Lemmy broken on Germany

This commit is contained in:
niten 2024-02-10 16:53:55 -08:00
parent 7a73028ad2
commit cf10f910bd
18 changed files with 1501 additions and 920 deletions

View File

@ -6,22 +6,41 @@ let
localDomain = "fudo.org"; localDomain = "fudo.org";
domainSecrets = config.fudo.secrets.files.domain-secrets."${localDomain}"; domainSecrets = config.fudo.secrets.files.domain-secrets."${localDomain}";
hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
inherit (pkgs.lib) getDomainHosts getHostIpv4 getHostIpv6 getHostFqdn; inherit (pkgs.lib)
getDomainHosts getHostIpv4 getHostIpv6 getHostFqdn getSiteV4PrefixLength;
domain = config.fudo.domains."${localDomain}"; domain = config.fudo.domains."${localDomain}";
authentikHost = "legatus"; authentikHost = "legatus";
authentikImage = "ghcr.io/goauthentik/server:2023.10.7";
primaryNameserver = "germany"; primaryNameserver = "germany";
webmailHost = "germany";
defaultHost = "germany"; defaultHost = "germany";
mastodonHost = "germany";
mastodonHostname = "fudo.live"; mastodonHostname = "fudo.live";
giteaHost = "germany";
giteaHostname = "fudo.dev";
giteaIpv4Address = "208.81.3.118";
cloudHost = "germany";
cloudHostname = "fudo.cloud";
lemmyHost = "germany"; lemmyHost = "germany";
lemmyHostname = "fudo.social"; lemmyHostname = "fudo.social";
matrixHost = "germany";
matrixHostname = "fudo.im";
immichHost = "germany";
immichHostname = "pics.fudo.org";
servedDomains = [ servedDomains = [
"fudo.org" "fudo.org"
"test.fudo.org" "test.fudo.org"
@ -30,35 +49,36 @@ let
"fudo.im" "fudo.im"
"fudo.live" "fudo.live"
"fudo.social" "fudo.social"
"fudo.dev"
"fudo.cloud"
"stewartsoundservices.ca" "stewartsoundservices.ca"
]; ];
static = ../../static;
in { in {
imports = [ imports = [
(import ./fudo.org/authentik.nix { (import ./fudo.org/authentik.nix { inherit authentikHost authentikImage; })
inherit authentikHost;
authentikImage = "ghcr.io/goauthentik/server:2023.10.6";
})
(import ./fudo.org/mastodon.nix { (import ./fudo.org/mastodon.nix {
mastodonHost = "germany"; mastodonHost = mastodonHost;
mastodonHostname = mastodonHostname; mastodonHostname = mastodonHostname;
mastodonWebDomain = mastodonHostname; mastodonWebDomain = mastodonHostname;
mastodonOidcClientId = domainSecrets."mastodon-oidc.clientid"; mastodonOidcClientId = domainSecrets."mastodon-oidc.clientid";
mastodonOidcClientSecret = domainSecrets."mastodon-oidc.secret"; mastodonOidcClientSecret = domainSecrets."mastodon-oidc.secret";
}) })
(import ./fudo.org/nextcloud.nix { (import ./fudo.org/nextcloud.nix {
nextcloudHost = "legatus"; nextcloudHost = cloudHost;
nextcloudHostname = "cloud.fudo.org"; nextcloudHostname = cloudHostname;
nextcloudPackage = pkgs.nextcloud28; nextcloudPackage = pkgs.nextcloud28;
}) })
(import ./fudo.org/matrix.nix { (import ./fudo.org/matrix.nix {
matrixHost = "germany"; matrixHost = matrixHost;
matrixServerName = "fudo.im"; matrixServerName = matrixHostname;
openIdClientId = readFile domainSecrets."matrix-oidc.clientid"; openIdClientId = readFile domainSecrets."matrix-oidc.clientid";
openIdClientSecret = readFile domainSecrets."matrix-oidc.secret"; openIdClientSecret = readFile domainSecrets."matrix-oidc.secret";
}) })
(import ./fudo.org/mail-server.nix (rec { (import ./fudo.org/mail-server.nix (rec {
primaryMailserver = "france"; primaryMailserver = "germany";
primaryDomain = "fudo.org"; primaryDomain = "fudo.org";
authentikServer = "authentik.fudo.org"; authentikServer = "authentik.fudo.org";
ldapBase = "dc=fudo,dc=org"; ldapBase = "dc=fudo,dc=org";
@ -73,8 +93,21 @@ in {
]; ];
config = { config = {
# All Fudo hosts should redirect selby.ca to the selbyhomecentre website. systemd.services = { lemmy.after = [ "postgresql.service" ]; };
services = { services = {
immichContainer = mkIf (hostname == immichHost) {
enable = true;
images = let immichVersion = "v1.94.1";
in {
immich = "ghcr.io/immich-app/immich-server:${immichVersion}";
immich-ml =
"ghcr.io/immich-app/immich-machine-learning:${immichVersion}";
redis = "redis:6.2-alpine";
postgresql = "tensorchord/pgvecto-rs:pg14-v0.1.11";
};
};
nginx.virtualHosts = { nginx.virtualHosts = {
# Pass requests to selby on to selbyhomecentre # Pass requests to selby on to selbyhomecentre
"selby.ca".locations."/".return = "selby.ca".locations."/".return =
@ -82,34 +115,110 @@ in {
"www.selby.ca".locations."/".return = "www.selby.ca".locations."/".return =
"301 https://selbyhomecentre.com$request_uri"; "301 https://selbyhomecentre.com$request_uri";
# For Mastodon "pics.fudo.org" = mkIf (hostname == immichHost) {
"fudo.org".locations = { enableACME = true;
"/.well-known/webfinger" = { forceSSL = true;
return = "301 http://${mastodonHostname}"; locations."/" = {
extraConfig = "add_header Access-Control-Allow-Origin '*';"; proxyPass = "http://localhost:${
toString config.services.immichContainer.port
}/";
proxyWebsockets = true;
}; };
"/.well-known/host-meta" = { };
return = "301 https://${mastodonHostname}$request_uri";
"fudo.org" = mkIf (hostname == defaultHost) {
enableACME = true;
forceSSL = true;
locations = let
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
