refactor: move services out of systems/tewi/

2026-02-09 12:29:19 -08:00 · 2024-01-09 13:12:55 -08:00 · 2024-01-09 13:12:55 -08:00 · 5a661e8809
commit 5a661e8809
parent 2f68968238
30 changed files with 992 additions and 638 deletions
--- a/nixos/access/gensokyo.nix
+++ b/nixos/access/gensokyo.nix
@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.nginx.virtualHosts.${config.networking.domain} = {
+    locations."/" = {
+      root = pkgs.gensokyoZone;
+    };
+  };
+}
--- a/nixos/access/nextcloud.nix
+++ b/nixos/access/nextcloud.nix
@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  meta,
+  ...
+}:
+with lib; {
+  services.nginx.virtualHosts."cloud.${config.networking.domain}" = {
+    locations = {
+      "/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/";
+    };
+  };
+}
--- a/nixos/access/plex.nix
+++ b/nixos/access/plex.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  meta,
+  ...
+}:
+with lib; {
+  services.nginx.virtualHosts."plex.${config.networking.domain}" = {
+    locations = {
+      "/" = {
+        proxyPass = meta.tailnet.yukari.pp 4 32400;
+        extraConfig = ''
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_redirect off;
+          proxy_buffering off;
+          proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+          proxy_set_header X-Plex-Device $http_x_plex_device;
+          proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+          proxy_set_header X-Plex-Platform $http_x_plex_platform;
+          proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+          proxy_set_header X-Plex-Product $http_x_plex_product;
+          proxy_set_header X-Plex-Token $http_x_plex_token;
+          proxy_set_header X-Plex-Version $http_x_plex_version;
+          proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+          proxy_set_header X-Plex-Provides $http_x_plex_provides;
+          proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+          proxy_set_header X-Plex-Model $http_x_plex_model;
+        '';
+      };
+    };
+  };
+}
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.services.zigbee2mqtt;
+in {
+  services.nginx.virtualHosts.${cfg.domain} = {
+    vouch.enable = true;
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.settings.frontend.port}";
+        extraConfig = ''
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_http_version 1.1;
+        '';
+      };
+    };
+  };
+}
--- a/nixos/cloudflared.nix
+++ b/nixos/cloudflared.nix
@ -0,0 +1,5 @@
+{ config, lib, ... }: let
+  inherit (lib.modules) mkDefault;
+in {
+  config.services.cloudflared.enable = mkDefault true;
+}
--- a/nixos/deluge.nix
+++ b/nixos/deluge.nix
@ -0,0 +1,32 @@
+{ config, lib, ... }: let
+  inherit (lib) mkDefault;
+  cfg = config.services.deluge;
+in {
+  sops.secrets.deluge-auth = {
+    inherit (cfg) group;
+    owner = cfg.user;
+  };
+  services.deluge = {
+    enable = mkDefault true;
+    declarative = mkDefault true;
+    openFirewall = mkDefault true;
+    web = {
+      enable = true;
+    };
+    config = {
+      max_upload_speed = 10.0;
+      #share_ratio_limit = 2.0;
+      max_connections_global = 1024;
+      max_connections_per_second = 50;
+      max_active_limit = 100;
+      max_active_downloading = 75;
+      max_upload_slots_global = 25;
+      max_active_seeding = 1;
+      allow_remote = true;
+      daemon_port = 58846;
+      listen_ports = [ 6881 6889 ];
+      random_port = false;
+    };
+    authFile = config.sops.secrets.deluge-auth.path;
+  };
+}
--- a/nixos/home-assistant.nix
+++ b/nixos/home-assistant.nix
@ -0,0 +1,133 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.home-assistant;
+  inherit (lib.modules) mkDefault;
+  inherit (lib.lists) optional;
+in {
+  sops.secrets = {
+    ha-integration = {
+      owner = "hass";
+      path = "${cfg.configDir}/integration.yaml";
+    };
+    ha-secrets = {
+      owner = "hass";
+      path = "${cfg.configDir}/secrets.yaml";
+    };
+  };
+
+  services.home-assistant = {
+    enable = mkDefault true;
+    openFirewall = mkDefault true;
+    mutableUiConfig = mkDefault true;
+    domain = mkDefault "home.${config.networking.domain}";
+    config = {
+      homeassistant = {
+        name = "Gensokyo";
+        unit_system = "metric";
+        latitude = "!secret home_lat";
+        longitude = "!secret home_long";
+        elevation = "!secret home_asl";
+        currency = "CAD";
+        country = "CA";
+        time_zone = "America/Vancouver";
+        packages = {
+          manual = "!include manual.yaml";
+        };
+      };
+      frontend = {
+        themes = "!include_dir_merge_named themes";
+      };
+      powercalc = {
+      };
+      utility_meter = {
+      };
+      withings = {
+        use_webhook = true;
+      };
+      recorder = {
+        auto_purge = true;
+        purge_keep_days = 14;
+        commit_interval = 1;
+        exclude = {
+          domains = [
