Bruno BELANYI
3bf3980e45
This is in preparation of the migration to agenix, which does not allow access to the secrets at build time.
178 lines
4.9 KiB
Nix
178 lines
4.9 KiB
Nix
# Deployed services
|
|
{ config, ... }:
|
|
let
|
|
my = config.my;
|
|
in
|
|
{
|
|
# List services that you want to enable:
|
|
my.services = {
|
|
# Hosts-based adblock using unbound
|
|
adblock = {
|
|
enable = true;
|
|
};
|
|
# Backblaze B2 backup
|
|
backup = {
|
|
enable = true;
|
|
repository = "b2:porthos-backup";
|
|
# Backup every 6 hours
|
|
timerConfig = {
|
|
OnActiveSec = "6h";
|
|
OnUnitActiveSec = "6h";
|
|
};
|
|
# Insecure, I don't care.
|
|
passwordFile =
|
|
builtins.toFile "password.txt" my.secrets.backup.password;
|
|
credentialsFile =
|
|
builtins.toFile "creds.env" my.secrets.backup.credentials;
|
|
};
|
|
# My blog and related hosts
|
|
blog.enable = true;
|
|
calibre-web = {
|
|
enable = true;
|
|
libraryPath = "/data/media/library";
|
|
};
|
|
drone = {
|
|
enable = true;
|
|
runners = [ "docker" "exec" ];
|
|
# Insecure, I don't care.
|
|
secretFile =
|
|
builtins.toFile "gitea.env" my.secrets.drone.gitea;
|
|
sharedSecretFile =
|
|
builtins.toFile "rpc.env" my.secrets.drone.secret;
|
|
};
|
|
# Flood UI for transmission
|
|
flood = {
|
|
enable = true;
|
|
};
|
|
# Gitea forge
|
|
gitea.enable = true;
|
|
# Meta-indexers
|
|
indexers = {
|
|
jackett.enable = true;
|
|
nzbhydra.enable = true;
|
|
};
|
|
# Jellyfin media server
|
|
jellyfin.enable = true;
|
|
# Gitea mirrorig service
|
|
lohr = {
|
|
enable = true;
|
|
sharedSecretFile =
|
|
let
|
|
content = "LOHR_SECRET=${my.secrets.lohr.secret}";
|
|
in
|
|
builtins.toFile "lohr-secret.env" content;
|
|
};
|
|
# Matrix backend and Element chat front-end
|
|
matrix = {
|
|
enable = true;
|
|
mailConfigFile = builtins.toFile "matrix-mail.yaml" ''
|
|
email:
|
|
smtp_host: "smtp.migadu.com"
|
|
smtp_port: 587
|
|
smtp_user: "${my.secrets.matrix.mail.username}"
|
|
smtp_pass: "${my.secrets.matrix.mail.password}"
|
|
notif_from: "${my.secrets.matrix.mail.notifFrom}"
|
|
# Refuse to connect unless the server supports STARTTLS.
|
|
require_transport_security: true
|
|
'';
|
|
# Only necessary when doing the initial registration
|
|
# secret = "change-me";
|
|
};
|
|
miniflux = {
|
|
enable = true;
|
|
credentialsFiles = builtins.toFile "miniflux-creds.txt" ''
|
|
ADMIN_USERNAME=Ambroisie
|
|
ADMIN_PASSWORD=${my.secrets.miniflux.password}
|
|
'';
|
|
};
|
|
# Various monitoring dashboards
|
|
monitoring = {
|
|
enable = true;
|
|
grafana = {
|
|
passwordFile =
|
|
builtins.toFile "grafana.txt" my.secrets.monitoring.password; # Insecure, I don't care
|
|
};
|
|
};
|
|
# FLOSS music streaming server
|
|
navidrome = {
|
|
enable = true;
|
|
musicFolder = "/data/media/music";
|
|
};
|
|
# Nextcloud self-hosted cloud
|
|
nextcloud = {
|
|
enable = true;
|
|
passwordFile =
|
|
builtins.toFile "nextcloud-pass.txt" my.secrets.nextcloud.password;
|
|
};
|
|
nginx = {
|
|
enable = true;
|
|
acme = {
|
|
credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key;
|
|
};
|
|
sso = {
|
|
authKeyFile = secrets."sso/auth-key".path;
|
|
users = {
|
|
ambroisie = {
|
|
passwordHashFile = builtins.toFile
|
|
"ambroisie-sso-pass.txt"
|
|
my.secrets.sso.ambroisie.passwordHash;
|
|
totpSecretFile = builtins.toFile
|
|
"ambroisie-sso-totp.txt"
|
|
my.secrets.sso.ambroisie.totpSecret;
|
|
};
|
|
};
|
|
groups = {
|
|
root = [ "ambroisie" ];
|
|
};
|
|
};
|
|
};
|
|
paperless = {
|
|
enable = true;
|
|
documentPath = "/data/media/paperless";
|
|
# Insecure, I don't care
|
|
passwordFile =
|
|
builtins.toFile "paperless.env" my.secrets.paperless.password;
|
|
secretKeyFile = builtins.toFile "paperless-key.env" ''
|
|
PAPERLESS_SECRET_KEY=${my.secrets.paperless.secretKey}
|
|
'';
|
|
};
|
|
# The whole *arr software suite
|
|
pirate.enable = true;
|
|
# Podcast automatic downloader
|
|
podgrab = {
|
|
enable = true;
|
|
passwordFile =
|
|
let
|
|
contents = "PASSWORD=${my.secrets.podgrab.password}";
|
|
in
|
|
builtins.toFile "podgrab.env" contents;
|
|
port = 9598;
|
|
};
|
|
# Regular backups
|
|
postgresql-backup.enable = true;
|
|
# An IRC client daemon
|
|
quassel.enable = true;
|
|
# RSS provider for websites that do not provide any feeds
|
|
rss-bridge.enable = true;
|
|
# Usenet client
|
|
sabnzbd.enable = true;
|
|
# Because I stilll need to play sysadmin
|
|
ssh-server.enable = true;
|
|
# Torrent client and webui
|
|
transmission = {
|
|
enable = true;
|
|
credentialsFile = builtins.toFile "transmission-creds.txt" ''
|
|
{
|
|
"rpc-username": "Ambroisie",
|
|
"rpc-password": "${my.secrets.transmission.password}"
|
|
}
|
|
'';
|
|
};
|
|
# Simple, in-kernel VPN
|
|
wireguard = {
|
|
enable = true;
|
|
startAtBoot = true; # Server must be started to ensure clients can connect
|
|
};
|
|
};
|
|
}
|