Refactor modules into nixos and home-manager
All checks were successful
Check flake / build-amd64-linux (push) Successful in 3m14s
All checks were successful
Check flake / build-amd64-linux (push) Successful in 3m14s
This commit is contained in:
70
modules/nixos/services/netbird.nix
Normal file
70
modules/nixos/services/netbird.nix
Normal file
@ -0,0 +1,70 @@
|
||||
{ config, lib, self, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.netbird;
|
||||
hostname = config.networking.hostName;
|
||||
in {
|
||||
options.modules.services.netbird = {
|
||||
enable = lib.mkEnableOption "netbird";
|
||||
coordinatorDomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "netbird.vimium.net";
|
||||
};
|
||||
meshDomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "mesh.vimium.net";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."passwords/services/netbird/data-store-encryption-key" = {
|
||||
file = "${self.inputs.secrets}/passwords/services/netbird/data-store-encryption-key.age";
|
||||
};
|
||||
|
||||
services.netbird = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
services.netbird.server = {
|
||||
domain = cfg.coordinatorDomain;
|
||||
enable = true;
|
||||
enableNginx = true;
|
||||
dashboard.settings = {
|
||||
AUTH_AUTHORITY = "https://auth.vimium.com/oauth2/openid/netbird";
|
||||
};
|
||||
management = rec {
|
||||
disableAnonymousMetrics = true;
|
||||
dnsDomain = cfg.meshDomain;
|
||||
oidcConfigEndpoint = "https://auth.vimium.com/oauth2/openid/netbird/.well-known/openid-configuration";
|
||||
settings = {
|
||||
DataStoreEncryptionKey = {
|
||||
_secret = config.age.secrets."passwords/services/netbird/data-store-encryption-key".path;
|
||||
};
|
||||
HttpConfig = {
|
||||
AuthAudience = "netbird";
|
||||
};
|
||||
StoreConfig = { Engine = "sqlite"; };
|
||||
TURNConfig = {
|
||||
Secret._secret = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
|
||||
TimeBasedCredentials = true;
|
||||
};
|
||||
PKCEAuthorizationFlow.ProviderConfig = {
|
||||
AuthorizationEndpoint = "https://auth.vimium.com/ui/oauth2";
|
||||
TokenEndpoint = "https://auth.vimium.com/oauth2/token";
|
||||
};
|
||||
};
|
||||
singleAccountModeDomain = dnsDomain;
|
||||
turnDomain = config.services.coturn.realm;
|
||||
turnPort = config.services.coturn.listening-port;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.netbird-signal.serviceConfig.RestartSec = "60";
|
||||
systemd.services.netbird-management.serviceConfig.RestartSec = "60";
|
||||
|
||||
services.nginx.virtualHosts."netbird.vimium.net" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
40
modules/nixos/services/postgresql.nix
Normal file
40
modules/nixos/services/postgresql.nix
Normal file
@ -0,0 +1,40 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.postgresql;
|
||||
in {
|
||||
options.modules.services.postgresql = {
|
||||
enable = lib.mkOption {
|
||||
default = false;
|
||||
example = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
initdbArgs = [
|
||||
"--allow-group-access"
|
||||
"--encoding=UTF8"
|
||||
"--locale=C"
|
||||
];
|
||||
settings = {
|
||||
log_connections = true;
|
||||
log_disconnections = true;
|
||||
log_destination = lib.mkForce "syslog";
|
||||
};
|
||||
};
|
||||
|
||||
services.borgmatic.settings = {
|
||||
postgresql_databases = [
|
||||
{
|
||||
name = "all";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
44
modules/nixos/services/tailscale.nix
Normal file
44
modules/nixos/services/tailscale.nix
Normal file
@ -0,0 +1,44 @@
|
||||
{ config, lib, pkgs, self, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.tailscale;
|
||||
headscale = "https://headscale.vimium.net";
|
||||
hostname = config.networking.hostName;
|
||||
in {
|
||||
options.modules.services.tailscale = {
|
||||
enable = lib.mkOption {
|
||||
default = false;
|
||||
example = true;
|
||||
};
|
||||
restrictSSH = lib.mkOption {
|
||||
default = true;
|
||||
example = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
|
||||
file = "${self.inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.tailscale ];
|
||||
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."passwords/services/tailscale/${hostname}-authkey".path;
|
||||
|
||||
extraUpFlags = [
|
||||
"--login-server"
|
||||
headscale
|
||||
];
|
||||
};
|
||||
|
||||
services.openssh.openFirewall = !cfg.restrictSSH;
|
||||
|
||||
networking.firewall = {
|
||||
checkReversePath = "loose";
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedUDPPorts = [ config.services.tailscale.port ];
|
||||
};
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user