# Mastodon
"/.well-known/webfinger" = {
return = "301 https://${mastodonHostname}";
extraConfig = "add_header Access-Control-Allow-Origin '*';";
};
"/.well-known/host-meta" = {
return = "301 https://${mastodonHostname}$request_uri";
};
# Matrix
"/.well-known/matrix/server".extraConfig =
mkWellKnown { "m.server" = "matrix.${matrixHostname}:443"; };
"/.well-known/matrix/client".extraConfig = mkWellKnown {
"m.homeserver".base_url = "https://web.${matrixHostname}:443";
};
"/.well-known/acme-challenge" = {
root = "/var/lib/acme/acme-challenge/";
extraConfig = "auth_basic off;";
};
}; };
}; };
}; };
lemmyDocker = { # lemmyContainer = {
enable = config.instance.hostname == lemmyHost; # enable = config.instance.hostname == lemmyHost;
hostname = lemmyHostname; # hostname = lemmyHostname;
site-name = "Fudo Lemmy"; # site-name = "Fudo Lemmy";
version = "0.19.2"; # smtp.host = "mail.fudo.org:587";
smtp-server = "mail.fudo.org:587"; # # admin-password-file = hostSecrets.lemmyAdminPasswd.target-file;
docker-images = { # server-package = pkgs.pkgsUnstable.lemmy-server;
pictrs = "asonix/pictrs:0.5.1"; # };
postgres = "postgres:15-alpine";
};
};
}; };
fudo = { fudo = {
secrets.host-secrets."${hostname}" = {
lemmyAdminPasswd = {
source-file =
pkgs.lib.passwd.stablerandom-passwd-file "lemmy-admin.passwd"
config.instance.build-seed;
target-file = "/run/lemmy/admin.passwd";
};
};
zones = {
"fudo.org".aliases = {
cloud = "germany.fudo.org.";
pics = "germany.fudo.org.";
webmail = "germany.fudo.org.";
};
"selby.ca".aliases.webmail = "germany.fudo.org.";
};
webmail = {
enable = hostname == webmailHost;
sites = {
"webmail.fudo.org" = {
title = "Fudo Webmail";
favicon = "${static}/fudo.org/favicon.ico";
mail-server = "mail.fudo.org";
domain = "fudo.org";
edit-mode = "Plain";
};
"webmail.fudo.link" = {
title = "Fudo Link Webmail";
favicon = "${static}/fudo.link/favicon.ico";
mail-server = "mail.fudo.org";
domain = "fudo.link";
edit-mode = "Plain";
layout-mode = "bottom";
};
"webmail.selby.ca" = {
title = "Selby Webmail";
favicon = "${static}/selby.ca/favicon.ico";
mail-server = "mail.fudo.org";
domain = "selby.ca";
};
};
};
services = { services = {
# TEMPORARY # DON'T enable, we're using mail-container instead
mail-server.enable = false; mail-server.enable = false;
jabber = { jabber = {
@ -127,6 +236,25 @@ in {
}; };
}; };
lemmy = {
enable = hostname == lemmyHost;
hostname = "fudo.social";
site-name = "Fudo Lemmy";
smtp.host = "mail.fudo.org";
};
gitea-container = let siteName = config.fudo.hosts."${giteaHost}".site;
in {
enable = hostname == giteaHost;
site-name = "Fudo Git";
hostname = giteaHostname;
trusted-networks = config.instance.local-networks;
networking.ipv4 = {
address = giteaIpv4Address;
prefixLength = getSiteV4PrefixLength siteName;
};
};
authoritative-dns = { authoritative-dns = {
enable = hostname == primaryNameserver; enable = hostname == primaryNameserver;
@ -167,23 +295,56 @@ in {
mkDomain = domain: extraConfig: mkDomain = domain: extraConfig:
{ {
default-host = defaultDeets;
ksk = ksk =
config.fudo.secrets.files.dns.key-signing-keys."${domain}"; config.fudo.secrets.files.dns.key-signing-keys."${domain}";
} // extraConfig; } // extraConfig;
getDeets = hostname: description: {
inherit (config.fudo.zones."fudo.org".hosts."${hostname}")
ipv4-address ipv6-address sshfp-records;
};
in { in {
"fudo.org" = mkDomain "fudo.org" { "fudo.org" = mkDomain "fudo.org" {
reverse-zones = [ "208.81.1.128/28" "208.81.3.112/28" ]; reverse-zones = [ "208.81.1.128/28" "208.81.3.112/28" ];
mail = fudoMailservers; mail = fudoMailservers;
default-host = defaultDeets;
}; };
"test.fudo.org" = mkDomain "test.fudo.org" { }; "test.fudo.org" = mkDomain "test.fudo.org" { };
"selby.ca" = mkDomain "selby.ca" { mail = fudoMailservers; }; "selby.ca" = mkDomain "selby.ca" {
"fudo.ca" = mkDomain "fudo.ca" { mail = fudoMailservers; }; mail = fudoMailservers;
"fudo.im" = mkDomain "fudo.im" { mail = fudoMailservers; }; default-host = defaultDeets;
"stewartsoundservices.ca" = };
mkDomain "stewartsoundservices.ca" { mail = fudoMailservers; }; "fudo.ca" = mkDomain "fudo.ca" {
"fudo.live" = mkDomain "fudo.live" { mail = fudoMailservers; }; mail = fudoMailservers;
"fudo.social" = mkDomain "fudo.social" { mail = fudoMailservers; }; default-host = defaultDeets;
};
"fudo.im" = mkDomain "fudo.im" {
mail = fudoMailservers;
default-host = getDeets matrixHost "fudo.im primary server";
};
"stewartsoundservices.ca" = mkDomain "stewartsoundservices.ca" {
mail = fudoMailservers;
default-host = defaultDeets;
};
"fudo.live" = mkDomain "fudo.live" {
mail = fudoMailservers;
default-host = getDeets mastodonHost "fudo.live primary server";
};
"fudo.social" = mkDomain "fudo.social" {
mail = fudoMailservers;
default-host = getDeets lemmyHost "fudo.social primary server";
};
"fudo.dev" = mkDomain "fudo.dev" {
mail = fudoMailservers;
default-host = {
ipv4-address = giteaIpv4Address;
description = "fudo.dev";
};
};
"fudo.cloud" = mkDomain "fudo.cloud" {
mail = fudoMailservers;
default-host = getDeets cloudHost "fudo.dev primary server";
};
}; };
}; };
}; };

