From 320d76f972e2fdbce26ec29fd45f6a5721660e8e Mon Sep 17 00:00:00 2001 From: Evie Litherland-Smith Date: Fri, 26 May 2023 08:52:46 +0100 Subject: [PATCH] Move server directory and syncthing into services directory Separate service setup from traefik config for each, prep for future server separation --- Vanguard.nix | 7 +---- server/nextcloud.nix | 31 ------------------- services/Vanguard.nix | 16 ++++++++++ services/adguardhome/default.nix | 12 +++++++ .../fail2ban/default.nix | 0 services/fail2ban/gitea.nix | 9 ++++++ services/fail2ban/traefik.nix | 17 ++++++++++ services/gitea/default.nix | 21 +++++++++++++ services/nextcloud/default.nix | 21 +++++++++++++ services/sshd/default.nix | 13 ++++++++ {syncthing => services/syncthing}/H0615.nix | 0 .../syncthing}/Vanguard.nix | 0 {syncthing => services/syncthing}/default.nix | 0 .../syncthing}/devices/default.nix | 0 .../syncthing}/folders/default.nix | 0 {server => services/traefik}/adguardhome.nix | 12 +------ .../traefik/default.nix | 2 +- {server => services/traefik}/gitea.nix | 26 +--------------- services/traefik/nextcloud.nix | 12 +++++++ {server => services/traefik}/qbittorrent.nix | 2 +- {server => services/traefik}/sshd.nix | 12 +------ {server => services/traefik}/syncthing.nix | 1 + systemd/nixos-pull.nix | 20 ------------ 23 files changed, 128 insertions(+), 106 deletions(-) delete mode 100644 server/nextcloud.nix create mode 100644 services/Vanguard.nix create mode 100644 services/adguardhome/default.nix rename server/fail2ban.nix => services/fail2ban/default.nix (100%) create mode 100644 services/fail2ban/gitea.nix create mode 100644 services/fail2ban/traefik.nix create mode 100644 services/gitea/default.nix create mode 100644 services/nextcloud/default.nix create mode 100644 services/sshd/default.nix rename {syncthing => services/syncthing}/H0615.nix (100%) rename {syncthing => services/syncthing}/Vanguard.nix (100%) rename {syncthing => services/syncthing}/default.nix (100%) rename {syncthing => services/syncthing}/devices/default.nix (100%) rename {syncthing => services/syncthing}/folders/default.nix (100%) rename {server => services/traefik}/adguardhome.nix (58%) rename server/traefik.nix => services/traefik/default.nix (97%) rename {server => services/traefik}/gitea.nix (53%) create mode 100644 services/traefik/nextcloud.nix rename {server => services/traefik}/qbittorrent.nix (93%) rename {server => services/traefik}/sshd.nix (54%) rename {server => services/traefik}/syncthing.nix (93%) delete mode 100644 systemd/nixos-pull.nix diff --git a/Vanguard.nix b/Vanguard.nix index 17af0f4b..ca39ad9d 100644 --- a/Vanguard.nix +++ b/Vanguard.nix @@ -6,12 +6,7 @@ ./hardware/bluetooth.nix ./locales/en_GB.nix ./desktop/hyprland.nix - ./syncthing/Vanguard.nix - ./server/sshd.nix - ./server/adguardhome.nix - ./server/gitea.nix - ./server/qbittorrent.nix - # ./server/nextcloud.nix + ./services/Vanguard.nix ]; networking.hostName = "Vanguard"; # Define your hostname. diff --git a/server/nextcloud.nix b/server/nextcloud.nix deleted file mode 100644 index fa940371..00000000 --- a/server/nextcloud.