+            "automation"
+            "updater"
+          ];
+          entity_globs = [
+            "sensor.weather_*"
+            "sensor.date_*"
+          ];
+          entities = [
+            "sun.sun"
+            "sensor.last_boot"
+            "sensor.date"
+            "sensor.time"
+          ];
+          event_types = [
+            "call_service"
+          ];
+        };
+      };
+      google_assistant = {
+        project_id = "gensokyo-5cfaf";
+        service_account = "!include integration.yaml";
+        report_state = true;
+        exposed_domains = [
+          "scene"
+          "script"
+          "climate"
+          #"sensor"
+        ];
+        entity_config = {};
+      };
+      homekit = [ {
+        name = "Tewi";
+        port = 21063;
+        ip_address = "10.1.1.38";
+        filter = let
+          inherit (cfg.config) google_assistant;
+        in {
+          include_domains = google_assistant.exposed_domains;
+          include_entities = "!include homekit_include_entities.yaml";
+        };
+        entity_config = "!include homekit_entity_config.yaml";
+      } ];
+      tts = [
+        {
+          platform = "google_translate";
+          service_name = "google_say";
+        }
+      ];
+      media_player = [
+        {
+          platform = "mpd";
+          name = "Shanghai MPD";
+          host = "shanghai.local.cutie.moe";
+          password = "!secret mpd-shanghai-password";
+        }
+      ];
+      prometheus = {};
+      wake_on_lan = {};
+    };
+    extraComponents = [
+      "zha"
+      "esphome"
+      "apple_tv"
+      "spotify"
+      "brother"
+      "ipp"
+      "androidtv"
+      "cast"
+      "plex"
+      "shopping_list"
+      "tile"
+      "wake_on_lan"
+      "withings"
+      "wled"
+    ];
+  };
+}
--- a/nixos/kanidm.nix
+++ b/nixos/kanidm.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) mkDefault;
+  cfg = config.services.kanidm;
+in {
+  services.kanidm = {
+    enableServer = true;
+    enableClient = true;
+    server = {
+      unencrypted.enable = mkDefault true;
+      openFirewall = mkDefault true;
+      frontend = {
+        domain = mkDefault "id.${cfg.serverSettings.domain}";
+        address = mkDefault "0.0.0.0";
+      };
+      ldap = {
+        enable = mkDefault true;
+        address = mkDefault "0.0.0.0";
+      };
+    };
+    clientSettings = {
+      verify_ca = mkDefault true;
+      verify_hostnames = mkDefault true;
+    };
+    serverSettings = {
+      role = mkDefault "WriteReplica";
+      log_level = mkDefault "info";
+    };
+  };
+}
--- a/nixos/mosquitto.nix
+++ b/nixos/mosquitto.nix
@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkDefault;
+in {
+  sops.secrets = {
+    z2m-pass.owner = "mosquitto";
+    systemd-pass.owner = "mosquitto";
+    hass-pass.owner = "mosquitto";
+    espresense-pass.owner = "mosquitto";
+  };
+
+  services.mosquitto = {
+    enable = mkDefault true;
+    persistence = mkDefault true;
+    listeners = [
+      {
+        openFirewall = mkDefault true;
+        acl = [
+          "pattern readwrite #"
+        ];
+        users = {
+          z2m = {
+            passwordFile = config.sops.secrets.z2m-pass.path;
+            acl = [
+              "readwrite #"
+            ];
+          };
+          espresense = {
+            passwordFile = config.sops.secrets.espresense-pass.path;
+            acl = [
+              "readwrite #"
+            ];
+          };
+          systemd = {
+            passwordFile = config.sops.secrets.systemd-pass.path;
+            acl = [
+              "readwrite #"
+            ];
+          };
+          hass = {
+            passwordFile = config.sops.secrets.hass-pass.path;
+            acl = [
+              "readwrite #"
+            ];
+          };
+        };
+        settings = {
+          allow_anonymous = mkDefault false;
+        };
+      }
+    ];
+  };
+}
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  networking.firewall.allowedTCPPorts = [
+    443
+    80
+  ];
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = false;
+    commonHttpConfig = ''
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      #add_header Strict-Transport-Security $hsts_header;
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+      #add_header X-Frame-Options DENY;
+      #add_header X-Content-Type-Options nosniff;
+      #add_header X-XSS-Protection "1; mode=block";
+      #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+    clientMaxBodySize = "512m";
+  };
+}
--- a/nixos/postgres.nix
+++ b/nixos/postgres.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }: {
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_14;
+    ensureDatabases = [ "hass" ];
+    ensureUsers = [{
+      name = "hass";
+      ensureDBOwnership = true;
+    }];
+  };
+}
--- a/nixos/reisen-ct/filesystem.nix
+++ b/nixos/reisen-ct/filesystem.nix
@ -0,0 +1,8 @@
+{
+  lib,
+  ...