View File

@ -22,39 +22,48 @@ in {
# }; # };
fudo = { fudo = {
zones."${primaryDomain}" = let zones = let
mailserverDomain = config.fudo.hosts."${primaryMailserver}".domain; mailserverIp = getHostIpv4 primaryMailserver;
mailserverIps = { spfRecords = [
ipv4-address = getHostIpv4 primaryMailserver; ''@ IN TXT "v=spf1 mx ip4:${mailserverIp}/32 -all"''
ipv6-address = getHostIpv6 primaryMailserver; ''@ IN SPF "v=spf1 mx ip4:${mailserverIp}/32 -all"''
}; ];
srvRecord = host: port: [{ inherit host port; }];
in { in {
srv-records = { "${primaryDomain}" = let
tcp = { mailserverDomain = config.fudo.hosts."${primaryMailserver}".domain;
imap = srvRecord "imap.${primaryDomain}" 143; mailserverIps = {
imaps = srvRecord "imap.${primaryDomain}" 993; ipv4-address = getHostIpv4 primaryMailserver;
smtp = srvRecord "smtp.${primaryDomain}" 25; ipv6-address = getHostIpv6 primaryMailserver;
submission = srvRecord "smtp.${primaryDomain}" 587;
submissions = srvRecord "smtp.${primaryDomain}" 465;
}; };
udp = { srvRecord = host: port: [{ inherit host port; }];
smtp = srvRecord "smtp.${primaryDomain}" 25; in {
submission = srvRecord "smtp.${primaryDomain}" 587; srv-records = {
tcp = {
imap = srvRecord "mail.${primaryDomain}" 143;
imaps = srvRecord "mail.${primaryDomain}" 993;
smtp = srvRecord "mail.${primaryDomain}" 25;
submission = srvRecord "mail.${primaryDomain}" 587;
submissions = srvRecord "mail.${primaryDomain}" 465;
};
udp = {
smtp = srvRecord "mail.${primaryDomain}" 25;
submission = srvRecord "mail.${primaryDomain}" 587;
};
}; };
};
metric-records = genAttrs [ "dovecot" "postfix" "rspamd" ] metric-records = genAttrs [ "dovecot" "postfix" "rspamd" ]
(_: srvRecord "mail-stats.${primaryDomain}" 443); (_: srvRecord "mail-stats.${primaryDomain}" 443);
hosts = { hosts = {
imap = mailserverIps; imap = mailserverIps;
smtp = mailserverIps; smtp = mailserverIps;
mail = mailserverIps; mail = mailserverIps;
mail-stats = mailserverIps; mail-stats = mailserverIps;
};
verbatim-dns-records = [ dkimRecord ] ++ spfRecords;
}; };
verbatim-dns-records = [ dkimRecord ]; } // (genAttrs (filter (dom: dom != primaryDomain) servedDomains)
}; (domain: { verbatim-dns-records = [ dkimRecord ] ++ spfRecords; }));
metrics.prometheus.service-discovery-dns = metrics.prometheus.service-discovery-dns =
(genAttrs [ "dovecot" "postfix" "rspamd" ] (genAttrs [ "dovecot" "postfix" "rspamd" ]
@ -68,14 +77,14 @@ in {
sasl-domain = saslDomain; sasl-domain = saslDomain;
trusted-networks = config.instance.local-networks; trusted-networks = config.instance.local-networks;
smtp = { smtp = {
hostname = "smtp.${primaryDomain}"; hostname = "mail.${primaryDomain}";
ssl-directory = ssl-directory =
config.security.acme.certs."smtp.${primaryDomain}".directory; config.security.acme.certs."mail.${primaryDomain}".directory;
}; };
imap = { imap = {
hostname = "imap.${primaryDomain}"; hostname = "mail.${primaryDomain}";
ssl-directory = ssl-directory =
config.security.acme.certs."imap.${primaryDomain}".directory; config.security.acme.certs."mail.${primaryDomain}".directory;
}; };
ldap = { ldap = {
authentik-host = "https://${authentikServer}"; authentik-host = "https://${authentikServer}";
@ -112,7 +121,7 @@ in {
"imap.${primaryDomain}" = { "imap.${primaryDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".return = "301 https://webmail.${primaryDomain}"; locations."/".return = "403 Forbidden";
}; };
"mail.${primaryDomain}" = { "mail.${primaryDomain}" = {
enableACME = true; enableACME = true;
@ -122,7 +131,7 @@ in {
"smtp.${primaryDomain}" = { "smtp.${primaryDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".return = "301 https://webmail.${primaryDomain}"; locations."/".return = "403 Forbidden";
}; };
}; };
}; };

View File

@ -7,50 +7,46 @@ with lib;
let let
hostname = config.instance.hostname; hostname = config.instance.hostname;
isMastodon = hostname == mastodonHost; isMastodon = hostname == mastodonHost;
mkEnvFile = vars:
pkgs.writeText "mastodon.env"
(concatStringsSep "\n" (mapAttrsToList (k: v: ''${k}="${v}"'') vars));
in { in {
config = { config = {
fudo.secrets.host-secrets."${hostname}".mastodonEnv = {
source-file = mkEnvFile {
OIDC_ENABLED = "true";
OIDC_DISPLAY_NAME = "fudo auth";
OIDC_DISCOVERY = "true";
OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
OIDC_AUTH_ENDPOINT =
"https://authentik.fudo.org/application/o/authorize/";
OIDC_SCOPE = "openid,profile,email";
OIDC_UID_FIELD = "sub";
OIDC_CLIENT_ID = readFile mastodonOidcClientId;
OIDC_CLIENT_SECRET = readFile mastodonOidcClientSecret;
OIDC_REDIRECT_URI =
"https://fudo.live/auth/auth/openid_connect/callback";
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
OMNIAUTH_ONLY = "true";
ONE_CLICK_SSO_LOGIN = "true";
};
target-file = "/run/mastodon/env";
};
services = { services = {
mastodonContainer = mkIf isMastodon { mastodonContainer = mkIf isMastodon {
enable = true; enable = true;
hostname = mastodonWebDomain; hostname = mastodonHostname;
web-domain = mastodonHostname; domain = mastodonWebDomain;
version = "v4.1.6"; environment-files = [
state-directory = "/state/services/mastodon"; config.fudo.secrets.host-secrets."${hostname}".mastodonEnv.target-file
smtp.server = "mail.fudo.org"; ];
environment = { smtp = {
OIDC_ENABLED = "true"; host = "mail.fudo.org";
OIDC_DISPLAY_NAME = "fudo auth"; port = 25;
OIDC_DISCOVERY = "true";
OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
OIDC_AUTH_ENDPOINT =
"https://authentik.fudo.org/application/o/authorize/";
OIDC_SCOPE = "openid,profile,email";
OIDC_UID_FIELD = "sub";
OIDC_CLIENT_ID = readFile mastodonOidcClientId;
OIDC_CLIENT_SECRET = readFile mastodonOidcClientSecret;
OIDC_REDIRECT_URI =
"https://mastodon.fudo.org/auth/auth/openid_connect/callback";
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
};
};
nginx = mkIf isMastodon {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
virtualHosts = {
"${mastodonHostname}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${
toString config.services.mastodonContainer.port
}";
proxyWebsockets = true;
};
};
}; };
allow-registrations = false;
}; };
}; };
}; };

