diffu/machines/massicot/services.nix

{ config, pkgs, ... }:
let
  kanidm_listen_port = 5324;
in
{
  networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];
  networking.firewall.allowedUDPPorts = [ 80 443 8448 ];

  custom.vaultwarden = {
    enable = true;
    domain = "vaultwarden.xinyang.life";
  };

  custom.hedgedoc = {
    enable = true;
    caddy = true;
    domain = "docs.xinyang.life";
    mediaPath = "/mnt/storage/hedgedoc";
    oidc = {
      enable = true;
      baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc";
      authorizationURL = "https://auth.xinyang.life/ui/oauth2";
      tokenURL = "https://auth.xinyang.life/oauth2/token";
      userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo";
    };
    environmentFile = config.sops.secrets.hedgedoc_env.path;
  };

  custom.prometheus = {
    enable = true;
    exporters.blackbox.enable = true;
  };

  systemd.mounts = map
    (share: {
      what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
      where = "/mnt/storage/${share}";
      type = "cifs";
      options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
      before = [ "${share}.service" ];
      after = [ "cachefilesd.service" ];
      wantedBy = [ "${share}.service" ];
    }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];

  services.cachefilesd.enable = true;

  system.activationScripts = {
    conduit-media-link.text = ''
      mkdir -m 700 -p /var/lib/private/matrix-conduit/media
      chown conduit:conduit /var/lib/private/matrix-conduit/media
      mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
    '';
  };
  security.acme = {
    acceptTerms = true;
    certs."auth.xinyang.life" = {
      email = "lixinyang411@gmail.com";
      listenHTTP = "127.0.0.1:1360";
      group = "kanidm";
    };
  };

  services.ntfy-sh = {
    enable = true;
    group = "caddy";
    settings = {
      listen-unix = "/var/run/ntfy-sh/ntfy.sock";
      listen-unix-mode = 432; # octal 0660
      base-url = "https://ntfy.xinyang.life";
    };
  };

  systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";

  services.kanidm = {
    package = pkgs.kanidm.withSecretProvisioning;
    enableServer = true;
    serverSettings = {
      domain = "auth.xinyang.life";
      origin = "https://auth.xinyang.life";
      bindaddress = "[::]:${toString kanidm_listen_port}";
      tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
      tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
      # db_path = "/var/lib/kanidm/kanidm.db";
    };
    provision = import ./kanidm-provision.nix;
  };
  services.matrix-conduit = {
    enable = true;
    # package = inputs.conduit.packages.${pkgs.system}.default;
    package = pkgs.matrix-conduit;
    settings.global = {
      server_name = "xinyang.life";
      port = 6167;
      # database_path = "/var/lib/matrix-conduit/";
      max_concurrent_requests = 100;
      log = "info";
      database_backend = "rocksdb";
      allow_registration = false;

      well_known = {
        client = "https://msg.xinyang.life";
        server = "msg.xinyang.life:443";
      };
    };
  };

  services.gotosocial = {
    enable = true;
    settings = {
      log-level = "debug";
      host = "xinyang.life";
      letsencrypt-enabled = false;
      bind-address = "localhost";
      instance-expose-public-timeline = true;
      oidc-enabled = true;
      oidc-idp-name = "Kanidm";
      oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
      oidc-client-id = "gts";
      oidc-link-existing = true;
      storage-local-base-path = "/mnt/storage/gotosocial/storage";
    };
    environmentFile = config.sops.secrets.gts_env.path;
  };

