Move server to persistence, still have stuff to fix

2025-01-17 17:06:28 -05:00 · 2025-01-17 17:06:28 -05:00 · cc68f883ba
parent ce6ffd9ee7
commit cc68f883ba
35 changed files with 293 additions and 235 deletions
--- a/hosts/kitty/boot/default.nix
+++ b/hosts/kitty/boot/default.nix
@ -1,11 +1,7 @@
 { config, lib, pkgs, ... }:
 {
-  boot = {
+  boot.swraid = {
-    kernelPackages = pkgs.linuxPackages_hardened;
+    enable = true;
-    initrd.systemd.services.root-reset.enable = lib.mkForce false;
+    mdadmConf = "MAILADDR contact@${config.domains.p2}";
    swraid = {
      enable = true;
      mdadmConf = "MAILADDR contact@${config.domains.p2}";
    };
  };
 }
--- a/hosts/kitty/default.nix
+++ b/hosts/kitty/default.nix
@ -14,13 +14,12 @@
    hostId = "38ba3f57";
  };
  environment.persistence."/persist".enable = lib.mkForce false;
  system = {
    desktop.enable = false;
    server.enable = true;
    webserver.enable = true;
    fileserver.enable = true;
-    socials.enable = true;
+    socialserver.enable = true;
    wireless.enable = false;
    wireguard.server.enable = true;
    stateVersion = "24.05";
--- a/hosts/kitty/filesystems/default.nix
+++ b/hosts/kitty/filesystems/default.nix
@ -4,22 +4,23 @@
    "/" = {
      device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
      fsType = "btrfs";
-      options = [ "subvol=@" ];
+      options = [ "subvol=root" ];
    };
-    "/home" = {
+    "/prev" = {
      device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
      fsType = "btrfs";
-      options = [ "subvol=@home" ];
+      options = [ "subvol=prev" ];
    };
    "/persist" = {
      device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
      fsType = "btrfs";
      neededForBoot = true;
      options = [ "subvol=persist" "compress=zstd" ];
    };
    "/nix" = {
      device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
      fsType = "btrfs";
-      options = [ "subvol=@nix" ];
+      options = [ "subvol=nix" ];
    };
    "/var" = {
      device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
      fsType = "btrfs";
      options = [ "subvol=@var" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/CD94-1D3F";
@ -28,23 +29,12 @@
    };
    # Subvols and bindmounts
    "/persist" = {
      device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
      fsType = "btrfs";
      options = [ "subvol=persist" "compress=zstd" ];
    };
    "/export/KittyNFS" = {
      depends = [ "/persist" ];
      device = "/persist/export/KittyNFS";
      fsType = "none";
      options = [ "bind" ];
    };
    "/srv/minecraft" = {
      depends = [ "/persist" ];
      device = "/persist/srv/minecraft";
      fsType = "none";
      options = [ "bind" ];
    };
  };
  swapDevices = [
--- a/modules/system/services/server/acme/default.nix
+++ b/modules/system/services/server/acme/default.nix
@ -1,7 +0,0 @@
 { config, ... }:
 {
  security.acme = { 
    acceptTerms = true;
    defaults.email = "contact@${config.domains.p2}";
  };
 }
--- a/modules/system/services/server/ddclient/default.nix
+++ b/modules/system/services/server/ddclient/default.nix
@ -1,21 +0,0 @@
 { pkgs, config, ... }:
 {
  services.ddclient = {
    enable = config.system.server.enable;
    protocol = "cloudflare";
    zone = "${config.domains.p2}";
    usev6 = "";
    username = "token";
    passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
    domains = [
      "${config.domains.p2}"
      "*.${config.domains.p2}"
      "sv.${config.domains.p2}"
      "git.${config.domains.p2}"
      "turn.${config.domains.p2}"
      "dew.${config.domains.p2}"
      "john.${config.domains.p2}"
      "rogue.${config.domains.p2}"
    ];
  };
 }
--- a/modules/system/services/server/default.nix
+++ b/modules/system/services/server/default.nix
@ -1,17 +1,15 @@
 { ... }:
 {
  imports = [
    ./acme
    ./ddclient
    ./fileserver
    ./forgejo
    ./icecast
    ./mailserver
    ./minecraft
    ./mysql
-    ./nginx
+    ./socialserver
    ./social
    ./transmission
    ./vaultwarden
    ./webserver
  ];
 }
--- a/modules/system/services/server/fileserver/jellyfin/default.nix
+++ b/modules/system/services/server/fileserver/jellyfin/default.nix
@ -1,8 +1,13 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [
    ./nginx
  ];
