diff --git a/assets/grafana_dashboards/alloy-logs.json b/assets/grafana_dashboards/alloy-logs.json
new file mode 100644
index 0000000..36021c1
--- /dev/null
+++ b/assets/grafana_dashboards/alloy-logs.json
@@ -0,0 +1,594 @@ +{ + "annotations": { + "list": [ + { + "$$hashKey": "object:75", + "builtIn": 1, + "datasource": { + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Log Viewer Dashboard for Loki", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 20, + "links": [ + { + "$$hashKey": "object:59", + "icon": "bolt", + "includeVars": true, + "keepTime": true, + "tags": [], + "targetBlank": true, + "title": "View In Explore", + "type": "link", + "url": "/explore?orgId=1&left=[\"now-1h\",\"now\",\"Loki\",{\"expr\":\"{job=\\\"$app\\\"}\"},{\"ui\":[true,true,true,\"none\"]}]" + }, + { + "$$hashKey": "object:61", + "icon": "external link", + "tags": [], + "targetBlank": true, + "title": "Learn LogQL", + "type": "link", + "url": "https://grafana.com/docs/loki/latest/logql/" + } + ], + "panels": [ + { + "datasource": { + "uid": "bfesvtbn7l534f" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "fixed" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "warn" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-yellow", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "info" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "debug" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": 
"fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 6, + "options": { + "displayLabels": [], + "legend": { + "displayMode": "list", + "placement": "right", + "showLegend": true, + "values": [ + "percent" + ] + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "sort": "none", + "tooltip": { + "hideZeros": true, + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"debug\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "D", + "step": "" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"info\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "C", + "step": "" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"unknown\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "E", + "step": "" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"warn\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "B", + "step": "" + }, + { + "direction": "backward", + "editorMode": 
"code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"error\" [$__auto])) by (detected_level)", + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "A", + "step": "" + } + ], + "title": "Type log pie chart", + "transparent": true, + "type": "piechart" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMin": 0, + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 0, + "pointSize": 0, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "showValues": false, + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": 0 + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byRegexp", + "options": "/^(info|information)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^debug$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^(warn|warning)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": 
"/^(error|errors)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^(crit|critical|fatal|severe)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#705da0", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^(logs|unknown)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "darkgray", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 16, + "x": 8, + "y": 0 + }, + "id": 9, + "interval": "5s", + "maxDataPoints": 500, + "options": { + "legend": { + "calcs": [ + "sum" + ], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "hideZeros": false, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} [$__auto])) by (detected_level)", + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "A" + } + ], + "title": "Metric query", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "description": "All warn/error's logs will be printed here", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 18, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 8, + "maxDataPoints": "", + "options": { + "dedupStrategy": "none", + "detailsMode": "inline", + "enableInfiniteScrolling": true, + "enableLogDetails": true, + "prettifyLogMessage": false, + "showControls": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "syntaxHighlighting": true, + "timestampResolution": "ms", + "wrapLogMessage": false + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, 
+ "direction": "backward", + "editorMode": "code", + "expr": "{job=\"$app\"} | logfmt | detected_level =~ `err|error|emerg|emergency|fatal|crit|critical|warn` | line_format \"Service: {{ if .logger }}{{ .logger }}{{ else }}Loki{{ end }} | Message: {{ if .msg }}{{ .msg }}{{ else }}No Message{{ end }}\"", + "hide": false, + "legendFormat": "", + "queryType": "range", + "refId": "A" + } + ], + "title": "Warn/Error's logs", + "transparent": true, + "type": "logs" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "description": "All infos logs will be printed here", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 18, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 7, + "maxDataPoints": "", + "options": { + "dedupStrategy": "none", + "detailsMode": "inline", + "enableInfiniteScrolling": true, + "enableLogDetails": true, + "prettifyLogMessage": false, + "showControls": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "syntaxHighlighting": true, + "timestampResolution": "ms", + "wrapLogMessage": false + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "{job=\"$app\"} | logfmt | detected_level =~ `info|notice|debug|trace` | line_format \"Service: {{ if .logger }}{{ .logger }}{{ else }}Loki{{ end }} | Message: {{ if .msg }}{{ .msg }}{{ else }}No Message{{ end }}\"", + "hide": false, + "legendFormat": "", + "queryType": "range", + "refId": "A" + } + ], + "title": "Logs Informative", + "transparent": true, + "type": "logs" + } + ], + "preload": false, + "refresh": "", + "schemaVersion": 42, + "tags": [], + "templating": { + "list": [ + { + "current": { + "text": "systemd-journal", + "value": "systemd-journal" + }, + "datasource": "bfesvtbn7l534f", + "definition": "label_values(job)", + "includeAll": false, + "label": "App", + "name": "app", + "options": [], + 
"query": "label_values(job)", + "refresh": 1, + "regex": "", + "type": "query" + }, + { + "current": { + "text": "", + "value": "" + }, + "label": "String Match", + "name": "search", + "options": [ + { + "selected": true, + "text": "", + "value": "" + } + ], + "query": "", + "type": "textbox" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Logs / App", + "uid": "sadlil-loki-apps-dashboard", + "version": 13 +} diff --git a/flake.nix b/flake.nix index c6fb519..c1f1508 100644 --- a/flake.nix +++ b/flake.nix @@ -45,6 +45,7 @@ ./hosts/fix/configuration.nix home-manager.nixosModules.home-manager { + home-manager.sharedModules = [ catppuccin.homeModules.catppuccin ]; home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; home-manager.extraSpecialArgs = { @@ -53,7 +54,7 @@ nixvim = inputs.nixvim.packages."x86_64-linux".default; zen-browser = inputs.zen-browser.packages."x86_64-linux".default; }; - home-manager.users.raphael = hm-config.homeConfigurations."hm-fix"; + home-manager.users.raphael = import hm-config.outputs.homeModules.fix; } ]; specialArgs = { diff --git a/hosts/fix/configuration.nix b/hosts/fix/configuration.nix index 44d74f4..3d1fb03 100644 --- a/hosts/fix/configuration.nix +++ b/hosts/fix/configuration.nix @@ -6,6 +6,12 @@ ... }: +let + mullvad-autostart = pkgs.makeAutostartItem { + name = "mullvad-vpn"; + package = pkgs.mullvad-vpn; + }; +in { imports = [ ../global.nix 
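Review bot: The piechart targets and the `Metric query` panel query `{job="systemd-journal"}` directly while both logs panels and the "View In Explore" link use the `$app` variable, so changing the App dropdown only updates half the dashboard; those six `expr` values should use `{job="$app"}` as well. The `search` textbox variable is declared under `templating` but no `expr` references it, so it is dead unless a later change wires it in. `maxDataPoints` is `""` on the two logs panels and `500` on the timeseries panel — one key, two types; omit the key where no limit is meant. The datasource `uid` `bfesvtbn7l534f` and `"id": 20` are instance-specific; for a provisioned dashboard the usual pattern is `"id": null` plus a `${DS_LOKI}` datasource input declared under `__inputs` so the file imports on any Grafana.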
@@ -19,7 +25,23 @@ hostName = "nixos-fix"; firewall.enable = false; networkmanager.enable = true; - wireless.enable = false; + }; + + hardware = { + graphics = { + enable = true; + enable32Bit = true; + }; + nvidia = { + open = false; + modesetting.enable = true; + powerManagement = { + enable = false; + finegrained = false; + }; + nvidiaSettings = true; + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; }; games = { @@ -37,27 +59,7 @@ swaylock = { }; }; - users = { - defaultUserShell = pkgs.zsh; - users = { - deb = { - isNormalUser = true; - initialPassword = "pasadmin1234"; - description = "deb"; - useDefaultShell = true; - extraGroups = [ - "networkmanager" - "dialout" - "docker" - "video" - ]; - packages = with pkgs; [ - gnome-session - home-manager - ]; - }; - }; - }; + users.defaultUserShell = pkgs.zsh; # Bootloader. boot.loader = { @@ -66,31 +68,36 @@ }; programs = { + thunderbird.enable = true; hyprland = { enable = true; xwayland.enable = true; }; }; + environment.systemPackages = with pkgs; [ + mullvad-autostart + pciutils + vulkan-tools + ]; + services = { - seatd.enable = true; - xserver = { - desktopManager.gnome.enable = true; - displayManager.gdm.wayland = true; + mullvad-vpn = { + enable = true; + package = pkgs.mullvad-vpn; }; + xserver.videoDrivers = [ "nvidia" ]; + seatd.enable = true; greetd = { enable = true; settings = { default_session = { - command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --user-menu --remember-user-session --time"; + command = "${pkgs.tuigreet}/bin/tuigreet --remember --user-menu --remember-user-session --time"; }; }; + useTextGreeter = true; }; dbus.enable = true; - openssh = { - enable = true; - ports = [ 42131 ]; - }; pipewire = { enable = true; alsa.enable = true; @@ -115,6 +122,7 @@ enable = true; extraPortals = [ pkgs.xdg-desktop-portal-hyprland + pkgs.xdg-desktop-portal-gtk ]; config.common.default = "*"; }; 
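Review bot: The `services.openssh` block (`enable = true; ports = [ 42131 ];`) is removed in the fourth hunk with nothing replacing it, and since `services.openssh.enable` defaults to false this host stops accepting SSH after the switch unless `../global.nix` (imported above, not visible here) enables it. If that is intended, a one-line comment such as `# no sshd on this workstation; administration is local only` next to `services = {` stops the next reader from re-adding it. The same hunk now owns `xserver.videoDrivers = [ "nvidia" ];`, which this commit also drops from hardware-configuration.nix, so a regenerated hardware-configuration.nix will not carry it — worth stating in the same comment. The `services` attribute set continues past the hunk.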
diff --git a/hosts/fix/hardware-configuration.nix b/hosts/fix/hardware-configuration.nix
index a202e4a..9eb70cc 100644
--- a/hosts/fix/hardware-configuration.nix
+++ b/hosts/fix/hardware-configuration.nix
@@ -1,83 +1,36 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: +{ config, lib, pkgs, modulesPath, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - # services.dbus.enable = true; - boot = { - initrd = { - availableKernelModules = [ - "xhci_pci" - "ahci" - "usbhid" - "sd_mod" - ]; - kernelModules = [ ]; - }; - kernelModules = [ - "kvm-intel" + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - extraModulePackages = [ ]; - }; - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/a943d592-57d3-497e-bf43-49b50ac73f0b"; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/2eec2aaa-4576-4591-9b9e-6d36ee4b0d02"; fsType = "ext4"; }; - "/boot" = { - device = "/dev/disk/by-uuid/5AAB-0026"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/FE5B-8026"; fsType = "vfat"; - options = [ - "fmask=0077" - "dmask=0077" - ]; + options = [ "fmask=0077" "dmask=0077" ]; }; - "/mnt/data" = { - device = "/dev/disk/by-uuid/5729d30c-5806-4ccd-8a2a-080a258084dc"; + + fileSystems."/mnt/data" = + { device = "/dev/disk/by-uuid/416367e1-a2dc-4724-b9f5-9c10da4d87a5"; fsType = "ext4"; - options = [ - "acl" - "exec" - ]; }; - }; swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
- networking.useDHCP = lib.mkDefault true; - # networking.interfaces.docker0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; - - services.xserver.videoDrivers = [ "nvidia" ]; - - hardware = { - graphics.enable = true; - nvidia = { - open = false; - modesetting.enable = true; - powerManagement.enable = false; - powerManagement.finegrained = false; - nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - }; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/global.nix b/hosts/global.nix index f3e6d9e..034d314 100644 --- a/hosts/global.nix +++ b/hosts/global.nix @@ -45,6 +45,7 @@ "wheel" "docker" "video" + "render" ]; }; }; @@ -75,6 +76,7 @@ }; environment.systemPackages = with pkgs; [ + uwsm git postgresql vim diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index f2ea58b..60f8f62 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -7,7 +7,7 @@ }: let - sshKeyMac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbHk7YasSMK5FBCArKLeqIoaGXsN+WlgVquObyC5Zec raphael@MacBook-Pro-de-raphael.local"; + sshKeyMac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIML4yVz1fhccwaTL0iHixkNkU5zUWU1rsit9u2TIIa5r raphael@raphaels-MacBook-Pro.local"; in { imports = [ @@ -26,7 +26,6 @@ in hostName = "nixos-server"; firewall.enable = false; networkmanager.enable = true; - wireless.enable = false; interfaces.enp0s31f6.ipv4.addresses = [ { address = "192.168.1.1"; @@ -59,15 +58,16 @@ in nextcloud = true; jellyfin = true; sso = true; + vault = true; }; - forty_two.irc = true; + forty_two.irc = false; web.portefolio = true; server = { - minecraft = false; + minecraft = true; teamspeak = true; }; bot_discord = { - master = true; + master = false; bde = false; tut = false; marty = false; 
@@ -78,46 +78,49 @@ in }; }; - environment.systemPackages = with pkgs; [ - age - bat - cairo - dconf - fastfetch - git - home-manager - lego - libjpeg - libpng - libuuid - linux-manual - man - man-pages - man-pages-posix - networkmanager - openssl - pkg-config - postgresql - protonup-ng - python3 - python3Packages.pip - qFlipper - ripgrep - swaylock - swaylock-fancy - tmux - unzip - vim - wget - wl-clipboard - xclip - xdg-desktop-portal-hyprland - xsel - yarn - zsh - ] ++ [ - inputs.agenix.packages.${pkgs.system}.agenix - ]; + environment.systemPackages = + with pkgs; + [ + age + bat + cairo + dconf + fastfetch + git + home-manager + lego + libjpeg + libpng + libuuid + linux-manual + man + man-pages + man-pages-posix + networkmanager + openssl + pkg-config + postgresql + protonup-ng + python3 + python3Packages.pip + qFlipper + ripgrep + swaylock + swaylock-fancy + tmux + unzip + vim + wget + wl-clipboard + xclip + xdg-desktop-portal-hyprland + xsel + yarn + zsh + ] + ++ [ + inputs.agenix.packages.${pkgs.system}.agenix + ]; # Bootloader. boot.loader = { @@ -140,7 +143,7 @@ in openssh = { enable = true; ports = [ - 42131 + 42131 ]; }; udev.extraRules = '' diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix index 955eb4c..68b3b48 100644 --- a/hosts/server/hardware-configuration.nix +++ b/hosts/server/hardware-configuration.nix 
@@ -1,28 +1,51 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace"; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace"; fsType = "ext4"; }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/C2ED-90A4"; + "/boot" = { + device = "/dev/disk/by-uuid/C2ED-90A4"; fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; + options = [ + "fmask=0077" + "dmask=0077" + ]; }; + "/mnt/data" = { + device = "/dev/disk/by-uuid/efa8669d-d141-4858-9e66-d3efa9a88816"; + fsType = "ext4"; + options = [ + "acl" + "exec" + ]; + }; + }; swapDevices = [ ]; diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix index cc754ff..c90b5e5 100644 --- a/hosts/server/secrets.nix +++ b/hosts/server/secrets.nix 
@@ -5,66 +5,100 @@ age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + age.secrets."wireguard-secret" = { + file = ../../secrets/wireguard-secret.age; + owner = "root"; + group = "root"; + mode = "0400"; + }; + age.secrets."mailjet-user" = { file = ../../secrets/mailjet-user.age; owner = "root"; group = "root"; - mode = "0400"; + mode = "0400"; }; age.secrets."mailjet-pass" = { file = ../../secrets/mailjet-pass.age; owner = "root"; group = "root"; - mode = "0400"; + mode = "0400"; }; age.secrets."nextcloud-admin-pass" = { file = ../../secrets/nextcloud-admin-pass.age; owner = "nextcloud"; group = "nextcloud"; - mode = "0400"; + mode = "0400"; }; age.secrets."nextcloud-oidc-secret" = { file = ../../secrets/nextcloud-oidc-secret.age; owner = "kanidm"; group = "kanidm"; - mode = "0400"; + mode = "0400"; }; age.secrets."grafana-oidc-secret" = { file = ../../secrets/grafana-oidc-secret.age; owner = "kanidm"; group = "grafana"; - mode = "0440"; + mode = "0440"; + }; + + age.secrets."grafana-secret-key" = { + file = ../../secrets/grafana-secret-key.age; + owner = "grafana"; + group = "grafana"; + mode = "0440"; }; age.secrets."forgejo-oidc-secret" = { file = ../../secrets/forgejo-oidc-secret.age; owner = "kanidm"; group = "forgejo"; - mode = "0440"; + mode = "0440"; + }; + + age.secrets."forgejo-runner-token" = { + file = ../../secrets/forgejo-runner-token.age; + owner = "forgejo"; + group = "forgejo"; + mode = "0440"; }; age.secrets."nextcloud-database" = { file = ../../secrets/nextcloud-database.age; owner = "nextcloud"; group = "nextcloud"; - mode = "0400"; + mode = "0400"; }; age.secrets."kanidm-admin" = { file = ../../secrets/kandim-admin.age; owner = "kanidm"; group = "kanidm"; - mode = "0400"; + mode = "0400"; }; age.secrets."kanidm-idmAdmin" = { file = ../../secrets/kandim-idmAdmin.age; owner = "kanidm"; group = "kanidm"; - mode = "0400"; + mode = "0400"; }; + age.secrets."vault-oidc-secret" = { + file = ../../secrets/vault-oidc-secret.age; + owner = 
"kanidm"; + group = "kanidm"; + mode = "0400"; + }; + + age.secrets."vault-secret-env" = { + file = ../../secrets/vault-secret-env.age; + owner = "vaultwarden"; + group = "vaultwarden"; + mode = "0400"; + }; } diff --git a/modules/games/steam.nix b/modules/games/steam.nix index bc81d4d..ca3bde0 100644 --- a/modules/games/steam.nix +++ b/modules/games/steam.nix @@ -22,6 +22,7 @@ in }; environment.systemPackages = with pkgs; [ + gamescope wine-staging lutris dxvk diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age new file mode 100644 index 0000000..47e7e7f Binary files /dev/null and b/secrets/forgejo-runner-token.age differ diff --git a/secrets/grafana-secret-key.age b/secrets/grafana-secret-key.age new file mode 100644 index 0000000..af16ce7 --- /dev/null +++ b/secrets/grafana-secret-key.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Iy+0iw a6V5MbX371JEVJM4L1AiL0f3/W4oPhc0EeydmBlCwzI +QnsMyhcDyrCGkkJaQWA04u5YdiVrlIISyp/PEnY7emE +-> ssh-ed25519 ocqiLQ 6vkETQNUq8iMWqPD3uf+UrVcY34xz8KBPLWK2WRHjgk +ttdk+iK/DFYoshfffBN+tbxXkWHgVPz5fYQ+m4684aM +--- gBW+PH1fOqhXi0ChESyPAj7fqM21Lb9UYPJ5JWVuoFk +%Alb3SdTPHf{&.5@;VPkz׶+lZvV \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 8810616..3c4d101 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
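Review bot: `grafana-secret-key` and `forgejo-runner-token` get `mode = "0440"` although owner and group are the same account, so the group bit grants nothing; elsewhere in this file `0440` is used only where a second service's group must read a kanidm-owned file and `0400` is the single-consumer pattern, so `mode = "0400";` keeps the intent legible. For `forgejo-runner-token`, confirm that the NixOS gitea-actions-runner unit actually runs as `forgejo` — if it uses a dynamic user, the token is only readable because systemd loads the file as root before dropping privileges, and the `owner`/`group` here is then cosmetic. `wireguard-secret` is root-owned `0400`, which is right for a runtime env file but is not how jellyfin.nix consumes it in this same commit (see the note there).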
@@ -10,13 +10,18 @@ let ]; in { + "wireguard-secret.age".publicKeys = users ++ systems; "mailjet-user.age".publicKeys = users ++ systems; "mailjet-pass.age".publicKeys = users ++ systems; "nextcloud-admin-pass.age".publicKeys = users ++ systems; "nextcloud-database.age".publicKeys = users ++ systems; "nextcloud-oidc-secret.age".publicKeys = users ++ systems; "grafana-oidc-secret.age".publicKeys = users ++ systems; + "grafana-secret-key.age".publicKeys = users ++ systems; "forgejo-oidc-secret.age".publicKeys = users ++ systems; + "forgejo-runner-token.age".publicKeys = users ++ systems; "kandim-admin.age".publicKeys = users ++ systems; "kandim-idmAdmin.age".publicKeys = users ++ systems; + "vault-secret-env.age".publicKeys = users ++ systems; + "vault-oidc-secret.age".publicKeys = users ++ systems; } diff --git a/secrets/vault-oidc-secret.age b/secrets/vault-oidc-secret.age new file mode 100644 index 0000000..752b97a Binary files /dev/null and b/secrets/vault-oidc-secret.age differ diff --git a/secrets/vault-secret-env.age b/secrets/vault-secret-env.age new file mode 100644 index 0000000..e5cfb4b --- /dev/null +++ b/secrets/vault-secret-env.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 Iy+0iw rpRn2BgDtK3p1tHofUH/nCEwRh4z7rjAwLbvbhCTSkg +6ZiVqx6pNZyYmhsDhZh3YG6+LKiRsnuWMfN8KzJLyhw +-> ssh-ed25519 ocqiLQ AguX30lc6+1ckV3ENiHhboGyNyf2pN0hqIytsTAjwz4 +rAGWhtuROHn8p0eAGEKS6Xp+PyYmpbw2EbdadbfJxt0 +--- WA9Zus5yXPXPD+TiHyUlEIqozmvhAxWQTE6s2olZ1fs +2*8ց3g E(+w[ ssh-ed25519 Iy+0iw 65IsIObRg7SuYCZnDp/LKpSn1tpnJTLaXFcc7/9gRkA +3L16P+XHyyfwSZLInsPv3UPMVYsPpYAV2E+/kl+oQbA +-> ssh-ed25519 ocqiLQ R3CkxF9zthAEZGE3CZypFGb/uwLazrBpwWT97N+1izA +EP6vUm4Y511GMctNJi0FO7bzUw6qHMqPRzxJiSTD23M +--- JqhMdyVwELZA++21d9WMdbGTciFtsea44hbbC+WWLHI +'N =x0TEPܯPmʒ=ȝah*p`%Qwo+WJ@OkKTR \ No newline at end of file diff --git a/services/self_host.nix b/services/self_host.nix index 9a146e3..92ecb5d 100644 --- a/services/self_host.nix +++ b/services/self_host.nix 
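Review bot: Every new entry is encrypted to `users ++ systems`, the same recipient set as all existing secrets, so the Mullvad WireGuard key and the vaultwarden env file are decryptable with every host key in `systems` even though only the server consumes them (how many hosts `systems` holds is defined above the hunk, so this is inferred). Scoping per-host secrets to the keys that need them — for example `"wireguard-secret.age".publicKeys = users ++ [ server ];` with a `server` binding added to the `let` (constructed name) — limits what one compromised host key can decrypt. The same applies to `vault-secret-env.age`, `vault-oidc-secret.age`, `forgejo-runner-token.age` and `grafana-secret-key.age`.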
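Review bot: The vault-secret-env.age payload appears to contain a second recipient section (`ssh-ed25519 Iy+0iw 65Is…`, `-> ssh-ed25519 ocqiLQ R3Ck…`, then a second `--- …` MAC line) after the first `---` line, which looks like two age encryptions concatenated into one file; this may be rendering noise from the binary ciphertext, but if the file really carries two headers, `agenix -d` will either fail or return only the first payload. Re-encrypting the value once with `agenix -e secrets/vault-secret-env.age` and checking that the result starts with a single `age-encryption.org/v1` header settles it.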
@@ -71,6 +71,14 @@ let lib ; }; + vault = import ./self_host/vault.nix { + inherit + inputs + config + pkgs + lib + ; + }; cfg = config.service.selfhost; in { @@ -83,6 +91,7 @@ in nextcloud ollama sso + vault ]; config = { @@ -129,7 +138,12 @@ in sso = lib.mkOption { type = lib.types.bool; default = false; - description = "Enable the nextcloud"; + description = "Enable the sso"; + }; + vault = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Enable the vault"; }; }; } diff --git a/services/self_host/git.nix b/services/self_host/git.nix index 191d46d..902c291 100644 --- a/services/self_host/git.nix +++ b/services/self_host/git.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let gitDomain = "git.enium.eu"; @@ -30,13 +35,14 @@ in AUTH_URL = "https://git.enium.eu/ui/oauth2"; TOKEN_URL = "https://git.enium.eu/oauth2/token"; API_URL = "https://git.enium.eu/oauth2/openid/forgejo/userinfo"; + REDIRECT_URI = "https://git.enium.eu/user/oauth2/Enium/callback"; CODE_CHALLENGE_METHOD = "S256"; ENABLE_AUTO_REGISTRATION = true; UPDATE_AVATAR = true; }; service = { - DISABLE_REGISTRATION = true; + DISABLE_REGISTRATION = false; ALLOW_ONLY_EXTERNAL_REGISTRATION = true; SHOW_REGISTRATION_BUTTON = false; DISABLE_PASSWORD_SIGNIN_FORM = true; @@ -46,7 +52,18 @@ in }; }; }; - + gitea-actions-runner = { + package = pkgs.forgejo-runner; + instances.default = { + enable = true; + name = "monolith"; + url = "https://git.enium.eu"; + tokenFile = config.age.secrets.forgejo-runner-token.path; + labels = [ + "ubuntu-latest:docker://node:16-bullseye" + ]; + }; + }; nginx.virtualHosts."${gitDomain}" = { enableACME = true; forceSSL = true; diff --git a/services/self_host/jellyfin.nix b/services/self_host/jellyfin.nix index a0e558f..0c1d50d 100644 --- a/services/self_host/jellyfin.nix +++ b/services/self_host/jellyfin.nix 
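Review bot: `DISABLE_REGISTRATION` flips from `true` to `false`, and together with `ENABLE_AUTO_REGISTRATION = true` that means any identity able to complete the OIDC flow against the kanidm client is auto-provisioned a Forgejo account; `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` blocks local sign-up but not this path, so the authorization boundary is now whatever group scoping the kanidm OAuth2 client applies, which is not visible in this file. A comment above the line such as `# sign-up is open only via SSO; who may register is controlled by the kanidm client's group scope` records that intent, and it is worth confirming the kanidm side does restrict the client to the intended group rather than all accounts.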
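Review bot: The runner label `ubuntu-latest:docker://node:16-bullseye` runs every job on a Node 16 base image, which is past upstream end-of-life and no longer receives security updates; a maintained `node` LTS tag, ideally pinned by `@sha256:` digest, is the usual choice for a CI base. `tokenFile` in the NixOS gitea-actions-runner module is, as far as I recall, loaded as an environment file and expects a `TOKEN=…` line rather than the bare token — confirm the age payload is in that form, otherwise registration of `monolith` will not succeed. A one-line comment on `tokenFile`, e.g. `# env-file format: TOKEN=<runner registration token>`, would save the next person decrypting it to find out.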
@@ -1,84 +1,128 @@ { -config, -pkgs, -lib, -... + config, + pkgs, + lib, + ... }: let cfg = config.service.selfhost.jellyfin; + wireguard-key = config.age.secrets."wireguard-secret".path; in - { +{ config = lib.mkIf cfg { + virtualisation = { + docker.enable = true; + oci-containers = { + backend = "docker"; + containers = { + gluetun = { + image = "qmcgaw/gluetun:latest"; + autoStart = true; + extraOptions = [ + "--cap-add=NET_ADMIN" + "--device=/dev/net/tun" + ]; + environment = { + VPN_SERVICE_PROVIDER = "mullvad"; + VPN_TYPE = "wireguard"; + WIREGUARD_PRIVATE_KEY = builtins.readFile wireguard-key; + BLOCK_MALICIOUS = "off"; + BLOCK_SURVEILLANCE = "off"; + BLOCK_ADS = "off"; + WIREGUARD_ADDRESSES = "10.70.168.94/32"; + SERVER_COUNTRIES = "Sweden"; + SERVER_CITIES = "Stockholm"; + SERVER_HOSTNAMES = "se-sto-wg-206"; + TZ = "Europe/Paris"; + }; + ports = [ + "8080:8080" + "7878:7878" + "8989:8989" + "9696:9696" + ]; + }; + qbittorrent = { + image = "lscr.io/linuxserver/qbittorrent:latest"; + autoStart = true; + extraOptions = [ + "--network=container:gluetun" + ]; + environment = { + PUID = "1000"; + PGID = "991"; + WEBUI_PORT = "8080"; + TZ = "Europe/Paris"; + }; + volumes = [ + "/mnt/data/qbittorrent/config:/config" + "/mnt/data/downloads:/downloads" + ]; + }; + radarr = { + image = "lscr.io/linuxserver/radarr:latest"; + autoStart = true; + extraOptions = [ + "--network=container:gluetun" + ]; + environment = { + PUID = "1000"; + PGID = "991"; + TZ = "Europe/Paris"; + }; + volumes = [ + "/mnt/data/radarr/config:/config" + "/mnt/data/downloads:/downloads" + "/mnt/data:/data" + ]; + }; + sonarr = { + image = "lscr.io/linuxserver/sonarr:latest"; + autoStart = true; + extraOptions = [ + "--network=container:gluetun" + ]; + environment = { + PUID = "1000"; + PGID = "991"; + TZ = "Europe/Paris"; + }; + volumes = [ + "/mnt/data/sonarr/config:/config" + "/mnt/data/downloads:/downloads" + "/mnt/data:/data" + ]; + }; + prowlarr = { + image = 
"lscr.io/linuxserver/prowlarr:latest"; + autoStart = true; + extraOptions = [ + "--network=container:gluetun" + ]; + environment = { + PUID = "1000"; + PGID = "991"; + TZ = "Europe/Paris"; + }; + volumes = [ + "/mnt/data/prowlarr/config:/config" + ]; + }; + }; + }; + }; users = { groups.datausers = { }; users = { jellyfin.extraGroups = [ "datausers" ]; - radarr.extraGroups = [ "datausers" ]; - sonarr.extraGroups = [ "datausers" ]; }; }; services = { jellyfin = { enable = true; - dataDir = "/mnt/data/media"; + dataDir = "/mnt/data/jellyfin"; openFirewall = true; }; - - qbittorrent = { - enable = true; - openFirewall = true; - user = "qbittorrent"; - group = "datausers"; - - webuiPort = 8137; - - serverConfig = { - Preferences = { - Downloads = { - SavePath = "/mnt/data/downloads"; - TempPathEnabled = false; - }; - General = { - Locale = "fr_FR"; - }; - WebUI = { - Username = "raphael"; - Password_PBKDF2 = "@ByteArray(CmH/e4LVehCMTT2BUTVo5g==:VqhgnDIsg0owhZqINmi6O0Ac3tXgz6JYAkxB7sqSH18VPQ6R6Tz9jT2a6KXtld4wG6ld41nFXSst0UqRFTUTUw==)"; - }; - }; - }; - }; - - flaresolverr = { - enable = true; - openFirewall = true; - port = 8191; - }; - - sonarr = { - enable = true; - dataDir = "/var/lib/sonarr"; - user = "sonarr"; - group = "datausers"; - openFirewall = true; - }; - - radarr = { - enable = true; - dataDir = "/var/lib/radarr"; - user = "radarr"; - group = "datausers"; - openFirewall = true; - }; - - prowlarr = { - enable = true; - dataDir = "/var/lib/prowlarr"; - openFirewall = true; - }; - - bazarr.enable = true; - nginx.virtualHosts = { "jellyfin.enium.eu" = { enableACME = true; diff --git a/services/self_host/mail.nix b/services/self_host/mail.nix index eb0b401..6844985 100644 --- a/services/self_host/mail.nix +++ b/services/self_host/mail.nix @@ -22,7 +22,7 @@ in shell = "/run/current-system/sw/bin/nologin"; }; users.groups = { - vmail = {}; + vmail = { }; }; systemd.tmpfiles.rules = [ "d /run/dovecot 0755 dovecot dovecot - -" 
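Review bot: `WIREGUARD_PRIVATE_KEY = builtins.readFile wireguard-key;` reads the agenix runtime path at Nix evaluation time, which is the wrong layer for a secret: the decrypted file only exists on the deployed host after activation, so a build from another machine or in pure flake evaluation fails or sees nothing, and where it does succeed the key is interpolated into the generated container unit and lands in the world-readable Nix store. The oci-containers module supports runtime env files, so replace that line with `environmentFiles = [ wireguard-key ];` as a sibling of `environment` and store the age payload as `WIREGUARD_PRIVATE_KEY=…`. Separately, `ports` publishes 8080/7878/8989/9696 on all host interfaces while the server config in this same commit keeps `networking.firewall.enable = false`, so the qBittorrent, Radarr, Sonarr and Prowlarr UIs are reachable from any network the server sits on — bind them to loopback (`"127.0.0.1:8080:8080"` and so on) if the nginx vhosts further down are meant to front them. All five images use `:latest`, so each restart may pull a different image; pinning a version or digest makes the deployment reproducible. The attribute set continues past the hunk.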
@@ -84,14 +84,22 @@ in chroot = false; command = "smtpd"; args = [ - "-o" "smtpd_recipient_restrictions=permit_sasl_authenticated,reject" - "-o" "smtpd_sasl_auth_enable=yes" - "-o" "smtpd_sasl_security_options=noanonymous" - "-o" "smtpd_sender_login_maps=hash:/var/lib/postfix/sender_login" - "-o" "smtpd_sender_restrictions=reject_sender_login_mismatch" - "-o" "smtpd_tls_auth_only=yes" - "-o" "smtpd_tls_security_level=encrypt" - "-o" "syslog_name=postfix/submission" + "-o" + "smtpd_recipient_restrictions=permit_sasl_authenticated,reject" + "-o" + "smtpd_sasl_auth_enable=yes" + "-o" + "smtpd_sasl_security_options=noanonymous" + "-o" + "smtpd_sender_login_maps=hash:/var/lib/postfix/sender_login" + "-o" + "smtpd_sender_restrictions=reject_sender_login_mismatch" + "-o" + "smtpd_tls_auth_only=yes" + "-o" + "smtpd_tls_security_level=encrypt" + "-o" + "syslog_name=postfix/submission" ]; }; }; @@ -211,16 +219,19 @@ in raphael@enium.eu:{SHA512-CRYPT}$6$rIsn6/dLJ6MbITx5$vMo82dgkQZoV8BQIaO6Bs9J86ZjgcJ.LqMuIqnXVfuBRgZOqY/YiURBUOcS1P2wAo5h4TCFkKExfcjjX1reUU. benjamin@enium.eu:{SHA512-CRYPT}$6$.34vS2JkrmGnioYo$pUF.vN5Q3njn5WRTLdMU5n7vGJdwk64bB/si0vQXFw.ioky4xlHUVocFXC8GI9wkVJNif.2kHvAYEcEtXvU2I0 deborah@enium.eu:{SHA512-CRYPT}$6$IZ7Dd31uZ4VKzz04$z5IhS25Jve8KsX0GIIXB8GUiPYd3eSuxlDz9RZQHa2tE4hptgtXQVU3av42MIRpaN9GPqG9iM6jiQUwRZ9V39/ + rchouraqui@enium.eu:{SHA512-CRYPT}$6$.YW4sF83D1EZXQW8$AZoxbni6XFGf3XuSp1sKhZ9cHjU5CcryEH8C45Fbu5s2nJHixDRnDeH6Vl5EvfQfH09wrxhDYp0Tld.TiUSpn. ''; environment.etc."postfix-vmailbox".text = '' raphael@enium.eu enium.eu/raphael/ benjamin@enium.eu enium.eu/benjamin/ deborah@enium.eu enium.eu/deborah/ + rchouraqui@enium.eu enium.eu/rchouraqui/ ''; environment.etc."postfix-sender_login".text = '' raphael@enium.eu raphael@enium.eu benjamin@enium.eu benjamin@enium.eu deborah@enium.eu deborah@enium.eu + rchouraqui@enium.eu rchouraqui@enium.eu no-reply@enium.eu raphael@enium.eu, benjamin@enium.eu direction@enium.eu raphael@enium.eu, benjamin@enium.eu 
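Review bot: The new `rchouraqui@enium.eu:{SHA512-CRYPT}$6$…` line in the second hunk goes into an `environment.etc.*.text` entry (its name starts above the hunk), which is rendered into the Nix store and is therefore world-readable on the host, so the credential hash — salted SHA-512 crypt, but still offline-crackable — is exposed to every local user; the three existing entries have the same property, so this is an inherited pattern rather than a regression. Since the repo already routes secrets through agenix, the passwd file could be encrypted whole and referenced with `source = config.age.secrets.<name>.path;` (placeholder name) with the owner set to the daemon that reads it, leaving only the aliases in plain text. The enclosing module continues outside the hunk.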
@@ -229,7 +240,7 @@ in ''; environment.etc."postfix-virtual".text = '' direction@enium.eu raphael@enium.eu, benjamin@enium.eu - recrutement@enium.eu raphael@enium.eu, benjamin@enium.eu + recrutement@enium.eu raphael@enium.eu, benjamin@enium.eu, rchouraqui@enium.eu contact@enium.eu raphael@enium.eu, benjamin@enium.eu ''; 
@@ -237,68 +248,68 @@ in enable = true; postfix.enable = true; extraConfig = '' - worker "controller" { - bind_socket = "127.0.0.1:11334"; - password = "admin"; - }; + worker "controller" { + bind_socket = "127.0.0.1:11334"; + password = "admin"; + }; - worker "normal" { - bind_socket = "127.0.0.1:11333"; - }; + worker "normal" { + bind_socket = "127.0.0.1:11333"; + }; - worker "rspamd_proxy" { - bind_socket = "127.0.0.1:11332"; - milter = yes; - timeout = 120s; - upstream "local" { - self_scan = yes; - }; - }; + worker "rspamd_proxy" { + bind_socket = "127.0.0.1:11332"; + milter = yes; + timeout = 120s; + upstream "local" { + self_scan = yes; + }; + }; - actions { - reject = 12; - add_header = 6; - greylist = 4; - }; + actions { + reject = 12; + add_header = 6; + greylist = 4; + }; - classifier "bayes" { - backend = "redis"; - servers = "127.0.0.1:6381"; - autolearn = true; - min_learns = 200; - new_schema = true; - cache = true; + classifier "bayes" { + backend = "redis"; + servers = "127.0.0.1:6381"; + autolearn = true; + min_learns = 200; + new_schema = true; + cache = true; - statfile { - symbol = "BAYES_HAM"; - spam = false; - }; + statfile { + symbol = "BAYES_HAM"; + spam = false; + }; - statfile { - symbol = "BAYES_SPAM"; - spam = true; - }; + statfile { + symbol = "BAYES_SPAM"; + spam = true; + }; - learn_condition = <1m." - - - alert: nginxServiceUp - expr: process_up{job="process_exporter",name="nginx"} == 1 - for: 1m - labels: - severity: info - annotations: - summary: "Processus nginx rétabli" - description: "Le processus nginx tourne de nouveau." - - - alert: grafanaServiceDown - expr: process_up{job="process_exporter",name="grafana"} == 0 - for: 1m - labels: - severity: critical - annotations: - summary: "Processus grafana arrêté" - description: "Le processus grafana ne tourne plus depuis >1m." 
- - - alert: grafanaServiceUp - expr: process_up{job="process_exporter",name="grafana"} == 1 - for: 1m - labels: - severity: info - annotations: - summary: "Processus grafana rétabli" - description: "Le processus grafana tourne de nouveau." - ''; - - services.nginx.virtualHosts."monitor.enium.eu" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - proxyWebsockets = true; + loki.write "local" { + endpoint { + url = "http://localhost:3100/loki/api/v1/push" + } + } + ''; + }; + nginx.virtualHosts."monitor.enium.eu" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + proxyWebsockets = true; + }; }; }; + + systemd.services = { + alloy.serviceConfig.SupplementaryGroups = [ "systemd-journal" ]; + process_exporter = { + description = "Prometheus Process Exporter"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.prometheus-process-exporter}/bin/process-exporter --config.path /etc/process-exporter.json"; + Restart = "always"; + }; + }; + }; + + environment.etc = { + "process-exporter.json".text = builtins.toJSON { + procMatchers = lib.map (svc: { + name = svc; + cmdline = [ + "${svc}:" + ]; + }) monitored; + }; + "grafana/dashboards".source = dashboardsDir; + "prometheus/services.rules".text = '' + groups: + - name: services + rules: + - alert: nginxServiceDown + expr: process_up{job="process_exporter",name="nginx"} == 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Processus nginx arrêté" + description: "Le processus nginx ne tourne plus depuis >1m." + + - alert: nginxServiceUp + expr: process_up{job="process_exporter",name="nginx"} == 1 + for: 1m + labels: + severity: info + annotations: + summary: "Processus nginx rétabli" + description: "Le processus nginx tourne de nouveau." 
+ + - alert: grafanaServiceDown + expr: process_up{job="process_exporter",name="grafana"} == 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Processus grafana arrêté" + description: "Le processus grafana ne tourne plus depuis >1m." + + - alert: grafanaServiceUp + expr: process_up{job="process_exporter",name="grafana"} == 1 + for: 1m + labels: + severity: info + annotations: + summary: "Processus grafana rétabli" + description: "Le processus grafana tourne de nouveau." + ''; + }; + }; } diff --git a/services/self_host/nextcloud.nix b/services/self_host/nextcloud.nix index 5e8b2d6..d5bb96e 100644 --- a/services/self_host/nextcloud.nix +++ b/services/self_host/nextcloud.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = config.service.selfhost.nextcloud; @@ -6,7 +11,7 @@ let nextcloud-database = config.age.secrets."nextcloud-database".path; dataDir = "/mnt/data/nextcloud"; in - { +{ config = lib.mkIf cfg { environment.systemPackages = with pkgs; [ php @@ -66,7 +71,7 @@ in nextcloud = { enable = true; https = true; - package = pkgs.nextcloud32; + package = pkgs.nextcloud33; hostName = "nextcloud.enium.eu"; datadir = dataDir; config = { diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix index e83b5e3..aa102a8 100644 --- a/services/self_host/sso.nix +++ b/services/self_host/sso.nix @@ -9,8 +9,7 @@ let cfg = config.service.selfhost.sso; kanidm-admin = config.age.secrets."kanidm-admin".path; kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path; - imagesDir = "/user/share/kanidm/assets"; - kanidmLogo = pkgs.fetchurl { + forgejoLogo = pkgs.fetchurl { url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg"; name = "kanidm.svg"; sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig="; 
@@ -25,11 +24,16 @@ let name = "nextcloud.svg"; sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo="; }; + vaultLogo = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/dani-garcia/vaultwarden/ba5519167634ebe1e1f0fc10d610d10d1f405101/resources/vaultwarden-icon.svg"; + name = "vault.svg"; + sha256 = "sha256-xY/pFVS9puG+Ub0M9WrISrY/eY1Rc+QeceGqHeUVx+8="; + }; in - { +{ config = lib.mkIf cfg { users = { - groups.kanidm = {}; + groups.kanidm = { }; users.kanidm = { isSystemUser = true; group = "kanidm"; @@ -39,17 +43,21 @@ in security.acme.certs."auth.enium.eu".group = "nginx"; services = { kanidm = { - package = pkgs.kanidmWithSecretProvisioning_1_8; - enableServer = true; - serverSettings = { - domain = "enium.eu"; - origin = "https://auth.enium.eu"; - bindaddress = "127.0.0.1:9000"; - tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem"; - tls_key = "/var/lib/acme/auth.enium.eu/key.pem"; + package = pkgs.kanidmWithSecretProvisioning_1_9; + server = { + enable = true; + settings = { + domain = "enium.eu"; + origin = "https://auth.enium.eu"; + bindaddress = "127.0.0.1:9000"; + tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem"; + tls_key = "/var/lib/acme/auth.enium.eu/key.pem"; + }; + }; + client = { + enable = true; + settings.uri = config.services.kanidm.server.settings.origin; }; - enableClient = true; - clientSettings.uri = config.services.kanidm.serverSettings.origin; provision = { enable = true; autoRemove = false; @@ -66,6 +74,19 @@ in "grafana_superadmins" "forgejo_admins" "nextcloud_user" + "vault_admins" + ]; + }; + deborah = { + displayName = "Deborah"; + legalName = "Deborah Parodi"; + mailAddresses = [ + "deborah@enium.eu" + ]; + groups = [ + "grafana_superadmins" + "forgejo_users" + "vault_users" ]; }; }; @@ -88,6 +109,12 @@ in forgejo_users = { present = true; }; + vault_admins = { + present = true; + }; + vault_users = { + present = true; + }; nextcloud_user = { present = true; }; 
@@ -96,8 +123,8 @@ in forgejo = { present = true; displayName = "Forjego"; + imageFile = forgejoLogo; originUrl = "https://git.enium.eu"; - imageFile = kanidmLogo; originLanding = "https://git.enium.eu/user/oauth2/Enium/callback"; basicSecretFile = config.age.secrets.forgejo-oidc-secret.path; public = false; @@ -211,23 +238,47 @@ in email = { joinType = "array"; valuesByGroup = { - nextcloud_user = ["mail"]; + nextcloud_user = [ "mail" ]; }; }; preferred_username = { joinType = "array"; valuesByGroup = { - nextcloud_user = ["name"]; + nextcloud_user = [ "name" ]; }; }; name = { joinType = "array"; valuesByGroup = { - nextcloud_user = ["displayname"]; + nextcloud_user = [ "displayname" ]; }; }; }; }; + vault = { + present = true; + displayName = "Vault"; + imageFile = vaultLogo; + originUrl = "https://vault.enium.eu"; + originLanding = "https://vault.enium.eu/identity/connect/oidc-signin"; + basicSecretFile = config.age.secrets.vault-oidc-secret.path; + public = false; + enableLocalhostRedirects = false; + allowInsecureClientDisablePkce = false; + preferShortUsername = true; + scopeMaps = { + vault_admins = [ + "openid" + "profile" + "email" + ]; + vault_users = [ + "openid" + "profile" + "email" + ]; + }; + }; }; }; }; diff --git a/services/self_host/vault.nix b/services/self_host/vault.nix new file mode 100644 index 0000000..62f1511 --- /dev/null +++ b/services/self_host/vault.nix 
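Review bot: `vault_admins` and `vault_users` in the new `vault` client receive identical scope lists, so nothing in the issued token distinguishes the two groups; if the admin/user split is meant to reach Vaultwarden, claim-map entries like the `email`/`preferred_username`/`name` ones the nextcloud client defines above would be needed, otherwise a single group would do. `public = false` together with `allowInsecureClientDisablePkce = false` is the right pairing for a confidential client that also sets PKCE on its side. The enclosing `provision.systems` attribute set continues outside the hunk.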
@@ -0,0 +1,35 @@
+{ config, ... }:
+
+let
+ vaultEnv = config.age.secrets.vault-secret-env.path;
+in
+{
+ services.vaultwarden = {
+ enable = true;
+
+ environmentFile = vaultEnv;
+
+ config = {
+ DOMAIN = "https://vault.enium.eu";
+ ROCKET_PORT = 8222;
+ SIGNUPS_ALLOWED = false;
+ SSO_ENABLED = true;
+ SSO_CLIENT_ID = "vault";
+ SSO_CLIENT_SECRET = "cat ${config.age.secrets.vault-oidc-secret.path}";
+ SSO_AUTHORITY = "https://auth.enium.eu/oauth2/openid/vault";
+ SSO_SIGNUPS_MATCH_EMAIL = true;
+ SSO_PKCE = true;
+ SSO_SCOPES = "openid profile email";
+ SSO_ONLY = true;
+ };
+ };
+
+ services.nginx.virtualHosts."vault.enium.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8222";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/services/server/minecraft.nix b/services/server/minecraft.nix
index 310dc77..b719e30 100644
--- a/services/server/minecraft.nix
+++ b/services/server/minecraft.nix
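Review bot: `SSO_CLIENT_SECRET = "cat ${config.age.secrets.vault-oidc-secret.path}"` hands Vaultwarden the literal string `cat <path>` as the OIDC client secret — as far as I know the NixOS module exports `config` entries as plain environment variables and nothing runs them through a shell — so the token exchange with kanidm will fail while the secret path is still leaked into the store-visible config. The value belongs in the file already referenced by `environmentFile = vaultEnv`, as a `SSO_CLIENT_SECRET=<value>` line, and this entry should be dropped. A comment such as `# SSO_CLIENT_SECRET is supplied by vaultEnv (agenix)` would keep the pointer to where the secret lives.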
@@ -24,18 +24,67 @@ in servers.enium-pv = { enable = true; - package = pkgs.fabricServers.fabric-1_20_1; - jvmOpts = "-Xms4092M -Xmx4092M"; + autoStart = true; + package = pkgs.fabricServers.fabric-1_21_11; + restart = "always"; + jvmOpts = "-Xms2048M -Xmx8192M"; serverProperties = { - difficulty = 3; + difficulty = 2; gamemode = 0; max-players = 42; motd = "§l §3 Enium Survival§r\n§l §b Whitelisted Server"; - server-port = 64421; - spawn-protection = 16; + server-port = 25565; + spawn-protection = 0; white-list = true; }; - restart = "no"; + symlinks = { + mods = pkgs.linkFarmFromDrvs "mods" ( + builtins.attrValues { + graves = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/kieAM9Us/versions/YiPkk2xn/ly-graves-v3.0.1.jar"; + sha512 = "sha512-Wo+Sw6nVyqcaS7PWr+p3/+AkTYGAcuqk7heyBos/0jQYkCS/Z9q4Or6DInECkv8Cg4ZctmzrLOt6S8nr/sQYHw=="; + }; + lithium = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/gl30uZvp/lithium-fabric-0.21.2%2Bmc1.21.11.jar"; + sha512 = "sha512-lGJVEAE+DarxwuK22KRjyTL/YiD5G6WwzV+GhlghXwRtlNB7NGVmD1dsTcJ6WqGD373ByTA/EYlLWyWh3Gw7tg=="; + }; + jei = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/u6dRKJwZ/versions/9i2DXscL/jei-1.21.11-fabric-27.3.0.14.jar"; + sha512 = "sha512-ua8at0LkNpFFIleVM6D6GQthBZvuIh7rt8GSuY0mKjMIJ+dJr5G0wIKqcnsT8oBwkQvlWuitfWAz/cnM1maM9A=="; + }; + jade = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/nvQzSEkH/versions/7cBo3s22/Jade-1.21.11-Fabric-21.0.1.jar"; + sha512 = "sha512-aj1lnOyaPiH+AG6HYN6mNQtkqm1xGA+PCHouKn2U3t2mpfJ+r7+T3nCtxgbHXAe9/NncJb46Ds9ZTgIt7odRGw=="; + }; + chuncky = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/fALzjamp/versions/1CpEkmcD/Chunky-Fabric-1.4.55.jar"; + sha512 = "sha512-O+DgSePepiVrOVzLH33MycayPLex9qcXp80cpV+dvaSJZ53zKGjHJmTrsoygXyw2ZZDR4aEfDcX2n5R5A7rYMw=="; + }; + fabric_api = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/gB6TkYEJ/fabric-api-0.140.2%2B1.21.11.jar"; + sha512 = 
"sha512-r0RleX2AQBAhpq78jFRyAOfA+MrhNCmb8/r7wxD6gfBVJGsGFPwOA3U49KhE5VqtMKv6PGdGBCKFPfxCbwhtAA=="; + }; + create_fly = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/dKvj0eNn/versions/be2IkC5H/create-fly-1.21.11-6.0.8-4.jar"; + sha512 = "1r9qx8q5s49xlycs9k02ylb0cgn5x0d3s0crl0942kwf2r6vvnk8pv46bxj6p4jnqg4r5c6b4526zjxwdjc1d5fg7613sgv6f71817x"; + }; + } + ); + }; + whitelist = { + EniumRaphael = "3134072d-eb2f-49d5-afb4-2a3cc4375100"; + EniumBenjamin = "63e7d8d3-5090-4323-a7e6-c89707747b4b"; + EniumTeam = "d4706408-ccfc-4a3d-b128-07db95b34843"; + Zeldraft = "01cf2ab1-68a5-48c1-a948-76cda9574ae5"; + dprive05 = "0ad8a45a-417a-40d3-aa10-b67765792c42"; + }; + operators = { + Zeldraft = { + uuid = "01cf2ab1-68a5-48c1-a948-76cda9574ae5"; + level = 4; + bypassesPlayerLimit = true; + }; + }; }; }; }; diff --git a/services/server/teamspeak.nix b/services/server/teamspeak.nix index 4eb26d1..c5f4411 100644 --- a/services/server/teamspeak.nix +++ b/services/server/teamspeak.nix @@ -21,6 +21,13 @@ in locations."/" = { proxyPass = "http://127.0.0.1:9987"; proxyWebsockets = true; + extraConfig = '' + proxy_ssl_verify off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + ''; }; }; }; diff --git a/services/web/portefolio.nix b/services/web/portefolio.nix index d54ef44..87db8e1 100644 --- a/services/web/portefolio.nix +++ b/services/web/portefolio.nix @@ -36,8 +36,8 @@ in }; security.acme = { certs = { - "parodi.pro" = {}; - "raphael.parodi.pro" = {}; + "parodi.pro" = { }; + "raphael.parodi.pro" = { }; }; }; };
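Review bot: The `create_fly` entry's `sha512` is a bare nix32 digest while every other mod uses the SRI `sha512-…` form; both are accepted by `fetchurl`, but mixing the two makes the pinned list harder to verify at a glance, so converting it to SRI would keep the `mods` block uniform. `chuncky` reads like a typo for `chunky`; the attribute only names the link-farm entry, so it is cosmetic. Pinning every download by hash is the right call for artifacts pulled from a third-party CDN.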
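Review bot: `proxy_ssl_verify off;` has no effect here because `proxyPass` points at a plain `http://` upstream, yet it would silently disable certificate verification if the upstream were ever switched to `https://`, so the directive should be dropped rather than carried along. The four `proxy_set_header` lines duplicate what `services.nginx.recommendedProxySettings` already emits when it is enabled (not visible in this hunk); if it is not enabled, keeping them is fine, though `X-Forwarded-Proto https` could use `$scheme` so the vhost stays correct for non-TLS listeners.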