  services.forgejo = {
    enable = true;
    repositoryRoot = "/mnt/storage/forgejo/repositories";
    lfs = {
      enable = true;
      contentDir = "/mnt/storage/forgejo/lfs";
    };
    settings = {
      service.DISABLE_REGISTRATION = true;
      server = {
        ROOT_URL = "https://git.xinyang.life/";
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
        SSH_USER = "git";
        SSH_DOMAIN = "ssh.xinyang.life";
        SSH_PORT = 2222;
        LFS_MAX_FILE_SIZE = 10737418240;
        LANDING_PAGE = "/explore/repos";
      };
      repository = {
        ENABLE_PUSH_CREATE_USER = true;
      };
      service = {
        ENABLE_BASIC_AUTHENTICATION = false;
      };
      oauth2 = {
        ENABLE = false; # Disable forgejo as oauth2 provider
      };
      oauth2_client = {
        ACCOUNT_LINKING = "auto";
        ENABLE_AUTO_REGISTRATION = true;
        UPDATE_AVATAR = true;
        OPENID_CONNECT_SCOPES = "openid profile email";
      };
      other = {
        SHOW_FOOTER_VERSION = false;
      };
    };
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        http_addr = "127.0.0.1";
        http_port = 3003;
        root_url = "https://grafana.xinyang.life";
        domain = "grafana.xinyang.life";
      };
      "auth.generic_oauth" = {
        enabled = true;
        name = "Kanidm";
        client_id = "grafana";
        scopes = "openid,profile,email,groups";
        auth_url = "https://auth.xinyang.life/ui/oauth2";
        token_url = "https://auth.xinyang.life/oauth2/token";
        api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";
        use_pkce = true;
        use_refresh_token = true;
        allow_sign_up = true;
        login_attribute_path = "preferred_username";
        groups_attribute_path = "groups";
        role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
        allow_assign_grafana_admin = true;
        auto_login = true;
      };
      "auth" = { disable_login_form = true; };
    };
  };

  systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path;

  users.users.git = {
    isSystemUser = true;
    useDefaultShell = true;
    group = "git";
    extraGroups = [ "forgejo" ];
  };
  users.groups.git = { };

  users.users = {
    ${config.services.caddy.user}.extraGroups = [
      config.services.ntfy-sh.group
    ];
  };

  services.caddy = {
    enable = true;
    virtualHosts."xinyang.life:443".extraConfig = ''
      tls internal
      encode zstd gzip
      reverse_proxy /.well-known/matrix/* localhost:6167
      reverse_proxy * http://localhost:8080 {
          flush_interval -1
      }
    '';
    virtualHosts."https://msg.xinyang.life:443".extraConfig = ''
      reverse_proxy /_matrix/* localhost:6167
    '';
    virtualHosts."https://git.xinyang.life:443".extraConfig = ''
      reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
    '';

    virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
      reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
    '';
    virtualHosts."https://auth.xinyang.life".extraConfig = ''
      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
          header_up Host {upstream_hostport}
          header_down Access-Control-Allow-Origin "*"
          transport http {
              tls_server_name ${config.services.kanidm.serverSettings.domain}
          }
      }
    '';
    virtualHosts."https://ntfy.xinyang.life".extraConfig = ''
      reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
      @httpget {
        protocol http
        method GET
        path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
      }
      redir @httpget https://{host}{uri}
    '';

    virtualHosts."https://grafana.xinyang.life".extraConfig =
      let
        grafanaSettings = config.services.grafana.settings.server;
      in
      ''
        reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port}
      '';
  };
}
prometheus: enable every where 2024-08-01 09:01:53 +00:00			`{ config, pkgs, ... }:`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`let`
			`kanidm_listen_port = 5324;`
			`in`
Add gitea service 2023-09-11 12:20:32 +00:00			`{`
massicot: add storage-box as extra storage 2023-12-15 13:26:20 +00:00			`networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];`
			`networking.firewall.allowedUDPPorts = [ 80 443 8448 ];`

massicot: add vaultwarden server 2023-12-17 06:55:53 +00:00			`custom.vaultwarden = {`
			`enable = true;`
			`domain = "vaultwarden.xinyang.life";`
			`};`