-  services.jellyfin.enable = config.system.fileserver.enable;
+  config = lib.mkIf config.system.fileserver.enable {
    services.jellyfin.enable = true;
    environment.persistence."/persist".directories = [
      "/var/lib/jellyfin"
    ];
  };
 }
--- a/modules/system/services/server/fileserver/nextcloud/default.nix
+++ b/modules/system/services/server/fileserver/nextcloud/default.nix
@ -1,32 +1,36 @@
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [
    ./collabora
    ./nginx
  ];
-  services.nextcloud = {
+  config = lib.mkIf config.system.fileserver.enable {
-    enable = config.system.fileserver.enable;
+    services.nextcloud = {
-    package = pkgs.nextcloud30;
+      enable = true;
-    hostName = "cloud.${config.domains.p2}";
+      package = pkgs.nextcloud30;
-    datadir = "/mnt/nextcloud";
+      hostName = "cloud.${config.domains.p2}";
-    https = true;
+      https = true;
-    config = {
+      config = {
-      adminuser = config.sysusers.main;
+        adminuser = config.sysusers.main;
-      adminpassFile = "${pkgs.writeText "initial" config.secrets.initialPass}";
+        adminpassFile = "${pkgs.writeText "initial" config.secrets.initialPass}";
-    };
+      };
-    settings = {
+      settings = {
-      trusted_proxies = [ "127.0.0.1" ];
+        trusted_proxies = [ "127.0.0.1" ];
-      trusted_domains = [ "cloud.${config.domains.p2}" ];
+        trusted_domains = [ "cloud.${config.domains.p2}" ];
-      overwriteprotocol = "https";
+        overwriteprotocol = "https";
-      mail_smtphost = "mx.${config.domains.p1}";
+        mail_smtphost = "mx.${config.domains.p1}";
-      mail_domain = "${config.domains.p1}";
+        mail_domain = "${config.domains.p1}";
-      mail_from_address = "noreply";
+        mail_from_address = "noreply";
-      mail_smtpauth = "true";
+        mail_smtpauth = "true";
-      mail_smtpname = "noreply@${config.domains.p2}";
+        mail_smtpname = "noreply@${config.domains.p2}";
-      mail_smtppassword = config.secrets.noreplyPassword;
+        mail_smtppassword = config.secrets.noreplyPassword;
-      mail_smtpmode = "smtp";
+        mail_smtpmode = "smtp";
-      mail_smtpport = 587;
+        mail_smtpport = 587;
      };
    };
    environment.persistence."/persist".directories = [
      "/var/lib/nextcloud"
    ];
  };
 }
--- a/modules/system/services/server/forgejo/default.nix
+++ b/modules/system/services/server/forgejo/default.nix
@ -30,5 +30,9 @@
    };
    networking.firewall.allowedTCPPorts = [ 2299 ];
    environment.persistence."/persist".directories = [
      "/var/lib/forgejo"
    ];
  };
 }
--- a/modules/system/services/server/minecraft/default.nix
+++ b/modules/system/services/server/minecraft/default.nix
@ -1,4 +1,4 @@
-{ minecraft, config, ... }:
+{ minecraft, config, lib, ... }:
 {
  imports = [
    minecraft.nixosModules.minecraft-servers
@ -10,10 +10,16 @@
    ./servers/uberbeta
  ];
-  nixpkgs.overlays = [ minecraft.overlay ];
+  config = lib.mkIf config.system.server.enable {
    nixpkgs.overlays = [ minecraft.overlay ];
-  services.minecraft-servers = {
+    services.minecraft-servers = {
-    enable = config.system.server.enable;
+      enable = true;
-    eula = true;
+      eula = true;
    };
    environment.persistence."/persist".directories = [
      "/srv/minecraft"
    ];
  };
 }
--- a/modules/system/services/server/mysql/default.nix
+++ b/modules/system/services/server/mysql/default.nix
@ -1,19 +1,23 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
-  services.mysql = {
+  config = lib.mkIf config.system.server.enable {
-    enable = config.system.server.enable;
+    services.mysql = {
-    package = pkgs.mariadb;
+      enable = true;
-    dataDir = "/var/lib/mysql";
+      package = pkgs.mariadb;
-    ensureDatabases = [
+      ensureDatabases = [
-      "minecraft"
+        "minecraft"
-    ];
+      ];
-    ensureUsers = [
+      ensureUsers = [
-      {
+        {
-        name = "minecraft";
+          name = "minecraft";
-        ensurePermissions = {
+          ensurePermissions = {
-          "minecraft.*" = "ALL PRIVILEGES";
+            "minecraft.*" = "ALL PRIVILEGES";
-        };
+          };
-      }
+        }
      ];
    };
    environment.persistence."/persist".directories = [
      "/var/lib/mysql"
    ];
