authorseth <[email protected]>2024-02-11 03:12:54 -0500
committerseth <[email protected]>2024-02-11 03:15:48 -0500
commitdadd33514c1fdc8ba4890e9334ab0fb89c31d02a (patch)
tree20d8f9a31933ee143c5d6d1fefa92f3a5f6d402d /modules/nixos/server
parent055b48c798039558e2ffde83b589ef6856917bbf (diff)
nixos/server: init (again)
Diffstat (limited to 'modules/nixos/server')
-rw-r--r--modules/nixos/server/default.nix43
-rw-r--r--modules/nixos/server/mixins/acme.nix46
-rw-r--r--modules/nixos/server/mixins/cloudflared.nix50
-rw-r--r--modules/nixos/server/mixins/default.nix9
-rw-r--r--modules/nixos/server/mixins/hercules.nix53
-rw-r--r--modules/nixos/server/mixins/nginx.nix24
-rw-r--r--modules/nixos/server/mixins/promtail.nix49
7 files changed, 274 insertions, 0 deletions
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
new file mode 100644
index 0000000..83ec0a8
--- /dev/null
+++ b/modules/nixos/server/default.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: let
+ cfg = config.server;
+in {
+ options.server = {
+ enable = lib.mkEnableOption "server settings";
+ };
+
+ imports = [
+ ./mixins
+ ];
+
+ config = lib.mkIf cfg.enable {
+ _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
+
+ boot.tmp.cleanOnBoot = lib.mkDefault true;
+
+ documentation = {
+ enable = false;
+ man.enable = false;
+ };
+
+ environment = {
+ defaultPackages = lib.mkForce [];
+ etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath;
+ };
+
+ nix = {
+ gc = {
+ dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
+ options = "-d --delete-older-than 2d";
+ };
+
+ registry.n.flake = inputs.nixpkgs-stable;
+ settings.allowed-users = [config.networking.hostName];
+ };
+ };
+}
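Review bot: The `nix.gc` block sets `dates` and `options` but not `nix.gc.automatic`, and as far as I can tell the NixOS module only creates the gc timer when `automatic = true`, so unless another module enables it the two-day retention never actually runs. Adding `automatic = lib.mkDefault true;` alongside `dates` makes the block do what it reads as doing. The `-d --delete-older-than 2d` pair also reads ambiguously (my recollection is that nix-collect-garbage applies the age bound when both are given), so `options = "--delete-older-than 2d"` states the intent directly; a two-day rollback window is short for a server and the reason it is acceptable here belongs in a comment. `settings.allowed-users = [config.networking.hostName]` silently assumes a local user named after the host exists and is the only one deploying; a comment such as `# only the per-host deploy user may talk to nix-daemon (root and trusted-users are always allowed)` would save the next reader a trip to the Nix manual.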
diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/server/mixins/acme.nix
new file mode 100644
index 0000000..60703e6
--- /dev/null
+++ b/modules/nixos/server/mixins/acme.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.acme;
+in {
+ options.server.mixins.acme = {
+ enable = lib.mkEnableOption "ACME mixin";
+
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+
+ useDns = lib.mkEnableOption "the usage of Cloudflare to obtain certs" // {default = true;};
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults =
+ {
+ email = "[email protected]";
+ }
+ // lib.optionalAttrs cfg.useDns {
+ dnsProvider = "cloudflare";
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
+ };
+ })
+ ]
+ );
+}
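Review bot: With `useDns` defaulting to true and `manageSecrets` false, `defaults.dnsProvider = "cloudflare"` is set without any `credentialsFile`, so lego has no Cloudflare credentials; depending on the NixOS acme module version that is either caught by a module assertion or shows up as a failed `acme-*.service` at first issuance. Either couple the two options with an assertion, e.g. `{ assertion = cfg.useDns -> cfg.manageSecrets; message = "server.mixins.acme.useDns requires manageSecrets unless credentialsFile is set elsewhere"; }`, or document in the `useDns` description how the credentials file is expected to be supplied when secrets are unmanaged. The secret name `cloudflareApiKey` suggests the account-wide Global API Key; lego also reads `CLOUDFLARE_DNS_API_TOKEN`, and a token scoped to Zone:DNS:Edit on the relevant zones limits what an exposed age secret can do, so the `age.secrets` entry should carry a comment stating which variable the file is expected to contain.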
diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix
new file mode 100644
index 0000000..5f75a35
--- /dev/null
+++ b/modules/nixos/server/mixins/cloudflared.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.cloudflared;
+ inherit (config.services) nginx;
+in {
+ options.server.mixins.cloudflared = {
+ enable = lib.mkEnableOption "cloudflared mixin";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "${config.networking.hostName}-nginx" =
+ {
+ default = "http_status:404";
+
+ ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
+ _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
+ );
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets.cloudflaredCreds = {
+ file = secretsDir + "/cloudflaredCreds.age";
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+ })
+ ]
+ );
+}
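Review bot: The `ingress` map publishes every `services.nginx.virtualHosts` entry through the tunnel with no way to keep a vhost local, and sends them all to plain `http://localhost:<defaultHTTPListenPort>`; if any of those vhosts set `forceSSL` (likely, given the ACME mixin in this commit), nginx answers with a redirect to https, which re-enters the tunnel and loops. Pointing the origin at the TLS listener with the vhost's own name for SNI avoids the loop and keeps that hop verified: `service = "https://localhost:${toString nginx.defaultSSLListenPort}"; originRequest.originServerName = name;` (using the genAttrs key in place of `_`). An explicit allowlist option such as `hosts = lib.mkOption { type = types.listOf types.str; default = builtins.attrNames nginx.virtualHosts; }` would let callers exclude internal vhosts instead of exposing whatever nginx happens to serve. Also, when `manageSecrets` is false no `credentialsFile` is set at all, and as far as I can tell that is a required option of `services.cloudflared.tunnels.<name>`, so the mixin cannot be enabled without managed secrets unless the path is defined elsewhere — worth an assertion or a note in the option description.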
diff --git a/modules/nixos/server/mixins/default.nix b/modules/nixos/server/mixins/default.nix
new file mode 100644
index 0000000..461cd34
--- /dev/null
+++ b/modules/nixos/server/mixins/default.nix
@@ -0,0 +1,9 @@
+{
+ imports = [
+ ./acme.nix
+ ./cloudflared.nix
+ ./hercules.nix
+ ./nginx.nix
+ ./promtail.nix
+ ];
+}
diff --git a/modules/nixos/server/mixins/hercules.nix b/modules/nixos/server/mixins/hercules.nix
new file mode 100644
index 0000000..103f58e
--- /dev/null
+++ b/modules/nixos/server/mixins/hercules.nix
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ unstable,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.hercules-ci;
+in {
+ options.server.mixins.hercules-ci = {
+ enable = lib.mkEnableOption "hercules-ci mixin";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ };
+ }
+
+ (let
+ secretNames = [
+ "binaryCaches"
+ "clusterJoinToken"
+ "secretsJson"
+ ];
+ in
+ lib.mkIf cfg.manageSecrets {
+ age.secrets = lib.genAttrs secretNames (
+ file: {
+ file = "${secretsDir}/${file}.age";
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ }
+ );
+
+ services.hercules-ci-agent = {
+ settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
+ lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
+ );
+ };
+ })
+ ]
+ );
+}
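Review bot: `package = unstable.hercules-ci-agent` puts the one service that holds the cluster join token, binary-cache credentials and `secretsJson` on a different nixpkgs input (`inputs.nixpkgs`, via `_module.args.unstable` in `server/default.nix`) than the rest of the host, which tracks `nixpkgs-stable`; that is a second, independently updated supply chain for the most sensitive component here and deserves a comment stating why, e.g. `# agent follows unstable: stable's package lags the hercules-ci service protocol — revisit when stable catches up`, if that is the reason. A side effect is that `unstable` is only defined while `server.enable` is true, so enabling `server.mixins.hercules-ci` on its own would, as far as I can tell, fail at evaluation with an undefined module argument; either move the `_module.args.unstable` definition out of the `mkIf` or add `assertions = [{ assertion = config.server.enable; message = "hercules-ci mixin requires server.enable"; }]`. The age secrets themselves are correctly owned by `hercules-ci-agent` with mode 400.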
diff --git a/modules/nixos/server/mixins/nginx.nix b/modules/nixos/server/mixins/nginx.nix
new file mode 100644
index 0000000..ba18ecf
--- /dev/null
+++ b/modules/nixos/server/mixins/nginx.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.mixins.nginx;
+in {
+ options.server.mixins.nginx = {
+ enable = lib.mkEnableOption "nginx mixin";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ };
+ };
+}
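Review bot: When this is fronted by the cloudflared mixin from the same commit, every request reaches nginx from 127.0.0.1, so access logs, any `allow`/`deny` rules and rate limits see the tunnel rather than the client; `recommendedProxySettings` only controls what nginx forwards upstream, not which inbound headers it trusts. Since nothing in this hunk opens 80/443 in `networking.firewall` (sensible for a tunnel-only origin), the loopback hop is the sole path and it is safe to take the client address from cloudflared's header: `commonHttpConfig = '' set_real_ip_from 127.0.0.1; real_ip_header CF-Connecting-IP; '';` (the realip module is built into nixpkgs' nginx by default, as far as I know). If a host ever exposes nginx directly, that trust must be narrowed to Cloudflare's published ranges instead of loopback, which is worth a comment next to the setting so it is not copied blindly.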
diff --git a/modules/nixos/server/mixins/promtail.nix b/modules/nixos/server/mixins/promtail.nix
new file mode 100644
index 0000000..1baaac6
--- /dev/null
+++ b/modules/nixos/server/mixins/promtail.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.mixins.promtail;
+ inherit (lib) types;
+in {
+ options.server.mixins.promtail = {
+ enable = lib.mkEnableOption "Promtail mixin";
+
+ clients = lib.mkOption {
+ type = types.listOf types.attrs;
+ default = [{}];
+ description = "Clients for promtail";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.promtail = {
+ enable = true;
+ configuration = {
+ inherit (cfg) clients;
+ server.disable = true;
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${config.networking.hostName}";
+ };
+ };
+
+ relabel_configs = [
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+}
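Review bot: `clients` is typed `listOf attrs` and flows straight into `services.promtail.configuration`, which the module renders into a world-readable file in `/nix/store`; any Loki `basic_auth.password` or `bearer_token` a caller puts in this option is therefore readable by every local user and by anything with access to the binary cache. At minimum the option should say so, e.g. `description = "Loki clients; use basic_auth.password_file / bearer_token_file pointing at an age secret — inline credentials end up in the Nix store"`, and ideally the mixin would offer a file-based option that is read at runtime rather than at build time. The default `[{}]` is also a client with no `url`, which promtail refuses to start on as far as I recall, so the mixin cannot be enabled without overriding it — `default = []` plus an assertion that the list is non-empty makes that explicit instead of failing in the unit. Finally, `max_age = "12h"` means an outage longer than that leaves an unbackfilled gap in central logs, which is fine if intended but deserves a one-line comment for whoever investigates an incident later.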