massicot: host hedgedoc with oidc 2023-12-24 05:58:53 +00:00			`custom.hedgedoc = {`
			`enable = true;`
			`caddy = true;`
			`domain = "docs.xinyang.life";`
			`mediaPath = "/mnt/storage/hedgedoc";`
			`oidc = {`
			`enable = true;`
			`baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc";`
			`authorizationURL = "https://auth.xinyang.life/ui/oauth2";`
			`tokenURL = "https://auth.xinyang.life/oauth2/token";`
			`userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo";`
			`};`
			`environmentFile = config.sops.secrets.hedgedoc_env.path;`
			`};`

all: add prometheus 2023-12-20 03:13:20 +00:00			`custom.prometheus = {`
			`enable = true;`
massicot,dolomite,calcite: enable blackbox exporter and probes 2024-07-31 07:39:32 +00:00			`exporters.blackbox.enable = true;`
all: add prometheus 2023-12-20 03:13:20 +00:00			`};`

prometheus: enable every where 2024-08-01 09:01:53 +00:00			`systemd.mounts = map`
			`(share: {`
			`what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";`
			`where = "/mnt/storage/${share}";`
			`type = "cifs";`
			`options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";`
			`before = [ "${share}.service" ];`
			`after = [ "cachefilesd.service" ];`
			`wantedBy = [ "${share}.service" ];`
			`}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];`
massicot: fix cifs disk mount 2024-06-11 10:20:21 +00:00
			`services.cachefilesd.enable = true;`
massicot: add storage-box as extra storage 2023-12-15 13:26:20 +00:00
			`system.activationScripts = {`
			`conduit-media-link.text = ''`
massicot: fix cifs disk mount 2024-06-11 10:20:21 +00:00			`mkdir -m 700 -p /var/lib/private/matrix-conduit/media`
			`chown conduit:conduit /var/lib/private/matrix-conduit/media`
			`mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media`
massicot: add storage-box as extra storage 2023-12-15 13:26:20 +00:00			`'';`
			`};`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`security.acme = {`
			`acceptTerms = true;`
			`certs."auth.xinyang.life" = {`
prometheus: enable every where 2024-08-01 09:01:53 +00:00			`email = "lixinyang411@gmail.com";`
			`listenHTTP = "127.0.0.1:1360";`
			`group = "kanidm";`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`};`
			`};`
massicot/ntfy-sh: add 2024-07-31 03:38:44 +00:00
			`services.ntfy-sh = {`
			`enable = true;`
			`group = "caddy";`
			`settings = {`
			`listen-unix = "/var/run/ntfy-sh/ntfy.sock";`
			`listen-unix-mode = 432; # octal 0660`
			`base-url = "https://ntfy.xinyang.life";`
			`};`
			`};`

			`systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";`

massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`services.kanidm = {`
feat(massicot): provision kanidm 2024-07-30 02:59:12 +00:00			`package = pkgs.kanidm.withSecretProvisioning;`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`enableServer = true;`
			`serverSettings = {`
			`domain = "auth.xinyang.life";`
			`origin = "https://auth.xinyang.life";`
			`bindaddress = "[::]:${toString kanidm_listen_port}";`
			`tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';`
			`tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';`
			`# db_path = "/var/lib/kanidm/kanidm.db";`
			`};`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`provision = import ./kanidm-provision.nix;`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`};`
Add gitea service 2023-09-11 12:20:32 +00:00			`services.matrix-conduit = {`
			`enable = true;`
			`# package = inputs.conduit.packages.${pkgs.system}.default;`
			`package = pkgs.matrix-conduit;`
			`settings.global = {`
			`server_name = "xinyang.life";`
			`port = 6167;`
			`# database_path = "/var/lib/matrix-conduit/";`
massicot: fix cifs disk mount 2024-06-11 10:20:21 +00:00			`max_concurrent_requests = 100;`
			`log = "info";`
Add gitea service 2023-09-11 12:20:32 +00:00			`database_backend = "rocksdb";`
			`allow_registration = false;`
massicot: use conduit native well_known handler 2024-07-10 08:39:00 +00:00
			`well_known = {`
			`client = "https://msg.xinyang.life";`
			`server = "msg.xinyang.life:443";`
			`};`
Add gitea service 2023-09-11 12:20:32 +00:00			`};`
			`};`