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ - pkgs, - config, - ... -}: { - imports = [./traefik.nix ./fail2ban.nix]; - services.nextcloud = { - enable = true; - package = pkgs.nextcloud26; - hostName = "cloud.xenia.me.uk"; - config = { - adminuser = "xenia"; - adminpassFile = "/secrets/nextcloud_admin.txt"; - }; - }; - services.nginx.virtualHosts.${config.services.nextcloud.hostName}.listen = [ - { - addr = "localhost"; - port = 8000; - } - ]; - services.traefik.dynamicConfigOptions.http = { - routers.nextcloud = { - rule = "Host(`cloud.xenia.me.uk`)"; - entryPoints = ["http" "https"]; - service = "nextcloud-webinterface"; - tls = {certResolver = "default";}; - }; - services.nextcloud-webinterface.loadBalancer.servers = [{url = "http://localhost:8000";}]; - }; -} diff --git a/services/Vanguard.nix b/services/Vanguard.nix new file mode 100644 index 00000000..ec820599 --- /dev/null +++ b/services/Vanguard.nix @@ -0,0 +1,16 @@ +{...}: { + imports = [ + ./adguardhome + ./traefik/adguardhome.nix + ./gitea + ./traefik/gitea.nix + # ./nextcloud + ./traefik/nextcloud.nix + ./qbittorrent + ./traefik/qbittorrent.nix + ./sshd + ./traefik/sshd.nix + ./syncthing/Vanguard.nix + ./traefik/syncthing.nix + ]; +} diff --git a/services/adguardhome/default.nix b/services/adguardhome/default.nix new file mode 100644 index 00000000..df423add --- /dev/null +++ b/services/adguardhome/default.nix @@ -0,0 +1,12 @@ +{...}: { + services.adguardhome = { + enable = true; + mutableSettings = true; + settings.bind_port = 3001; + openFirewall = true; + }; + networking.firewall = { + allowedTCPPorts = [53]; + allowedUDPPorts = [53]; + }; +} diff --git a/server/fail2ban.nix b/services/fail2ban/default.nix similarity index 100% rename from server/fail2ban.nix rename to services/fail2ban/default.nix diff --git a/services/fail2ban/gitea.nix b/services/fail2ban/gitea.nix new file mode 100644 index 00000000..7c8316c0 --- /dev/null +++ b/services/fail2ban/gitea.nix @@ -0,0 +1,9 @@ +{...}: { + imports = [./default.nix]; + services.fail2ban.jails.gitea = '' + enabled = true + filter = sshd + ports = 30922 + backend = systemd + ''; +} diff --git a/services/fail2ban/traefik.nix b/services/fail2ban/traefik.nix new file mode 100644 index 00000000..ec23fa77 --- /dev/null +++ b/services/fail2ban/traefik.nix @@ -0,0 +1,17 @@ +{...}: { + imports = [./default.nix]; + services.fail2ban.jails = { + traefik-http = '' + enabled = true + filter = traefik-auth + ports = http,https,2222 + backend = systemd + ''; + traefik-ssh = '' + enabled = true + filter = sshd + ports = 2222 + backend = systemd + ''; + }; +} diff --git a/services/gitea/default.nix b/services/gitea/default.nix new file mode 100644 index 00000000..46497260 --- /dev/null +++ b/services/gitea/default.nix @@ -0,0 +1,21 @@ +{...}: { + imports = [ ../fail2ban/gitea.nix ]; + services.gitea = { + enable = true; + settings = { + server = { + ROOT_URL = "https://git.xenia.me.uk"; + DOMAIN = "git.xenia.me.uk"; + START_SSH_SERVER = true; + SSH_DOMAIN = "git.xenia.me.uk"; + SSH_PORT = 2222; + SSH_LISTEN_PORT = 30922; + }; + service.DISABLE_REGISTRATION = true; + ui = { + THEMES = "auto,gitea,arc-green,catppuccin-latte-lavender,catppuccin-frappe-lavender,catppuccin-macchiato-lavender,catppuccin-mocha-lavender"; + }; + }; + appName = "Gitea"; + }; +} diff --git a/services/nextcloud/default.nix b/services/nextcloud/default.nix new file mode 100644 index 00000000..fd70382b --- /dev/null +++ b/services/nextcloud/default.nix @@ -0,0 +1,21 @@ +{ + pkgs, + config, + ... +}: { + services.nextcloud = { + enable = true; + package = pkgs.nextcloud26; + hostName = "cloud.xenia.me.uk"; + config = { + adminuser = "xenia"; + adminpassFile = "/etc/nextcloud/admin_secret.txt"; + }; + }; + services.nginx.virtualHosts.