View File

@ -40,6 +40,10 @@ in {
}; };
extraConfig = '' extraConfig = ''
client_body_buffer_size 1024m; client_body_buffer_size 1024m;
client_max_body_size 4096m;
fastcgi_read_timeout 120s;
proxy_max_temp_file_size 4096m;
proxy_buffering off;
''; '';
}; };
}; };

View File

@ -5,6 +5,8 @@ let
hostname = config.instance.hostname; hostname = config.instance.hostname;
hostSecrets = config.fudo.secrets.host-secrets."${hostname}"; hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
domainName = "sea.fudo.org";
frigateExternalHost = "sea-cam.fudo.link"; frigateExternalHost = "sea-cam.fudo.link";
frigateHost = "zbox"; frigateHost = "zbox";
frigateDirectory = frigateCfg.state-directory; frigateDirectory = frigateCfg.state-directory;
@ -12,9 +14,15 @@ let
pkgs.lib.passwd.stablerandom-passwd-file "frigate-mqtt-passwd" pkgs.lib.passwd.stablerandom-passwd-file "frigate-mqtt-passwd"
config.instance.build-seed; config.instance.build-seed;
immichHost = "toothless";
in { in {
config = { config = {
fudo.zones."sea.fudo.org".aliases = { "frigate" = "zbox"; }; fudo.zones."sea.fudo.org".aliases = {
chat = "nostromo";
frigate = "zbox";
immich = immichHost;
};
fudo = { fudo = {
services = { services = {
metrics = { metrics = {
@ -37,8 +45,33 @@ in {
}; };
services = { services = {
frigateContainer = { immichContainer = mkIf (hostname == immichHost) {
enable = config.instance.hostname == frigateHost; enable = true;
images = let immichVersion = "v1.94.1";
in {
immich = "ghcr.io/immich-app/immich-server:${immichVersion}";
immich-ml =
"ghcr.io/immich-app/immich-machine-learning:${immichVersion}";
redis = "redis:6.2-alpine";
postgresql = "tensorchord/pgvecto-rs:pg14-v0.1.11";
};
};
nginx = mkIf (hostname == immichHost) {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts."immich.${domainName}".locations."/" = {
proxyPass = "http://${immichHost}.${domainName}:${
toString config.services.immichContainer.port
}/";
recommendedProxySettings = true;
};
};
frigateContainer = mkIf (config.instance.hostname == frigateHost) {
enable = true;
log-level = "info"; log-level = "info";
images.frigate = "ghcr.io/blakeblackshear/frigate:0.13.0-beta5"; images.frigate = "ghcr.io/blakeblackshear/frigate:0.13.0-beta5";
cameras = cameras =

View File

@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let generateMac = pkgs.lib.network.generate-mac-address; let generateMac = pkgs.lib.network.generate-mac-address;
in { in {
@ -22,6 +23,8 @@ in {
extraModulePackages = [ ]; extraModulePackages = [ ];
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = [ "bcachefs" ];
loader.grub = { loader.grub = {
enable = true; enable = true;
devices = [ devices = [
@ -85,11 +88,45 @@ in {
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ]; options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ];
}; };
## BROKEN!
# "/store" = {
# device = lib.concatStringsSep ":" [
# "/dev/disk/by-id/ata-Crucial_CT525MX300SSD1_171516B3CB40"
# "/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153N5H"
# "/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153CDK"
# ];
# fsType = "bcachefs";
# options = [ "noexec" "compression=zstd" ];
# };
};
systemd.services.mount-bcachefs-store = let
mountpoint = "/store";
deviceString = concatStringsSep ":" [
"/dev/disk/by-id/ata-Crucial_CT525MX300SSD1_171516B3CB40"
"/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153N5H"
"/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153CDK"
];
options = concatStringsSep "," [ "noexec" "compression=zstd" ];
in {
description =
"Mount ${mountpoint} filesystem (can't use fileSystems with multiple devices).";
wantedBy = [ "local-fs.target" ];
script = ''
[ -d ${mountpoint} ] || mkdir ${mountpoint}
if ${pkgs.util-linux}/bin/findmnt ${mountpoint}; then
echo "already mounted: ${mountpoint}"
else
echo "mounting filesystem: ${mountpoint}"
${pkgs.bcachefs-tools}/bin/mount.bcachefs ${deviceString} -o ${options} ${mountpoint}
fi
'';
}; };
swapDevices = [{ device = "/dev/disk/by-label/germany-swap"; }]; swapDevices = [{ device = "/dev/disk/by-label/germany-swap"; }];
nix.settings.max-jobs = lib.mkDefault 24; nix.settings.max-jobs = mkDefault 24;
hardware.bluetooth.enable = false; hardware.bluetooth.enable = false;

View File

@ -248,6 +248,16 @@ in {
(trustedNetworkClauses ++ [ "deny all;" ]); (trustedNetworkClauses ++ [ "deny all;" ]);
}; };
}; };
"pics.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://immich.sea.fudo.org/";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}; };
}; };