  };
 }
--- a/modules/system/services/server/social/mastodon/default.nix
+++ b/modules/system/services/server/social/mastodon/default.nix
@ -1,18 +0,0 @@
 { pkgs, config, ... }:
 {
  services.mastodon = {
    enable = config.system.socials.enable;
    localDomain = "social.${config.domains.p2}";
    streamingProcesses = 4;
    configureNginx = true;
    smtp = {
      createLocally = false;
      host = "mx.${config.domains.p1}";
      port = 587;
      authenticate = true;
      fromAddress = "NixFox Mastodon <noreply@${config.domains.p2}>";
      user = "noreply@${config.domains.p2}";
      passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
    };
  };
 }
--- a/modules/system/services/server/social/matrix/synapse/default.nix
+++ b/modules/system/services/server/social/matrix/synapse/default.nix
@ -1,73 +0,0 @@
 { pkgs, config, ... }:
 {
  imports = [
    ./nginx
  ];
  services.matrix-synapse = {
    enable = config.system.socials.enable;
    settings = {
      server_name = "${config.domains.p1}";
      public_baseurl = "https://matrix.${config.domains.p1}";
      suppress_key_server_warning = true;
      listeners = [
        {
          port = 8008;
          bind_addresses = [ "::" "0.0.0.0" ];
          resources = [{
            compress = true;
            names = [
              "client"
              "federation"
            ];
          }];
          type = "http";
          tls = false;
          x_forwarded = true;
        }
      ];
      email = {
        notif_from = "NixFox Matrix <noreply@${config.domains.p2}>";
        smtp_host = "mx.${config.domains.p1}";
        smtp_user = "noreply@${config.domains.p2}";
        smtp_pass = config.secrets.noreplyPassword;
        enable_tls = true;
        smtp_port = 587;
        require_transport_security = true;
      };
      # Disable registration without email
      registrations_require_3pid = [ "email" ];
      # Allow only this range of emails
      allowed_local_3pids = [
        {
          medium = "email";
          pattern = ''^[^@]+@nixfox\.ca$'';
        }
        {
          medium = "email";
          pattern = ''^[^@]+@freecorn1854\.win$'';
        }
        {
          medium = "email";
          pattern = ''^[^@]+@lunamoonlight\.xyz$'';
        }
      ];
      # Set the type of database
      database.name = "sqlite3";
      # Allow account registration
      enable_registration = true;
      # General settings
      url_preview_enabled = true;
      max_upload_size = "50M";
      report_stats = false;
      burst_count = 15;
    };
  };
 }
--- a/modules/system/services/server/social/owncast/default.nix
+++ b/modules/system/services/server/social/owncast/default.nix
@ -1,11 +0,0 @@
 { config, ... }:
 {
  imports = [ ./nginx ];
  services.owncast = {
    enable = config.system.socials.enable;
    port = 8060;
    rtmp-port = 1945;
    listen = "0.0.0.0";
  };
 }
--- a/modules/system/services/server/socialserver/default.nix
+++ b/modules/system/services/server/socialserver/default.nix
@ -1,6 +1,6 @@
 { lib, ... }:
 {
-  options.system.socials.enable = lib.mkOption {
+  options.system.socialserver.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };
--- a/modules/system/services/server/socialserver/mastodon/default.nix
+++ b/modules/system/services/server/socialserver/mastodon/default.nix
@ -0,0 +1,23 @@
 { config, lib, pkgs, ... }:
 {
  config = lib.mkIf config.system.socialserver.enable {
    services.mastodon = {
      enable = true;
      localDomain = "social.${config.domains.p2}";
      streamingProcesses = 4;
      configureNginx = true;
      smtp = {
        createLocally = false;
        host = "mx.${config.domains.p1}";
        port = 587;
        authenticate = true;
        fromAddress = "NixFox Mastodon <noreply@${config.domains.p2}>";
        user = "noreply@${config.domains.p2}";
        passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
      };
    };
    environment.persistence."/persist".directories = [
      "/var/lib/mastodon"
    ];
  };
 }
--- a/modules/system/services/server/socialserver/matrix/coturn/default.nix
+++ b/modules/system/services/server/socialserver/matrix/coturn/default.nix
--- a/modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix
+++ b/modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix
