Factorisation et déplacements services
parent
f8bb89c39d
commit
997d665535
|
@ -85,11 +85,6 @@
|
|||
perSystem =
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
treefmt = {
|
||||
projectRootFile = "flake.nix";
|
||||
programs.nixpkgs-fmt.enable = true;
|
||||
};
|
||||
|
||||
devShells = {
|
||||
default = pkgs.callPackage ./devshells/default.nix { inherit (inputs) agenix; };
|
||||
};
|
||||
|
|
|
@ -4,10 +4,7 @@
|
|||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./networking.nix
|
||||
|
||||
../../../modules
|
||||
../../../modules/services/nginx.nix
|
||||
../../../modules/services/restic.nix
|
||||
./nginx.nix
|
||||
];
|
||||
|
||||
networking.hostId = "bbdd1133";
|
||||
|
@ -44,6 +41,13 @@
|
|||
|
||||
networking.adm.enable = false;
|
||||
resticClient.enable = false;
|
||||
|
||||
services = {
|
||||
resticServer = {
|
||||
enable = true;
|
||||
port = 4242;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts = {
|
||||
"${config.networking.hostName}.adm.crans.org" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.services.restic.server.listenAddress}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
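Review bot: The `/` location proxies restic's REST API through nginx with the nginx module's default request-body limit, and restic pack uploads (16 MiB and more by default) are likely to exceed it, so backups would fail with 413 unless `services.nginx.clientMaxBodySize` is raised elsewhere; the shared nginx module hunk on this page is cut, so that cannot be confirmed here. Making the requirement explicit on this location, `locations."/".extraConfig = "client_max_body_size 0;";` (or a sized limit), avoids depending on a global default. Separately, the restic module on this page sets `privateRepos = true`, which means clients authenticate with HTTP basic auth, and this vhost sets neither `forceSSL` nor `enableACME`, so those credentials cross the adm network in cleartext; if that is accepted because adm is a private management segment, a one-line comment above the vhost saying so spares the next reviewer the question.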
|
|
@ -16,7 +16,7 @@ Serveur stirling (manipulation de PDF).
|
|||
|
||||
## neo
|
||||
|
||||
Serveur Matrix et bridge IRC <-> Matrix.
|
||||
Serveur Matrix, bridge IRC <-> Matrix et interface admin pour synapse, accessible à <https://matrix.crans.org/admin>.
|
||||
|
||||
## redite
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
enable = true;
|
||||
|
||||
networking = {
|
||||
id = 50;
|
||||
id = "50";
|
||||
srvNat.enable = true;
|
||||
};
|
||||
|
||||
|
|
|
@ -3,9 +3,7 @@
|
|||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
||||
../../../modules/services/jitsi.nix
|
||||
../../../modules/services/acme.nix
|
||||
./jitsi.nix
|
||||
];
|
||||
|
||||
networking.hostName = "jitsi";
|
||||
|
@ -15,12 +13,16 @@
|
|||
enable = true;
|
||||
|
||||
networking = {
|
||||
id = 63;
|
||||
id = "63";
|
||||
srv = {
|
||||
enable = true;
|
||||
ipv4 = "185.230.79.15";
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
acme.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "24.11";
|
||||
|
|
|
@ -1,22 +1,34 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"sr_mod"
|
||||
"virtio_blk"
|
||||
];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/66101184-15ad-4859-addf-95040bac1145";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/66101184-15ad-4859-addf-95040bac1145";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "jitsi.crans.org";
|
||||
|
||||
config = {
|
||||
liveStreaming.enabled = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.jitsi-videobridge = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
services.prometheus.exporters.jitsi = {
|
||||
enable = true;
|
||||
port = 9700;
|
||||
};
|
||||
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"jitsi-meet-1.0.8043"
|
||||
];
|
||||
}
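Review bot: `nixpkgs.config.permittedInsecurePackages` re-allows `jitsi-meet-1.0.8043` without the justification the deleted jitsi.nix carried (an issue in bundled libolm judged not exploitable here, with a nixpkgs PR link), so whoever next bumps the package has no way to tell whether the waiver still applies. Restore it above the list, e.g. `# Waived: the advisory is in bundled libolm and judged not reachable in this deployment, see NixOS/nixpkgs#334638 (issuecomment-2289025802); re-assess on every jitsi-meet bump.` The old file also set `services.jicofo.config.xmpp.trusted-domains = [ "recoder.jitsi.crans.org" ]`, which this rewrite drops; if that is intentional the commit message should say so, since it changes which XMPP domains jicofo trusts, and if not it needs to come back.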
|
|
@ -1,11 +1,9 @@
|
|||
{ config, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
||||
../../../modules/services/nginx.nix
|
||||
../../../modules/services/stirling.nix
|
||||
./stirling.nix
|
||||
];
|
||||
|
||||
networking.hostName = "livre";
|
||||
|
@ -15,18 +13,10 @@
|
|||
enable = true;
|
||||
|
||||
networking = {
|
||||
id = 40;
|
||||
id = "40";
|
||||
srvNat.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"pdf.crans.org" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString config.services.stirling-pdf.environment.SERVER_PORT}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "24.11";
|
||||
}
|
||||
|
|
|
@ -1,22 +1,35 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/9fed1492-e7b2-4ec2-a5f4-8825bf8e89a0";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/9fed1492-e7b2-4ec2-a5f4-8825bf8e89a0";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
|
@ -30,4 +43,3 @@
|
|||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
||||
|
||||
|
|
|
@ -10,4 +10,16 @@
|
|||
SYSTEM_DEFAULTLOCALE = "fr-FR";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts = {
|
||||
"pdf.crans.org" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString config.services.stirling-pdf.environment.SERVER_PORT}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -3,9 +3,9 @@
|
|||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
||||
../../../modules/services/matrix.nix
|
||||
../../../modules/services/synapse-admin.nix
|
||||
./matrix.nix
|
||||
./matrix-appservice-irc.nix
|
||||
./synapse-admin.nix
|
||||
];
|
||||
|
||||
boot.loader.grub.devices = [ "/dev/sda" ];
|
||||
|
@ -16,12 +16,17 @@
|
|||
enable = true;
|
||||
|
||||
networking = {
|
||||
id = 41;
|
||||
id = "41";
|
||||
srv = {
|
||||
enable = true;
|
||||
ipv4 = "185.230.79.5";
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
acme.enable = true;
|
||||
coturn.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "24.11";
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
|
@ -1,35 +1,28 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./acme.nix
|
||||
./coturn.nix
|
||||
./matrix-appservice-irc.nix
|
||||
./nginx.nix
|
||||
];
|
||||
|
||||
age.secrets = {
|
||||
ldap_synapse_password = {
|
||||
file = ../../secrets/neo/ldap_synapse_password.age;
|
||||
file = ../../../secrets/neo/ldap_synapse_password.age;
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
|
||||
database_extra_config = {
|
||||
file = ../../secrets/neo/database_extra_config.age;
|
||||
file = ../../../secrets/neo/database_extra_config.age;
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
|
||||
note_oidc_extra_config = {
|
||||
file = ../../secrets/neo/note_oidc_extra_config.age;
|
||||
file = ../../../secrets/neo/note_oidc_extra_config.age;
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
|
||||
appservice_irc_db_env = {
|
||||
file = ../../secrets/neo/appservice_irc_db_env.age;
|
||||
file = ../../../secrets/neo/appservice_irc_db_env.age;
|
||||
};
|
||||
|
||||
coturn_auth_secret = {
|
||||
file = ../../secrets/neo/coturn_auth_secret.age;
|
||||
file = ../../../secrets/neo/coturn_auth_secret.age;
|
||||
owner = "turnserver";
|
||||
};
|
||||
};
|
|
@ -0,0 +1,29 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
synapse-admin_over = pkgs.synapse-admin-etkecc.overrideAttrs (_: {
|
||||
yarnBuildFlags = "--base=/admin";
|
||||
});
|
||||
synapse-admin = synapse-admin_over.withConfig {
|
||||
restrictBaseUrl = [
|
||||
"https://matrix.crans.org"
|
||||
];
|
||||
asManagedUsers = [
|
||||
"^@ircbot:crans\\.org$"
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts = {
|
||||
"matrix.crans.org" = {
|
||||
locations."/admin/".alias = synapse-admin + "/";
|
||||
locations."=/admin".extraConfig = ''
|
||||
return 301 /admin/;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
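Review bot: The admin console is mounted on the public `matrix.crans.org` vhost at `/admin/` with no access restriction, so anyone can load it; it is a static bundle that authenticates against Synapse's admin API, so this is exposure rather than a hole, but it advertises the admin surface to the whole internet. If it is meant to stay public (the README change on this page says it is reachable at that URL), a one-line comment above `locations."/admin/"` recording that decision is enough; otherwise `locations."/admin/".extraConfig = "allow 172.16.10.0/24; deny all;";` (the adm range used in networking.nix on this page) keeps it on the management network. `restrictBaseUrl` pinning the homeserver to `https://matrix.crans.org` is right either way.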
|
|
@ -3,8 +3,7 @@
|
|||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
||||
../../../modules/services/libreddit.nix
|
||||
./redlib.nix
|
||||
];
|
||||
|
||||
networking.hostName = "redite";
|
||||
|
@ -14,7 +13,7 @@
|
|||
enable = true;
|
||||
|
||||
networking = {
|
||||
id = 39;
|
||||
id = "39";
|
||||
srvNat.enable = true;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
services.libreddit = {
|
||||
services.redlib = {
|
||||
openFirewall = true;
|
||||
port = 80;
|
||||
enable = true;
|
|
@ -12,7 +12,7 @@
|
|||
enable = true;
|
||||
|
||||
networking = {
|
||||
id = 35;
|
||||
id = "35";
|
||||
srvNat = {
|
||||
enable = true;
|
||||
interface = "ens19";
|
||||
|
|
|
@ -3,8 +3,7 @@
|
|||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
||||
../../../modules/services/vaultwarden.nix
|
||||
./vaultwarden.nix
|
||||
];
|
||||
|
||||
networking.hostName = "vaultwarden";
|
||||
|
@ -14,7 +13,7 @@
|
|||
enable = true;
|
||||
|
||||
networking = {
|
||||
id = 59;
|
||||
id = "59";
|
||||
srvNat.enable = true;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,22 +1,35 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/c97aeccd-b88a-407e-a08d-f821a3f34936";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/c97aeccd-b88a-407e-a08d-f821a3f34936";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
|
|
|
@ -1,13 +1,9 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./nginx.nix
|
||||
];
|
||||
|
||||
age.secrets = {
|
||||
env = {
|
||||
file = ../../secrets/vaultwarden/env.age;
|
||||
vaultwarden-env = {
|
||||
file = ../../../secrets/vaultwarden/env.age;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -15,12 +11,13 @@
|
|||
enable = true;
|
||||
dbBackend = "postgresql";
|
||||
|
||||
environmentFile = config.age.secrets.env.path;
|
||||
environmentFile = config.age.secrets.vaultwarden-env.path;
|
||||
config = {
|
||||
ROCKET_PORT = 8222;
|
||||
SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.vaultwarden.extraGroups = [ "nullmailer" ];
|
||||
|
||||
systemd.services.vaultwarden = {
|
||||
|
@ -37,10 +34,14 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."vaultwarden.crans.org" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
||||
proxyWebsockets = true;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts."vaultwarden.crans.org" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
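Review bot: The `vaultwarden.crans.org` vhost terminates no TLS here (no `forceSSL`/`enableACME`, and this host uses `srvNat` with no `acme.enable` visible on this page), so either the vault is served over plain HTTP or a front proxy terminates TLS upstream; the web vault needs a secure context, so the latter is presumably the case, but nothing in the file says so. If so, the shared nginx module's `recommendedProxySettings` sets `X-Real-IP` and `X-Forwarded-Proto` from this hop, so vaultwarden's per-IP login rate limiting sees the front proxy's address for every client; configure the realip module for that upstream, e.g. `services.nginx.commonHttpConfig = "set_real_ip_from <front-proxy>; real_ip_header X-Forwarded-For;";`, and make sure `DOMAIN` is the https origin so the forwarded scheme is consistent. A comment above the vhost naming where TLS terminates would make this checkable on the next review.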
|
|
@ -12,4 +12,4 @@ Le dossier [`crans`](crans) contient tous les services/programmes communs à tou
|
|||
|
||||
## Services
|
||||
|
||||
Le dossier [`services`](services) contient tous les services/programmes utilisés par un nombre restreint de machines. On peut y déclarer deux types de configurations : les configurations directement inscrites car seront toujours utilisées de la même façon, et les configurations mettant en place un système d'options et de configuration générée pour avoir plus de granularités. Cette seconde utilisation est plus complexe à mettre en place et nécessite une meilleure compréhension de `nix`.
|
||||
Le dossier [`services`](services) contient tous les services/programmes utilisés par un nombre restreint de machines. On y déclare les configurations mettant en place un système d'options et de configuration générée pour avoir plus de granularités.
|
||||
|
|
|
@ -2,9 +2,15 @@
|
|||
|
||||
Ce dossier contient tous les modules commun à la majorité des machines virtuelles du Crans. On y retrouve par exemple les utilisateurices, les `home_nounou`, etc.
|
||||
|
||||
Ces modules sont présentés sous forme d'option (si besoin), afin de pouvoir contrôler la présence ou l'absence de certains services.
|
||||
|
||||
## `default.nix`
|
||||
|
||||
Le fichier [`default.nix`](default.nix), comme tous les autres du même nom, importe tous les autres fichiers du dossier. De plus, il déclare des programmes utiles à avoir en permanence, tels que `ssh`, `git`, `nvim`, ...
|
||||
Le fichier [`default.nix`](default.nix), comme tous les autres du même nom, importe tous les autres fichiers du dossier. De plus, il déclare des programmes utiles à avoir en permanence, tels que `ssh`, `git`, `nvim`, ... et importe les options par défaut qui sont utile pour la majorité des machines.
|
||||
|
||||
## `age.nix`
|
||||
|
||||
Le fichier [`age.nix`](age.nix) contient la configuration commune d'agenix (voir [`../../secrets/README.md`](../../secrets/README.md)).
|
||||
|
||||
## `home.nix`
|
||||
|
||||
|
@ -14,18 +20,38 @@ Le fichier [`home.nix`](home.nix) monte les `home_nounou` par NFS à partir de `
|
|||
|
||||
Le fichier [`locale.nix`](locale.nix) déclare simplement les locales à utiliser.
|
||||
|
||||
## `monitoring.nix`
|
||||
|
||||
Le fichier [`monitoring.nix`] déploie une instance prometheus avec un exporteur node contactable sur le port `9100` par défaut, ainsi qu'un exporteur nginx (si pertinent) sur le port `9117`.
|
||||
|
||||
## `networking.nix`
|
||||
|
||||
Le fichier [`networking.nix`](networking.nix) a moins d'utilité que ce à quoi on pourrait s'attendre : comme chaque machine possède sa propre configuration réseau, les seules choses communes à déclarer sont : la non-utilisation de DHCP, la non-utilisation d'un pare-feu par défault ainsi que l'ajout d'un serveur DNS.
|
||||
Le fichier [`networking.nix`](networking.nix) contient toute la configuration réseau des machines : l'option `crans.networking.id` permet de configurer la majorité du réseau automatiquement (il faut alors déployer interface par interface).
|
||||
|
||||
## `ntp.nix`
|
||||
|
||||
Le fichier [`ntp.nix`](ntp.nix) active simplement le NTP (Network Time Protocol) en ajoutant le serveur `ntp.adm.crans.org` comme serveur de temps.
|
||||
|
||||
## `sops.nix`
|
||||
## `nullmailer.nix`
|
||||
|
||||
Le fichier [`sops.nix`](sops.nix) déclare l'utilisation de `sops` dans la configuration (voir [ce `README.md`](../../secrets/README.md) pour plus de détails) et importe la clef publique SSH de la machine pour pouvoir l'utiliser dans la gestion des secrets.
|
||||
Le fichier [`nullmailer.nix`](nullmailer.nix) déploie un client SMTP sur chaque serveur afin de pouvoir envoyer des mails en le nom du Crans.
|
||||
|
||||
## `packages.nix`
|
||||
|
||||
Le fichier [`packages.nix`](packages.nix) contient la liste des programmes installés par défaut sur les machines du Crans.
|
||||
|
||||
## `restic_client.nix`
|
||||
|
||||
Le fichier [`restic_client`](restic_client.nix) permet de configurer un client restic sur chaque machine pour faire des backups et les envoyer sur le serveur thot.
|
||||
|
||||
## `ssh.nix`
|
||||
|
||||
Le fichier [`ssh.nix`](ssh.nix) contient la configuration SSH pour toutes les machines.
|
||||
|
||||
## `users.nix`
|
||||
|
||||
Le fichier [`users.nix`](users.nix) configure les `_users` à partir du LDAP d'administration, et configure les droits pour que les `_nounou` aient les accès `sudo`. Il configure également le user `root` en lui donnant son mot de passe haché à travers un fichier `sops`.
|
||||
Le fichier [`users.nix`](users.nix) configure les `_users` à partir du LDAP d'administration, et configure les droits pour que les `_nounou` aient les accès `sudo`. Il configure également le user `root` en lui donnant son mot de passe haché à travers un fichier `age`.
|
||||
|
||||
## `virtualisation.nix`
|
||||
|
||||
Le fichier [`virtualisation.nix`](virtualisation.nix) contient des paramètres utiles pour la virtualisation (pour les VM en priorité donc).
|
||||
|
|
|
@ -86,14 +86,14 @@ in
|
|||
interfaces."${cfg.adm.interface}" = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "172.16.10.1${toString cfg.id}";
|
||||
address = "172.16.10.1${cfg.id}";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
ipv6.addresses = [
|
||||
{
|
||||
address = "fd00::10:0:ff:fe01:${toString cfg.id}10";
|
||||
address = "fd00::10:0:ff:fe01:${cfg.id}10";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
|
@ -128,7 +128,7 @@ in
|
|||
ipv6 = {
|
||||
addresses = [
|
||||
{
|
||||
address = "2a0c:700:2::ff::fe01:${toString cfg.id}02";
|
||||
address = "2a0c:700:2::ff::fe01:${cfg.id}02";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
|
@ -155,7 +155,7 @@ in
|
|||
ipv4 = {
|
||||
addresses = [
|
||||
{
|
||||
address = "172.16.3.1${toString cfg.id}";
|
||||
address = "172.16.3.1${cfg.id}";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
@ -171,7 +171,7 @@ in
|
|||
ipv6 = {
|
||||
addresses = [
|
||||
{
|
||||
address = "2a0c:700:3::ff:fe01:${toString cfg.id}03";
|
||||
address = "2a0c:700:3::ff:fe01:${cfg.id}03";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
|
@ -196,14 +196,14 @@ in
|
|||
interfaces."${cfg.san.interface}" = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "172.16.4.1${toString cfg.id}";
|
||||
address = "172.16.4.1${cfg.id}";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
ipv6.addresses = [
|
||||
{
|
||||
address = "fd00::4:0:ff:fe01:${toString cfg.id}04";
|
||||
address = "fd00::4:0:ff:fe01:${cfg.id}04";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
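Review bot: The IPv6 address in the `-128,7 +128,7` hunk, `"2a0c:700:2::ff::fe01:${cfg.id}02"`, contains two `::` and is not a valid IPv6 literal, so it would be rejected when that interface is brought up; the parallel line in the following hunk reads `2a0c:700:3::ff:fe01:…03` with a single `::`, which suggests `address = "2a0c:700:2::ff:fe01:${cfg.id}02";` is what was meant, though the intended prefix should be confirmed against the zone. The defect predates this commit, but the hunk rewrites the line, so this is the moment to fix it. Separately, dropping `toString` means `cfg.id` is now a string spliced into fixed-width templates (`172.16.10.1${cfg.id}`, `fe01:${cfg.id}10`): an id such as `"5"` or `"123"` silently lands on a different address instead of failing evaluation. The option declaration is outside this hunk; declaring it as `types.strMatching "[0-9]{2}"` (or keeping `types.int` with the `toString`) would reject that.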
|
||||
|
|
|
@ -1,24 +1,36 @@
|
|||
{ config, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.crans.services.acme;
|
||||
|
||||
inherit (lib) mkEnableOption mkIf;
|
||||
in
|
||||
|
||||
{
|
||||
age.secrets = {
|
||||
acme-env.file = ../../secrets/acme/env.age;
|
||||
options.crans.services.acme = {
|
||||
enable = mkEnableOption "Activer les certificats ACME via let's encrypt.";
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
|
||||
defaults = {
|
||||
email = "root@crans.org";
|
||||
dnsPropagationCheck = false;
|
||||
config = mkIf cfg.enable {
|
||||
age.secrets = {
|
||||
acme-env.file = ../../secrets/acme/env.age;
|
||||
};
|
||||
|
||||
certs."crans.org" = {
|
||||
domain = "*.crans.org";
|
||||
dnsProvider = "rfc2136";
|
||||
# Contient le serveur à contacter avec le protocole
|
||||
# et le mot de passe
|
||||
environmentFile = config.age.secrets.acme-env.path;
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
|
||||
defaults = {
|
||||
email = "root@crans.org";
|
||||
dnsPropagationCheck = false;
|
||||
};
|
||||
|
||||
certs."crans.org" = {
|
||||
domain = "*.crans.org";
|
||||
dnsProvider = "rfc2136";
|
||||
# Contient le serveur à contacter avec le protocole
|
||||
# et le mot de passe
|
||||
environmentFile = config.age.secrets.acme-env.path;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
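Review bot: Every host that sets `crans.services.acme.enable` now receives both the `*.crans.org` wildcard key (`certs."crans.org"` with `domain = "*.crans.org"`) and, through `acme-env`, the RFC 2136 credential used to write the DNS zone, so a compromise of jitsi or neo (both enable it on this page) yields a certificate valid for any crans.org name plus whatever update rights that key carries. If the TSIG key can update more than `_acme-challenge` TXT records, restricting it server-side (a BIND `update-policy` grant limited to `_acme-challenge.crans.org` TXT, or the equivalent on the zone's server) limits the blast radius; a comment on the `environmentFile` line stating the key's scope would let the next reviewer verify it. Per-host certificates instead of one shared wildcard are the stricter option if the DNS setup allows it. Keeping `age.secrets` under `mkIf cfg.enable` is right: the secret is only decrypted where the service is enabled.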
|
||||
|
|
|
@ -1,59 +1,100 @@
|
|||
{ config, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.crans.services.coturn;
|
||||
|
||||
inherit (lib)
|
||||
mkEnableOption
|
||||
mkOption
|
||||
mkIf
|
||||
types
|
||||
;
|
||||
in
|
||||
|
||||
{
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
no-tcp-relay = true;
|
||||
min-port = 49000;
|
||||
max-port = 50000;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = config.age.secrets.coturn_auth_secret.path;
|
||||
realm = "crans.org";
|
||||
cert = "/var/lib/acme/crans.org/full.pem";
|
||||
pkey = "/var/lib/acme/crans.org/key.pem";
|
||||
extraConfig = ''
|
||||
verbose
|
||||
no-multicast-peers
|
||||
denied-peer-ip=0.0.0.0-0.255.255.255
|
||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||
denied-peer-ip=100.64.0.0-100.127.255.255
|
||||
denied-peer-ip=127.0.0.0-127.255.255.255
|
||||
denied-peer-ip=169.254.0.0-169.254.255.255
|
||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||
denied-peer-ip=192.0.0.0-192.0.0.255
|
||||
denied-peer-ip=192.0.2.0-192.0.2.255
|
||||
denied-peer-ip=192.88.99.0-192.88.99.255
|
||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||
denied-peer-ip=198.18.0.0-198.19.255.255
|
||||
denied-peer-ip=198.51.100.0-198.51.100.255
|
||||
denied-peer-ip=203.0.113.0-203.0.113.255
|
||||
denied-peer-ip=240.0.0.0-255.255.255.255
|
||||
denied-peer-ip=::1
|
||||
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
||||
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
||||
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
'';
|
||||
options.crans.services.coturn = {
|
||||
enable = mkEnableOption "Coturn, un serveur TURN open-source.";
|
||||
|
||||
secretFile = mkOption {
|
||||
type = types.path;
|
||||
default = config.age.secrets.coturn_auth_secret.path;
|
||||
description = "Fichier contenant le secret de configuration du serveur.";
|
||||
};
|
||||
|
||||
fqdn = mkOption {
|
||||
type = types.str;
|
||||
default = "crans.org";
|
||||
description = "Domaine pour lequel le serveur coturn est configuré.";
|
||||
};
|
||||
|
||||
certFile = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/acme/${cfg.fqdn}/full.pem";
|
||||
description = "Fichier contenant le certificat associé au FQDN.";
|
||||
};
|
||||
|
||||
keyFile = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/acme/${cfg.fqdn}/key.pem";
|
||||
description = "Fichier contenant la clef associé au FQDN.";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [
|
||||
3478
|
||||
5349
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
3478
|
||||
5349
|
||||
];
|
||||
allowedUDPPortRanges = [
|
||||
{
|
||||
from = config.services.coturn.min-port;
|
||||
to = config.services.coturn.max-port;
|
||||
}
|
||||
];
|
||||
config = mkIf cfg.enable {
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
no-tcp-relay = true;
|
||||
min-port = 49000;
|
||||
max-port = 50000;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = cfg.secretFile;
|
||||
realm = cfg.fqdn;
|
||||
cert = cfg.certFile;
|
||||
pkey = cfg.keyFile;
|
||||
extraConfig = ''
|
||||
verbose
|
||||
no-multicast-peers
|
||||
denied-peer-ip=0.0.0.0-0.255.255.255
|
||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||
denied-peer-ip=100.64.0.0-100.127.255.255
|
||||
denied-peer-ip=127.0.0.0-127.255.255.255
|
||||
denied-peer-ip=169.254.0.0-169.254.255.255
|
||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||
denied-peer-ip=192.0.0.0-192.0.0.255
|
||||
denied-peer-ip=192.0.2.0-192.0.2.255
|
||||
denied-peer-ip=192.88.99.0-192.88.99.255
|
||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||
denied-peer-ip=198.18.0.0-198.19.255.255
|
||||
denied-peer-ip=198.51.100.0-198.51.100.255
|
||||
denied-peer-ip=203.0.113.0-203.0.113.255
|
||||
denied-peer-ip=240.0.0.0-255.255.255.255
|
||||
denied-peer-ip=::1
|
||||
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
||||
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
||||
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [
|
||||
3478
|
||||
5349
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
3478
|
||||
5349
|
||||
];
|
||||
allowedUDPPortRanges = [
|
||||
{
|
||||
from = config.services.coturn.min-port;
|
||||
to = config.services.coturn.max-port;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
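Review bot: `secretFile` defaults to `config.age.secrets.coturn_auth_secret.path`, which ties this shared module to a secret declared only in neo's matrix.nix (where it gets `owner = "turnserver"`), so on any other host the default is a dangling reference that fails the moment the option is inspected or the service is enabled without that secret. Either drop the default and have neo set `crans.services.coturn.secretFile = config.age.secrets.coturn_auth_secret.path;`, or declare the secret inside this module under `config = mkIf cfg.enable`, e.g. `age.secrets.coturn_auth_secret = { file = ../../secrets/…; owner = "turnserver"; };`, so the module owns what it depends on. The same applies to `certFile`/`keyFile` under `/var/lib/acme/${cfg.fqdn}`: nothing here grants the `turnserver` user read access to the ACME directory, so if that is done elsewhere (an acme `group` setting, or turnserver added to that group) a comment should point to it.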
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
|
||||
imports = [
|
||||
./acme.nix
|
||||
./coturn.nix
|
||||
./nginx.nix
|
||||
./restic.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,44 +0,0 @@
|
|||
{ ... }:
|
||||
{
|
||||
# il y a une faille de secu mais c'est pas exploitable
|
||||
# libolm : https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"jitsi-meet-1.0.8043"
|
||||
];
|
||||
|
||||
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "jitsi.crans.org";
|
||||
|
||||
config = {
|
||||
# vient de l'ancienne config liveStreamingEnable = true
|
||||
liveStreaming.enabled = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.jitsi-videobridge = {
|
||||
enable = true;
|
||||
|
||||
#xmppConfigs."localhost" = {
|
||||
# port = 5347;
|
||||
#};
|
||||
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
services.jicofo = {
|
||||
enable = true;
|
||||
|
||||
config = {
|
||||
xmpp = {
|
||||
trusted-domains = [ "recoder.jitsi.crans.org" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus.exporters.jitsi = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
}
|
|
@ -1,9 +1,7 @@
|
|||
{ ... }:
|
||||
{ lib, config, ... }:
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
services.nginx = lib.mkIf config.services.nginx.enable {
|
||||
recommendedProxySettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
||||
|
|
|
@ -1,19 +1,42 @@
|
|||
{ config, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.crans.services.resticServer;
|
||||
|
||||
inherit (lib)
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkOption
|
||||
types
|
||||
;
|
||||
in
|
||||
|
||||
{
|
||||
services.restic.server = {
|
||||
enable = true;
|
||||
options.crans.services.resticServer = {
|
||||
enable = mkEnableOption "Serveur de backups restic.";
|
||||
|
||||
dataDir = "/backups";
|
||||
listenAddress = "localhost:4242";
|
||||
privateRepos = true;
|
||||
dataDir = mkOption {
|
||||
type = types.path;
|
||||
default = "/backups";
|
||||
example = "/var/backups";
|
||||
description = "Dossier dans lequel les backups seront effectuées.";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 8080;
|
||||
example = 4242;
|
||||
description = "Port sur lequel le serveur restic écoute.";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"${config.networking.hostName}.adm.crans.org" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.services.restic.server.listenAddress}";
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
services.restic.server = {
|
||||
enable = true;
|
||||
|
||||
dataDir = cfg.dataDir;
|
||||
listenAddress = "localhost:${toString cfg.port}";
|
||||
privateRepos = true;
|
||||
};
|
||||
};
|
||||
}
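Review bot: The server is enabled with `privateRepos = true` but nothing sets `services.restic.server.appendOnly`, so a client holding its repository credentials (and therefore anyone who compromises a backed-up host) can also delete or prune that repository's data, which defeats the backup as a ransomware defence. Adding `appendOnly = true;` next to `privateRepos` closes that, with forget/prune then run server-side; if retention is deliberately driven from the clients, a comment saying so is worth having. Minor: `port` is declared as `types.int`, and `types.port` would reject values outside 0–65535 at evaluation time.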
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
synapse-admin_over = pkgs.synapse-admin-etkecc.overrideAttrs (_: { yarnBuildFlags = "--base=/admin"; });
|
||||
synapse-admin = synapse-admin_over
|
||||
.withConfig {
|
||||
restrictBaseUrl = [
|
||||
"https://matrix.crans.org"
|
||||
];
|
||||
asManagedUsers = [
|
||||
"^@ircbot:crans\\.org$"
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./nginx.nix
|
||||
];
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"matrix.crans.org" = {
|
||||
locations."/admin/".alias = synapse-admin + "/";
|
||||
locations."=/admin".extraConfig = ''
|
||||
return 301 /admin/;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|