Diffstat (limited to 'modules/nixos/server/mixins')
| -rw-r--r-- | modules/nixos/server/mixins/acme.nix | 46 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/cloudflared.nix | 50 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/default.nix | 9 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/hercules.nix | 53 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/nginx.nix | 24 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/promtail.nix | 49 |
6 files changed, 231 insertions, 0 deletions
diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/server/mixins/acme.nix
new file mode 100644
index 0000000..60703e6
--- /dev/null
+++ b/modules/nixos/server/mixins/acme.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.acme;
+in {
+ options.server.mixins.acme = {
+ enable = lib.mkEnableOption "ACME mixin";
+
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+
+ useDns = lib.mkEnableOption "the usage of Cloudflare to obtain certs" // {default = true;};
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults =
+ {
+ email = "[email protected]";
+ }
+ // lib.optionalAttrs cfg.useDns {
+ dnsProvider = "cloudflare";
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix
new file mode 100644
index 0000000..5f75a35
--- /dev/null
+++ b/modules/nixos/server/mixins/cloudflared.nix
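Review bot: With `useDns = true` (the default) and `manageSecrets = false`, `defaults.dnsProvider = "cloudflare"` is set but no `credentialsFile` is, so lego has no API token for the DNS-01 challenge and the failure surfaces at certificate issuance time rather than at evaluation, unless the upstream ACME module already asserts this combination. Adding an element to the `lib.mkMerge` list makes the dependency explicit: `{ assertions = [{ assertion = !cfg.useDns || config.security.acme.defaults.credentialsFile != null; message = "server.mixins.acme: useDns needs security.acme.defaults.credentialsFile (enable manageSecrets or set it manually)"; }]; }`. The secret path is built as `secretsDir + "/cloudflareApiKey.age"` here but as `"${secretsDir}/${file}.age"` in hercules.nix; using one form in all mixins keeps them consistent.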
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.cloudflared;
+ inherit (config.services) nginx;
+in {
+ options.server.mixins.cloudflared = {
+ enable = lib.mkEnableOption "cloudflared mixin";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "${config.networking.hostName}-nginx" =
+ {
+ default = "http_status:404";
+
+ ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
+ _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
+ );
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets.cloudflaredCreds = {
+ file = secretsDir + "/cloudflaredCreds.age";
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/server/mixins/default.nix b/modules/nixos/server/mixins/default.nix
new file mode 100644
index 0000000..461cd34
--- /dev/null
+++ b/modules/nixos/server/mixins/default.nix
@@ -0,0 +1,9 @@
+{
+ imports = [
+ ./acme.nix
+ ./cloudflared.nix
+ ./hercules.nix
+ ./nginx.nix
+ ./promtail.nix
+ ];
+}
diff --git a/modules/nixos/server/mixins/hercules.nix b/modules/nixos/server/mixins/hercules.nix
new file mode 100644
index 0000000..103f58e
--- /dev/null
+++ b/modules/nixos/server/mixins/hercules.nix
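Review bot: The tunnel ingress is generated from `builtins.attrNames nginx.virtualHosts`, so every virtual host defined on the machine is published through Cloudflare by default, including any that was meant to stay internal; the exposure decision lives implicitly in the nginx config rather than in this mixin. An allow-list option whose default is all vhosts keeps today's behaviour while letting a host opt names out explicitly. Every entry is also routed to plain `http://localhost:<port>`, so a vhost with `forceSSL`/`addSSL` would answer the tunnel with a redirect to https; if TLS is meant to terminate at Cloudflare, a comment saying so would help the next reader.
```nix
options.server.mixins.cloudflared = {
  # … unchanged: enable, manageSecrets …
  exposedHosts = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = builtins.attrNames nginx.virtualHosts;
    defaultText = "all names in services.nginx.virtualHosts";
    description = "nginx virtual hosts that are reachable through the tunnel";
  };
};
# … unchanged: services.cloudflared.tunnels header …
ingress = lib.genAttrs cfg.exposedHosts (
  _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
);
```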
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ unstable,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.mixins.hercules-ci;
+in {
+ options.server.mixins.hercules-ci = {
+ enable = lib.mkEnableOption "hercules-ci mixin";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ };
+ }
+
+ (let
+ secretNames = [
+ "binaryCaches"
+ "clusterJoinToken"
+ "secretsJson"
+ ];
+ in
+ lib.mkIf cfg.manageSecrets {
+ age.secrets = lib.genAttrs secretNames (
+ file: {
+ file = "${secretsDir}/${file}.age";
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ }
+ );
+
+ services.hercules-ci-agent = {
+ settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
+ lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
+ );
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/server/mixins/nginx.nix b/modules/nixos/server/mixins/nginx.nix
new file mode 100644
index 0000000..ba18ecf
--- /dev/null
+++ b/modules/nixos/server/mixins/nginx.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.mixins.nginx;
+in {
+ options.server.mixins.nginx = {
+ enable = lib.mkEnableOption "nginx mixin";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ };
+ };
+}
diff --git a/modules/nixos/server/mixins/promtail.nix b/modules/nixos/server/mixins/promtail.nix
new file mode 100644
index 0000000..1baaac6
--- /dev/null
+++ b/modules/nixos/server/mixins/promtail.nix
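Review bot: `package = unstable.hercules-ci-agent;` is set with normal priority, so a host that needs another build has to reach for `lib.mkForce`; `package = lib.mkDefault unstable.hercules-ci-agent;` keeps the pin while leaving it overridable, and a one-line comment on why the unstable package is preferred over the stable one would record a decision that is otherwise invisible here. The file is named hercules.nix while the option namespace is `server.mixins.hercules-ci`; the other mixins use the same name for both, so renaming one side keeps the convention. The `lib.mapAttrs'` over `secretNames` silently depends on the agent's settings being called exactly `<name>Path`; a comment such as `# yields binaryCachesPath, clusterJoinTokenPath, secretsJsonPath` saves the reader from working that out.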
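Review bot: `recommendedGzipSettings`, `recommendedBrotliSettings` and `recommendedZstdSettings` are enabled together with `recommendedTlsSettings`, and response compression over TLS is the precondition for BREACH-style compression-oracle attacks on pages that mix a secret with attacker-influenced content; whether that matters depends on what the vhosts serve, so a comment recording the trade-off (or leaving compression to each vhost) would be worthwhile. The mixin also opens no firewall ports, which is consistent with fronting nginx by cloudflared but is not stated; if that is the intent, `# ports 80/443 stay closed on purpose: hosts are reached through the cloudflared tunnel` next to `services.nginx.enable = true;` makes it explicit.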
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.mixins.promtail;
+ inherit (lib) types;
+in {
+ options.server.mixins.promtail = {
+ enable = lib.mkEnableOption "Promtail mixin";
+
+ clients = lib.mkOption {
+ type = types.listOf types.attrs;
+ default = [{}];
+ description = "Clients for promtail";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.promtail = {
+ enable = true;
+ configuration = {
+ inherit (cfg) clients;
+ server.disable = true;
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${config.networking.hostName}";
+ };
+ };
+
+ relabel_configs = [
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+} |
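Review bot: `clients` defaults to `[{}]`, a client entry with no `url`, so enabling the mixin without overriding the option produces a promtail configuration that fails when the service starts rather than at evaluation; a default of `[]` plus an assertion that `cfg.clients != []`, or a description stating that the option must be set, would surface that at build time. `types.attrs` also cannot merge definitions from several modules and accepts anything, so `types.attrsOf types.anything` or a settings-format type is the usual choice. Because the generated configuration lands in the world-readable Nix store, any `basic_auth` password written inline into a client entry is exposed; the description should point callers to `password_file` (or an env-expanded config) instead. `host = "${config.networking.hostName}"` can simply be `host = config.networking.hostName;`.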