View File

@ -31,7 +31,7 @@ in {
}; };
firewall = { firewall = {
enable = false; enable = false;
interfaces."podman+".allowedUDPPorts = [ 53 ]; interfaces."podman[0-9]+".allowedUDPPorts = [ 53 ];
}; };
}; };
@ -60,6 +60,11 @@ in {
''; '';
}; };
}; };
webmail-init = {
after = [ "fudo-secrets.target" ];
requires = [ "fudo-secrets.target" ];
};
}; };
timers.fudo-mail-sync = { timers.fudo-mail-sync = {
@ -79,13 +84,42 @@ in {
enable = true; enable = true;
autoPrune.enable = true; autoPrune.enable = true;
dockerSocket.enable = true; dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true; dockerCompat = true;
defaultNetwork.settings = {
dns_enabled = true;
network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];
};
}; };
oci-containers.backend = "podman"; oci-containers.backend = "podman";
arion.backend = "podman-socket"; arion.backend = "podman-socket";
}; };
services.lemmyDocker.state-directory = "/state/services/lemmy"; services = {
lemmyContainer.state-directory = "/state/services/lemmy-container";
mastodonContainer.streaming-processes = 6;
nextcloudContainer = {
state-directory = "/state/services/nextcloud";
store-directory = "/store/nextcloud";
};
immichContainer = {
state-directory = "/state/services/immich";
store-directory = "/store/immich";
};
nginx = {
enable = true;
commonHttpConfig = ''
log_format with_response_time '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$request_time" "$upstream_response_time"';
access_log /var/log/nginx/access.log with_response_time;
'';
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
};
};
fudo = { fudo = {
client.dns = { client.dns = {
@ -105,12 +139,18 @@ in {
state-directory = "/state/services/postgresql"; state-directory = "/state/services/postgresql";
}; };
webmail.state-directory = "/state/services/webmail";
services = { services = {
auth = { auth = {
kerberos.state-directory = "/state/services/kerberos"; kerberos.state-directory = "/state/services/kerberos";
ldap.state-directory = "/state/services/ldap"; ldap.state-directory = "/state/services/ldap";
}; };
authoritative-dns.state-directory = "/state/services/dns"; authoritative-dns.state-directory = "/state/services/dns";
gitea-container = {
networking.interface = "enp5s0f0";
state-directory = "/state/services/gitea-container";
};
jabber.state-directory = "/state/services/jabber"; jabber.state-directory = "/state/services/jabber";
logging.loki.state-directory = "/state/services/loki"; logging.loki.state-directory = "/state/services/loki";
mail-server.state-directory = "/state/services/mail"; mail-server.state-directory = "/state/services/mail";
@ -118,6 +158,7 @@ in {
prometheus.state-directory = "/state/services/prometheus"; prometheus.state-directory = "/state/services/prometheus";
grafana.state-directory = "/state/services/grafana"; grafana.state-directory = "/state/services/grafana";
}; };
nexus.dns-server.listen-addresses = [ primary-ip ];
postgresql = { postgresql = {
state-directory = "/state/services/postgresql"; state-directory = "/state/services/postgresql";
keytab = extractFudoKeytab { keytab = extractFudoKeytab {

View File

@ -125,22 +125,6 @@ in {
local-networks = config.instance.local-networks; local-networks = config.instance.local-networks;
state-directory = "/state/services/postgresql"; state-directory = "/state/services/postgresql";
}; };
services.gitea-container = {
enable = true;
site-name = "Seattle Fudo Git";
hostname = "git.fudo.org";
state-directory = "/state/services/gitea";
trusted-networks = config.instance.local-networks;
openid-urls = [ "https://authentik.fudo.org/" ];
networking = {
interface = "eno2";
ipv4 = {
address = "10.0.0.15";
prefixLength = 24;
};
};
};
}; };
virtualisation = { virtualisation = {

View File

@ -14,7 +14,7 @@ let
host-secrets = config.fudo.secrets.host-secrets.${hostname}; host-secrets = config.fudo.secrets.host-secrets.${hostname};
postgresql-user = config.systemd.services.postgresql.serviceConfig.User; # postgresql-user = config.systemd.services.postgresql.serviceConfig.User;
files = config.fudo.secrets.files; files = config.fudo.secrets.files;
@ -48,10 +48,10 @@ in {
"L /etc/adjtime - - - - /state/etc/adjtime" "L /etc/adjtime - - - - /state/etc/adjtime"
"d /state/services 0555 - - - -" "d /state/services 0555 - - - -"
]; ];
services.grafana = { # services.grafana = {
bindsTo = [ "postgresql.service" ]; # bindsTo = [ "postgresql.service" ];
requires = [ "postgresql.service" ]; # requires = [ "postgresql.service" ];
}; # };
}; };
environment = { systemPackages = local-packages; }; environment = { systemPackages = local-packages; };
@ -69,11 +69,11 @@ in {
# part-of = [ config.fudo.auth.ldap-server.systemd-target ]; # part-of = [ config.fudo.auth.ldap-server.systemd-target ];
# }; # };
postgresql = { # postgresql = {
user = postgresql-user; # user = postgresql-user;
dependent-services = [ "postgresql.service" ]; # dependent-services = [ "postgresql.service" ];
part-of = [ config.fudo.postgresql.systemd-target ]; # part-of = [ config.fudo.postgresql.systemd-target ];
}; # };
}; };
}; };
@ -99,13 +99,13 @@ in {
}; };
}; };
postgresql = { # postgresql = {
state-directory = "/state/services/postgresql"; # state-directory = "/state/services/postgresql";
keytab = extractFudoKeytab { # keytab = extractFudoKeytab {
realm = domain.gssapi-realm; # realm = domain.gssapi-realm;
principals = [ "postgres/${host-fqdn}" ]; # principals = [ "postgres/${host-fqdn}" ];
}; # };
}; # };
metrics = { metrics = {
prometheus.state-directory = "/state/services/prometheus"; prometheus.state-directory = "/state/services/prometheus";

View File

@ -28,21 +28,14 @@ in {
Defaults lecture = never Defaults lecture = never
''; '';
services = {
immichContainer = {
state-directory = "/state/immich/state";
store-directory = "/state/immich/store";
};
};
fudo = { fudo = {
# minecraft-server = {
# enable = true;
# data-dir = "/state/services/minecraft";
# world-name = "TLS";
# motd = "Welcome to Jasper's TLS minecraft server.";
# game-mode = "survival";
# difficulty = 1;
# allow-cheats = true;
# allocated-memory = 16;
# port = 25555;
# query-port = 25556;
# rcon-port = 25557;
# world-seed = 2090763904884813452;
# };
minecraft-clj = { minecraft-clj = {
enable = true; enable = true;
state-directory = "/state/services/minecraft-clj"; state-directory = "/state/services/minecraft-clj";
@ -86,6 +79,21 @@ in {
}; };
}; };
virtualisation = {
podman = {
enable = true;
autoPrune.enable = true;
dockerSocket.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
dns_enabled = true;
network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];
};
};
oci-containers.backend = "podman";
arion.backend = "podman-socket";
};
systemd.targets = { systemd.targets = {
sleep.enable = false; sleep.enable = false;
suspend.enable = false; suspend.enable = false;

