diff --git a/flake.nix b/flake.nix index 4c802e0..4a00bb8 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,7 @@ specialArgs = inputs; modules = [ ./hosts/${fqdn}/default.nix + ./modules/default.nix agenix.nixosModules.default home-manager.nixosModules.default { diff --git a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix index 20d9493..e0bbc64 100644 --- a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix +++ b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix @@ -11,7 +11,6 @@ ../../modules/drone/server.nix ../../modules/matrix/default.nix ../../modules/resilio/default.nix - ../../modules/www/global.nix ./hardware-configuration.nix ]; @@ -20,13 +19,34 @@ device = "/dev/sda"; }; - ## Static Networking + ## Custom Services + config.custom.www.global.enable = true; + + ## Networking config.networking.interfaces.ens18.ipv4.addresses = [{ address = "10.72.164.3"; prefixLength = 24; }]; config.networking.defaultGateway = "10.72.164.1"; + config.networking.firewall = { + allowedTCPPorts = lib.mkForce [ + 22 # SSH + ]; + allowedUDPPorts = lib.mkForce [ ]; + interfaces = { + ens18 = { + allowedTCPPorts = lib.mkForce [ + 80 # HTTP 1-2 + 443 # HTTPS 1-2 + ]; + allowedUDPPorts = lib.mkForce [ + 443 # HTTP 3 + ]; + }; + }; + }; + ## Tailscale config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age; config.tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path; diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..c993513 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,8 @@ +{ config, lib, ... }: + +{ + imports = [ + ./www/global.nix + ./www/www-repo.nix + ]; +} diff --git a/modules/www/global.nix b/modules/www/global.nix index bff447f..1b318a3 100644 --- a/modules/www/global.nix +++ b/modules/www/global.nix 
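Review bot: The `lib.mkForce` lists in the new `config.networking.firewall` block of the host hunk silently discard any ports contributed by the other modules this host imports (drone, matrix, resilio, and Tailscale if its `openFirewall` is set), because these list options merge by concatenation and mkForce drops every lower-priority definition without a warning. If the lockdown is deliberate, a comment above the block would save the next reader a grep, e.g. `# mkForce: ports opened by imported modules are intentionally dropped; only 22 globally, 80/443 on ens18`. Separately, the host enables `config.custom.www.global.enable` but not `custom.www.www-repo.enable`, and since the global.nix hunk removes `imports = [ ./www-repo.nix ]` and the www-repo hunk gates its tmpfiles rule, timer and service behind its own enable flag, the clone timer that populates `/var/www` for blog.hillion.co.uk no longer runs on this host as far as the diff shows; adding `config.custom.www.www-repo.enable = true;` next to the global enable restores it. The enclosing attribute set of the host hunk starts and ends outside the hunk.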
@@ -1,57 +1,57 @@ { pkgs, lib, config, ... }: +let + cfg = config.custom.www.global; +in { - imports = [ - ./www-repo.nix - ]; - - networking.firewall = { - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 443 ]; + options.custom.www.global = { + enable = lib.mkEnableOption "global"; }; - services.caddy = { - enable = true; + config = lib.mkIf cfg.enable { + services.caddy = { + enable = true; - virtualHosts."hillion.co.uk".extraConfig = '' - handle /.well-known/* { - respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200 - respond 404 - } - - handle { - redir https://blog.hillion.co.uk{uri} - } - ''; - virtualHosts."blog.hillion.co.uk".extraConfig = '' - root * /var/www/blog.hillion.co.uk - file_server - ''; - virtualHosts."ts.hillion.co.uk".extraConfig = '' - reverse_proxy http://10.48.62.14:8080 - ''; - virtualHosts."gitea.hillion.co.uk".extraConfig = '' - reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000 - ''; - virtualHosts."homeassistant.hillion.co.uk".extraConfig = '' - reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123 - ''; - virtualHosts."emby.hillion.co.uk".extraConfig = '' - reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096 - ''; - virtualHosts."matrix.hillion.co.uk".extraConfig = '' - reverse_proxy http://vm.strangervm.ts.hillion.co.uk:8008 - ''; - virtualHosts."unifi.hillion.co.uk".extraConfig = '' - reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 { - transport http { - tls_insecure_skip_verify + virtualHosts."hillion.co.uk".extraConfig = '' + handle /.well-known/* { + respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200 + respond 404 } - } - ''; - virtualHosts."drone.hillion.co.uk".extraConfig = '' - reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733 - ''; + + handle { + redir https://blog.hillion.co.uk{uri} + } + ''; + virtualHosts."blog.hillion.co.uk".extraConfig = '' + root * /var/www/blog.hillion.co.uk + file_server + ''; + 
virtualHosts."ts.hillion.co.uk".extraConfig = '' + reverse_proxy http://10.48.62.14:8080 + ''; + virtualHosts."gitea.hillion.co.uk".extraConfig = '' + reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000 + ''; + virtualHosts."homeassistant.hillion.co.uk".extraConfig = '' + reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123 + ''; + virtualHosts."emby.hillion.co.uk".extraConfig = '' + reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096 + ''; + virtualHosts."matrix.hillion.co.uk".extraConfig = '' + reverse_proxy http://vm.strangervm.ts.hillion.co.uk:8008 + ''; + virtualHosts."unifi.hillion.co.uk".extraConfig = '' + reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 { + transport http { + tls_insecure_skip_verify + } + } + ''; + virtualHosts."drone.hillion.co.uk".extraConfig = '' + reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733 + ''; + }; }; } diff --git a/modules/www/www-repo.nix b/modules/www/www-repo.nix index 397fe96..011ffe3 100644 --- a/modules/www/www-repo.nix +++ b/modules/www/www-repo.nix 
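Review bot: `lib.mkEnableOption "global"` renders as the option description "Whether to enable global.", which tells a reader nothing about what the module provides; `lib.mkEnableOption "the hillion.co.uk Caddy virtual hosts and reverse proxies"` would. The rewritten module also no longer opens 80/443 or pulls in www-repo.nix, so enabling it alone no longer yields a working site; that contract belongs in the option description or in a comment above `config = lib.mkIf cfg.enable {`, e.g. `# Opens no firewall ports: the host must allow TCP 80/443 (UDP 443 for HTTP/3) and enable custom.www.www-repo for the blog root.` `pkgs` in the module's argument set appears unused in the visible hunk. `tls_insecure_skip_verify` for the unifi upstream is carried over unchanged; if the controller's certificate is self-signed, pinning it with Caddy's `tls_trusted_ca_certs` in the same `transport http` block would keep the proxy from accepting any certificate on that path.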
@@ -1,40 +1,68 @@ { pkgs, lib, config, ... }: +let + cfg = config.custom.www.www-repo; +in { - config.systemd.tmpfiles.rules = [ - "d /var/www 0755 ${config.services.caddy.user} ${config.services.caddy.group} - -" - ]; + options.custom.www.www-repo = { + enable = lib.mkEnableOption "www-repo"; - config.systemd.timers.clone-www-repo = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "5m"; - OnUnitInactiveSec = "60m"; - Unit = "clone-www-repo.service"; + location = lib.mkOption { + default = "/var/www"; + type = lib.types.path; + description = "Location of the local www repository."; + }; + + remote = lib.mkOption { + default = "https://gitea.hillion.co.uk/JakeHillion/www.git"; + type = lib.types.str; + description = "Remote to pull from for the www repository."; + }; + + branch = lib.mkOption { + default = "main"; + type = lib.types.str; + description = "Branch to pull from the remote."; }; }; - config.systemd.services.clone-www-repo = { - description = "Clone and pull the www repo"; + config = lib.mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d /var/www 0755 ${config.services.caddy.user} ${config.services.caddy.group} - -" + ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - - serviceConfig = { - Type = "oneshot"; - User = "${config.services.caddy.user}"; - Group = "${config.services.caddy.group}"; + systemd.timers.clone-www-repo = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "5m"; + OnUnitInactiveSec = "60m"; + Unit = "clone-www-repo.service"; + }; }; - script = with pkgs; '' - if [ ! 
-d "/var/www/.git" ] ; then - ${git}/bin/git clone https://gitea.hillion.co.uk/JakeHillion/www.git /var/www - else - cd /var/www - ${git}/bin/git fetch - ${git}/bin/git reset --hard origin/main - fi - ''; + systemd.services.clone-www-repo = { + description = "Clone and pull the www repo"; + + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + + serviceConfig = { + Type = "oneshot"; + User = "${config.services.caddy.user}"; + Group = "${config.services.caddy.group}"; + }; + + script = '' + if [ ! -d "${cfg.path}/.git" ] ; then + ${pkgs.git}/bin/git clone ${cfg.remote} ${cfg.path} + else + cd ${cfg.path} + ${pkgs.git} remote set-url origin ${cfg.remote} + ${pkgs.git}/bin/git fetch + ${pkgs.git}/bin/git reset --hard origin/${cfg.branch} + fi + ''; + }; }; }
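Review bot: `cfg.path` in the new script does not exist — the option declared at the top of this hunk is `location` — so enabling `custom.www.www-repo` fails evaluation with a missing-attribute error, and the typo appears three times. `${pkgs.git} remote set-url origin …` interpolates the package's store path rather than the binary, so the `else` branch would try to execute a directory; it needs `/bin/git` like the neighbouring lines. The tmpfiles rule still hardcodes `/var/www`, so a non-default `location` is never created with the Caddy user's ownership. Quoting the interpolated values keeps the script correct for locations with spaces, and since nothing checks what is fetched before `reset --hard` publishes it to the web root, a `git verify-commit` against a pinned key before the reset is where an integrity check would go if the repository's commits are signed.
```nix
    systemd.tmpfiles.rules = [
      "d ${cfg.location} 0755 ${config.services.caddy.user} ${config.services.caddy.group} - -"
    ];

    # … unchanged: systemd.timers.clone-www-repo and the service's description/after/wants/serviceConfig …

      script = ''
        if [ ! -d "${cfg.location}/.git" ] ; then
          ${pkgs.git}/bin/git clone "${cfg.remote}" "${cfg.location}"
        else
          cd "${cfg.location}"
          ${pkgs.git}/bin/git remote set-url origin "${cfg.remote}"
          ${pkgs.git}/bin/git fetch
          ${pkgs.git}/bin/git reset --hard "origin/${cfg.branch}"
        fi
      '';
```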