+}: let
+  inherit (lib) mkDefault;
+in {
+  services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
+}
--- a/nixos/syncplay.nix
+++ b/nixos/syncplay.nix
@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+with lib; let
+  cfg = config.services.syncplay;
+  args =
+    [
+      "--disable-ready"
+      "--port"
+      cfg.port
+    ]
+    ++ optionals (cfg.certDir != null) ["--tls" cfg.certDir];
+in {
+  sops.secrets.syncplay-env.owner = cfg.user;
+
+  users.users.${cfg.user} = {
+    inherit (cfg) group;
+    isSystemUser = true;
+    home = "/var/lib/syncplay";
+  };
+  users.groups.${cfg.group} = {};
+
+  networking.firewall.allowedTCPPorts = [cfg.port];
+
+  services.syncplay = {
+    enable = true;
+    user = "syncplay";
+  };
+  systemd.services.syncplay = mkIf cfg.enable {
+    serviceConfig = {
+      StateDirectory = "syncplay";
+      EnvironmentFile = singleton config.sops.secrets.syncplay-env.path;
+      ExecStart = mkForce [
+        "${pkgs.syncplay-nogui}/bin/syncplay-server ${utils.escapeSystemdExecArgs args}"
+      ];
+    };
+  };
+}
--- a/nixos/vouch.nix
+++ b/nixos/vouch.nix
@ -0,0 +1,26 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) mkDefault;
+  cfg = config.services.vouch-proxy;
+in {
+  services.vouch-proxy = {
+    enable = mkDefault true;
+    domain = mkDefault "login.${config.networking.domain}";
+    settings = {
+      vouch.cookie.secure = mkDefault false;
+    };
+    enableSettingsSecrets = mkDefault true;
+    extraSettings = {
+      oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
+      vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
+    };
+  };
+
+  sops.secrets = {
+    vouch-jwt.owner = cfg.user;
+    vouch-client-secret.owner = cfg.user;
+  };
+}
--- a/nixos/zigbee2mqtt.nix
+++ b/nixos/zigbee2mqtt.nix
@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.zigbee2mqtt;
+  inherit (lib) mkDefault;
+in {
+  sops.secrets.z2m-secret = {
+    owner = "zigbee2mqtt";
+    path = "${cfg.dataDir}/secret.yaml";
+  };
+
+  users.groups.input.members = [ "zigbee2mqtt" ];
+
+  services.zigbee2mqtt = {
+    enable = mkDefault true;
+    openFirewall = mkDefault true;
+    domain = mkDefault "z2m.${config.networking.domain}";
+    settings = {
+      advanced = {
+        log_level = "info";
+        network_key = "!secret network_key";
+      };
+      mqtt = {
+        user = "z2m";
+        password = "!secret z2m_pass";
+      };
+      homeassistant = true;
+      permit_join = false;
+      frontend = {
+        port = 8072;
+      };
+      serial = {
+        port = "/dev/ttyUSB0";
+      };
+      availability = {
+        # minutes
+        active.timeout = 10;
+        passive.timeout = 60 * 50;
+      };
+    };
+  };
+}