View File

@ -34,9 +34,9 @@ let
isReadOnly = false; isReadOnly = false;
}; };
} // (mapAttrs' (zoneName: _: } // (mapAttrs' (zoneName: _:
let zoneKeyName = zoneKeySecret zoneName; nameValuePair "/run/nsd/keys/${zoneName}" {
in nameValuePair "/run/nsd/keys/${zoneKeyName}" { hostPath =
hostPath = hostSecrets."${zoneKeyName}".target-file; dirOf hostSecrets."${zoneKeySecret zoneName}".target-file;
}) securedZones); }) securedZones);
config = let config = let
nameserverHost = cfg.container.hostname; nameserverHost = cfg.container.hostname;
@ -82,7 +82,10 @@ let
domains = mapAttrs' (zoneName: zoneCfg: domains = mapAttrs' (zoneName: zoneCfg:
nameValuePair zoneCfg.domain { nameValuePair zoneCfg.domain {
ksk.key-file = "/run/nsd/keys/${zoneKeySecret zoneName}"; ksk.key-file = "/run/nsd/keys/${zoneName}/${
baseNameOf
hostSecrets."${zoneKeySecret zoneName}".target-file
}";
reverse-zones = zoneCfg.reverse-zones; reverse-zones = zoneCfg.reverse-zones;
notify = mkIf cfg.enable-notifications { notify = mkIf cfg.enable-notifications {
ipv4 = concatMap ipv4 = concatMap
@ -280,11 +283,21 @@ in {
}; };
fudo = { fudo = {
secrets.host-secrets."${hostname}" = mapAttrs' (zone: zoneCfg: secrets.host-secrets."${hostname}" = concatMapAttrs (zone: zoneCfg: {
nameValuePair (zoneKeySecret zone) { "${zoneKeySecret zone}" = {
source-file = zoneCfg.ksk.private-key; source-file = zoneCfg.ksk.private-key;
target-file = "/run/nsd/${baseNameOf zoneCfg.ksk.private-key}"; target-file =
}) (filterAttrs (_: zoneCfg: zoneCfg.ksk != null) cfg.zones); "/run/nsd/${zone}/${baseNameOf zoneCfg.ksk.private-key}";
};
"${zone}-ds" = {
source-file = zoneCfg.ksk.ds;
target-file = "/run/nsd/${zone}/${baseNameOf zoneCfg.ksk.ds}";
};
"${zone}-pubkey" = {
source-file = zoneCfg.ksk.public-key;
target-file = "/run/nsd/${zone}/${baseNameOf zoneCfg.ksk.public-key}";
};
}) (filterAttrs (_: zoneCfg: zoneCfg.ksk != null) cfg.zones);
zones = mapAttrs (zone-name: zoneCfg: zones = mapAttrs (zone-name: zoneCfg:
let let