--- a/modules/system/services/server/socialserver/matrix/default.nix
+++ b/modules/system/services/server/socialserver/matrix/default.nix
--- a/modules/system/services/server/socialserver/matrix/element/default.nix
+++ b/modules/system/services/server/socialserver/matrix/element/default.nix
--- a/modules/system/services/server/socialserver/matrix/element/nginx/default.nix
+++ b/modules/system/services/server/socialserver/matrix/element/nginx/default.nix
--- a/modules/system/services/server/socialserver/matrix/synapse/default.nix
+++ b/modules/system/services/server/socialserver/matrix/synapse/default.nix
@ -0,0 +1,78 @@
 { config, lib, pkgs, ... }:
 {
  imports = [
    ./nginx
  ];
  config = lib.mkIf config.system.socialserver.enable {
    services.matrix-synapse = {
      enable = true;
      settings = {
        server_name = "${config.domains.p1}";
        public_baseurl = "https://matrix.${config.domains.p1}";
        suppress_key_server_warning = true;
        listeners = [
          {
            port = 8008;
            bind_addresses = [ "::" "0.0.0.0" ];
            resources = [{
              compress = true;
              names = [
                "client"
                "federation"
              ];
            }];
            type = "http";
            tls = false;
            x_forwarded = true;
          }
        ];
        email = {
          notif_from = "NixFox Matrix <noreply@${config.domains.p2}>";
          smtp_host = "mx.${config.domains.p1}";
          smtp_user = "noreply@${config.domains.p2}";
          smtp_pass = config.secrets.noreplyPassword;
          enable_tls = true;
          smtp_port = 587;
          require_transport_security = true;
        };
        # Disable registration without email
        registrations_require_3pid = [ "email" ];
        # Allow only this range of emails
        allowed_local_3pids = [
          {
            medium = "email";
            pattern = ''^[^@]+@nixfox\.ca$'';
          }
          {
            medium = "email";
            pattern = ''^[^@]+@freecorn1854\.win$'';
          }
          {
            medium = "email";
            pattern = ''^[^@]+@lunamoonlight\.xyz$'';
          }
        ];
        # Set the type of database
        database.name = "sqlite3";
        # Allow account registration
        enable_registration = true;
        # General settings
        url_preview_enabled = true;
        max_upload_size = "50M";
        report_stats = false;
        burst_count = 15;
      };
    };
    environment.persistence."/persist".directories = [
      "/var/lib/matrix-synapse"
    ];
  };
 }
--- a/modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix
+++ b/modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix
--- a/modules/system/services/server/socialserver/owncast/default.nix
+++ b/modules/system/services/server/socialserver/owncast/default.nix
@ -0,0 +1,16 @@
 { config, lib, ... }:
 {
  imports = [ ./nginx ];
  config = lib.mkIf config.system.socialserver.enable {
    services.owncast = {
      enable = true;
      port = 8060;
      rtmp-port = 1945;
      listen = "0.0.0.0";
    };
    environment.persistence."/persist".directories = [
      "/var/lib/owncast"
    ];
  };
 }
--- a/modules/system/services/server/socialserver/owncast/nginx/default.nix
+++ b/modules/system/services/server/socialserver/owncast/nginx/default.nix
--- a/modules/system/services/server/transmission/default.nix
+++ b/modules/system/services/server/transmission/default.nix
@ -1,11 +1,16 @@
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [ ./nginx ];
-  services.transmission = {
+  config = lib.mkIf config.system.server.enable {
-    enable = config.system.server.enable;
+    services.transmission = {
-    credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
+      enable = true;
-    openPeerPorts = true;
+      credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
-    settings.rpc-authentication-required = true;
+      openPeerPorts = true;
      settings.rpc-authentication-required = true;
    };
    environment.persistence."/persist".directories = [
      "/var/lib/transmission"
    ];
  };
 }
--- a/modules/system/services/server/vaultwarden/default.nix
+++ b/modules/system/services/server/vaultwarden/default.nix
