_domains = [ "cloud.nixfox.ca" ];
-        overwriteprotocol = "https";
-        mail_smtphost = "mx.nixfox.ca";
-        mail_domain = "nixfox.ca";
-        mail_from_address = "noreply";
-        mail_smtpauth = "true";
-        mail_smtpname = "noreply@nixfox.ca";
-        mail_smtppassword = config.secrets.noreplyPassword;
-        mail_smtpmode = "smtp";
-        mail_smtpport = 587;
-      };
+  services.nextcloud = {
+    enable = config.system.server.enable;
+    package = pkgs.nextcloud30;
+    hostName = "cloud.example.com";
+    https = true;
+    config = {
+      adminuser = config.sysusers.main;
+      adminpassFile = "${pkgs.writeText "initial" config.secrets.initialPass}";
+    };
+    settings = {
+      trusted_proxies = [ "127.0.0.1" ];
+      trusted_domains = [ "cloud.example.com" ];
+      overwriteprotocol = "https";
+      mail_smtphost = "mx.example.com";
+      mail_domain = "example.com";
+      mail_from_address = "noreply";
+      mail_smtpauth = "true";
+      mail_smtpname = "noreply@example.com";
+      mail_smtppassword = config.secrets.noreplyPassword;
+      mail_smtpmode = "smtp";
+      mail_smtpport = 587;
     };
   };
 }
diff --git a/system/services/server/nextcloud/nginx/default.nix b/system/services/server/nextcloud/nginx/default.nix
index 88712d4..b3e87a7 100644
--- a/system/services/server/nextcloud/nginx/default.nix
+++ b/system/services/server/nextcloud/nginx/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts."cloud.nixfox.ca" = lib.mkIf config.services.nextcloud.enable {
+  services.nginx.virtualHosts."cloud.example.com" = lib.mkIf config.services.nextcloud.enable {
     enableACME = true;
     addSSL = true;
     locations."/" = {
diff --git a/system/services/server/webserver/acme/default.nix b/system/services/server/nginx/acme/default.nix
similarity index 100%
rename from system/services/server/webserver/acme/default.nix
rename to system/services/server/nginx/acme/default.nix
diff --git a/system/services/server/nginx/default.nix b/system/services/server/nginx/default.nix
new file mode 100644
index 0000000..0ad0194
--- /dev/null
+++ b/system/services/server/nginx/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+{
+  imports = [ ./virtualhosts ];
+
+  services.nginx = {
+    enable = config.system.server.enable;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
diff --git a/system/services/server/webserver/nginx/virtualhosts/default.nix b/system/services/server/nginx/virtualhosts/default.nix
similarity index 100%
rename from system/services/server/webserver/nginx/virtualhosts/default.nix
rename to system/services/server/nginx/virtualhosts/default.nix
diff --git a/system/services/server/webserver/nginx/virtualhosts/example/default.nix b/system/services/server/nginx/virtualhosts/example/default.nix
similarity index 100%
rename from system/services/server/webserver/nginx/virtualhosts/example/default.nix
rename to system/services/server/nginx/virtualhosts/example/default.nix
diff --git a/system/services/server/owncast/default.nix b/system/services/server/owncast/default.nix
index fd66cd6..a1cd7ab 100644
--- a/system/services/server/owncast/default.nix
+++ b/system/services/server/owncast/default.nix
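Review bot: `addSSL = true;` keeps `cloud.example.com` reachable over plain HTTP alongside HTTPS, while every other vhost in this commit uses `forceSSL` and the nextcloud hunk itself sets `https = true` and `overwriteprotocol = "https"`. Unless unencrypted access is intentionally kept for some client, `forceSSL = true;` would redirect HTTP to HTTPS and keep session cookies and credentials off the clear-text port, consistent with the other hosts. The vhost body continues past the hunk.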
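Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` is now unconditional, whereas in the deleted `webserver/nginx/default.nix` it sat inside `config = lib.mkIf config.system.server.enable { ... }`, so this commit opens 80 and 443 on every host that imports the server tree even when `system.server.enable` is false and nginx is not running. `lib` is already in the file's arguments and otherwise unused, so `networking.firewall.allowedTCPPorts = lib.mkIf config.system.server.enable [ 80 443 ];` restores the previous gating. Separately, `imports = [ ./virtualhosts ];` drops the `./acme` entry the deleted `webserver/default.nix` had, and the renamed `nginx/acme/default.nix` is not imported anywhere else in this diff even though every vhost sets `enableACME = true`; `imports = [ ./acme ./virtualhosts ];` is presumably intended unless acme is wired in from a file outside this change.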
@@ -1,13 +1,11 @@
-{ config, lib, ... }:
+{ config, ... }:
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.server.enable {
-    services.owncast = {
-      enable = true;
-      port = 8060;
-      rtmp-port = 1945;
-      listen = "0.0.0.0";
-    };
+  services.owncast = {
+    enable = config.system.server.enable;
+    port = 8060;
+    rtmp-port = 1945;
+    listen = "0.0.0.0";
   };
 }
diff --git a/system/services/server/owncast/nginx/default.nix b/system/services/server/owncast/nginx/default.nix
index abc052f..5dee103 100644
--- a/system/services/server/owncast/nginx/default.nix
+++ b/system/services/server/owncast/nginx/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts."live.nixfox.ca" = lib.mkIf config.services.owncast.enable {
+  services.nginx.virtualHosts."live.example.com" = lib.mkIf config.services.owncast.enable {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
diff --git a/system/services/server/transmission/default.nix b/system/services/server/transmission/default.nix
index fbf29bb..c6594e1 100644
--- a/system/services/server/transmission/default.nix
+++ b/system/services/server/transmission/default.nix
@@ -1,13 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.server.enable {
-    services.transmission = {
-      enable = true;
-      credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
-      openPeerPorts = true;
-      settings.rpc-authentication-required = true;
-    };
+  services.transmission = {
+    enable = config.system.server.enable;
+    credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
+    openPeerPorts = true;
+    settings.rpc-authentication-required = true;
   };
 }
diff --git a/system/services/server/transmission/nginx/default.nix b/system/services/server/transmission/nginx/default.nix
index c4c737a..ee0ec29 100644
--- a/system/services/server/transmission/nginx/default.nix
+++ b/system/services/server/transmission/nginx/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts."tor.nixfox.ca" = lib.mkIf config.services.transmission.enable {
+  services.nginx.virtualHosts."tor.example.com" = lib.mkIf config.services.transmission.enable {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
diff --git a/system/services/server/vaultwarden/default.nix b/system/services/server/vaultwarden/default.nix
index 2b2e1a9..47bb956 100644
--- a/system/services/server/vaultwarden/default.nix
+++ b/system/services/server/vaultwarden/default.nix
@@ -1,27 +1,25 @@
-{ config, lib, ... }:
+{ config, ... }:
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.server.enable {
-    services.vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = "https://pass.nixfox.ca";
-        SIGNUPS_ALLOWED = false;
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = 8222;
-        ROCKET_LOG = "critical";
+  services.vaultwarden = {
+    enable = config.system.server.enable;
+    config = {
+      DOMAIN = "https://pass.example.com";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+      ROCKET_LOG = "critical";
 
-        # Smtp email
-        SMTP_HOST = "mx.nixfox.ca";
-        SMTP_FROM = "noreply@nixfox.ca";
-        SMTP_FROM_NAME = "Vaultwarden";
-        SMTP_USERNAME = "noreply@nixfox.ca";
-        SMTP_PASSWORD = config.secrets.noreplyPassword;
-        SMTP_SECURITY = "starttls";
-        SMTP_PORT = 587;
-        SMTP_TIMEOUT = 15;
-      };
+      # Smtp email
+      SMTP_HOST = "mx.example.com";
+      SMTP_FROM = "noreply@example.com";
+      SMTP_FROM_NAME = "Vaultwarden";
+      SMTP_USERNAME = "noreply@example.com";
+      SMTP_PASSWORD = config.secrets.noreplyPassword;
+      SMTP_SECURITY = "starttls";
+      SMTP_PORT = 587;
+      SMTP_TIMEOUT = 15;
     };
   };
 }
diff --git a/system/services/server/vaultwarden/nginx/default.nix b/system/services/server/vaultwarden/nginx/default.nix
index 0877413..c2df452 100644
--- a/system/services/server/vaultwarden/nginx/default.nix
+++ b/system/services/server/vaultwarden/nginx/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts."pass.nixfox.ca" = lib.mkIf config.services.vaultwarden.enable {
+  services.nginx.virtualHosts."pass.example.com" = lib.mkIf config.services.vaultwarden.enable {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
diff --git a/system/services/server/webserver/default.nix b/system/services/server/webserver/default.nix
deleted file mode 100644
index 5ccf66c..0000000
--- a/system/services/server/webserver/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ lib, ... }:
-{
-  imports = [
-    ./acme
-    ./nginx
-  ];
-
-  options.system.webserver.enable = lib.mkEnableOption "Enable nginx related services";
-}
diff --git a/system/services/server/webserver/nginx/default.nix b/system/services/server/webserver/nginx/default.nix
deleted file mode 100644
index 1a43163..0000000
--- a/system/services/server/webserver/nginx/default.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, lib, ... }:
-{
-  imports = [ ./virtualhosts ];
-
-  config = lib.mkIf config.system.server.enable {
-    services.nginx = {
-      enable = true;
-      recommendedTlsSettings = true;
-      recommendedOptimisation = true;
-      recommendedGzipSettings = true;
-      recommendedProxySettings = true;
-    };
-
-    networking.firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-  };
-}