			`services.gotosocial = {`
			`enable = true;`
			`settings = {`
			`log-level = "debug";`
			`host = "xinyang.life";`
			`letsencrypt-enabled = false;`
			`bind-address = "localhost";`
			`instance-expose-public-timeline = true;`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`oidc-enabled = true;`
			`oidc-idp-name = "Kanidm";`
			`oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";`
			`oidc-client-id = "gts";`
			`oidc-link-existing = true;`
massicot: add storage-box as extra storage 2023-12-15 13:26:20 +00:00			`storage-local-base-path = "/mnt/storage/gotosocial/storage";`
Add gitea service 2023-09-11 12:20:32 +00:00			`};`
massicot: add storage-box as extra storage 2023-12-15 13:26:20 +00:00			`environmentFile = config.sops.secrets.gts_env.path;`
Add gitea service 2023-09-11 12:20:32 +00:00			`};`

massicot: gitea -> forgejo 2023-10-03 03:53:16 +00:00			`services.forgejo = {`
Add gitea service 2023-09-11 12:20:32 +00:00			`enable = true;`
massicot: add storage-box as extra storage 2023-12-15 13:26:20 +00:00			`repositoryRoot = "/mnt/storage/forgejo/repositories";`
			`lfs = {`
			`enable = true;`
			`contentDir = "/mnt/storage/forgejo/lfs";`
			`};`
Add gitea service 2023-09-11 12:20:32 +00:00			`settings = {`
			`service.DISABLE_REGISTRATION = true;`
			`server = {`
			`ROOT_URL = "https://git.xinyang.life/";`
massicot: add ssh to forgejo 2023-12-06 16:00:30 +00:00			`START_SSH_SERVER = true;`
			`BUILTIN_SSH_SERVER_USER = "git";`
modules: add kanidm-client module 2024-01-09 04:27:51 +00:00			`SSH_USER = "git";`
massicot: add ssh to forgejo 2023-12-06 16:00:30 +00:00			`SSH_DOMAIN = "ssh.xinyang.life";`
			`SSH_PORT = 2222;`
massicot: add storage-box as extra storage 2023-12-15 13:26:20 +00:00			`LFS_MAX_FILE_SIZE = 10737418240;`
			`LANDING_PAGE = "/explore/repos";`
Add gitea service 2023-09-11 12:20:32 +00:00			`};`
massicot: gitea -> forgejo 2023-10-03 03:53:16 +00:00			`repository = {`
			`ENABLE_PUSH_CREATE_USER = true;`
			`};`
			`service = {`
			`ENABLE_BASIC_AUTHENTICATION = false;`
			`};`
			`oauth2 = {`
			`ENABLE = false; # Disable forgejo as oauth2 provider`
			`};`
			`oauth2_client = {`
			`ACCOUNT_LINKING = "auto";`
			`ENABLE_AUTO_REGISTRATION = true;`
			`UPDATE_AVATAR = true;`
			`OPENID_CONNECT_SCOPES = "openid profile email";`
			`};`
			`other = {`
			`SHOW_FOOTER_VERSION = false;`
			`};`
Add gitea service 2023-09-11 12:20:32 +00:00			`};`
			`};`

prometheus: enable every where 2024-08-01 09:01:53 +00:00			`services.grafana = {`
			`enable = true;`
			`settings = {`
			`server = {`
			`http_addr = "127.0.0.1";`
			`http_port = 3003;`
			`root_url = "https://grafana.xinyang.life";`
			`domain = "grafana.xinyang.life";`
			`};`
			`"auth.generic_oauth" = {`
			`enabled = true;`
			`name = "Kanidm";`
			`client_id = "grafana";`
			`scopes = "openid,profile,email,groups";`
			`auth_url = "https://auth.xinyang.life/ui/oauth2";`
			`token_url = "https://auth.xinyang.life/oauth2/token";`
			`api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";`
			`use_pkce = true;`
			`use_refresh_token = true;`
			`allow_sign_up = true;`
			`login_attribute_path = "preferred_username";`
			`groups_attribute_path = "groups";`
			`role_attribute_path = "contains(grafana_role[], 'GrafanaAdmin') && 'GrafanaAdmin' \|\| contains(grafana_role[], 'Admin') && 'Admin' \|\| contains(grafana_role[*], 'Editor') && 'Editor' \|\| 'Viewer'";`
			`allow_assign_grafana_admin = true;`
			`auto_login = true;`
			`};`
			`"auth" = { disable_login_form = true; };`
			`};`
			`};`

