kiri/lux-old
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8110e8f10bc702fc64be73e8ee5b2e5c87b04244
lux-old/modules/orion.nix
kiri 8110e8f10b Initial commit
2026-02-28 14:18:57 +01:00

135 lines
3.6 KiB
Nix
Raw Blame History

{ den, lib, ... }:
{
den.aspects.orion = {
includes = [
(
{ host, ... }:
{
# Start all user services on boot not on login (useful for syncthing)
nixos.users.users = lib.mapAttrs (_: _: { linger = true; }) host.users;
}
)
];
nixos =
{ config, pkgs, ... }:
{
environment.systemPackages = [
pkgs.kitty
];
networking = {
firewall.enable = true;
firewall.allowPing = false;
nftables.enable = true;
};
# Use ssh authorization for sudo instead of password
security.pam = {
sshAgentAuth.enable = true;
services.sudo.sshAgentAuth = true;
};
services = {
caddy = {
enable = true;
email = "mail@jelles.net";
openFirewall = true;
};
openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
# TODO: Retrieve usernames dynamically
AllowUsers = [
"kiri"
"git"
];
};
};
vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://vault.jelles.net";
SIGNUPS_ALLOWED = false;
ROCKET_PORT = 8100;
ROCKET_LOG = "critical";
};
};
caddy.virtualHosts."vault.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}";
radicale = {
enable = true;
settings = {
server.hosts = [ "127.0.0.1:5232" ];
auth = {
type = "htpasswd";
# TODO: Get password file from SOPS
htpasswd_filename = "/var/lib/radicale/users";
htpasswd_encryption = "bcrypt";
};
storage.filesystem_folder = "/var/lib/radicale/collections";
};
};
# TODO: Is this extensive config necessary?
caddy.virtualHosts."radicale.jelles.net".extraConfig = ''
reverse_proxy :5232 {
header_up X-Script-Name /
header_up X-Forwarded-For {remote}
header_up X-Remote-User {http.auth.user.id}
}'';
actual = {
enable = true;
openFirewall = false;
settings = {
port = 3000;
hostname = "127.0.0.1";
};
};
caddy.virtualHosts."finance.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.actual.settings.port}";
gitea = {
enable = true;
settings = {
server = {
DOMAIN = "git.jelles.net";
ROOT_URL = "https://git.jelles.net/";
HTTP_PORT = 3001;
HTTP_ADDR = "127.0.0.1";
START_SSH_SERVER = false;
SSH_PORT = 22;
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
caddy.virtualHosts."git.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}";
};
# TODO: Username dynamically
users.users.kiri = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU2LydkXRTtNFY7oyX8JQURwXLVhB71DeK8XzrXeFX1 openpgp:0xA490D93A"
];
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink