Initial commit

2026-02-28 14:18:57 +01:00
commit 8110e8f10b
45 changed files with 6381 additions and 0 deletions
--- a/modules/orion.nix
+++ b/modules/orion.nix
@@ -0,0 +1,134 @@
+{ den, lib, ... }:
+{
+  den.aspects.orion = {
+    includes = [
+      (
+        { host, ... }:
+        {
+          # Start all user services on boot not on login (useful for syncthing)
+          nixos.users.users = lib.mapAttrs (_: _: { linger = true; }) host.users;
+        }
+      )
+    ];
+
+    nixos =
+      { config, pkgs, ... }:
+      {
+        environment.systemPackages = [
+          pkgs.kitty
+        ];
+
+        networking = {
+          firewall.enable = true;
+          firewall.allowPing = false;
+          nftables.enable = true;
+        };
+
+        # Use ssh authorization for sudo instead of password
+        security.pam = {
+          sshAgentAuth.enable = true;
+          services.sudo.sshAgentAuth = true;
+        };
+
+        services = {
+          caddy = {
+            enable = true;
+            email = "mail@jelles.net";
+            openFirewall = true;
+          };
+
+          openssh = {
+            enable = true;
+            settings = {
+              PermitRootLogin = "no";
+              PasswordAuthentication = false;
+              # TODO: Retrieve usernames dynamically
+              AllowUsers = [
+                "kiri"
+                "git"
+              ];
+            };
+          };
+
+          vaultwarden = {
+            enable = true;
+            backupDir = "/var/backup/vaultwarden";
+            config = {
+              DOMAIN = "https://vault.jelles.net";
+              SIGNUPS_ALLOWED = false;
+              ROCKET_PORT = 8100;
+              ROCKET_LOG = "critical";
+            };
+          };
+          caddy.virtualHosts."vault.jelles.net".extraConfig =
+            "reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}";
+
+          radicale = {
+            enable = true;
+            settings = {
+              server.hosts = [ "127.0.0.1:5232" ];
+
+              auth = {
+                type = "htpasswd";
+                # TODO: Get password file from SOPS
+                htpasswd_filename = "/var/lib/radicale/users";
+                htpasswd_encryption = "bcrypt";
+              };
+
+              storage.filesystem_folder = "/var/lib/radicale/collections";
+            };
+          };
+
+          # TODO: Is this extensive config necessary?
+          caddy.virtualHosts."radicale.jelles.net".extraConfig = ''
+            reverse_proxy :5232 {
+               header_up X-Script-Name /
+               header_up X-Forwarded-For {remote}
+               header_up X-Remote-User {http.auth.user.id}
+            }'';
+
+          actual = {
+            enable = true;
+            openFirewall = false;
+            settings = {
+              port = 3000;
+              hostname = "127.0.0.1";
+            };
+          };
+          caddy.virtualHosts."finance.jelles.net".extraConfig =
+            "reverse_proxy :${toString config.services.actual.settings.port}";
+
+          gitea = {
+            enable = true;
+
+            settings = {
+              server = {
+                DOMAIN = "git.jelles.net";
+                ROOT_URL = "https://git.jelles.net/";
+                HTTP_PORT = 3001;
+                HTTP_ADDR = "127.0.0.1";
+
+                START_SSH_SERVER = false;
+                SSH_PORT = 22;
+              };
+
+              service = {
+                DISABLE_REGISTRATION = true;
+              };
+            };
+          };
+
+          caddy.virtualHosts."git.jelles.net".extraConfig =
+            "reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}";
+
+        };
+
+        # TODO: Username dynamically
+        users.users.kiri = {
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU2LydkXRTtNFY7oyX8JQURwXLVhB71DeK8XzrXeFX1 openpgp:0xA490D93A"
+          ];
+        };
+      };
+  };
+}