View File

@ -1,7 +1,20 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let cfg = config.fudo.services.gitea-container; let
cfg = config.fudo.services.gitea-container;
hostname = config.instance.hostname;
domainName = config.fudo.hosts."${hostname}".domain;
zoneName = config.fudo.domains."${domainName}".zone;
siteName = config.fudo.hosts."${hostname}".site;
getSiteGatewayV4 = pkgs.lib.getSiteGatewayV4;
keyPaths = {
ed25519 = "/state/ssh/ed25519.key";
ecdsa = "/state/ssh/ecdsa.key";
};
in { in {
options.fudo.services.gitea-container = with types; { options.fudo.services.gitea-container = with types; {
@ -29,11 +42,6 @@ in {
default = [ ]; default = [ ];
}; };
openid-urls = mkOption {
type = listOf str;
description = "List of authorized OpenID providers.";
};
networking = { networking = {
interface = mkOption { interface = mkOption {
type = str; type = str;
@ -75,7 +83,10 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.tmpfiles.rules = [ "d ${cfg.state-directory} 700 root root - -" ]; systemd.tmpfiles.rules = [
"d ${cfg.state-directory}/gitea 755 root root - -"
"d ${cfg.state-directory}/acme 755 root root - -"
];
containers.gitea = { containers.gitea = {
autoStart = true; autoStart = true;
@ -83,18 +94,63 @@ in {
macvlans = [ cfg.networking.interface ]; macvlans = [ cfg.networking.interface ];
bindMounts = { bindMounts = {
"/state" = { "/state" = {
hostPath = cfg.state-directory; hostPath = "${cfg.state-directory}/gitea";
isReadOnly = false;
};
"/var/lib/acme" = {
hostPath = "${cfg.state-directory}/acme";
isReadOnly = false; isReadOnly = false;
}; };
}; };
config = { config = {
nixpkgs.pkgs = pkgs; nixpkgs.pkgs = pkgs;
systemd = { tmpfiles.rules = [ "d /state 0755 root root - -" ]; }; systemd = {
tmpfiles.rules = [ "d /state 0755 root root - -" ];
services = {
gitea-chown = {
requiredBy = [ "gitea.service" ];
before = [ "gitea.service" ];
serviceConfig.Type = "oneshot";
script = "chown -R gitea:gitea /state";
};
gitea-keygen = {
requiredBy = [ "gitea.service" ];
before = [ "gitea.service" ];
serviceConfig.Type = "oneshot";
script = let
keygenScripts = mapAttrsToList (type: path:
let dir = dirOf path;
in ''
if [ ! -f ${path} ]; then
mkdir -p ${dir}
${pkgs.openssh}/bin/ssh-keygen -q -N "" -t ${type} -f ${path}
chown -R gitea:gitea ${dir}
chmod 0750 ${dir}
chmod 0440 ${path}
fi
'') keyPaths;
in concatStringsSep "\n" keygenScripts;
};
};
};
environment.systemPackages = let
giteaCli = pkgs.writeShellApplication {
name = "gitea-cli";
runtimeInputs = with pkgs; [ gitea ];
text = ''gitea --config /state/gitea/custom/conf/app.ini "$@"'';
};
in [ giteaCli ];
networking = { networking = {
defaultGateway = config.networking.defaultGateway; defaultGateway = {
address = getSiteGatewayV4 siteName;
interface = "mv-${cfg.networking.interface}";
};
enableIPv6 = !isNull cfg.networking.ipv6; enableIPv6 = !isNull cfg.networking.ipv6;
nameservers = config.networking.nameservers;
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 22 80 443 ]; allowedTCPPorts = [ 22 80 443 ];
@ -111,6 +167,11 @@ in {
}; };
}; };
security.acme = {
acceptTerms = true;
defaults.email = "admin@${cfg.hostname}";
};
services = { services = {
gitea = { gitea = {
enable = true; enable = true;
@ -122,7 +183,10 @@ in {
repositoryRoot = "/state/repositories"; repositoryRoot = "/state/repositories";
stateDir = "/state/gitea"; stateDir = "/state/gitea";
settings = { settings = {
service.DISABLE_REGISTRATION = true; service = {
#DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
security = { security = {
INSTALL_LOCK = true; INSTALL_LOCK = true;
LOGIN_REMEMBER_DAYS = 30; LOGIN_REMEMBER_DAYS = 30;
@ -133,26 +197,23 @@ in {
# Host & port to display in the clone URL # Host & port to display in the clone URL
SSH_DOMAIN = cfg.hostname; SSH_DOMAIN = cfg.hostname;
# SSH_LISTEN_HOST = "0.0.0.0";
SSH_PORT = 22; SSH_PORT = 22;
SSH_LISTEN_PORT = 2222; SSH_LISTEN_PORT = 2222;
SSH_LISTEN_HOST = "0.0.0.0";
DOMAIN = cfg.hostname; DOMAIN = cfg.hostname;
ROOT_URL = "https://${cfg.hostname}"; ROOT_URL = "https://${cfg.hostname}";
SSH_SERVER_HOST_KEYS =
concatStringsSep "," (attrValues keyPaths);
HTTP_ADDR = "127.0.0.1"; HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 8080; HTTP_PORT = 8080;
}; };
openid = {
ENABLE_OPENID_SIGNIN = true;
WHITELISTED_URIS = concatStringsSep "," cfg.openid-urls;
};
oauth2_client = { oauth2_client = {
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
OPENID_CONNECT_SCOPES = OPENID_CONNECT_SCOPES =
concatStringsSep "," [ "email" "profile" ]; concatStringsSep "," [ "email" "profile" ];
ENABLE_AUTO_REGISTRATION = true; #ENABLE_AUTO_REGISTRATION = true;
USERNAME = "email"; USERNAME = "email";
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
ACCOUNT_LINKING = "login"; ACCOUNT_LINKING = "login";
@ -164,8 +225,8 @@ in {
enable = true; enable = true;
services = [{ services = [{
name = "ssh"; name = "ssh";
# port = 22; port = 22;
# protocol = "tcp"; protocol = "tcp";
extraConfig = '' extraConfig = ''
redirect = localhost 2222 redirect = localhost 2222
wait = no wait = no
@ -185,9 +246,13 @@ in {
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
virtualHosts."${cfg.hostname}" = { virtualHosts."${cfg.hostname}" = {
# enableACME = true; enableACME = true;
# forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:8080"; locations."/" = {
proxyPass = "http://127.0.0.1:8080";
proxyWebsockets = true;
recommendedProxySettings = true;
};
locations."/metrics" = mkIf (cfg.trusted-networks != [ ]) { locations."/metrics" = mkIf (cfg.trusted-networks != [ ]) {
proxyPass = "http://127.0.0.1:8080/metrics"; proxyPass = "http://127.0.0.1:8080/metrics";
extraConfig = let extraConfig = let

View File

@ -2,20 +2,12 @@
with lib; with lib;
let let
lemmyDbPasswd = pkgs.lib.passwd.stablerandom-passwd-file "lemmy-server-passwd"
"lemmy-server-${config.instance.build-seed}";
cfg = config.fudo.services.lemmy; cfg = config.fudo.services.lemmy;
hostname = config.instance.hostname; hostname = config.instance.hostname;
domainName = config.fudo.hosts."${hostname}".domain; domainName = config.fudo.hosts."${hostname}".domain;
postgresqlServer = config.fudo.domains."${domainName}".postgresql-server;
postgresqlFqdn = pkgs.lib.getHostFqdn postgresqlServer;
isPostgresServer = hostname == postgresqlServer;
hostSecrets = config.fudo.secrets.host-secrets."${hostname}"; hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
in { in {
@ -27,38 +19,55 @@ in {
description = "Hostname at which this server will be reachable."; description = "Hostname at which this server will be reachable.";
}; };
port = mkOption { site-name = mkOption {
type = port; type = str;
description = "Port on which to listen for requests"; description = "Site Name";
default = 8536;
}; };
listen-ip = mkOption { smtp = {
type = str; host = mkOption {
description = "IP on which to listen for incoming requests."; type = str;
default = "0.0.0.0"; description = "SMTP server to relay Lemmy emails.";
};
port = mkOption {
type = port;
description = "Port to which to send outgoing messages.";
default = 25;
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
fudo = { fudo = {
secrets.host-secrets."${hostname}" = { secrets.host-secrets."${hostname}" = let
dbLemmyPasswd = mkIf isPostgresServer { lemmyDbPasswdFile =
source-file = lemmyDbPasswd; pkgs.lib.passwd.stablerandom-passwd-file "lemmy-server-passwd"
"lemmy-server-${config.instance.build-seed}";
lemmyDbPasswd = readFile lemmyDbPasswdFile;
in {
lemmyDbUrl = {
source-file = let
url =
"postgres:///lemmy?user=lemmy&password=${lemmyDbPasswd}&host=/var/run/postgresql";
in pkgs.writeText "lemmy-db.url" url;
target-file = "/run/lemmy/db.url";
};
dbLemmyPasswd = {
source-file = lemmyDbPasswdFile;
target-file = "/run/postgres/lemmy.passwd"; target-file = "/run/postgres/lemmy.passwd";
user = config.systemd.services.postgresql.serviceConfig.User; user = config.systemd.services.postgresql.serviceConfig.User;
}; };
lemmyEnv = mkIf cfg.enable { lemmyAdminPasswdFile = {
source-file = pkgs.writeText "lemmy.env" '' source-file =
LEMMY_DATABASE_URL=postgres:///lemmy:${ pkgs.lib.passwd.stablerandom-passwd-file "lemmy-admin.passwd"
readFile lemmyDbPasswd config.instance.build-seed;
}@${postgresqlFqdn}:5432/lemmy target-file = "/run/lemmy/admin.passwd";
'';
target-file = "/run/lemmy/env";
}; };
}; };
postgresql = mkIf isPostgresServer { postgresql = {
enable = true;
databases.lemmy.users = config.instance.local-admins; databases.lemmy.users = config.instance.local-admins;
users.lemmy = { users.lemmy = {
password-file = hostSecrets.dbLemmyPasswd.target-file; password-file = hostSecrets.dbLemmyPasswd.target-file;
@ -74,35 +83,36 @@ in {
}; };
systemd.services.lemmy = { systemd.services.lemmy = {
requires = [ "fudo-secret-lemmyEnv.service" ]; requires = [ "fudo-secret-lemmyDbUrl.service" "postgresql.service" ];
after = [ "fudo-secret-lemmyEnv.service" ]; after = [ "fudo-secret-lemmyDbUrl.service" "postgresql.service" ];
environment.LEMMY_DATABASE_URL = mkForce null;
serviceConfig = mkIf cfg.enable {
LoadCredential = [ "env:${hostSecrets.lemmyEnv.target-file}" ];
EnvironmentFile = "$$CREDENTIALS_DIRECTORY/env";
};
}; };
services.lemmy = mkIf cfg.enable { services.nginx.virtualHosts."${cfg.hostname}" = {
enableACME = true;
forceSSL = true;
};
services.lemmy = {
enable = true; enable = true;
nginx.enable = true;
adminPasswordFile = hostSecrets.lemmyAdminPasswdFile.target-file;
database.uriFile = hostSecrets.lemmyDbUrl.target-file;
ui.port = 50395;
settings = { settings = {
hostname = cfg.hostname; hostname = cfg.hostname;
federation.enabled = true; host = cfg.hostname;
captcha.enabled = true; captcha.enabled = true;
database = { email = {
user = "lemmy"; smtp_server = "${cfg.smtp.host}:${toString cfg.smtp.port}";
host = pkgs.lib.getHostFqdn postgresqlServer; smtp_from_address = "noreply@${cfg.hostname}";
database = "lemmy"; tls_type = "starttls";
password = readFile lemmyDbPasswd; };
admin_username = "admin";
setup = {
site_name = cfg.site-name;
admin_username = "admin";
}; };
bind = cfg.listen-ip;
port = cfg.port;
}; };
}; };
networking.firewall = {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
}; };
} }