@ -1,25 +1,30 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [ ./nginx ];
-  services.vaultwarden = {
+  config = lib.mkIf config.system.server.enable {
-    enable = config.system.server.enable;
+    services.vaultwarden = {
-    config = {
+      enable = true;
-      DOMAIN = "https://pass.${config.domains.p2}";
+      config = {
-      SIGNUPS_ALLOWED = false;
+        DOMAIN = "https://pass.${config.domains.p2}";
-      ROCKET_ADDRESS = "127.0.0.1";
+        SIGNUPS_ALLOWED = false;
-      ROCKET_PORT = 8222;
+        ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_LOG = "critical";
+        ROCKET_PORT = 8222;
        ROCKET_LOG = "critical";
-      # Smtp email
+        # Smtp email
-      SMTP_HOST = "mx.${config.domains.p1}";
+        SMTP_HOST = "mx.${config.domains.p1}";
-      SMTP_FROM = "noreply@${config.domains.p2}";
+        SMTP_FROM = "noreply@${config.domains.p2}";
-      SMTP_FROM_NAME = "Vaultwarden";
+        SMTP_FROM_NAME = "Vaultwarden";
-      SMTP_USERNAME = "noreply@${config.domains.p2}";
+        SMTP_USERNAME = "noreply@${config.domains.p2}";
-      SMTP_PASSWORD = config.secrets.noreplyPassword;
+        SMTP_PASSWORD = config.secrets.noreplyPassword;
-      SMTP_SECURITY = "starttls";
+        SMTP_SECURITY = "starttls";
-      SMTP_PORT = 587;
+        SMTP_PORT = 587;
-      SMTP_TIMEOUT = 15;
+        SMTP_TIMEOUT = 15;
      };
    };
    environment.persistence."/persist".directories = [
      "/var/lib/bitwarden_rs"
    ];
  };
 }
--- a/modules/system/services/server/webserver/acme/default.nix
+++ b/modules/system/services/server/webserver/acme/default.nix
@ -0,0 +1,12 @@
 { config, lib, ... }:
 {
  config = lib.mkIf config.system.webserver.enable {
    security.acme = { 
      acceptTerms = true;
      defaults.email = "contact@${config.domains.p2}";
    };
    environment.persistence."/persist".directories = [
      "/var/lib/acme"
    ];
  };
 }
--- a/modules/system/services/server/webserver/ddclient/default.nix
+++ b/modules/system/services/server/webserver/ddclient/default.nix
@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }:
 {
  config = lib.mkIf config.system.webserver.enable {
    services.ddclient = {
      enable = true;
      protocol = "cloudflare";
      zone = "${config.domains.p2}";
      usev6 = "";
      username = "token";
      passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
      domains = [
        "${config.domains.p2}"
        "*.${config.domains.p2}"
        "sv.${config.domains.p2}"
        "git.${config.domains.p2}"
        "turn.${config.domains.p2}"
        "dew.${config.domains.p2}"
        "john.${config.domains.p2}"
        "rogue.${config.domains.p2}"
      ];
    };
    environment.persistence."/persist".directories = [
      "/var/lib/private/ddclient"
    ];
  };
 }
--- a/modules/system/services/server/webserver/default.nix
+++ b/modules/system/services/server/webserver/default.nix
@ -0,0 +1,13 @@
 { lib, ... }: 
 {
  options.system.webserver.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };
  imports = [
    ./acme
    ./ddclient
    ./nginx
  ];
 }
--- a/modules/system/services/server/webserver/nginx/default.nix
+++ b/modules/system/services/server/webserver/nginx/default.nix
@ -5,7 +5,7 @@
    ./virtualhosts
  ];
-  config = lib.mkIf (config.system.server.enable || config.system.mailserver.enable) {
+  config = lib.mkIf config.system.webserver.enable {
    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;
@ -14,6 +14,10 @@
      recommendedProxySettings = true;
    };
    environment.persistence."/persist".directories = [
      "/var/www"
    ];
    networking.firewall.allowedTCPPorts = [
      80
      443
--- a/modules/system/services/server/webserver/nginx/rtmp/default.nix
+++ b/modules/system/services/server/webserver/nginx/rtmp/default.nix
--- a/modules/system/services/server/webserver/nginx/virtualhosts/default.nix
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/default.nix
--- a/modules/system/services/server/webserver/nginx/virtualhosts/p1/default.nix
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/p1/default.nix
--- a/modules/system/services/server/webserver/nginx/virtualhosts/p2/default.nix
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/p2/default.nix