${config.services.nextcloud.hostName}.listen = [ + { + addr = "localhost"; + port = 8000; + } + ]; +} diff --git a/services/sshd/default.nix b/services/sshd/default.nix new file mode 100644 index 00000000..e2a38a7c --- /dev/null +++ b/services/sshd/default.nix @@ -0,0 +1,13 @@ +{...}: { + services.openssh = { + enable = true; + ports = [22]; + settings = { + UseDns = true; + PermitRootLogin = "no"; + PasswordAuthentication = false; + GatewayPorts = "yes"; + LogLevel = "VERBOSE"; + }; + }; +} diff --git a/syncthing/H0615.nix b/services/syncthing/H0615.nix similarity index 100% rename from syncthing/H0615.nix rename to services/syncthing/H0615.nix diff --git a/syncthing/Vanguard.nix b/services/syncthing/Vanguard.nix similarity index 100% rename from syncthing/Vanguard.nix rename to services/syncthing/Vanguard.nix diff --git a/syncthing/default.nix b/services/syncthing/default.nix similarity index 100% rename from syncthing/default.nix rename to services/syncthing/default.nix diff --git a/syncthing/devices/default.nix b/services/syncthing/devices/default.nix similarity index 100% rename from syncthing/devices/default.nix rename to services/syncthing/devices/default.nix diff --git a/syncthing/folders/default.nix b/services/syncthing/folders/default.nix similarity index 100% rename from syncthing/folders/default.nix rename to services/syncthing/folders/default.nix diff --git a/server/adguardhome.nix b/services/traefik/adguardhome.nix similarity index 58% rename from server/adguardhome.nix rename to services/traefik/adguardhome.nix index 68f6a95a..fe125a50 100644 --- a/server/adguardhome.nix +++ b/services/traefik/adguardhome.nix @@ -1,15 +1,5 @@ {...}: { - imports = [./traefik.nix]; - services.adguardhome = { - enable = true; - mutableSettings = true; - settings.bind_port = 3001; - openFirewall = true; - }; - networking.firewall = { - allowedTCPPorts = [53]; - allowedUDPPorts = [53]; - }; + imports = [./default.nix]; services.traefik.dynamicConfigOptions.http = { routers.adguard = { rule = "Host(`guard.xenia.me.uk`)"; diff --git a/server/traefik.nix b/services/traefik/default.nix similarity index 97% rename from server/traefik.nix rename to services/traefik/default.nix index cf009e6a..d3c3483e 100644 --- a/server/traefik.nix +++ b/services/traefik/default.nix @@ -1,5 +1,5 @@ {...}: { - imports = [./fail2ban.nix]; + imports = [../fail2ban/traefik.nix]; services.traefik = { enable = true; staticConfigOptions = { diff --git a/server/gitea.nix b/services/traefik/gitea.nix similarity index 53% rename from server/gitea.nix rename to services/traefik/gitea.nix index f6575690..7a981710 100644 --- a/server/gitea.nix +++ b/services/traefik/gitea.nix @@ -1,23 +1,5 @@ {...