View File

@ -103,22 +103,6 @@ in {
}; };
}; };
zones = {
${mailserver-domain.zone} = let
server-ipv4 = pkgs.lib.network.host-ipv4 config mailserver-host;
server-ipv6 = pkgs.lib.network.host-ipv6 config mailserver-host;
srv-record = host: port: [{ inherit host port; }];
in {
aliases = mkIf metricsEnabled { mail-stats = "${mailserver-fqdn}."; };
metric-records = mkIf metricsEnabled
(genAttrs [ "dovecot" "postfix" "rspamd" ]
(_: srv-record "mail-stats" 443));
};
};
metrics.prometheus.service-discovery-dns = mkIf metricsEnabled metrics.prometheus.service-discovery-dns = mkIf metricsEnabled
(genAttrs [ "dovecot" "postfix" "rspamd" ] (genAttrs [ "dovecot" "postfix" "rspamd" ]
(mtype: [ "${mtype}._metrics._tcp.${mailserver-domain-name}" ])); (mtype: [ "${mtype}._metrics._tcp.${mailserver-domain-name}" ]));

View File

@ -56,7 +56,7 @@ in {
}; };
zones."${zone-name}".aliases.postgresql = zones."${zone-name}".aliases.postgresql =
pkgs.lib.getHostFqdn domain.postgresql-server; "${pkgs.lib.getHostFqdn domain.postgresql-server}.";
postgresql = mkIf isPostgresHost (let postgresql = mkIf isPostgresHost (let
ssl-config = optionalAttrs publicNetwork (let ssl-config = optionalAttrs publicNetwork (let

1520
flake.lock generated

File diff suppressed because it is too large Load Diff

View File

@ -98,6 +98,14 @@
}; };
}; };
lemmy-container = {
url = "git+https://git.fudo.org/fudo-public/lemmy-container.git";
inputs = {
nixpkgs.follows = "nixpkgs";
arion.follows = "arion";
};
};
authentik-container = { authentik-container = {
url = "git+https://git.fudo.org/fudo-nix/authentik-container.git"; url = "git+https://git.fudo.org/fudo-nix/authentik-container.git";
inputs = { inputs = {
@ -121,7 +129,18 @@
mail-server = { mail-server = {
url = "git+https://git.fudo.org/fudo-public/mail-server.git"; url = "git+https://git.fudo.org/fudo-public/mail-server.git";
inputs.nixpkgs.follows = "nixpkgs"; inputs = {
arion.follows = "arion";
nixpkgs.follows = "nixpkgs";
};
};
immich-container = {
url = "git+https://git.fudo.org/fudo-public/immich-container.git";
inputs = {
arion.follows = "arion";
nixpkgs.follows = "nixpkgs";
};
}; };
authoritative-dns = { authoritative-dns = {
@ -150,7 +169,8 @@
, objectifier, nexus, suanni, snooper, tattler, lemmy-docker , objectifier, nexus, suanni, snooper, tattler, lemmy-docker
, tesla-mate-container, mastodon-container, authentik-container , tesla-mate-container, mastodon-container, authentik-container
, nextcloud-container, textfiles, matrix-module, mail-server , nextcloud-container, textfiles, matrix-module, mail-server
, authoritative-dns, frigate-container, grafana-module, ... }@inputs: , authoritative-dns, frigate-container, grafana-module, lemmy-container
, immich-container, ... }@inputs:
with nixpkgs.lib; with nixpkgs.lib;
let let
fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system) fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system)
@ -232,6 +252,8 @@
authoritative-dns.nixosModules.default authoritative-dns.nixosModules.default
frigate-container.nixosModules.default frigate-container.nixosModules.default
grafana-module.nixosModules.default grafana-module.nixosModules.default
lemmy-container.nixosModules.default
immich-container.nixosModules.default
nexus.nixosModules.nexus-client nexus.nixosModules.nexus-client
nexus.nixosModules.nexus-server nexus.nixosModules.nexus-server