			`systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path;`

modules: add kanidm-client module 2024-01-09 04:27:51 +00:00			`users.users.git = {`
			`isSystemUser = true;`
			`useDefaultShell = true;`
			`group = "git";`
			`extraGroups = [ "forgejo" ];`
			`};`
			`users.groups.git = { };`

massicot/ntfy-sh: add 2024-07-31 03:38:44 +00:00			`users.users = {`
			`${config.services.caddy.user}.extraGroups = [`
			`config.services.ntfy-sh.group`
			`];`
			`};`
modules: add kanidm-client module 2024-01-09 04:27:51 +00:00
Add gitea service 2023-09-11 12:20:32 +00:00			`services.caddy = {`
			`enable = true;`
			`virtualHosts."xinyang.life:443".extraConfig = ''`
			`tls internal`
			`encode zstd gzip`
massicot: use conduit native well_known handler 2024-07-10 08:39:00 +00:00			`reverse_proxy /.well-known/matrix/* localhost:6167`
Add gitea service 2023-09-11 12:20:32 +00:00			`reverse_proxy * http://localhost:8080 {`
			`flush_interval -1`
			`}`
			`'';`
massicot: fix cifs disk mount 2024-06-11 10:20:21 +00:00			`virtualHosts."https://msg.xinyang.life:443".extraConfig = ''`
			`reverse_proxy /_matrix/* localhost:6167`
			`'';`
massicot: host hedgedoc with oidc 2023-12-24 05:58:53 +00:00			`virtualHosts."https://git.xinyang.life:443".extraConfig = ''`
Add gitea service 2023-09-11 12:20:32 +00:00			`reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}`
			`'';`
prometheus: enable every where 2024-08-01 09:01:53 +00:00
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`virtualHosts."http://auth.xinyang.life:80".extraConfig = ''`
prometheus: enable every where 2024-08-01 09:01:53 +00:00			`reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`'';`
massicot: host hedgedoc with oidc 2023-12-24 05:58:53 +00:00			`virtualHosts."https://auth.xinyang.life".extraConfig = ''`
			`reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`header_up Host {upstream_hostport}`
massicot: gitea -> forgejo 2023-10-03 03:53:16 +00:00			`header_down Access-Control-Allow-Origin "*"`
massicot: add kanidm service 2023-09-28 10:58:29 +00:00			`transport http {`
			`tls_server_name ${config.services.kanidm.serverSettings.domain}`
			`}`
			`}`
			`'';`
prometheus: enable every where 2024-08-01 09:01:53 +00:00			`virtualHosts."https://ntfy.xinyang.life".extraConfig = ''`
massicot/ntfy-sh: add 2024-07-31 03:38:44 +00:00			`reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}`
			`@httpget {`
			`protocol http`
			`method GET`
			`path_regexp ^/([-_a-z0-9]{0,64}$\|docs/\|static/)`
			`}`
			`redir @httpget https://{host}{uri}`
			`'';`
prometheus: enable every where 2024-08-01 09:01:53 +00:00
			`virtualHosts."https://grafana.xinyang.life".extraConfig =`
			`let`
			`grafanaSettings = config.services.grafana.settings.server;`
			`in`
			`''`
			`reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port}`
			`'';`
Add gitea service 2023-09-11 12:20:32 +00:00			`};`
			`}`