}: { - imports = [./traefik.nix ./fail2ban.nix]; - services.gitea = { - enable = true; - settings = { - server = { - ROOT_URL = "https://git.xenia.me.uk"; - DOMAIN = "git.xenia.me.uk"; - START_SSH_SERVER = true; - SSH_DOMAIN = "git.xenia.me.uk"; - SSH_PORT = 2222; - SSH_LISTEN_PORT = 30922; - }; - service.DISABLE_REGISTRATION = true; - ui = { - THEMES = "auto,gitea,arc-green,catppuccin-latte-lavender,catppuccin-frappe-lavender,catppuccin-macchiato-lavender,catppuccin-mocha-lavender"; - }; - }; - appName = "Gitea"; - }; + imports = [./default.nix]; services.traefik.dynamicConfigOptions = { http = { routers.gitea = { @@ -43,10 +25,4 @@ services.gitea-sshservice.loadBalancer.servers = [{address = "localhost:30922";}]; }; }; - services.fail2ban.jails.gitea = '' - enabled = true - filter = sshd - ports = 30922 - backend = systemd - ''; } diff --git a/services/traefik/nextcloud.nix b/services/traefik/nextcloud.nix new file mode 100644 index 00000000..dd405584 --- /dev/null +++ b/services/traefik/nextcloud.nix @@ -0,0 +1,12 @@ +{...}: { + imports = [./default.nix]; + services.traefik.dynamicConfigOptions.http = { + routers.nextcloud = { + rule = "Host(`cloud.xenia.me.uk`)"; + entryPoints = ["http" "https"]; + service = "nextcloud-webinterface"; + tls = {certResolver = "default";}; + }; + services.nextcloud-webinterface.loadBalancer.servers = [{url = "http://localhost:8000";}]; + }; +} diff --git a/server/qbittorrent.nix b/services/traefik/qbittorrent.nix similarity index 93% rename from server/qbittorrent.nix rename to services/traefik/qbittorrent.nix index e8d894f6..ff72fb42 100644 --- a/server/qbittorrent.nix +++ b/services/traefik/qbittorrent.nix @@ -1,5 +1,5 @@ {pkgs, ...}: { - imports = [./traefik.nix]; + imports = [./default.nix]; environment.systemPackages = [pkgs.qbittorrent]; services.traefik.dynamicConfigOptions.http = { routers.qbittorrent = { diff --git a/server/sshd.nix b/services/traefik/sshd.nix similarity index 54% rename from server/sshd.nix rename to services/traefik/sshd.nix index 32250f13..b7e3b5ba 100644 --- a/server/sshd.nix +++ b/services/traefik/sshd.nix @@ -1,15 +1,5 @@ {...}: { - services.openssh = { - enable = true; - ports = [22]; - settings = { - UseDns = true; - PermitRootLogin = "no"; - PasswordAuthentication = false; - GatewayPorts = "yes"; - LogLevel = "VERBOSE"; - }; - }; + imports = [./default.nix]; services.traefik.dynamicConfigOptions.tcp = { routers.ssh = { rule = "ClientIP(`192.168.0.0/16`)"; diff --git a/server/syncthing.nix b/services/traefik/syncthing.nix similarity index 93% rename from server/syncthing.nix rename to services/traefik/syncthing.nix index 4af8a78b..6fc6d574 100644 --- a/server/syncthing.nix +++ b/services/traefik/syncthing.nix @@ -1,4 +1,5 @@ {...}: { + imports = [./default.nix]; services.traefik.dynamicConfigOptions.http = { routers.syncthing = { rule = "Host(`syncthing.xenia.me.uk`)"; diff --git a/systemd/nixos-pull.nix b/systemd/nixos-pull.nix deleted file mode 100644 index b8ed325f..00000000 --- a/systemd/nixos-pull.nix +++ /dev/null @@ -1,20 +0,0 @@ -{pkgs, ...}: { - systemd.timers."nixos-pull-config" = { - wantedBy = ["timers.target"]; - description = "Timer to update /etc/nixos/config/ repository"; - timerConfig = { - OnBootSec = "5m"; - OnUnitActiveSec = "5m"; - Unit = "hello-world.service"; - }; - }; - systemd.services."nixos-pull-config" = { - script = '' - ${pkgs.git}/bin/git pull -C /etc/nixos/config/ --ff-only --no-edit - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; -}